File name: i.ps1

Full analysis: https://app.any.run/tasks/89bee93e-2ac1-4043-818b-003fe0d49da7
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: April 15, 2025, 12:43:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-powershell
stealer
evasion
rat
remcos
remote
api-base64
telegram
nodejs
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (6074), with no line terminators
MD5: 70E9F8B79323D52778C951092C1C7E50
SHA1: 435E74551890B8C70C4B09446EC6CE0A932763F5
SHA256: 643A7167361F96BD89B939F2DCDC4B696E6A336FE31B420D43D4967C48535C8E
SSDEEP: 96:f749jcwqan6KHZq7xjUYuvT+ylIiRUaf024Ng08HrUqhFNa+85DzDCoo8/MqPN1p:f749jcFa6KHZqtJuvT+mRt058HrNEHz9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 7720)
      • powershell.exe (PID: 7964)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 896)
      • powershell.exe (PID: 4464)
      • powershell.exe (PID: 736)
      • powershell.exe (PID: 8384)
      • powershell.exe (PID: 8504)
      • powershell.exe (PID: 2960)
      • powershell.exe (PID: 8540)
      • powershell.exe (PID: 7212)
      • powershell.exe (PID: 5044)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 8748)
      • powershell.exe (PID: 8096)
      • powershell.exe (PID: 8168)
      • powershell.exe (PID: 496)
      • powershell.exe (PID: 5984)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 8660)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 8076)
      • powershell.exe (PID: 8272)
      • powershell.exe (PID: 8988)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 4400)
      • cmd.exe (PID: 7908)
      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 3676)
      • SearchFilter.exe (PID: 1764)
      • cmd.exe (PID: 5364)
      • powershell.exe (PID: 736)
      • cmd.exe (PID: 9072)
      • cmd.exe (PID: 2288)
      • cmd.exe (PID: 8104)
      • cmd.exe (PID: 1672)
      • cmd.exe (PID: 6612)
      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 8880)
      • cmd.exe (PID: 5136)
      • wscript.exe (PID: 8176)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 7908)
      • powershell.exe (PID: 8168)
      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 2692)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 736)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 8168)
      • powershell.exe (PID: 496)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 8432)
      • cmd.exe (PID: 8572)
      • cmd.exe (PID: 8656)
      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 9072)
      • cmd.exe (PID: 8216)
      • cmd.exe (PID: 7916)
    • UAC/LUA settings modification

      • reg.exe (PID: 5364)
      • reg.exe (PID: 5980)
    • Disables Windows Defender

      • reg.exe (PID: 8920)
      • reg.exe (PID: 8440)
      • reg.exe (PID: 6264)
      • reg.exe (PID: 8600)
      • reg.exe (PID: 7236)
      • reg.exe (PID: 8132)
      • reg.exe (PID: 2776)
      • reg.exe (PID: 8872)
      • reg.exe (PID: 9072)
    • Deletes shadow copies

      • powershell.exe (PID: 8384)
      • powershell.exe (PID: 7052)
    • DLL Hijacking

      • taskhostw.exe (PID: 4108)
      • Microsoft.exe (PID: 8372)
    • Actions look like stealing of personal data

      • NVIDIA Control Panel.exe (PID: 8752)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • wscript.exe (PID: 8176)
    • Starts CMD.EXE for self-deleting

      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Steals credentials from Web Browsers

      • NVIDIA Control Panel.exe (PID: 8752)
    • REMCOS has been detected (SURICATA)

      • DWWIN.EXE (PID: 6208)
  • SUSPICIOUS

    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Reverses array data (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 7448)
      • SearchFilter.exe (PID: 1764)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7448)
      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • csc.exe (PID: 7768)
      • SearchFilter.exe (PID: 7896)
      • 7z.exe (PID: 8848)
      • csc.exe (PID: 2568)
      • 7z4.exe (PID: 5044)
      • taskhostw.exe (PID: 1452)
      • NVIDIA Control Panel.exe (PID: 8752)
      • 7z.exe (PID: 3784)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Process drops legitimate windows executable

      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • 7z.exe (PID: 8848)
      • 7z4.exe (PID: 5044)
      • 7z.exe (PID: 3784)
    • Starts CMD.EXE for commands execution

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • NVIDIA Control Panel.exe (PID: 8752)
      • taskhostw.exe (PID: 1452)
      • powershell.exe (PID: 6256)
      • Microsoft.exe (PID: 5360)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 4408)
      • net.exe (PID: 5008)
      • net.exe (PID: 8224)
      • cmd.exe (PID: 8892)
      • cmd.exe (PID: 2064)
      • net.exe (PID: 6384)
      • net.exe (PID: 7864)
      • cmd.exe (PID: 7268)
      • cmd.exe (PID: 2596)
      • net.exe (PID: 8900)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4400)
      • cmd.exe (PID: 7908)
      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 3676)
      • SearchFilter.exe (PID: 1764)
      • cmd.exe (PID: 5364)
      • powershell.exe (PID: 736)
      • cmd.exe (PID: 9072)
      • cmd.exe (PID: 2288)
      • cmd.exe (PID: 8104)
      • cmd.exe (PID: 6612)
      • cmd.exe (PID: 1672)
      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 8880)
      • cmd.exe (PID: 5136)
      • wscript.exe (PID: 8176)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 7908)
      • powershell.exe (PID: 8168)
      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 4024)
      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 1012)
      • cmd.exe (PID: 2692)
    • Application launched itself

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • powershell.exe (PID: 736)
      • taskhostw.exe (PID: 1452)
      • NVIDIA Control Panel.exe (PID: 8752)
      • Microsoft.exe (PID: 5360)
      • powershell.exe (PID: 8168)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 8004)
      • cmd.exe (PID: 3240)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 4068)
      • WMIC.exe (PID: 8216)
    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 2984)
      • cmd.exe (PID: 8952)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7768)
      • csc.exe (PID: 2568)
    • The process executes Powershell scripts

      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 5364)
      • powershell.exe (PID: 736)
      • cmd.exe (PID: 2560)
      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • cmd.exe (PID: 8880)
      • cmd.exe (PID: 5136)
      • wscript.exe (PID: 8176)
      • powershell.exe (PID: 8168)
    • Found strings related to reading or modifying Windows Defender settings

      • SearchFilter.exe (PID: 7896)
      • Microsoft.exe (PID: 5360)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5364)
      • powershell.exe (PID: 736)
      • cmd.exe (PID: 5136)
      • powershell.exe (PID: 8168)
    • Starts process via Powershell

      • powershell.exe (PID: 4464)
      • powershell.exe (PID: 736)
      • powershell.exe (PID: 2960)
      • powershell.exe (PID: 8168)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 8736)
      • cmd.exe (PID: 8808)
      • cmd.exe (PID: 8884)
      • cmd.exe (PID: 8964)
      • cmd.exe (PID: 8900)
      • cmd.exe (PID: 8500)
      • cmd.exe (PID: 9044)
      • cmd.exe (PID: 9112)
      • cmd.exe (PID: 8048)
      • cmd.exe (PID: 9200)
      • cmd.exe (PID: 5308)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 8636)
      • cmd.exe (PID: 8752)
      • cmd.exe (PID: 8668)
      • cmd.exe (PID: 8868)
      • cmd.exe (PID: 8892)
      • cmd.exe (PID: 9056)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 6944)
      • cmd.exe (PID: 7372)
      • cmd.exe (PID: 5364)
      • cmd.exe (PID: 8640)
      • cmd.exe (PID: 8580)
      • cmd.exe (PID: 8828)
      • cmd.exe (PID: 8840)
      • cmd.exe (PID: 8960)
      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 9024)
      • cmd.exe (PID: 9060)
      • cmd.exe (PID: 9136)
      • cmd.exe (PID: 9184)
      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 9108)
      • cmd.exe (PID: 9184)
      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 7104)
      • cmd.exe (PID: 8924)
      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 3016)
      • cmd.exe (PID: 8984)
      • cmd.exe (PID: 6824)
      • cmd.exe (PID: 8216)
      • cmd.exe (PID: 6800)
      • cmd.exe (PID: 7340)
      • cmd.exe (PID: 8612)
      • cmd.exe (PID: 1040)
      • cmd.exe (PID: 9032)
      • cmd.exe (PID: 4068)
      • cmd.exe (PID: 6564)
      • cmd.exe (PID: 8952)
      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 7616)
      • cmd.exe (PID: 7100)
      • cmd.exe (PID: 8456)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 5176)
      • cmd.exe (PID: 2408)
      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 8992)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 8612)
      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 8872)
      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 8236)
      • cmd.exe (PID: 7604)
      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 6872)
      • cmd.exe (PID: 8876)
      • cmd.exe (PID: 9072)
    • Modifies existing scheduled task

      • schtasks.exe (PID: 8480)
      • schtasks.exe (PID: 8628)
      • schtasks.exe (PID: 8828)
      • schtasks.exe (PID: 8704)
      • schtasks.exe (PID: 9004)
      • schtasks.exe (PID: 8712)
      • schtasks.exe (PID: 2408)
      • schtasks.exe (PID: 8364)
      • schtasks.exe (PID: 8924)
      • schtasks.exe (PID: 1324)
    • Executes as Windows Service

      • VSSVC.exe (PID: 9076)
      • VSSVC.exe (PID: 8040)
    • There is functionality for taking screenshot (YARA)

      • SearchFilter.exe (PID: 2148)
    • Get information on the list of running processes

      • cmd.exe (PID: 9072)
      • SearchFilter.exe (PID: 1764)
      • cmd.exe (PID: 8256)
      • cmd.exe (PID: 8244)
      • NVIDIA Control Panel.exe (PID: 8752)
      • cmd.exe (PID: 7656)
      • cmd.exe (PID: 4452)
      • taskhostw.exe (PID: 1452)
      • Microsoft.exe (PID: 5360)
      • cmd.exe (PID: 2692)
    • Lists all scheduled tasks

      • schtasks.exe (PID: 8024)
      • schtasks.exe (PID: 2772)
      • schtasks.exe (PID: 900)
      • schtasks.exe (PID: 2316)
      • schtasks.exe (PID: 2240)
      • schtasks.exe (PID: 9028)
      • schtasks.exe (PID: 7196)
      • schtasks.exe (PID: 340)
      • schtasks.exe (PID: 7912)
      • schtasks.exe (PID: 7832)
    • Hides command output

      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 4932)
      • cmd.exe (PID: 8856)
      • cmd.exe (PID: 5256)
      • cmd.exe (PID: 352)
      • cmd.exe (PID: 7476)
      • cmd.exe (PID: 7292)
    • The process executes via Task Scheduler

      • taskhostw.exe (PID: 1452)
      • Microsoft.exe (PID: 5360)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • curl.exe (PID: 5608)
      • Microsoft.exe (PID: 5360)
      • SearchFilter.exe (PID: 1764)
      • NVIDIA Control Panel.exe (PID: 8752)
    • The process executes VB scripts

      • cmd.exe (PID: 7848)
      • cmd.exe (PID: 8604)
      • cmd.exe (PID: 5556)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • wscript.exe (PID: 8176)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • wscript.exe (PID: 8176)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • wscript.exe (PID: 8176)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 8244)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Uses TASKKILL.EXE to kill Browsers

      • cmd.exe (PID: 8248)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6132)
      • cmd.exe (PID: 3804)
      • cmd.exe (PID: 1388)
    • Contacting a server suspected of hosting a CnC

      • DWWIN.EXE (PID: 6208)
    • Connects to unusual port

      • DWWIN.EXE (PID: 6208)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4408)
    • Query Microsoft Defender preferences

      • SearchFilter.exe (PID: 1764)
    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 8720)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • NVIDIA Control Panel.exe (PID: 8752)
      • SearchFilter.exe (PID: 1764)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 8720)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 8276)
  • INFO

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Creates files in the program directory

      • powershell.exe (PID: 7448)
      • SearchFilter.exe (PID: 1764)
      • 7z.exe (PID: 3784)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Checks proxy server information

      • powershell.exe (PID: 7448)
      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • taskhostw.exe (PID: 1452)
      • slui.exe (PID: 8308)
      • NVIDIA Control Panel.exe (PID: 8752)
      • Microsoft.exe (PID: 5360)
      • DWWIN.EXE (PID: 6208)
    • Disables trace logs

      • powershell.exe (PID: 7448)
    • The sample is compiled with English language support

      • powershell.exe (PID: 7448)
      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • 7z.exe (PID: 8848)
      • 7z4.exe (PID: 5044)
      • 7z.exe (PID: 3784)
    • Found Base64 encoded file access via PowerShell (YARA)

      • powershell.exe (PID: 7448)
    • The executable file from the user directory is run by the Powershell process

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • NVIDIA Control Panel.exe (PID: 8752)
    • Reads the computer name

      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 2148)
      • SearchFilter.exe (PID: 7172)
      • identity_helper.exe (PID: 7252)
      • SearchFilter.exe (PID: 7896)
      • SearchFilter.exe (PID: 7748)
      • 7z.exe (PID: 8848)
      • 7z4.exe (PID: 5044)
      • taskhostw.exe (PID: 1452)
      • taskhostw.exe (PID: 4108)
      • NVIDIA Control Panel.exe (PID: 8752)
      • curl.exe (PID: 5608)
      • NVIDIA Control Panel.exe (PID: 2284)
      • 7z.exe (PID: 2268)
    • Checks supported languages

      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 2148)
      • SearchFilter.exe (PID: 7172)
      • csc.exe (PID: 7768)
      • cvtres.exe (PID: 672)
      • identity_helper.exe (PID: 7252)
      • SearchFilter.exe (PID: 7896)
      • SearchFilter.exe (PID: 7748)
      • SearchFilter.exe (PID: 8212)
      • 7z.exe (PID: 8848)
      • csc.exe (PID: 2568)
      • cvtres.exe (PID: 4284)
      • taskhostw.exe (PID: 1452)
      • taskhostw.exe (PID: 4108)
      • taskhostw.exe (PID: 3620)
      • 7z4.exe (PID: 5044)
      • NVIDIA Control Panel.exe (PID: 8752)
      • curl.exe (PID: 5608)
      • NVIDIA Control Panel.exe (PID: 8336)
      • NVIDIA Control Panel.exe (PID: 2284)
      • Microsoft.exe (PID: 5360)
      • Microsoft.exe (PID: 8372)
      • Microsoft.exe (PID: 7900)
      • SearchFilter.exe (PID: 8228)
      • 7z.exe (PID: 2268)
      • identity_helper.exe (PID: 6040)
      • 7z.exe (PID: 7100)
    • Creates files in a temporary directory

      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • cvtres.exe (PID: 672)
      • csc.exe (PID: 7768)
      • SearchFilter.exe (PID: 7896)
      • csc.exe (PID: 2568)
      • powershell.exe (PID: 5868)
      • taskhostw.exe (PID: 1452)
      • NVIDIA Control Panel.exe (PID: 8752)
      • powershell.exe (PID: 8272)
      • Microsoft.exe (PID: 5360)
      • 7z.exe (PID: 7100)
    • Reads product name

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
    • Reads Environment values

      • SearchFilter.exe (PID: 1764)
      • identity_helper.exe (PID: 7252)
      • SearchFilter.exe (PID: 7896)
    • Process checks computer location settings

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • NVIDIA Control Panel.exe (PID: 8752)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 7448)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4068)
      • WMIC.exe (PID: 208)
      • powershell.exe (PID: 5868)
      • WMIC.exe (PID: 8216)
      • DWWIN.EXE (PID: 6208)
      • WMIC.exe (PID: 8720)
      • WMIC.exe (PID: 7424)
      • powershell.exe (PID: 8272)
    • Reads the machine GUID from the registry

      • SearchFilter.exe (PID: 1764)
      • csc.exe (PID: 7768)
      • SearchFilter.exe (PID: 7896)
      • csc.exe (PID: 2568)
    • Manual execution by a user

      • msedge.exe (PID: 7276)
      • msedge.exe (PID: 6660)
    • Application launched itself

      • msedge.exe (PID: 7276)
      • msedge.exe (PID: 6660)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • SearchFilter.exe (PID: 1764)
    • Found Base64 encoded access to processes via PowerShell (YARA)

      • SearchFilter.exe (PID: 1764)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • SearchFilter.exe (PID: 1764)
    • Node.js compiler has been detected

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 2148)
      • SearchFilter.exe (PID: 7172)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8384)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 8272)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8384)
      • powershell.exe (PID: 7052)
    • Reads the software policy settings

      • slui.exe (PID: 7620)
      • powershell.exe (PID: 5868)
      • slui.exe (PID: 8308)
    • Creates files or folders in the user directory

      • 7z.exe (PID: 8848)
      • 7z4.exe (PID: 5044)
      • SearchFilter.exe (PID: 1764)
      • taskhostw.exe (PID: 1452)
      • NVIDIA Control Panel.exe (PID: 8752)
      • Microsoft.exe (PID: 5360)
      • DWWIN.EXE (PID: 6208)
      • 7z.exe (PID: 2268)
    • Reads CPU info

      • SearchFilter.exe (PID: 1764)
      • NVIDIA Control Panel.exe (PID: 8752)
      • Microsoft.exe (PID: 5360)
    • Execution of CURL command

      • cmd.exe (PID: 8748)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 8096)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 8096)
    • Creates a new folder

      • cmd.exe (PID: 4608)
    • Attempting to use instant messaging service

      • SearchFilter.exe (PID: 1764)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 750
Monitored processes: 613
Malicious processes: 36
Suspicious processes: 11

Behavior graph


Process information

PID | CMD | Path | Indicators | Parent process
PID: 208
CMD: WMIC LOGICALDISK GET Name,Size,FreeSpace
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 208
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 340
CMD: schtasks /query /TN "WindowsActionsDialog"
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 352
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "schtasks /query /TN "WindowsActionsDialog" >nul 2>&1"
Path: C:\Windows\System32\cmd.exe
Parent process: Microsoft.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 456
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 496
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\4c2e3142-0cc9-483f-a592-ec2f23f95d9f.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 536
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES4D52.tmp" "c:\Users\admin\AppData\Local\Temp\CSCA049026EB6084E85A87994EF71B077CB.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
PID: 736
CMD: PowerShell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File \"C:\Users\admin\.vs-script\disabledefender.ps1\"' -WindowStyle Hidden -Verb RunAs"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events: 169 413
Read events: 169 264
Write events: 133
Delete events: 16

Modification events

(PID) Process: (7448) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value:
0

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value:
2

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value:
1

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value:
0

(PID) Process: (7276) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value:
9488BFD066912F00

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\131902
Operation: write
Name: WindowTabManagerFileMappingId
Value:
{22809989-9B9A-43DE-96E5-10518EA02435}

(PID) Process: (7276) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value:
D887D0D066912F00

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\131902
Operation: write
Name: WindowTabManagerFileMappingId
Value:
{71F56AE5-A800-4ABA-BE13-8363AAC9F4E5}

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\131902
Operation: write
Name: WindowTabManagerFileMappingId
Value:
{2C037AB0-E205-4C52-A7A6-C18B49169BE1}
Executable files: 105
Suspicious files: 1 407
Text files: 337
Unknown types: 1

Dropped files

PID | Process | Filename | Type

7448 | powershell.exe | C:\Users\admin\AppData\Local\Temp\ab9da7bd-8b22-4c76-98de-85c856ef2b9b.7z |
MD5:
SHA256:

1300 | 7z.exe | C:\Users\admin\AppData\Local\Temp\71f05754-07be-416a-9ed7-11cf41ce9e5a\icudtl.dat |
MD5:
SHA256:

7448 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10b77a.TMP | binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

7448 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NLW04ID8A86PJMGP4GLG.temp | binary
MD5: 84B65FE4F5EDE1B0F1F648B215F72484
SHA256: 5688626B3762059808D2342908704483C3EEF914CFDDAF61A63DAEB912F34EE3

7448 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_up54u5uf.yvx.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

1300 | 7z.exe | C:\Users\admin\AppData\Local\Temp\71f05754-07be-416a-9ed7-11cf41ce9e5a\chrome_100_percent.pak | binary
MD5: ACD0FA0A90B43CD1C87A55A991B4FAC3
SHA256: CCBCA246B9A93FA8D4F01A01345E7537511C590E4A8EFD5777B1596D10923B4B

7448 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
MD5: 84B65FE4F5EDE1B0F1F648B215F72484
SHA256: 5688626B3762059808D2342908704483C3EEF914CFDDAF61A63DAEB912F34EE3

1300 | 7z.exe | C:\Users\admin\AppData\Local\Temp\71f05754-07be-416a-9ed7-11cf41ce9e5a\locales\bn.pak | binary
MD5: 5CDD07FA357C846771058C2DB67EB13B
SHA256: 01C830B0007B8CE6ACA46E26D812947C3DF818927B826F7D8C5FFD0008A32384

7448 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hitdhxw4.s20.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

7448 | powershell.exe | C:\ProgramData\sevenZip\7z.exe | executable
MD5: 9F018E5FEB96AAE0E893A739C83A8B1F
SHA256: D2C0045523CF053A6B43F9315E9672FC2535F06AEADD4FFA53C729CD8B2B6DFE
HTTP(S) requests: 38
TCP/UDP connections: 232
DNS requests: 208
Threats: 49

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7232 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
 | | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted
9024 | svchost.exe | HEAD | 200 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d | unknown | | | whitelisted
7232 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
9024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d | unknown | | | whitelisted
9024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d | unknown | | | whitelisted
9024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d | unknown | | | whitelisted
9024 | svchost.exe | GET | 206 | 199.232.210.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d | unknown | | | whitelisted
5608 | curl.exe | GET | 200 | 104.26.12.205:80 | http://api.ipify.org/ | unknown | | | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
 | | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2104 | svchost.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
 | | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
7448 | powershell.exe | 49.12.202.237:443 | www.7-zip.org | Hetzner Online GmbH | DE | whitelisted
7448 | powershell.exe | 188.114.96.3:443 | rlim.com | CLOUDFLARENET | NL | unknown
7448 | powershell.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted
7448 | powershell.exe | 185.199.109.133:443 | objects.githubusercontent.com | FASTLY | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.156
  • 23.48.23.143
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
www.7-zip.org
  • 49.12.202.237
whitelisted
rlim.com
  • 188.114.96.3
  • 188.114.97.3
unknown
github.com
  • 140.82.121.4
  • 140.82.121.3
whitelisted
objects.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.75
  • 20.190.159.129
  • 20.190.159.68
  • 40.126.31.0
  • 40.126.31.1
  • 20.190.159.2
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted

Threats

PID | Process | Class | Message
6964 | msedge.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964 | msedge.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964 | msedge.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964 | msedge.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964 | msedge.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964 | msedge.exe | Misc activity | ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI
6964 | msedge.exe | Misc activity | ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964 | msedge.exe | Misc activity | ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI
6964 | msedge.exe | Misc activity | ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI
6964 | msedge.exe | Misc activity | ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI
No debug info