File name:

i.ps1

Full analysis: https://app.any.run/tasks/89bee93e-2ac1-4043-818b-003fe0d49da7
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: April 15, 2025, 12:43:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-powershell
stealer
evasion
rat
remcos
remote
api-base64
telegram
nodejs
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (6074), with no line terminators
MD5:

70E9F8B79323D52778C951092C1C7E50

SHA1:

435E74551890B8C70C4B09446EC6CE0A932763F5

SHA256:

643A7167361F96BD89B939F2DCDC4B696E6A336FE31B420D43D4967C48535C8E

SSDEEP:

96:f749jcwqan6KHZq7xjUYuvT+ylIiRUaf024Ng08HrUqhFNa+85DzDCoo8/MqPN1p:f749jcFa6KHZqtJuvT+mRt058HrNEHz9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 7720)
      • powershell.exe (PID: 7964)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 896)
      • powershell.exe (PID: 4464)
      • powershell.exe (PID: 736)
      • powershell.exe (PID: 8384)
      • powershell.exe (PID: 8504)
      • powershell.exe (PID: 2960)
      • powershell.exe (PID: 8540)
      • powershell.exe (PID: 5044)
      • powershell.exe (PID: 7212)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8748)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 8096)
      • powershell.exe (PID: 8168)
      • powershell.exe (PID: 496)
      • powershell.exe (PID: 5984)
      • powershell.exe (PID: 5968)
      • powershell.exe (PID: 7052)
      • powershell.exe (PID: 8076)
      • powershell.exe (PID: 8660)
      • powershell.exe (PID: 8272)
      • powershell.exe (PID: 8988)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 4400)
      • cmd.exe (PID: 7908)
      • cmd.exe (PID: 3268)
      • SearchFilter.exe (PID: 1764)
      • cmd.exe (PID: 3676)
      • cmd.exe (PID: 5364)
      • powershell.exe (PID: 736)
      • cmd.exe (PID: 9072)
      • cmd.exe (PID: 2288)
      • cmd.exe (PID: 8104)
      • cmd.exe (PID: 1672)
      • cmd.exe (PID: 6612)
      • wscript.exe (PID: 8240)
      • cmd.exe (PID: 2560)
      • wscript.exe (PID: 7604)
      • cmd.exe (PID: 8880)
      • cmd.exe (PID: 5136)
      • wscript.exe (PID: 8176)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 7908)
      • powershell.exe (PID: 8168)
      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 2692)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 736)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 8168)
      • powershell.exe (PID: 496)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 8572)
      • cmd.exe (PID: 8432)
      • cmd.exe (PID: 8656)
      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 9072)
      • cmd.exe (PID: 8216)
      • cmd.exe (PID: 7916)
    • Disables Windows Defender

      • reg.exe (PID: 6264)
      • reg.exe (PID: 8440)
      • reg.exe (PID: 8920)
      • reg.exe (PID: 8600)
      • reg.exe (PID: 9072)
      • reg.exe (PID: 8132)
      • reg.exe (PID: 7236)
      • reg.exe (PID: 2776)
      • reg.exe (PID: 8872)
    • UAC/LUA settings modification

      • reg.exe (PID: 5364)
      • reg.exe (PID: 5980)
    • Deletes shadow copies

      • powershell.exe (PID: 8384)
      • powershell.exe (PID: 7052)
    • The DLL Hijacking

      • taskhostw.exe (PID: 4108)
      • Microsoft.exe (PID: 8372)
    • Actions looks like stealing of personal data

      • NVIDIA Control Panel.exe (PID: 8752)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • wscript.exe (PID: 8176)
    • Starts CMD.EXE for self-deleting

      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 496)
      • powershell.exe (PID: 8100)
    • Steals credentials from Web Browsers

      • NVIDIA Control Panel.exe (PID: 8752)
    • REMCOS has been detected (SURICATA)

      • DWWIN.EXE (PID: 6208)
  • SUSPICIOUS

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Reverses array data (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7448)
      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • csc.exe (PID: 7768)
      • SearchFilter.exe (PID: 7896)
      • 7z.exe (PID: 8848)
      • csc.exe (PID: 2568)
      • 7z4.exe (PID: 5044)
      • taskhostw.exe (PID: 1452)
      • NVIDIA Control Panel.exe (PID: 8752)
      • 7z.exe (PID: 3784)
    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 7448)
      • SearchFilter.exe (PID: 1764)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Process drops legitimate windows executable

      • 7z.exe (PID: 1300)
      • 7z.exe (PID: 8848)
      • SearchFilter.exe (PID: 1764)
      • 7z4.exe (PID: 5044)
      • 7z.exe (PID: 3784)
    • Starts CMD.EXE for commands execution

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • NVIDIA Control Panel.exe (PID: 8752)
      • taskhostw.exe (PID: 1452)
      • powershell.exe (PID: 6256)
      • Microsoft.exe (PID: 5360)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 4408)
      • net.exe (PID: 5008)
      • net.exe (PID: 8224)
      • cmd.exe (PID: 8892)
      • net.exe (PID: 6384)
      • cmd.exe (PID: 2064)
      • cmd.exe (PID: 7268)
      • net.exe (PID: 7864)
      • cmd.exe (PID: 2596)
      • net.exe (PID: 8900)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7908)
      • cmd.exe (PID: 4400)
      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 3676)
      • SearchFilter.exe (PID: 1764)
      • cmd.exe (PID: 5364)
      • powershell.exe (PID: 736)
      • cmd.exe (PID: 9072)
      • cmd.exe (PID: 2288)
      • cmd.exe (PID: 8104)
      • cmd.exe (PID: 6612)
      • wscript.exe (PID: 8240)
      • cmd.exe (PID: 1672)
      • cmd.exe (PID: 2560)
      • wscript.exe (PID: 7604)
      • cmd.exe (PID: 8880)
      • cmd.exe (PID: 5136)
      • wscript.exe (PID: 8176)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 7908)
      • powershell.exe (PID: 8168)
      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 4024)
      • cmd.exe (PID: 2320)
      • cmd.exe (PID: 1012)
      • cmd.exe (PID: 2692)
    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 8004)
      • cmd.exe (PID: 3240)
    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 4068)
      • WMIC.exe (PID: 8216)
    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 2984)
      • cmd.exe (PID: 8952)
    • Application launched itself

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • powershell.exe (PID: 736)
      • taskhostw.exe (PID: 1452)
      • NVIDIA Control Panel.exe (PID: 8752)
      • Microsoft.exe (PID: 5360)
      • powershell.exe (PID: 8168)
    • The process executes Powershell scripts

      • cmd.exe (PID: 3268)
      • cmd.exe (PID: 5364)
      • powershell.exe (PID: 736)
      • wscript.exe (PID: 8240)
      • cmd.exe (PID: 2560)
      • wscript.exe (PID: 7604)
      • cmd.exe (PID: 8880)
      • cmd.exe (PID: 5136)
      • wscript.exe (PID: 8176)
      • powershell.exe (PID: 8168)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7768)
      • csc.exe (PID: 2568)
    • Starts process via Powershell

      • powershell.exe (PID: 4464)
      • powershell.exe (PID: 736)
      • powershell.exe (PID: 2960)
      • powershell.exe (PID: 8168)
    • Found strings related to reading or modifying Windows Defender settings

      • SearchFilter.exe (PID: 7896)
      • Microsoft.exe (PID: 5360)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 5364)
      • powershell.exe (PID: 736)
      • cmd.exe (PID: 5136)
      • powershell.exe (PID: 8168)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 8964)
      • cmd.exe (PID: 9112)
      • cmd.exe (PID: 9044)
      • cmd.exe (PID: 9200)
      • cmd.exe (PID: 8736)
      • cmd.exe (PID: 8808)
      • cmd.exe (PID: 8884)
      • cmd.exe (PID: 9056)
      • cmd.exe (PID: 9108)
      • cmd.exe (PID: 6944)
      • cmd.exe (PID: 9184)
      • cmd.exe (PID: 7372)
      • cmd.exe (PID: 5364)
      • cmd.exe (PID: 8048)
      • cmd.exe (PID: 5308)
      • cmd.exe (PID: 5228)
      • cmd.exe (PID: 8500)
      • cmd.exe (PID: 8636)
      • cmd.exe (PID: 8668)
      • cmd.exe (PID: 8752)
      • cmd.exe (PID: 8868)
      • cmd.exe (PID: 8900)
      • cmd.exe (PID: 8892)
      • cmd.exe (PID: 8580)
      • cmd.exe (PID: 9024)
      • cmd.exe (PID: 8640)
      • cmd.exe (PID: 8660)
      • cmd.exe (PID: 8828)
      • cmd.exe (PID: 9136)
      • cmd.exe (PID: 8840)
      • cmd.exe (PID: 8960)
      • cmd.exe (PID: 8096)
      • cmd.exe (PID: 9184)
      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 9060)
      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 7104)
      • cmd.exe (PID: 8924)
      • cmd.exe (PID: 8984)
      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 6824)
      • cmd.exe (PID: 3016)
      • cmd.exe (PID: 6564)
      • cmd.exe (PID: 8216)
      • cmd.exe (PID: 6800)
      • cmd.exe (PID: 7340)
      • cmd.exe (PID: 8612)
      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 8872)
      • cmd.exe (PID: 1040)
      • cmd.exe (PID: 4068)
      • cmd.exe (PID: 9032)
      • cmd.exe (PID: 8612)
      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 8952)
      • cmd.exe (PID: 7100)
      • cmd.exe (PID: 8456)
      • cmd.exe (PID: 7616)
      • cmd.exe (PID: 5176)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 2408)
      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 8236)
      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 8992)
      • cmd.exe (PID: 9072)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 7604)
      • cmd.exe (PID: 1812)
      • cmd.exe (PID: 6872)
      • cmd.exe (PID: 8876)
    • Modifies existing scheduled task

      • schtasks.exe (PID: 8704)
      • schtasks.exe (PID: 8480)
      • schtasks.exe (PID: 8628)
      • schtasks.exe (PID: 9004)
      • schtasks.exe (PID: 8828)
      • schtasks.exe (PID: 8712)
      • schtasks.exe (PID: 8924)
      • schtasks.exe (PID: 1324)
      • schtasks.exe (PID: 8364)
      • schtasks.exe (PID: 2408)
    • Executes as Windows Service

      • VSSVC.exe (PID: 9076)
      • VSSVC.exe (PID: 8040)
    • There is functionality for taking screenshot (YARA)

      • SearchFilter.exe (PID: 2148)
    • Get information on the list of running processes

      • SearchFilter.exe (PID: 1764)
      • cmd.exe (PID: 9072)
      • cmd.exe (PID: 8256)
      • cmd.exe (PID: 7656)
      • cmd.exe (PID: 8244)
      • NVIDIA Control Panel.exe (PID: 8752)
      • taskhostw.exe (PID: 1452)
      • cmd.exe (PID: 4452)
      • Microsoft.exe (PID: 5360)
      • cmd.exe (PID: 2692)
    • Lists all scheduled tasks

      • schtasks.exe (PID: 8024)
      • schtasks.exe (PID: 2772)
      • schtasks.exe (PID: 900)
      • schtasks.exe (PID: 2316)
      • schtasks.exe (PID: 2240)
      • schtasks.exe (PID: 9028)
      • schtasks.exe (PID: 7912)
      • schtasks.exe (PID: 7196)
      • schtasks.exe (PID: 7832)
      • schtasks.exe (PID: 340)
    • The process executes via Task Scheduler

      • taskhostw.exe (PID: 1452)
      • Microsoft.exe (PID: 5360)
    • Hides command output

      • cmd.exe (PID: 7316)
      • cmd.exe (PID: 4932)
      • cmd.exe (PID: 8856)
      • cmd.exe (PID: 7292)
      • cmd.exe (PID: 7476)
      • cmd.exe (PID: 352)
      • cmd.exe (PID: 5256)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • curl.exe (PID: 5608)
      • Microsoft.exe (PID: 5360)
      • SearchFilter.exe (PID: 1764)
      • NVIDIA Control Panel.exe (PID: 8752)
    • The process executes VB scripts

      • cmd.exe (PID: 7848)
      • cmd.exe (PID: 8604)
      • cmd.exe (PID: 5556)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • wscript.exe (PID: 8176)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • wscript.exe (PID: 8176)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 8240)
      • wscript.exe (PID: 7604)
      • wscript.exe (PID: 8176)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 8244)
    • Uses TASKKILL.EXE to kill Browsers

      • cmd.exe (PID: 8248)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6132)
      • cmd.exe (PID: 1388)
      • cmd.exe (PID: 3804)
    • Contacting a server suspected of hosting an CnC

      • DWWIN.EXE (PID: 6208)
    • Connects to unusual port

      • DWWIN.EXE (PID: 6208)
    • Accesses antivirus product name via WMI (SCRIPT)

      • WMIC.exe (PID: 8720)
    • Query Microsoft Defender preferences

      • SearchFilter.exe (PID: 1764)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • NVIDIA Control Panel.exe (PID: 8752)
      • SearchFilter.exe (PID: 1764)
    • Uses WMIC.EXE to obtain Windows Installer data

      • cmd.exe (PID: 4408)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 8720)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 8276)
  • INFO

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7448)
      • powershell.exe (PID: 6256)
      • powershell.exe (PID: 8100)
      • powershell.exe (PID: 496)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Creates files in the program directory

      • powershell.exe (PID: 7448)
      • SearchFilter.exe (PID: 1764)
      • 7z.exe (PID: 3784)
    • Disables trace logs

      • powershell.exe (PID: 7448)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 7448)
    • Checks proxy server information

      • powershell.exe (PID: 7448)
      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • taskhostw.exe (PID: 1452)
      • NVIDIA Control Panel.exe (PID: 8752)
      • slui.exe (PID: 8308)
      • Microsoft.exe (PID: 5360)
      • DWWIN.EXE (PID: 6208)
    • The sample compiled with english language support

      • powershell.exe (PID: 7448)
      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • 7z.exe (PID: 8848)
      • 7z4.exe (PID: 5044)
      • 7z.exe (PID: 3784)
    • Checks supported languages

      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 2148)
      • SearchFilter.exe (PID: 7172)
      • csc.exe (PID: 7768)
      • cvtres.exe (PID: 672)
      • identity_helper.exe (PID: 7252)
      • SearchFilter.exe (PID: 7896)
      • SearchFilter.exe (PID: 7748)
      • SearchFilter.exe (PID: 8212)
      • 7z.exe (PID: 8848)
      • cvtres.exe (PID: 4284)
      • 7z4.exe (PID: 5044)
      • csc.exe (PID: 2568)
      • taskhostw.exe (PID: 1452)
      • taskhostw.exe (PID: 4108)
      • taskhostw.exe (PID: 3620)
      • NVIDIA Control Panel.exe (PID: 8752)
      • curl.exe (PID: 5608)
      • NVIDIA Control Panel.exe (PID: 2284)
      • NVIDIA Control Panel.exe (PID: 8336)
      • Microsoft.exe (PID: 5360)
      • Microsoft.exe (PID: 8372)
      • Microsoft.exe (PID: 7900)
      • SearchFilter.exe (PID: 8228)
      • 7z.exe (PID: 2268)
      • 7z.exe (PID: 7100)
      • identity_helper.exe (PID: 6040)
    • Found Base64 encoded file access via PowerShell (YARA)

      • powershell.exe (PID: 7448)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 7448)
    • Reads the computer name

      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7172)
      • SearchFilter.exe (PID: 2148)
      • identity_helper.exe (PID: 7252)
      • SearchFilter.exe (PID: 7896)
      • SearchFilter.exe (PID: 7748)
      • 7z.exe (PID: 8848)
      • 7z4.exe (PID: 5044)
      • taskhostw.exe (PID: 1452)
      • taskhostw.exe (PID: 4108)
      • curl.exe (PID: 5608)
      • NVIDIA Control Panel.exe (PID: 2284)
      • NVIDIA Control Panel.exe (PID: 8752)
      • 7z.exe (PID: 2268)
    • Create files in a temporary directory

      • 7z.exe (PID: 1300)
      • SearchFilter.exe (PID: 1764)
      • cvtres.exe (PID: 672)
      • csc.exe (PID: 7768)
      • SearchFilter.exe (PID: 7896)
      • powershell.exe (PID: 5868)
      • csc.exe (PID: 2568)
      • taskhostw.exe (PID: 1452)
      • NVIDIA Control Panel.exe (PID: 8752)
      • powershell.exe (PID: 8272)
      • 7z.exe (PID: 7100)
      • Microsoft.exe (PID: 5360)
    • The executable file from the user directory is run by the Powershell process

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • NVIDIA Control Panel.exe (PID: 8752)
    • Reads Environment values

      • SearchFilter.exe (PID: 1764)
      • identity_helper.exe (PID: 7252)
      • SearchFilter.exe (PID: 7896)
    • Reads product name

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
    • Process checks computer location settings

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 7896)
      • NVIDIA Control Panel.exe (PID: 8752)
    • Reads the machine GUID from the registry

      • SearchFilter.exe (PID: 1764)
      • csc.exe (PID: 7768)
      • SearchFilter.exe (PID: 7896)
      • csc.exe (PID: 2568)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4068)
      • WMIC.exe (PID: 208)
      • powershell.exe (PID: 5868)
      • WMIC.exe (PID: 8216)
      • DWWIN.EXE (PID: 6208)
      • WMIC.exe (PID: 8720)
      • WMIC.exe (PID: 7424)
      • powershell.exe (PID: 8272)
    • Manual execution by a user

      • msedge.exe (PID: 7276)
      • msedge.exe (PID: 6660)
    • Application launched itself

      • msedge.exe (PID: 7276)
      • msedge.exe (PID: 6660)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • SearchFilter.exe (PID: 1764)
    • Found Base64 encoded access to processes via PowerShell (YARA)

      • SearchFilter.exe (PID: 1764)
    • Potential access to remote process (Base64 Encoded 'OpenProcess')

      • SearchFilter.exe (PID: 1764)
    • Node.js compiler has been detected

      • SearchFilter.exe (PID: 1764)
      • SearchFilter.exe (PID: 2148)
      • SearchFilter.exe (PID: 7172)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8384)
      • powershell.exe (PID: 8272)
      • powershell.exe (PID: 7052)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8384)
      • powershell.exe (PID: 7052)
    • Reads the software policy settings

      • slui.exe (PID: 7620)
      • powershell.exe (PID: 5868)
      • slui.exe (PID: 8308)
    • Creates files or folders in the user directory

      • 7z.exe (PID: 8848)
      • 7z4.exe (PID: 5044)
      • SearchFilter.exe (PID: 1764)
      • taskhostw.exe (PID: 1452)
      • NVIDIA Control Panel.exe (PID: 8752)
      • Microsoft.exe (PID: 5360)
      • DWWIN.EXE (PID: 6208)
      • 7z.exe (PID: 2268)
    • Reads CPU info

      • SearchFilter.exe (PID: 1764)
      • NVIDIA Control Panel.exe (PID: 8752)
      • Microsoft.exe (PID: 5360)
    • Execution of CURL command

      • cmd.exe (PID: 8748)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 8096)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 8096)
    • Creates a new folder

      • cmd.exe (PID: 4608)
    • Attempting to use instant messaging service

      • SearchFilter.exe (PID: 1764)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
750
Monitored processes
613
Malicious processes
36
Suspicious processes
11

Behavior graph

start powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe rundll32.exe no specs 7z.exe conhost.exe no specs searchfilter.exe cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs searchfilter.exe no specs searchfilter.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs searchfilter.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs searchfilter.exe no specs searchfilter.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no 
specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs vssadmin.exe no specs vssvc.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe cmd.exe no specs 
conhost.exe no specs 7z.exe no specs cmd.exe no specs conhost.exe no specs 7z.exe msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs 7z4.exe cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs taskhostw.exe msedge.exe no specs taskhostw.exe no specs taskhostw.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs nvidia control panel.exe cmd.exe no specs conhost.exe no specs curl.exe nvidia control panel.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs nvidia control panel.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs 7z.exe msedge.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wscript.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs microsoft.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs microsoft.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs cmd.exe no 
specs microsoft.exe no specs timeout.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wscript.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs svchost.exe regasm.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs #REMCOS dwwin.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs regasm.exe no specs tasklist.exe no specs msedge.exe no specs searchfilter.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs regasm.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs regasm.exe no specs cmd.exe no specs conhost.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs schtasks.exe no specs regasm.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs regasm.exe no specs regasm.exe no specs cmd.exe no specs conhost.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs regasm.exe no specs cmd.exe no specs reg.exe no specs timeout.exe no specs cmd.exe no specs conhost.exe no specs regasm.exe no specs regasm.exe no specs cmd.exe no specs reg.exe no specs timeout.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs reg.exe no specs wmic.exe no specs cmd.exe no 
specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs 7z.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs wmic.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs vssadmin.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs 
vssvc.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs reg.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs msedge.exe no specs msedge.exe no specs attrib.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs 7z.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 208
CMD: WMIC LOGICALDISK GET Name,Size,FreeSpace
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 208
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 340
CMD: schtasks /query /TN "WindowsActionsDialog"
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 352
CMD: C:\WINDOWS\system32\cmd.exe /d /s /c "schtasks /query /TN "WindowsActionsDialog" >nul 2>&1"
Path: C:\Windows\System32\cmd.exe
Parent process: Microsoft.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 456
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 496
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\Temp\4c2e3142-0cc9-483f-a592-ec2f23f95d9f.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 536
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 672
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES4D52.tmp" "c:\Users\admin\AppData\Local\Temp\CSCA049026EB6084E85A87994EF71B077CB.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
PID: 736
CMD: PowerShell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Start-Process PowerShell -ArgumentList '-NoProfile -ExecutionPolicy Bypass -File \"C:\Users\admin\.vs-script\disabledefender.ps1\"' -WindowStyle Hidden -Verb RunAs"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
Total events
169 413
Read events
169 264
Write events
133
Delete events
16

Modification events

(PID) Process: (7448) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: failed_count
Value: 0

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 2

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

(PID) Process: (7276) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: 9488BFD066912F00

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\131902
Operation: write
Name: WindowTabManagerFileMappingId
Value: {22809989-9B9A-43DE-96E5-10518EA02435}

(PID) Process: (7276) msedge.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation: write
Name: S-1-5-21-1693682860-607145093-2874071422-1001
Value: D887D0D066912F00

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\131902
Operation: write
Name: WindowTabManagerFileMappingId
Value: {71F56AE5-A800-4ABA-BE13-8363AAC9F4E5}

(PID) Process: (7276) msedge.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\131902
Operation: write
Name: WindowTabManagerFileMappingId
Value: {2C037AB0-E205-4C52-A7A6-C18B49169BE1}
Executable files
105
Suspicious files
1 407
Text files
337
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 7448
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\ab9da7bd-8b22-4c76-98de-85c856ef2b9b.7z
MD5:
SHA256:

PID: 1300
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Temp\71f05754-07be-416a-9ed7-11cf41ce9e5a\icudtl.dat
MD5:
SHA256:

PID: 7448
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NLW04ID8A86PJMGP4GLG.temp
Type: binary
MD5: 84B65FE4F5EDE1B0F1F648B215F72484
SHA256: 5688626B3762059808D2342908704483C3EEF914CFDDAF61A63DAEB912F34EE3

PID: 7448
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5: 84B65FE4F5EDE1B0F1F648B215F72484
SHA256: 5688626B3762059808D2342908704483C3EEF914CFDDAF61A63DAEB912F34EE3

PID: 7448
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10b77a.TMP
Type: binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID: 1300
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Temp\71f05754-07be-416a-9ed7-11cf41ce9e5a\locales\en-US.pak
Type: binary
MD5: 5E3813E616A101E4A169B05F40879A62
SHA256: 4D207C5C202C19C4DACA3FDDB2AE4F747F943A8FAF86A947EEF580E2F2AEE687

PID: 1300
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Temp\71f05754-07be-416a-9ed7-11cf41ce9e5a\chrome_200_percent.pak
Type: binary
MD5: 4610337E3332B7E65B73A6EA738B47DF
SHA256: C91ABF556E55C29D1EA9F560BB17CC3489CB67A5D0C7A22B58485F5F2FBCF25C

PID: 7448
Process: powershell.exe
Filename: C:\ProgramData\sevenZip\7z.exe
Type: executable
MD5: 9F018E5FEB96AAE0E893A739C83A8B1F
SHA256: D2C0045523CF053A6B43F9315E9672FC2535F06AEADD4FFA53C729CD8B2B6DFE

PID: 1300
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Temp\71f05754-07be-416a-9ed7-11cf41ce9e5a\chrome_100_percent.pak
Type: binary
MD5: ACD0FA0A90B43CD1C87A55A991B4FAC3
SHA256: CCBCA246B9A93FA8D4F01A01345E7537511C590E4A8EFD5777B1596D10923B4B

PID: 1300
Process: 7z.exe
Filename: C:\Users\admin\AppData\Local\Temp\71f05754-07be-416a-9ed7-11cf41ce9e5a\locales\en-GB.pak
Type: binary
MD5: D59E613E8F17BDAFD00E0E31E1520D1F
SHA256: 90E585F101CF0BB77091A9A9A28812694CEE708421CE4908302BBD1BC24AC6FD
HTTP(S) requests
38
TCP/UDP connections
232
DNS requests
208
Threats
49

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.166:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7232
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
9024
svchost.exe
HEAD
200
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d
unknown
whitelisted
9024
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d
unknown
whitelisted
7232
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
9024
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d
unknown
whitelisted
9024
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d
unknown
whitelisted
9024
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d
unknown
whitelisted
9024
svchost.exe
GET
206
199.232.210.172:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/cf34b06a-2f53-4bd0-9d11-b58cf2e820a4?P1=1744955547&P2=404&P3=2&P4=a2wtyXdisMlJZrrk%2b7J9ZIa3VBMNAHfKKQirfiFUsLxa4jCzL8KcAZGK3OSSY2Gyc6jWxKwejXdvOt3tmQxhrQ%3d%3d
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
23.48.23.166:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7448
powershell.exe
49.12.202.237:443
www.7-zip.org
Hetzner Online GmbH
DE
whitelisted
7448
powershell.exe
188.114.96.3:443
rlim.com
CLOUDFLARENET
NL
unknown
7448
powershell.exe
140.82.121.4:443
github.com
GITHUB
US
whitelisted
7448
powershell.exe
185.199.109.133:443
objects.githubusercontent.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.156
  • 23.48.23.143
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
www.7-zip.org
  • 49.12.202.237
whitelisted
rlim.com
  • 188.114.96.3
  • 188.114.97.3
unknown
github.com
  • 140.82.121.4
  • 140.82.121.3
whitelisted
objects.githubusercontent.com
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.110.133
  • 185.199.111.133
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.75
  • 20.190.159.129
  • 20.190.159.68
  • 40.126.31.0
  • 40.126.31.1
  • 20.190.159.2
  • 20.190.159.71
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted

Threats

PID
Process
Class
Message
6964
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964
msedge.exe
Misc activity
ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI
6964
msedge.exe
Misc activity
ET INFO Commonly Abused File Sharing Site Domain Observed in DNS Lookup (file .io)
6964
msedge.exe
Misc activity
ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI
6964
msedge.exe
Misc activity
ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI
6964
msedge.exe
Misc activity
ET INFO Observed Commonly Abused File Sharing Site Domain (file .io) in TLS SNI
No debug info