File name:	01062025_1437_1.ps1
Full analysis:	https://app.any.run/tasks/936395ee-3e33-4e4d-8c99-e3dcc8233e5e
Verdict:	Malicious activity
Analysis date:	June 01, 2025, 14:43:52
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	evasion arch-exec arch-doc python
Indicators:
MIME:	text/plain
File info:	Unicode text, UTF-8 text
MD5:	9303AF8A1310D4A66684A660ED286551
SHA1:	9ABC45F8D6A4C5CFC8F403AE529713DEA40FDF3A
SHA256:	644D9AADA9EBE7D434753097BFA8875C4C41B545E8DD63E69EF54A6FEDE66624
SSDEEP:	48:Jh4DVNOdnBcii9AEG/PB5adXGS1qipIfnERyu5tG2RT2Ot+Em5Qv/9W/4OtXLr59:nNG90Udb1BgERyuK22m+15QX9g4OtXJ9


(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\python311.zip
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7576) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

PID	Process	Filename		Type
6476	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12044e.TMP		binary
		MD5:D040F64E9E7A2BB91ABCA5613424598E	SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6476	powershell.exe	C:\Users\admin\AppData\Local\Temp\python-embed.zip		compressed
		MD5:9199879FBAD4884ED93DDF77E8764920	SHA256:6347068CA56BF4DD6319F7EF5695F5A03F1ADE3E9AA2D6A095AB27FAA77A1290
6476	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_iyckfpdg.aub.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6476	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bg42revr.3ai.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6476	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H2Y56ZB24AIHVX94DQOL.temp		binary
		MD5:42C7D8EA103B136632E654DE841DB068	SHA256:E423B0E91A312B8C0C885F818310C4409E2BD0F7FEF9ADE82AFC310E60ACD653
6476	powershell.exe	C:\Temp\PortablePython\pythonw.exe		executable
		MD5:837DD66E580DDC9B5DCC191156A202C2	SHA256:E65ECC6B135F8C2269A2163F5C906376F2FEA3B61571D312D779F36F772CEAC1
6476	powershell.exe	C:\Temp\PortablePython\select.pyd		executable
		MD5:E07AE2F7F28305B81ADFD256716AE8C6	SHA256:FB06AC13F8B444C3F7AE5D2AF15710A4E60A126C3C61A1F1E1683F05F685626C
6476	powershell.exe	C:\Temp\PortablePython\unicodedata.pyd		executable
		MD5:5CC36A5DE45A2C16035ADE016B4348EB	SHA256:F28AC3E3AD02F9E1D8B22DF15FA30B2190B080261A9ADC6855248548CD870D20
6476	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:42C7D8EA103B136632E654DE841DB068	SHA256:E423B0E91A312B8C0C885F818310C4409E2BD0F7FEF9ADE82AFC310E60ACD653
6476	powershell.exe	C:\Temp\PortablePython\pyexpat.pyd		executable
		MD5:D7ECC2746314FEC5CA46B64C964EA93E	SHA256:58B95F03A2D7EC49F5260E3E874D2B9FB76E95ECC80537E27ABEF0C74D03CB00

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7852	RUXIMICS.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7852	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6476	powershell.exe	GET	200	34.160.111.145:80	http://ifconfig.me/ip	unknown	—	—	shared
—	—	GET	200	151.101.0.223:443	https://www.python.org/ftp/python/3.11.8/python-3.11.8-embed-amd64.zip	unknown	compressed	10.6 Mb	whitelisted
—	—	GET	200	151.101.128.175:443	https://bootstrap.pypa.io/get-pip.py	unknown	text	2.17 Mb	whitelisted
8040	rundll32.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D	unknown	—	—	whitelisted
—	—	GET	200	151.101.192.223:443	https://files.pythonhosted.org/packages/29/a2/d40fb2460e883eca5199c62cfc2463fd261f760556ae6290f88488c362c0/pip-25.1.1-py3-none-any.whl.metadata	unknown	text	3.56 Kb	whitelisted
—	—	GET	200	151.101.64.223:443	https://pypi.org/simple/setuptools/	unknown	binary	747 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
7852	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
7852	RUXIMICS.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
7852	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6476	powershell.exe	34.160.111.145:80	ifconfig.me	GOOGLE	US	shared

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	216.58.206.78	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.166 23.48.23.143	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
ifconfig.me	34.160.111.145	shared
www.python.org	151.101.0.223 151.101.64.223 151.101.128.223 151.101.192.223	whitelisted
bootstrap.pypa.io	151.101.64.175 151.101.192.175 151.101.128.175 151.101.0.175	whitelisted
ocsp.digicert.com	2.17.190.73	whitelisted
pypi.org	151.101.64.223 151.101.0.223 151.101.128.223 151.101.192.223	whitelisted
files.pythonhosted.org	151.101.192.223 151.101.0.223 151.101.64.223 151.101.128.223	whitelisted

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
6476	powershell.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain (ifconfig .me)
6476	powershell.exe	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
6476	powershell.exe	Device Retrieving External IP Address Detected	SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
2196	svchost.exe	Misc activity	ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
7680	python.exe	Misc activity	ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)

General Info

01062025_1437_1.ps1

9303AF8A1310D4A66684A660ED286551

9ABC45F8D6A4C5CFC8F403AE529713DEA40FDF3A

644D9AADA9EBE7D434753097BFA8875C4C41B545E8DD63E69EF54A6FEDE66624

48:Jh4DVNOdnBcii9AEG/PB5adXGS1qipIfnERyu5tG2RT2Ot+Em5Qv/9W/4OtXLr59:nNG90Udb1BgERyuK22m+15QX9g4OtXJ9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

SUSPICIOUS

Checks for external IP

Gets file extension (POWERSHELL)

The process drops C-runtime libraries

Process drops legitimate windows executable

Loads Python modules

Starts CMD.EXE for commands execution

Process drops python dynamic module

Executable content was dropped or overwritten

INFO

Disables trace logs

Checks proxy server information

Checks if a key exists in the options dictionary (POWERSHELL)

Manual execution by a user

Python executable

The sample compiled with english language support

Checks operating system version

Reads the software policy settings

Checks supported languages

Creates files or folders in the user directory

Create files in a temporary directory

Drops encrypted JS script (Microsoft Script Encoder)

Checks whether the specified file exists (POWERSHELL)

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Reads the computer name

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings