File name: 1.ps1
Full analysis: https://app.any.run/tasks/35b29787-f032-40cd-b934-17ed404a5b75
Verdict: Malicious activity
Analysis date: June 02, 2025, 01:15:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, python, arch-exec, arch-doc
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text
MD5: 172EA9A8815E73CA94D28927D21CC527
SHA1: B23F8FDCF0B1D769C6D75934FB916EE9E59244F5
SHA256: 65627A0B02B2C741A94FBA5345781C2471A38A3A1D9270F56DCE24A896F16C75
SSDEEP: 48:Jh4DVNOdnBcii9AEG/PB5adXGS1qipIfnERyu5tG2RT2Ot+Em5QvuWTOtXLrWxnV:nNG90Udb1BgERyuK22m+15QWuOtXGY1k
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Bypass execution policy to execute commands
      • powershell.exe (PID: 7752)
  • SUSPICIOUS
    • Checks for external IP
      • svchost.exe (PID: 2196)
      • powershell.exe (PID: 7752)
    • Executable content was dropped or overwritten
      • powershell.exe (PID: 7752)
      • python.exe (PID: 5988)
    • Process drops legitimate Windows executable
      • powershell.exe (PID: 7752)
    • The process drops C-runtime libraries
      • powershell.exe (PID: 7752)
    • Gets file extension (POWERSHELL)
      • powershell.exe (PID: 7752)
    • Process drops Python dynamic module
      • powershell.exe (PID: 7752)
    • Loads Python modules
      • python.exe (PID: 5988)
    • Starts CMD.EXE for command execution
      • python.exe (PID: 5988)
  • INFO
    • Checks proxy server information
      • powershell.exe (PID: 7752)
      • python.exe (PID: 5988)
    • Disables trace logs
      • powershell.exe (PID: 7752)
    • Checks if a key exists in the options dictionary (POWERSHELL)
      • powershell.exe (PID: 7752)
    • Checks whether the specified file exists (POWERSHELL)
      • powershell.exe (PID: 7752)
    • The sample was compiled with English language support
      • powershell.exe (PID: 7752)
      • python.exe (PID: 5988)
    • Python executable
      • python.exe (PID: 5988)
    • Checks supported languages
      • python.exe (PID: 5988)
    • Creates files in a temporary directory
      • python.exe (PID: 5988)
    • Checks operating system version
      • python.exe (PID: 5988)
    • Drops encrypted JS script (Microsoft Script Encoder)
      • python.exe (PID: 5988)
    • Reads the computer name
      • python.exe (PID: 5988)
    • Manual execution by a user
      • OpenWith.exe (PID: 2064)
      • notepad.exe (PID: 8188)
      • cmd.exe (PID: 7368)
      • notepad.exe (PID: 6744)
    • Reads the machine GUID from the registry
      • python.exe (PID: 5988)
    • Creates files or folders in the user directory
      • python.exe (PID: 5988)
    • Reads the software policy settings
      • python.exe (PID: 5988)
      • slui.exe (PID: 7388)
    • Reads security settings of Internet Explorer
      • notepad.exe (PID: 6744)
      • notepad.exe (PID: 8188)
    • Reads Microsoft Office registry keys
      • OpenWith.exe (PID: 2064)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 138
Monitored processes: 14
Malicious processes: 1
Suspicious processes: 1

Behavior graph (process nodes as listed): powershell.exe, conhost.exe, sppextcomobj.exe, slui.exe, svchost.exe, python.exe, cmd.exe, cmd.exe, conhost.exe, notepad.exe, rundll32.exe, openwith.exe, slui.exe, notepad.exe

Process information (per process: PID, CMD, Path, Indicators, Parent process)
PID: 2064
CMD: "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\fetch_macholib
Path: C:\Windows\System32\OpenWith.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2616
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 4192
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: python.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 5036
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5988
CMD: "C:\Temp\PortablePython\python.exe" C:\\Temp\PortablePython\get-pip.py
Path: C:\Temp\PortablePython\python.exe
Parent process: powershell.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Version:
3.11.8
Modules
Images
c:\temp\portablepython\python.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\temp\portablepython\vcruntime140.dll
c:\temp\portablepython\python311.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6744
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\README.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 7324
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7368
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\fetch_macholib.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 7388
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 13 421
Read events: 13 421
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 44
Suspicious files: 964
Text files: 943
Unknown types: 0

Dropped files (per file: PID, Process, Filename, Type, hashes)

PID 7752, powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\python-embed.zip
Type: compressed
MD5: 9199879FBAD4884ED93DDF77E8764920
SHA256: 6347068CA56BF4DD6319F7EF5695F5A03F1ADE3E9AA2D6A095AB27FAA77A1290

PID 7752, powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_i0mbup1x.fvt.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 7752, powershell.exe
Filename: C:\Temp\PortablePython\python.exe
Type: executable
MD5: AF3E610BE9DCBF04D79C40C328316F81
SHA256: 01FD1819096D112696BD2152068C1195C9BD4F57B6AB776EDDD98D66D44B8259

PID 7752, powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ixxfkfjk.wk5.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 7752, powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C4O3DB6ZM0WOEYX5IO7A.temp
Type: binary
MD5: 1B1A9E18EABCE3E40F9ED4F1EDDA25A7
SHA256: 4A42F7187605DEDCCE9E0CB0F748E0CC2214F3E90D0207740BA0EC1D94BE5DFD

PID 7752, powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF11f5c7.TMP
Type: binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID 7752, powershell.exe
Filename: C:\Temp\PortablePython\LICENSE.txt
Type: text
MD5: B52C821C7750804295E23B9E94525085
SHA256: E502C6B880FF58D614901495A9009C136539CD0B1E2A2ABB8FC00B934C203419

PID 7752, powershell.exe
Filename: C:\Temp\PortablePython\vcruntime140_1.dll
Type: executable
MD5: F8DFA78045620CF8A732E67D1B1EB53D
SHA256: A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5

PID 7752, powershell.exe
Filename: C:\Temp\PortablePython\vcruntime140.dll
Type: executable
MD5: BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256: 4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83

PID 7752, powershell.exe
Filename: C:\Temp\PortablePython\python3.dll
Type: executable
MD5: 35DA4143951C5354262A28DEE569B7B2
SHA256: 920350A7C24C46339754E38D0DB34AB558E891DA0B3A389D5230A0D379BEE802
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 18
Threats: 6

HTTP requests (PID | Process | Method | HTTP Code | IP | URL | CN | Reputation; the Type and Size columns are empty for every row)

5496 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7752 | powershell.exe | GET | 200 | 34.160.111.145:80 | http://ifconfig.me/ip | unknown | shared
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6700 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6700 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections (PID | Process | IP | Domain | ASN | CN | Reputation; fields the report leaves blank are omitted)

4 | System | 192.168.100.255:137 | whitelisted
5608 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(PID/process not listed) | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7784 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
7752 | powershell.exe | 34.160.111.145:80 | ifconfig.me | GOOGLE | US | shared
7752 | powershell.exe | 167.82.48.223:443 | www.python.org | FASTLY | US | whitelisted
6544 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests (Domain, resolved IPs, Reputation)
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.166
  • 23.48.23.143
  • 23.48.23.147
  • 23.48.23.156
  • 23.48.23.173
  • 23.48.23.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 142.250.184.238
whitelisted
ifconfig.me
  • 34.160.111.145
shared
www.python.org
  • 167.82.48.223
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.23
  • 40.126.31.129
  • 40.126.31.0
  • 40.126.31.2
  • 40.126.31.69
  • 40.126.31.130
  • 40.126.31.1
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
bootstrap.pypa.io
  • 151.101.192.175
  • 151.101.128.175
  • 151.101.64.175
  • 151.101.0.175
whitelisted

Threats (PID | Process | Class | Message)

2196 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
7752 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
7752 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ifconfig .me)
2196 | svchost.exe | Misc activity | ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
5988 | python.exe | Misc activity | ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
7752 | powershell.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info