File name:

1.ps1

Full analysis: https://app.any.run/tasks/76b8435a-8793-418c-bce7-ad6bf74a0d3c
Verdict: Malicious activity
Analysis date: June 02, 2025, 01:21:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
arch-exec
arch-doc
python
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text
MD5:

172EA9A8815E73CA94D28927D21CC527

SHA1:

B23F8FDCF0B1D769C6D75934FB916EE9E59244F5

SHA256:

65627A0B02B2C741A94FBA5345781C2471A38A3A1D9270F56DCE24A896F16C75

SSDEEP:

48:Jh4DVNOdnBcii9AEG/PB5adXGS1qipIfnERyu5tG2RT2Ot+Em5QvuWTOtXLrWxnV:nNG90Udb1BgERyuK22m+15QWuOtXGY1k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5956)

  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • powershell.exe (PID: 5956)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 5956)
      • python.exe (PID: 4724)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 5956)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 5956)

    • Loads Python modules

      • python.exe (PID: 4724)

    • Starts CMD.EXE for commands execution

      • python.exe (PID: 4724)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 5956)

    • Process drops python dynamic module

      • powershell.exe (PID: 5956)

  • INFO

    • Disables trace logs

      • powershell.exe (PID: 5956)

    • Python executable

      • python.exe (PID: 4404)
      • pythonw.exe (PID: 516)
      • python.exe (PID: 4724)

    • Manual execution by a user

      • pythonw.exe (PID: 516)
      • python.exe (PID: 4404)
      • notepad.exe (PID: 7980)
      • cmd.exe (PID: 7800)
      • WinRAR.exe (PID: 1116)
      • rundll32.exe (PID: 7408)
      • OpenWith.exe (PID: 7808)
      • OpenWith.exe (PID: 7524)
      • notepad.exe (PID: 6248)
      • notepad.exe (PID: 3032)
      • notepad.exe (PID: 656)
      • notepad.exe (PID: 7764)
      • OpenWith.exe (PID: 1276)
      • OpenWith.exe (PID: 7700)
      • OpenWith.exe (PID: 6828)
      • notepad.exe (PID: 2560)
      • OpenWith.exe (PID: 8048)
      • notepad.exe (PID: 5720)
      • notepad.exe (PID: 856)

    • Checks proxy server information

      • powershell.exe (PID: 5956)
      • rundll32.exe (PID: 7408)
      • python.exe (PID: 4724)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7980)
      • rundll32.exe (PID: 7408)
      • notepad.exe (PID: 856)

    • The sample compiled with english language support

      • powershell.exe (PID: 5956)
      • python.exe (PID: 4724)

    • Reads the software policy settings

      • rundll32.exe (PID: 7408)
      • python.exe (PID: 4724)

    • Creates files or folders in the user directory

      • rundll32.exe (PID: 7408)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5956)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5956)

    • Create files in a temporary directory

      • python.exe (PID: 4724)

    • Checks operating system version

      • python.exe (PID: 4724)

    • Reads the machine GUID from the registry

      • python.exe (PID: 4724)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • python.exe (PID: 4724)

    • Reads the computer name

      • python.exe (PID: 4724)

    • Checks supported languages

      • python.exe (PID: 4724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
28
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs svchost.exe python.exe no specs conhost.exe no specs pythonw.exe no specs notepad.exe no specs winrar.exe no specs rundll32.exe rundll32.exe no specs cmd.exe no specs conhost.exe no specs notepad.exe no specs python.exe cmd.exe no specs slui.exe openwith.exe no specs openwith.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs openwith.exe no specs notepad.exe no specs openwith.exe no specs openwith.exe no specs notepad.exe no specs notepad.exe no specs openwith.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\Users\admin\Desktop\pythonw.exe" C:\Users\admin\Desktop\pythonw.exeexplorer.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
3221225781
Version:
3.11.8
Modules
Images
c:\users\admin\desktop\pythonw.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140.dll
656"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\LICENSE.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
856"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\README.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
1116"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\python311.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1276"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\METADATAC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2560"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\top_level.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
3032"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\vendor.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
4404"C:\Users\admin\Desktop\python.exe" C:\Users\admin\Desktop\python.exeexplorer.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Exit code:
3221225781
Version:
3.11.8
Modules
Images
c:\users\admin\desktop\python.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\vcruntime140.dll
4724"C:\Temp\PortablePython\python.exe" C:\\Temp\PortablePython\get-pip.pyC:\Temp\PortablePython\python.exe
powershell.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Version:
3.11.8
Modules
Images
c:\temp\portablepython\python.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\temp\portablepython\vcruntime140.dll
c:\temp\portablepython\python311.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
25 791
Read events
25 781
Write events
10
Delete events
0

Modification events

(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\python311.zip
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:writeName:ArcSort
Value:
32
(PID) Process:(1116) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:writeName:ArcSort
Value:
0
Executable files
44
Suspicious files
825
Text files
765
Unknown types
0

Dropped files

PID
Process
Filename
Type
7408rundll32.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_26B14BC5FFF8CCADF0E4994815CF2509binary
MD5:D69174A258486F34875C183B2C2B7A5E
SHA256:1DEF5779A206F30FD08A81DAA2E03107DEFAC0BA0BEBA678651C82583605E237
5956powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kbpakbo3.dh3.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5956powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF12025a.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5956powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vndwjuh2.zlf.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5956powershell.exeC:\Users\admin\AppData\Local\Temp\python-embed.zipcompressed
MD5:9199879FBAD4884ED93DDF77E8764920
SHA256:6347068CA56BF4DD6319F7EF5695F5A03F1ADE3E9AA2D6A095AB27FAA77A1290
5956powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:1081C3AC71976AA3D6D019589B272BE1
SHA256:81DBC3615AA7AB74A5BE0E4E0662081946697A74130CC652A7A904A7FE749028
7408rundll32.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:E26D74E3A4FB309C8987430B913D0F7B
SHA256:F60EAE614CCDBE68B0DE5885935D4E79AAC8448684861A6EDA8FFF7C56FCCA22
7408rundll32.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:B283D53BDD99A66A1B3F97345C3A0457
SHA256:6FC4873DC93989FECD879FBA906C727D1C27FA8DB84299C53B3F9FA1844AB61C
5956powershell.exeC:\Temp\PortablePython\python.exeexecutable
MD5:AF3E610BE9DCBF04D79C40C328316F81
SHA256:01FD1819096D112696BD2152068C1195C9BD4F57B6AB776EDDD98D66D44B8259
5956powershell.exeC:\Temp\PortablePython\python3.dllexecutable
MD5:35DA4143951C5354262A28DEE569B7B2
SHA256:920350A7C24C46339754E38D0DB34AB558E891DA0B3A389D5230A0D379BEE802
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
27
DNS requests
12
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
151.101.128.223:443
https://www.python.org/ftp/python/3.11.8/python-3.11.8-embed-amd64.zip
unknown
compressed
10.6 Mb
whitelisted
5956
powershell.exe
GET
200
34.160.111.145:80
http://ifconfig.me/ip
unknown
shared
5056
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5056
RUXIMICS.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
151.101.128.175:443
https://bootstrap.pypa.io/get-pip.py
unknown
text
2.17 Mb
whitelisted
7408
rundll32.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
GET
151.101.0.223:443
https://pypi.org/simple/pip/
unknown
7408
rundll32.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
GET
200
151.101.128.223:443
https://pypi.org/simple/pip/
unknown
binary
136 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5056
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5956
powershell.exe
34.160.111.145:80
ifconfig.me
GOOGLE
US
shared
5056
RUXIMICS.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
5056
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5956
powershell.exe
151.101.0.223:443
www.python.org
FASTLY
US
whitelisted
7408
rundll32.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5956
powershell.exe
151.101.192.175:443
bootstrap.pypa.io
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.238
whitelisted
ifconfig.me
  • 34.160.111.145
shared
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
www.python.org
  • 151.101.0.223
  • 151.101.128.223
  • 151.101.64.223
  • 151.101.192.223
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
bootstrap.pypa.io
  • 151.101.192.175
  • 151.101.64.175
  • 151.101.0.175
  • 151.101.128.175
whitelisted
pypi.org
  • 151.101.128.223
  • 151.101.64.223
  • 151.101.0.223
  • 151.101.192.223
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
5956
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
5956
powershell.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (ifconfig .me)
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
5956
powershell.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
2196
svchost.exe
Misc activity
ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
4724
python.exe
Misc activity
ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
No debug info