File name: trigger.ps1

Full analysis: https://app.any.run/tasks/2916e43e-3096-43f0-b70f-630fa4ca893d
Verdict: Malicious activity
Threats:

Quasar is a widely used remote access trojan (RAT), largely because its source code is published openly on GitHub. It gives an operator remote control of the victim's computer.

Analysis date: May 18, 2025, 18:27:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: github, auto-reg, quasar
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: E962F0AA5105C04DEA4720899CFABDA9
SHA1: 6498BB0CC3BD570D8FA64851BD71F6C0D42689DE
SHA256: 89A28D9D97E08B6A50887B56FC3A4AF370444D2643286594373499410EC3144F
SSDEEP: 6:vs84deGgdEYlqihCyLLh8TQ2rLTMqi0RxvmWf2i+21hLNKUvWkqi0RxvZ:vs84kuPOCyXGTQ2fV9HmY2LQy9HZ

ANY.RUN is an interactive service that gives the analyst full access to the guest system, so the information in this report may have been influenced by analyst actions. It is provided as is; ANY.RUN does not guarantee that the analysed content is malicious or safe.
  • MALICIOUS
    • Bypass execution policy to execute commands: powershell.exe (PID: 7288)
    • Adds path to the Windows Defender exclusion list: powershell.exe (PID: 7288)
    • Changes Windows Defender settings: powershell.exe (PID: 7288)
    • Changes the autorun value in the registry: RuntimeBroker.exe (PID: 7920), RuntimeBroker.exe (PID: 7876)
    • QUASAR has been detected (YARA): RuntimeBroker.exe (PID: 7920)
  • SUSPICIOUS
    • Starts POWERSHELL.EXE for commands execution: powershell.exe (PID: 7288)
    • Script adds exclusion path to Windows Defender: powershell.exe (PID: 7288)
    • Application launched itself: powershell.exe (PID: 7288)
    • Manipulates environment variables: powershell.exe (PID: 7592)
    • Starts itself from another location: RuntimeBroker.exe (PID: 7876)
    • Executable content was dropped or overwritten: powershell.exe (PID: 7288), RuntimeBroker.exe (PID: 7876)
    • Connects to unusual port: RuntimeBroker.exe (PID: 7920)
    • There is functionality for taking screenshot (YARA): RuntimeBroker.exe (PID: 7920)
    • Potential Corporate Privacy Violation: svchost.exe (PID: 2196)
  • INFO
    • Disables trace logs: powershell.exe (PID: 7288)
    • Checks proxy server information: powershell.exe (PID: 7288), slui.exe (PID: 5380)
    • Checks if a key exists in the options dictionary (POWERSHELL): powershell.exe (PID: 7592)
    • Script raised an exception (POWERSHELL): powershell.exe (PID: 7592)
    • Auto-launch of the file from Registry key: RuntimeBroker.exe (PID: 7876), RuntimeBroker.exe (PID: 7920)
    • Reads the computer name: RuntimeBroker.exe (PID: 7920, 7876, 7996)
    • Checks supported languages: RuntimeBroker.exe (PID: 7920, 7876, 7996)
    • Reads Environment values: RuntimeBroker.exe (PID: 7920, 7876, 7996)
    • Reads the machine GUID from the registry: RuntimeBroker.exe (PID: 7920, 7876, 7996)
    • The executable file from the user directory is run by the Powershell process: RuntimeBroker.exe (PID: 7876)
    • Creates files or folders in the user directory: RuntimeBroker.exe (PID: 7876)
    • Reads the software policy settings: slui.exe (PID: 5380)
    • Manual execution by a user: RuntimeBroker.exe (PID: 7996)

Quasar configuration (extracted from PID 7920, RuntimeBroker.exe)

Version: 1.4.1
C2 (2): anonam39-41248.portmap.io:41248
Sub_Dir: a7
Install_Name: RuntimeBroker.exe
Mutex: bcabad1b-b1a9-478b-a187-3607b6476fd1
Startup: RuntimeBroker
Tag: RuntimeBroker
LogDir: Logs
Signature (truncated in the report): IRSv9+3T5/mK+JFq
HzHs9VCwzt9UmZdNX4mpaH6sUOiS/SzOx3oFMaYcXyRiq3yqqOTprI9n/pp405+UqX6svT2SVriTNryUvgv3RVeJGNnIrwWEV/OgsWN4ppBiFUKp+agc7bem0KxtMTs0/z86MSSxSrknYIkd822PJk/4oOFnMjLLwtARUpcN9dEM982jblkOpoe/xahtY5AUTLw1VFgxCArQPYhCbdogvRjNmVOsaL9bUt440QDIC2TEx0qx3OQMGDDwEJr8Lq2FMFuSjjMVJBJlZq508ztqXrtugcJ...
Certificate (truncated in the report): MIIE9DCCAtygAwIBAgIQAJTsDfVbBAk6GsI4YETERzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMCAXDTI0MTAyNjE2NTczOVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA3KEybjgwX9mumSck9V8jHw5JN3DJLMTvlaNKW6TDq3TEySE5l4hdabpSlEn23mxb+U8NcYzO...
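The Certificate value is the start of the server CA certificate that the Quasar client carries so it can validate its C2 connection, and even the cut-off prefix the report prints is enough to recover the fields that fingerprint this operator's server. The parser below is an added example, not ANY.RUN's or Quasar's code: a minimal DER walker that stops cleanly where the data ends, so it needs neither the full certificate nor a crypto library. It assumes only the base64 exactly as printed above and the three OIDs in its lookup table; any other OID is reported in dotted form.

```python
import base64

# The "Certificate" value exactly as the report prints it; the trailing "..." marks the cut.
CERT_B64_PREFIX = (
    "MIIE9DCCAtygAwIBAgIQAJTsDfVbBAk6GsI4YETERzANBgkqhkiG9w0BAQ0FADAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENB"
    "MCAXDTI0MTAyNjE2NTczOVoYDzk5OTkxMjMxMjM1OTU5WjAbMRkwFwYDVQQDDBBRdWFzYXIgU2VydmVyIENBMIICIjANBgkqhkiG9w0BAQEF"
    "AAOCAg8AMIICCgKCAgEA3KEybjgwX9mumSck9V8jHw5JN3DJLMTvlaNKW6TDq3TEySE5l4hdabpSlEn23mxb+U8NcYzO..."
)
# Only the OIDs this parser needs to name (an assumption); anything else comes back dotted.
OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
             "2.5.4.3": "CN"}


def decode_prefix(b64: str) -> bytes:
    """Drop whitespace, the '...' marker and any incomplete 4-char group, then base64-decode."""
    s = "".join(b64.split()).rstrip(".")
    return base64.b64decode(s[: len(s) - len(s) % 4])


def read_header(buf: bytes, pos: int):
    """One DER tag/length -> (tag, length, value_start, value_end); None if the header is cut off."""
    if pos + 2 > len(buf):
        return None
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                                   # long form: the next n bytes carry the length
        n = first & 0x7F
        if pos + n > len(buf):
            return None
        first, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, first, pos, pos + first                # value_end may exceed len(buf); slicing clips


def children(buf: bytes, start: int, end: int):
    """Yield the TLVs inside a constructed value, stopping silently at the truncation point."""
    pos = start
    while pos < min(end, len(buf)):
        hdr = read_header(buf, pos)
        if hdr is None:
            return
        yield hdr
        pos = hdr[3]


def decode_oid(raw: bytes) -> str:  # dotted OID from DER content octets (base-128 arcs)
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def oid_name(raw: bytes) -> str:
    dotted = decode_oid(raw)
    return OID_NAMES.get(dotted, dotted)


def decode_name(buf: bytes, start: int, end: int) -> list:
    """X.501 Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    rdns = []
    for _, _, set_s, set_e in children(buf, start, end):
        for _, _, atv_s, atv_e in children(buf, set_s, set_e):
            parts = list(children(buf, atv_s, atv_e))
            if len(parts) == 2:
                rdns.append((oid_name(buf[parts[0][2]:parts[0][3]]),
                             buf[parts[1][2]:parts[1][3]].decode("utf-8", "replace")))
    return rdns


def decode_time(tag: int, raw: bytes) -> str:  # UTCTime (0x17) or GeneralizedTime (0x18) -> ISO 8601
    s = raw.decode("ascii")
    if tag == 0x17:                                    # RFC 5280: YY 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return f"{s[0:4]}-{s[4:6]}-{s[6:8]}T{s[8:10]}:{s[10:12]}:{s[12:14]}Z"


def parse_cert_prefix(der: bytes) -> dict:
    """Walk Certificate -> tbsCertificate and decode every field that survives the cut."""
    outer = read_header(der, 0)
    tbs = read_header(der, outer[2]) if outer else None
    if not outer or not tbs or outer[0] != 0x30 or tbs[0] != 0x30:
        raise ValueError("not the start of a DER Certificate")
    info = {"bytes_available": len(der), "declared_total_length": outer[3], "truncated": outer[3] > len(der)}
    fields = list(children(der, tbs[2], tbs[3]))
    if fields and fields[0][0] == 0xA0:                # [0] EXPLICIT Version INTEGER (0 means v1)
        info["version"], fields = der[fields[0][3] - 1] + 1, fields[1:]
    for name, (_, _, s, e) in zip(("serial", "signature_algorithm", "issuer", "validity", "subject", "spki"), fields):
        if name == "serial":
            info["serial"] = der[s:e].hex()
        elif name == "signature_algorithm":            # AlgorithmIdentifier ::= SEQUENCE { OID, params }
            oid = next(children(der, s, e))
            info[name] = oid_name(der[oid[2]:oid[3]])
        elif name in ("issuer", "subject"):
            info[name] = decode_name(der, s, e)
        elif name == "validity":
            for key, t in zip(("not_before", "not_after"), children(der, s, e)):
                info[key] = decode_time(t[0], der[t[2]:t[3]])
        elif name == "spki":                           # SubjectPublicKeyInfo { algorithm, BIT STRING }
            alg, bits = list(children(der, s, e))[:2]
            oid = next(children(der, alg[2], alg[3]))
            info["key_algorithm"] = oid_name(der[oid[2]:oid[3]])
            if info["key_algorithm"] == "rsaEncryption":
                rsa = read_header(der, bits[2] + 1)    # skip the BIT STRING's unused-bits octet
                modulus = read_header(der, rsa[2])      # RSAPublicKey ::= SEQUENCE { modulus INTEGER, ... }
                if modulus and modulus[2] < len(der):  # a leading 0x00 only keeps the INTEGER positive
                    info["key_bits"] = (modulus[1] - (der[modulus[2]] == 0)) * 8
    return info


if __name__ == "__main__":
    print(parse_cert_prefix(decode_prefix(CERT_B64_PREFIX)))
```

On this prefix it returns a self-signed CN=Quasar Server CA, a sha512WithRSAEncryption signature, a 4096-bit RSA key and validity from 2024-10-26 16:57:39 UTC to 9999-12-31, which is what the open-source Quasar server generates by default when it creates its CA. The serial number and the notBefore timestamp are the parts specific to this operator's installation; they are the values worth pivoting on when clustering samples.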
All screenshots are available in the full report
Total processes: 136
Monitored processes: 9
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process chain as drawn in the report (parent links taken from the process table below; the two conhost.exe instances are matched to their PowerShell parents by integrity level):

explorer.exe
  powershell.exe (7288) -ep bypass trigger.ps1
    conhost.exe (7296)
    powershell.exe (7592) Add-MpPreference -ExclusionPath $env:AppData  [HIGH integrity]
      conhost.exe (7600)
    RuntimeBroker.exe (7876) C:\Users\admin\AppData\Roaming\RuntimeBroker.exe
      RuntimeBroker.exe (7920) C:\Users\admin\AppData\Roaming\a7\RuntimeBroker.exe  #QUASAR
explorer.exe
  RuntimeBroker.exe (7996) C:\Users\admin\AppData\Roaming\a7\RuntimeBroker.exe  [manual execution by a user]
services.exe
  svchost.exe (2196) -k NetworkService -p -s Dnscache
svchost.exe
  slui.exe (5380) -Embedding

Process information

PID 2196
  CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Host Process for Windows Services
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): svchost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, sechost.dll, rpcrt4.dll, bcrypt.dll, ucrtbase.dll, combase.dll, kernel.appcore.dll

PID 5380
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): slui.exe, ntdll.dll, kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll, user32.dll

PID 7288
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\trigger.ps1
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe; under c:\windows\system32\: ntdll.dll, kernel32.dll, kernelbase.dll, msvcrt.dll, oleaut32.dll, msvcp_win.dll, ucrtbase.dll, combase.dll, rpcrt4.dll

PID 7296
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID 7592
  CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:AppData
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH (elevated)
  Description: Windows PowerShell
  Exit code: 1
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe; under c:\windows\system32\: ntdll.dll, kernel32.dll, kernelbase.dll, msvcrt.dll, oleaut32.dll, msvcp_win.dll, ucrtbase.dll, atl.dll, user32.dll

PID 7600
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\Windows\System32\conhost.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images, all under c:\windows\system32\): conhost.exe, ntdll.dll, kernel32.dll, kernelbase.dll, msvcp_win.dll, ucrtbase.dll, shcore.dll, msvcrt.dll, combase.dll, rpcrt4.dll

PID 7876
  CMD: "C:\Users\admin\AppData\Roaming\RuntimeBroker.exe"
  Path: C:\Users\admin\AppData\Roaming\RuntimeBroker.exe
  Parent process: powershell.exe
  User: admin
  Company: (none)
  Integrity level: MEDIUM
  Description: RuntimeBroker
  Exit code: 3
  Version: 1.1.1.1
  Modules (images): c:\users\admin\appdata\roaming\runtimebroker.exe; under c:\windows\system32\: ntdll.dll, mscoree.dll, kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll

PID 7920
  CMD: "C:\Users\admin\AppData\Roaming\a7\RuntimeBroker.exe"
  Path: C:\Users\admin\AppData\Roaming\a7\RuntimeBroker.exe
  Parent process: RuntimeBroker.exe
  User: admin
  Company: (none)
  Integrity level: MEDIUM
  Description: RuntimeBroker
  Version: 1.1.1.1
  Modules (images): c:\users\admin\appdata\roaming\a7\runtimebroker.exe; under c:\windows\system32\: ntdll.dll, mscoree.dll, kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll
PID 7996
  CMD: "C:\Users\admin\AppData\Roaming\a7\RuntimeBroker.exe"
  Path: C:\Users\admin\AppData\Roaming\a7\RuntimeBroker.exe
  Parent process: explorer.exe
  User: admin
  Company: (none)
  Integrity level: MEDIUM
  Description: RuntimeBroker
  Exit code: 2
  Version: 1.1.1.1
  Modules (images): c:\users\admin\appdata\roaming\a7\runtimebroker.exe; under c:\windows\system32\: ntdll.dll, mscoree.dll, kernel32.dll, kernelbase.dll, advapi32.dll, msvcrt.dll, sechost.dll, rpcrt4.dll, bcrypt.dll

Note that the three RuntimeBroker.exe processes carry no company name, report version 1.1.1.1, run from the user profile and load mscoree.dll (the .NET runtime loader, consistent with Quasar being a .NET binary); none of this is true of the genuine C:\Windows\System32\RuntimeBroker.exe, which is Microsoft-signed and versioned with the OS build.
Total events: 15 299
Read events: 15 297
Write events: 2
Delete events: 0

Modification events

PID 7876 (RuntimeBroker.exe): write to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name RuntimeBroker, value "C:\Users\admin\AppData\Roaming\a7\RuntimeBroker.exe"
PID 7920 (RuntimeBroker.exe): write to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name RuntimeBroker, value "C:\Users\admin\AppData\Roaming\a7\RuntimeBroker.exe"
Executable files: 2
Suspicious files: 7
Text files: 4
Unknown types: 0

Dropped files

PID 7288 (powershell.exe): C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uubowdwf.zeu.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 7288 (powershell.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J1E6AX4ANDUZCSZH6SYC.temp (binary)
  MD5: 5DE4B9662BD5819BE0D34950909608C9
  SHA256: CF221456A0A59EAD871C4C9828798CB5587B7C7AF4C13B8A811FB05E384D8AB2
PID 7288 (powershell.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10bfc7.TMP (binary)
  MD5: D040F64E9E7A2BB91ABCA5613424598E
  SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
PID 7288 (powershell.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (binary)
  MD5: 5DE4B9662BD5819BE0D34950909608C9
  SHA256: CF221456A0A59EAD871C4C9828798CB5587B7C7AF4C13B8A811FB05E384D8AB2
PID 7288 (powershell.exe): C:\Users\admin\AppData\Roaming\RuntimeBroker.exe (executable)
  MD5: 29A51CECF6F6EBBE981A939F208BDCDF
  SHA256: 5E6C07ED2FC454CCA8BE8EBD13A18D32BDB217859A8C9DC871A104A3017D32D5
PID 7592 (powershell.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
  MD5: FD16079304762DE8A379E36AF31C669A
  SHA256: C308BED9B58033EAADAD792C05832732566F5AE9F9E2A068F9A5668534D8469E
PID 7592 (powershell.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (binary)
  MD5: 8C9EFCB40660F8974A3EF5DD97BF47A3
  SHA256: 787233FF4464DEAB89F552CE7C2E2EBC0A2E89607495531132988D08AB743DF1
PID 7876 (RuntimeBroker.exe): C:\Users\admin\AppData\Roaming\a7\RuntimeBroker.exe (executable)
  MD5: 29A51CECF6F6EBBE981A939F208BDCDF
  SHA256: 5E6C07ED2FC454CCA8BE8EBD13A18D32BDB217859A8C9DC871A104A3017D32D5
PID 7288 (powershell.exe): C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bb1ty33p.nq1.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 7592 (powershell.exe): C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gejd32yh.s4b.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

The only payload here is the RuntimeBroker.exe written by PID 7288 and then copied unchanged (same MD5/SHA256) into the a7\ sub-directory by PID 7876; the __PSScriptPolicyTest_* files are PowerShell's own probe for AppLocker/WDAC script policy, and the CustomDestinations and StartupProfileData entries are ordinary jump-list and profile-cache writes, so none of those are dropper artifacts.
HTTP(S) requests: 11
TCP/UDP connections: 90
DNS requests: 20
Threats: 9

HTTP requests (the Type and Size columns are empty in the report)

PID   Process        Method  Code  IP               URL                                                                                                         CN       Reputation
2104  svchost.exe    GET     200   23.48.23.141:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                                  unknown  whitelisted
5352  RUXIMICS.exe   GET     304   23.48.23.141:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                                  unknown  whitelisted
2104  svchost.exe    GET     200   23.52.120.96:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                         unknown  whitelisted
5352  RUXIMICS.exe   GET     200   23.52.120.96:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                         unknown  whitelisted
8152  SIHClient.exe  GET     200   23.52.120.96:80  http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl                            unknown  whitelisted
8152  SIHClient.exe  GET     200   23.52.120.96:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl  unknown  whitelisted
8152  SIHClient.exe  GET     200   23.48.23.143:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl                                      unknown  whitelisted
8152  SIHClient.exe  GET     200   23.52.120.96:80  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl                      unknown  whitelisted
8152  SIHClient.exe  GET     200   23.48.23.143:80  http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl                                      unknown  whitelisted
8152  SIHClient.exe  GET     200   23.52.120.96:80  http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl                            unknown  whitelisted

Every request listed is a Windows CRL fetch by OS components; the GitHub download of the payload does not appear in this table and is visible only in the DNS and Suricata rows below.

Connections ("-" marks a cell the report leaves empty)

PID   Process       IP                   Domain                  ASN                          CN  Reputation
5352  RUXIMICS.exe  40.127.240.158:443   -                       MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
4     System        192.168.100.255:137  -                       -                            -   whitelisted
2104  svchost.exe   40.127.240.158:443   -                       MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
-     -             40.127.240.158:443   -                       MICROSOFT-CORP-MSN-AS-BLOCK  IE  unknown
4     System        192.168.100.255:138  -                       -                            -   whitelisted
3216  svchost.exe   172.211.123.250:443  client.wns.windows.com  MICROSOFT-CORP-MSN-AS-BLOCK  FR  whitelisted
2104  svchost.exe   23.48.23.141:80      crl.microsoft.com       Akamai International B.V.    DE  whitelisted
2104  svchost.exe   23.52.120.96:80      www.microsoft.com       AKAMAI-AS                    DE  whitelisted
5352  RUXIMICS.exe  23.48.23.141:80      crl.microsoft.com       Akamai International B.V.    DE  whitelisted
5352  RUXIMICS.exe  23.52.120.96:80      www.microsoft.com       AKAMAI-AS                    DE  whitelisted

DNS requests

google.com: 142.250.186.46 (whitelisted)
client.wns.windows.com: 172.211.123.250, 172.211.123.248 (whitelisted)
crl.microsoft.com: 23.48.23.141, 23.48.23.169, 23.48.23.180, 23.48.23.166, 23.48.23.194, 23.48.23.193, 23.48.23.147, 23.48.23.143, 23.48.23.176, 23.48.23.164, 23.48.23.177, 23.48.23.145 (whitelisted)
www.microsoft.com: 23.52.120.96 (whitelisted)
login.live.com: 20.190.159.128, 40.126.31.130, 40.126.31.129, 20.190.159.4, 20.190.159.73, 20.190.159.130, 20.190.159.64, 20.190.159.75 (whitelisted)
github.com: 140.82.121.4 (whitelisted)
raw.githubusercontent.com: 185.199.109.133, 185.199.108.133, 185.199.111.133, 185.199.110.133 (whitelisted)
anonam39-41248.portmap.io: 193.161.193.99 (malicious)
settings-win.data.microsoft.com: 4.231.128.59, 20.73.194.208 (whitelisted)
slscr.update.microsoft.com: 4.245.163.56 (whitelisted)

Threats ("-" marks a row the report does not attribute to a process)

PID   Process      Class                                  Message
-     -            Not Suspicious Traffic                 ET INFO Windows Powershell User-Agent Usage
-     -            Misc activity                          ET INFO Request for EXE via Powershell
2196  svchost.exe  Not Suspicious Traffic                 INFO [ANY.RUN] Attempting to access raw user content on GitHub
-     -            Not Suspicious Traffic                 ET INFO Windows Powershell User-Agent Usage
-     -            Misc activity                          ET INFO Request for EXE via Powershell
-     -            Potential Corporate Privacy Violation  ET INFO PE EXE or DLL Windows file download HTTP
-     -            Misc activity                          ET HUNTING EXE Downloaded from Github
2196  svchost.exe  Potential Corporate Privacy Violation  ET INFO DNS Query to a Reverse Proxy Service Observed
2196  svchost.exe  Misc activity                          ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
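The behaviours this report records (a PowerShell execution-policy bypass, an elevated Add-MpPreference exclusion on a profile path, a binary named like a system process running from AppData and spawned by PowerShell, an HKCU Run value pointing into the profile, and a DNS lookup of a .portmap.io tunnelling host followed by traffic to a non-standard port) map directly onto host telemetry. The Python below is an added example, not ANY.RUN's signatures or Quasar code: it encodes each behaviour as a rule over Sysmon-style event dicts (event IDs 1, 3, 13 and 22 with Sysmon's field names) and runs them over records constructed from this report's process table, Run-key write and DNS query plus one benign control. The profile-path pattern, the list of system binary names, the tunnelling-domain suffixes and the port allowlist are assumptions to tune for your own estate.

```python
import re
from collections import defaultdict

# Assumptions to tune per estate: what counts as a user-writable path, which binary names
# deserve a location check, which tunnelling services and which ports are "expected".
PROFILE_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|desktop|downloads)\\", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARY_NAMES = {"runtimebroker.exe", "svchost.exe", "dllhost.exe", "conhost.exe"}
TUNNEL_DOMAINS = (".portmap.io",)                      # extend with other port-forwarding services
COMMON_PORTS = {53, 80, 443, 445, 135, 139, 3389, 5985, 5986}
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
EXEC_POLICY_BYPASS = re.compile(r"-e(?:x\w*|p)\s+bypass", re.I)   # -ep / -exec / -ExecutionPolicy Bypass
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\b.*-exclusion(?:path|process|extension)", re.I)


def basename(path: str) -> str:
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def in_profile(path: str) -> bool:
    return bool(PROFILE_PATH.match(path.strip('"')))


def in_system_dir(path: str) -> bool:
    return path.strip('"').lower().startswith(SYSTEM_DIRS)


# One Sysmon-style event dict in, True when the rule fires. Comments give the report PID each rule targets.
RULES = {
    "exec_policy_bypass": lambda ev: (ev["EventID"] == 1 and basename(ev["Image"]) == "powershell.exe"   # 7288
                                      and bool(EXEC_POLICY_BYPASS.search(ev["CommandLine"]))),
    "defender_exclusion": lambda ev: (ev["EventID"] == 1                                                  # 7592
                                      and bool(DEFENDER_EXCLUSION.search(ev["CommandLine"]))),
    "masquerade": lambda ev: (ev["EventID"] == 1 and basename(ev["Image"]) in SYSTEM_BINARY_NAMES         # 7876/7920/7996
                              and not in_system_dir(ev["Image"])),
    "ps_spawns_profile_exe": lambda ev: (ev["EventID"] == 1 and basename(ev["ParentImage"]) == "powershell.exe"  # 7876
                                         and in_profile(ev["Image"])),
    "runkey_profile": lambda ev: (ev["EventID"] == 13 and bool(RUN_KEY.search(ev["TargetObject"]))        # Run-key writes
                                  and in_profile(ev["Details"])),
    "dns_tunnel": lambda ev: (ev["EventID"] == 22                                                         # portmap.io lookup
                              and ev["QueryName"].lower().endswith(TUNNEL_DOMAINS)),
    "profile_exe_unusual_port": lambda ev: (ev["EventID"] == 3 and in_profile(ev["Image"])                # port 41248
                                            and ev["DestinationPort"] not in COMMON_PORTS),
}


def run_rules(events):
    """(record, rule name) for every rule that fires on every event."""
    return [(ev["record"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


def rules_by_image(events):
    """Distinct rules per process image; two or more on one image is the strong lead to triage first."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["Image"].lower()].add(name)
    return {img: sorted(names) for img, names in hits.items()}


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
DROP1 = "C:\\Users\\admin\\AppData\\Roaming\\RuntimeBroker.exe"
DROP2 = "C:\\Users\\admin\\AppData\\Roaming\\a7\\RuntimeBroker.exe"
RUN = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\RuntimeBroker"

# Constructed records mirroring the report; record numbers are ours, the report PID is in the comment.
SAMPLE_EVENTS = [
    {"record": 1, "EventID": 1, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",                # 7288
     "CommandLine": f'"{PS}" -ep bypass C:\\Users\\admin\\Desktop\\trigger.ps1'},
    {"record": 2, "EventID": 1, "Image": PS, "ParentImage": PS,                                        # 7592
     "CommandLine": f'"{PS}" Add-MpPreference -ExclusionPath $env:AppData'},
    {"record": 3, "EventID": 1, "Image": DROP1, "ParentImage": PS, "CommandLine": f'"{DROP1}"'},       # 7876
    {"record": 4, "EventID": 1, "Image": DROP2, "ParentImage": DROP1, "CommandLine": f'"{DROP2}"'},    # 7920
    {"record": 5, "EventID": 13, "Image": DROP1, "TargetObject": RUN, "Details": f'"{DROP2}"'},
    {"record": 6, "EventID": 22, "Image": DROP2, "QueryName": "anonam39-41248.portmap.io"},
    {"record": 7, "EventID": 3, "Image": DROP2, "DestinationPort": 41248},
    # benign control: the genuine broker, started by svchost.exe from System32, must stay silent
    {"record": 8, "EventID": 1, "Image": "C:\\Windows\\System32\\RuntimeBroker.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\RuntimeBroker.exe -Embedding"},
]

if __name__ == "__main__":
    for record, name in run_rules(SAMPLE_EVENTS):
        print(record, name)
    print(rules_by_image(SAMPLE_EVENTS))
```

The masquerade rule is the one that pays off most broadly: it fires on all three RuntimeBroker.exe instances here regardless of how they were launched, and the same location check catches any other system-binary name an implant borrows. Scoring by image rather than by event is what separates the dropper chain (three distinct rules on each RuntimeBroker.exe copy) from a one-off Add-MpPreference run by an administrator.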