File name:

powershell.exe

Full analysis: https://app.any.run/tasks/d3f6c6d7-9e94-41d7-afd3-ceceeab50a1a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 13, 2025, 05:29:51
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (console) x86-64, for MS Windows, 6 sections
MD5:

2E5A8590CF6848968FC23DE3FA1E25F1

SHA1:

801262E122DB6A2E758962896F260B55BBD0136A

SHA256:

9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3

SSDEEP:

12288:oufZaQ9EEEEEEEE4OvnEEEEEEEE4NDzw9jXhVXVVVV3+VVVVCNGxDx:outEEEEEEEE4MnEEEEEEEE4NDyjXbCx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the date of Windows installation

      • powershell.exe (PID: 1480)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 1480)

    • Starts a Microsoft application from unusual location

      • powershell.exe (PID: 1480)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 1480)

    • Process checks Powershell history file

      • powershell.exe (PID: 1480)

    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 1480)

    • Checks Windows Trust Settings

      • powershell.exe (PID: 1480)

  • INFO

    • Process checks computer location settings

      • powershell.exe (PID: 1480)

    • The sample compiled with english language support

      • powershell.exe (PID: 1480)

    • Process checks Powershell version

      • powershell.exe (PID: 1480)

    • Reads the computer name

      • powershell.exe (PID: 1480)

    • Checks supported languages

      • powershell.exe (PID: 1480)

    • Reads the machine GUID from the registry

      • powershell.exe (PID: 1480)

    • Reads the software policy settings

      • powershell.exe (PID: 1480)

    • Create files in a temporary directory

      • powershell.exe (PID: 1480)

    • The process uses the downloaded file

      • powershell.exe (PID: 1480)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 1480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2096:03:14 04:00:21+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.2
CodeSize: 38400
InitializedDataSize: 418304
UninitializedDataSize: -
EntryPoint: 0x42a0
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 10
Subsystem: Windows command line
FileVersionNumber: 10.0.19041.3996
ProductVersionNumber: 10.0.19041.3996
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Windows PowerShell
FileVersion: 10.0.19041.3996 (WinBuild.160101.0800)
InternalName: POWERSHELL
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: PowerShell.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.19041.3996
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1480"C:\Users\admin\AppData\Local\Temp\powershell.exe" C:\Users\admin\AppData\Local\Temp\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2448\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 854
Read events
4 854
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1480powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bapgbmgf.tfp.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1480powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_orvjjfvz.xfw.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
32
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6184
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
7156
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7156
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2224
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.218.209.163
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.133
  • 40.126.32.136
  • 20.190.160.17
  • 40.126.32.68
  • 20.190.160.22
  • 40.126.32.140
  • 40.126.32.76
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
powershell.exe