File name:

pas.ps1

Full analysis: https://app.any.run/tasks/3657c443-085e-4eca-8db3-5f1358f5a45b
Verdict: Malicious activity
Analysis date: April 11, 2025, 17:26:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (1513), with CRLF line terminators
MD5:

10FEBC686B7035BA0731C85E8E474BCD

SHA1:

9E6BE78D4B09D2E77FE1B56FC9F71742D60390AC

SHA256:

A833F27C2BB4CAD31344E70386C44B5C221F031D7CD2F2A6B8601919E790161E

SSDEEP:

24:w1PKVrzNFtjntAnOPANehb/KfA+eKiOUexvFA1OYyGb5xaTGqEtIGZdcXhBzOCh:w1PQFNtAqAMJmA+HWex6oYkGLWGBCh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 5408)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5408)

  • SUSPICIOUS

    • Connects to the server without a host name

      • powershell.exe (PID: 5408)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 5408)

    • Disables trace logs

      • powershell.exe (PID: 5408)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs sppextcomobj.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1628\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5408"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\pas.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6184C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Total events
4 080
Read events
4 080
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
5408powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JLSF0CETHQP2O4DQ21N2.tempbinary
MD5:5F3810A0AEEB8A7AFBAE90A072A0AFCF
SHA256:176755CC50E15ABDCB55E4CFB62A3E869F0B46E9EF6628E59373A1C62853A2DD
5408powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10b940.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5408powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_o1ybhe3a.5eu.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5408powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:5F3810A0AEEB8A7AFBAE90A072A0AFCF
SHA256:176755CC50E15ABDCB55E4CFB62A3E869F0B46E9EF6628E59373A1C62853A2DD
5408powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gm0nttf4.eyl.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
18
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3888
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CL
binary
407 b
whitelisted
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
5408
powershell.exe
GET
200
5.252.153.241:80
http://5.252.153.241/649566714
PA
html
11.4 Kb
malicious
5408
powershell.exe
GET
200
5.252.153.241:80
http://5.252.153.241/649566714
PA
html
11.4 Kb
malicious
5408
powershell.exe
GET
200
5.252.153.241:80
http://5.252.153.241/649566714
PA
html
11.4 Kb
malicious
5408
powershell.exe
GET
200
5.252.153.241:80
http://5.252.153.241/649566714
PA
html
11.4 Kb
malicious
5408
powershell.exe
GET
200
5.252.153.241:80
http://5.252.153.241/649566714
PA
html
11.4 Kb
malicious
5408
powershell.exe
GET
200
5.252.153.241:80
http://5.252.153.241/649566714
PA
html
11.4 Kb
malicious
5408
powershell.exe
GET
200
5.252.153.241:80
http://5.252.153.241/649566714
PA
html
11.4 Kb
malicious
5408
powershell.exe
GET
200
5.252.153.241:80
http://5.252.153.241/649566714
PA
html
11.4 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5408
powershell.exe
5.252.153.241:80
PA
malicious
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.1:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3888
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.1
  • 20.190.159.129
  • 40.126.31.130
  • 40.126.31.73
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.73
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
pas.ps1