File name: ps1

Full analysis: https://app.any.run/tasks/03393d49-9697-4356-a687-8c8bda8ed2da
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 23, 2026, 09:50:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: susp-powershell, anti-evasion, stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (1199)
MD5: A7EAE5249C0930664BBF2ACEAF2A9B08
SHA1: 88969A3B5B312CBC9E436169A9086FC4EAFE3464
SHA256: AE9BC11ADB457930D402844BD3BF3AF8EA7C13FDB7EA269FBE73877B18AF1CA8
SSDEEP: 192:blhyuaU++yCMjz+KskUWgLcKbXTWnqTqZPRkYvHVRS+NaWNH9FD2zu:blhFaUmj9LKbXK5ck1RS+o67qq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Enumerates physical memory (Win32_PhysicalMemory) (SCRIPT)

      • powershell.exe (PID: 2452)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Actions look like stealing of personal data

      • powershell.exe (PID: 2452)
    • Steals credentials from Web Browsers

      • powershell.exe (PID: 2452)
  • SUSPICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2452)
    • Converts a specified value to an integer (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2452)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 4300)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 4300)
    • Gets path to any of the special folders (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Enumerates operating system information (Win32_OperatingSystem) (SCRIPT)

      • powershell.exe (PID: 2452)
    • Identifying current user with WHOAMI command

      • powershell.exe (PID: 2452)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 2452)
  • INFO

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Checks supported languages

      • csc.exe (PID: 4300)
      • cvtres.exe (PID: 4324)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 4300)
    • Creates files in a temporary directory

      • csc.exe (PID: 4300)
      • cvtres.exe (PID: 4324)
    • Reads Windows Product ID

      • powershell.exe (PID: 2452)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Using PowerShell for GZIP File Operations

      • powershell.exe (PID: 2452)
    • Creates a byte array (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2452)
    • Remote server returned an error (POWERSHELL)

      • powershell.exe (PID: 2452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 140
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: powershell.exe, conhost.exe (no specs), csc.exe, cvtres.exe (no specs), whoami.exe (no specs)

Process information

PID: 2452
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\ps1.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2456
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4300
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\2rvudpa0.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 4324
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESFEA.tmp" "c:\Users\admin\AppData\Local\Temp\CSCF191C7FE9C94EA387737BF1CF91327D.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.32.31326.0
Modules (images):
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
PID: 7928
CMD: "C:\WINDOWS\system32\whoami.exe" /user
Path: C:\Windows\System32\whoami.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: whoami - displays logged on user information
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\whoami.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 407
Read events: 7 407
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 1
Suspicious files: 7
Text files: 7
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V0AG372H7YFDLHKLG3NZ.temp | binary
  MD5: 799092FA6E655BF069F1529BD7DEB4AD
  SHA256: 56F2CB0C275F677303815791135F5F87506B081B622759B37C6D153A33D81216
2452 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qcdpqb4t.qcg.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4300 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCF191C7FE9C94EA387737BF1CF91327D.TMP | binary
  MD5: 1C39EEBC92606175F765542FB6E03110
  SHA256: D197E318B5B7750A604D7216BB065344004AF5455CF40B61A36447B8890D2B40
2452 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: 03DFE565B258E2B8B589674E073F1841
  SHA256: A5DA11D1FEEA6E3B256E477D94658FBF998D07CC2374BA62552701BE78BCA79E
2452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFdff50.TMP | binary
  MD5: 00A03B286E6E0EBFF8D9C492365D5EC2
  SHA256: 4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
2452 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
  MD5: 799092FA6E655BF069F1529BD7DEB4AD
  SHA256: 56F2CB0C275F677303815791135F5F87506B081B622759B37C6D153A33D81216
2452 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pbu4wuqi.i5k.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2452 | powershell.exe | C:\Users\admin\AppData\Local\Temp\2rvudpa0.cmdline | text
  MD5: 1ACEADFB625F1367EC56ADF22288278F
  SHA256: CDC0264FCCB6671A50525CEB3DD978B00454FDB5D04232DFC1A8D5DA03325309
2452 | powershell.exe | C:\Users\admin\AppData\Local\Temp\2rvudpa0.0.cs | text
  MD5: 1926B4A9C9707ADCBAF5D1FC6AF7545C
  SHA256: E0C05A9FCA34ABBBC03D3E36143C419188FA6050EDC5F76742DF9E1B6E45451F
4300 | csc.exe | C:\Users\admin\AppData\Local\Temp\2rvudpa0.out | text
  MD5: 2DEA02696FA70A49469CDFED081B4B30
  SHA256: 93203CEADD96B1CF9BDB6AF35916931D6A2C917E1DAAFD35B241A73C93B809A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 43
TCP/UDP connections: 31
DNS requests: 24
Threats: 8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 131.253.33.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | US | binary | 958 b | whitelisted
2452 | powershell.exe | GET | 301 | 172.67.141.127:443 | https://events.msft23.com/1 | US | html | 162 b | unknown
- | - | GET | 200 | 162.159.142.9:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | US | binary | 314 b | whitelisted
2452 | powershell.exe | GET | 301 | 172.67.141.127:80 | http://events.msft23.com/1 | US | - | - | unknown
7984 | svchost.exe | GET | 200 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 5.80 Kb | whitelisted
7984 | svchost.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted
5276 | MoUsoCoreWorker.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | US | - | - | whitelisted
2452 | powershell.exe | POST | 200 | 172.67.141.127:443 | https://events.msft23.com/take/dIG1bXo3/bb926e54-e3ca-40fd-ae90-2764341e7792 | US | text | 2 b | unknown
7984 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted
5892 | SIHClient.exe | GET | 304 | 74.178.240.61:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
7984 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5276 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7312 | slui.exe | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5532 | SearchApp.exe | 2.16.241.201:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 162.159.142.9:80 | ocsp.digicert.com | CLOUDFLARENET | US | whitelisted
- | - | 131.253.33.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
2452 | powershell.exe | 146.185.233.59:80 | mo2307.com | AS-GLOBALTELEHOST | US | unknown
2452 | powershell.exe | 172.67.141.127:80 | events.msft23.com | CLOUDFLARENET | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 2.16.241.201
  • 2.16.241.203
  • 2.16.241.204
  • 2.16.241.200
  • 2.16.241.199
  • 2.16.241.205
  • 2.16.241.225
  • 2.16.241.223
  • 2.16.241.196
whitelisted
ocsp.digicert.com
  • 162.159.142.9
  • 172.66.2.5
  • 23.11.41.157
whitelisted
oneocsp.microsoft.com
  • 131.253.33.203
whitelisted
google.com
  • 142.251.20.113
  • 142.251.20.139
  • 142.251.20.102
  • 142.251.20.101
  • 142.251.20.100
  • 142.251.20.138
whitelisted
mo2307.com
  • 146.185.233.59
unknown
events.msft23.com
  • 172.67.141.127
  • 104.21.87.46
unknown
crl.microsoft.com
  • 23.216.77.30
  • 23.216.77.6
  • 23.216.77.8
  • 23.216.77.36
  • 23.216.77.42
  • 23.216.77.21
  • 23.216.77.10
  • 23.216.77.23
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.59.18.102
whitelisted

Threats

PID | Process | Class | Message | Count
2452 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage | 7
7984 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) | 1
No debug info