File name:

1.ps1

Full analysis: https://app.any.run/tasks/edd28ebd-5b13-4b75-992a-a46c861e603b
Verdict: Malicious activity
Analysis date: May 31, 2025, 17:43:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
arch-exec
arch-doc
python
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text
MD5:

AA00661AB05EDDCB50573492E722F1C8

SHA1:

1D348C943ABCA0A5EA4A750EE9A70EE0C6E2E9A8

SHA256:

AEAD3F1B89CAB3F3E26227A62FCA48B810F88DECF668D212A029B5B19088FA15

SSDEEP:

48:Jh4DVNOdnBcii9AEG/PB5adXGS1qipIfnERyu5tG2RT2Ot+Em5Qv/2W/LOtXLrN6:nNG90Udb1BgERyuK22m+15QmyOtXKY1k

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7316)

  • SUSPICIOUS

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • powershell.exe (PID: 7316)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7316)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7316)
      • python.exe (PID: 5056)

    • Process drops python dynamic module

      • powershell.exe (PID: 7316)

    • Loads Python modules

      • python.exe (PID: 5056)

    • Starts CMD.EXE for commands execution

      • python.exe (PID: 5056)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 7316)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 7316)

  • INFO

    • Disables trace logs

      • powershell.exe (PID: 7316)

    • Manual execution by a user

      • pythonw.exe (PID: 7656)
      • python.exe (PID: 6840)
      • notepad.exe (PID: 4016)
      • WinRAR.exe (PID: 1056)
      • rundll32.exe (PID: 7260)
      • cmd.exe (PID: 5376)
      • notepad.exe (PID: 4200)
      • OpenWith.exe (PID: 1600)
      • notepad.exe (PID: 3868)
      • notepad.exe (PID: 2124)
      • OpenWith.exe (PID: 2108)
      • notepad.exe (PID: 7696)
      • OpenWith.exe (PID: 1472)
      • OpenWith.exe (PID: 7972)
      • notepad.exe (PID: 6372)
      • notepad.exe (PID: 2408)
      • notepad.exe (PID: 2136)
      • notepad.exe (PID: 3804)
      • notepad.exe (PID: 7336)
      • notepad.exe (PID: 2796)
      • notepad.exe (PID: 5172)
      • OpenWith.exe (PID: 4608)
      • notepad.exe (PID: 132)

    • Checks proxy server information

      • powershell.exe (PID: 7316)
      • python.exe (PID: 5056)
      • rundll32.exe (PID: 7260)

    • Python executable

      • pythonw.exe (PID: 7656)
      • python.exe (PID: 6840)
      • python.exe (PID: 5056)

    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 7260)
      • notepad.exe (PID: 4200)
      • notepad.exe (PID: 4016)

    • Creates files or folders in the user directory

      • rundll32.exe (PID: 7260)
      • python.exe (PID: 5056)

    • The sample compiled with english language support

      • powershell.exe (PID: 7316)
      • python.exe (PID: 5056)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7316)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • python.exe (PID: 5056)

    • Reads the computer name

      • python.exe (PID: 5056)

    • Reads the software policy settings

      • python.exe (PID: 5056)
      • rundll32.exe (PID: 7260)

    • Reads the machine GUID from the registry

      • python.exe (PID: 5056)

    • Checks operating system version

      • python.exe (PID: 5056)

    • Create files in a temporary directory

      • python.exe (PID: 5056)

    • Checks supported languages

      • python.exe (PID: 5056)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
153
Monitored processes
32
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs svchost.exe pythonw.exe no specs python.exe no specs conhost.exe no specs notepad.exe no specs winrar.exe no specs rundll32.exe rundll32.exe no specs cmd.exe no specs conhost.exe no specs notepad.exe no specs python.exe cmd.exe no specs slui.exe openwith.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs openwith.exe no specs openwith.exe no specs openwith.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs notepad.exe no specs openwith.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
132"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\top_level.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
1056"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\python311.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1472"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\RECORDC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
1600"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\command_templateC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2108"C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\METADATAC:\Windows\System32\OpenWith.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Pick an app
Exit code:
2147943623
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2124"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\LICENSE.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
2136"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\top_level.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2408"C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\entry_points.txtC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
22 696
Read events
22 688
Write events
8
Delete events
0

Modification events

(PID) Process:(1056) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(1056) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(1056) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(1056) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\python311.zip
(PID) Process:(1056) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(1056) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(1056) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(1056) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
44
Suspicious files
989
Text files
943
Unknown types
0

Dropped files

PID
Process
Filename
Type
7260rundll32.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141binary
MD5:6B35F9719C80E0571223D5BCD0B9F2BD
SHA256:366415E535BB5CB0C85FD271C6F937229D92DC8A456C5781C72F0BB46D56A66B
7316powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF120e60.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7316powershell.exeC:\Temp\PortablePython\vcruntime140.dllexecutable
MD5:BE8DBE2DC77EBE7F88F910C61AEC691A
SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
7316powershell.exeC:\Temp\PortablePython\python3.dllexecutable
MD5:35DA4143951C5354262A28DEE569B7B2
SHA256:920350A7C24C46339754E38D0DB34AB558E891DA0B3A389D5230A0D379BEE802
7316powershell.exeC:\Users\admin\AppData\Local\Temp\python-embed.zipcompressed
MD5:9199879FBAD4884ED93DDF77E8764920
SHA256:6347068CA56BF4DD6319F7EF5695F5A03F1ADE3E9AA2D6A095AB27FAA77A1290
7316powershell.exeC:\Temp\PortablePython\pythonw.exeexecutable
MD5:837DD66E580DDC9B5DCC191156A202C2
SHA256:E65ECC6B135F8C2269A2163F5C906376F2FEA3B61571D312D779F36F772CEAC1
7260rundll32.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_26B14BC5FFF8CCADF0E4994815CF2509binary
MD5:58B86DB07C34A5B1F6EBE9C45C6A8D7F
SHA256:8126DFFCCCD9FBDB18C50206A42CED720C2D0F44801989B307F935C766702A19
7316powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vvavov0y.o1x.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7316powershell.exeC:\Temp\PortablePython\vcruntime140_1.dllexecutable
MD5:F8DFA78045620CF8A732E67D1B1EB53D
SHA256:A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
7316powershell.exeC:\Temp\PortablePython\unicodedata.pydexecutable
MD5:5CC36A5DE45A2C16035ADE016B4348EB
SHA256:F28AC3E3AD02F9E1D8B22DF15FA30B2190B080261A9ADC6855248548CD870D20
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
42
DNS requests
20
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2800
RUXIMICS.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2800
RUXIMICS.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
151.101.128.223:443
https://www.python.org/ftp/python/3.11.8/python-3.11.8-embed-amd64.zip
unknown
compressed
10.6 Mb
whitelisted
7260
rundll32.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D
unknown
whitelisted
7316
powershell.exe
GET
200
34.160.111.145:80
http://ifconfig.me/ip
unknown
shared
7260
rundll32.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D
unknown
whitelisted
GET
200
151.101.192.175:443
https://bootstrap.pypa.io/get-pip.py
unknown
text
2.17 Mb
whitelisted
GET
200
151.101.0.223:443
https://pypi.org/simple/pip/
unknown
binary
136 Kb
whitelisted
GET
200
151.101.128.223:443
https://files.pythonhosted.org/packages/29/a2/d40fb2460e883eca5199c62cfc2463fd261f760556ae6290f88488c362c0/pip-25.1.1-py3-none-any.whl.metadata
unknown
text
3.56 Kb
whitelisted
GET
200
151.101.0.223:443
https://pypi.org/simple/setuptools/
unknown
binary
747 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2800
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2800
RUXIMICS.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2800
RUXIMICS.exe
23.219.150.101:80
www.microsoft.com
AKAMAI-AS
CL
whitelisted
7316
powershell.exe
34.160.111.145:80
ifconfig.me
GOOGLE
US
shared
7316
powershell.exe
151.101.0.223:443
www.python.org
FASTLY
US
whitelisted
7260
rundll32.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7316
powershell.exe
151.101.128.175:443
bootstrap.pypa.io
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
ifconfig.me
  • 34.160.111.145
shared
www.python.org
  • 151.101.0.223
  • 151.101.64.223
  • 151.101.128.223
  • 151.101.192.223
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
bootstrap.pypa.io
  • 151.101.128.175
  • 151.101.0.175
  • 151.101.64.175
  • 151.101.192.175
whitelisted
pypi.org
  • 151.101.128.223
  • 151.101.64.223
  • 151.101.0.223
  • 151.101.192.223
whitelisted
files.pythonhosted.org
  • 151.101.0.223
  • 151.101.64.223
  • 151.101.128.223
  • 151.101.192.223
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
7316
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
7316
powershell.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain (ifconfig .me)
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
7316
powershell.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
2196
svchost.exe
Misc activity
ET FILE_SHARING File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org)
5056
python.exe
Misc activity
ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI)
No debug info