File name: malware.ps1
Full analysis: https://app.any.run/tasks/16e272ea-47a3-4ffc-a1b8-ed4f6c8b9a31
Verdict: Malicious activity
Analysis date: June 21, 2025, 03:28:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-sch
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: 4525745FD61CF8FCCFFAD917492DD613
SHA1: 426EE056C5CACDD8FB274637173681AD1B628899
SHA256: B4650EECBC77404228D17DA2481626752CE39123FB491DA703A35BD2DE21834C
SSDEEP: 3:BHNJRJJjNUMAM:RNfHjNyM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 1660)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1660)
      • powershell.exe (PID: 2028)
    • Uses Task Scheduler to autorun other applications

      • powershell.exe (PID: 1660)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2028)
  • SUSPICIOUS

    • Application launched itself

      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5012)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2764)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 1508)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 4528)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 4816)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5424)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5900)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2596)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 6336)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 6296)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 4800)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 1472)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2324)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2620)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 4960)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2460)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 3396)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5080)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 3620)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 3888)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 6672)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5692)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 1868)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1660)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 1660)
    • Changes AMSI initialization state that disables detection systems (POWERSHELL)

      • powershell.exe (PID: 1660)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 1660)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1660)
  • INFO

    • Checks supported languages

      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5012)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 1508)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2764)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 4528)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5900)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5424)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2596)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 6336)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 4800)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 6296)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 1472)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 4816)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 3888)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 3396)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2324)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2620)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 4960)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 3620)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5080)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 1868)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 2460)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 5692)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 6672)
      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 3108)
    • The sample compiled with english language support

      • powershell.exe (PID: 1660)
    • The executable file from the user directory is run by the Powershell process

      • a1a3378882ae42779491e6bb5e9322da.exe (PID: 4528)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 1660)
    • Checks proxy server information

      • powershell.exe (PID: 1660)
      • slui.exe (PID: 6776)
    • Disables trace logs

      • powershell.exe (PID: 1660)
    • Manual execution by a user

      • powershell.exe (PID: 2028)
    • Reads the software policy settings

      • slui.exe (PID: 6776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
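The signatures above (execution-policy bypass, hidden window, Task Scheduler autorun, an executable under the user profile started by PowerShell, a process launching itself) translate directly into process-creation detection logic. The Python below is an added example written for this page, not ANY.RUN's code and not the sample's; it runs the rules over constructed Sysmon Event ID 1 style records that mirror the report's process tree. Only PID 1660's command line and parent are taken from the report. The schtasks command line and task name, PID 2028's command line and parent, PIDs 3000 and 7000, and the 4528 -> 5012 -> 2764 self-launch chain are hypothetical.

```python
"""Behavioural triage over process-creation events (added example).

The rules encode the sandbox signatures as checks over Sysmon Event ID 1
style records: Image, CommandLine, ParentImage, ProcessId, ParentProcessId.
"""
import re
from typing import Callable, Dict, Iterable, List, Tuple

Event = Dict[str, str]
Finding = Tuple[str, str]  # (rule name, ProcessId)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPED_EXE = (r"C:\Users\admin\AppData\Local\a1a3378882ae42779491e6bb5e9322da"
               r"\a1a3378882ae42779491e6bb5e9322da.exe")

# Constructed events. Only PID 1660's command line and parent come from the
# report; the schtasks invocation, PID 2028's command line and parent, PIDs
# 3000/7000 and the 4528 -> 5012 -> 2764 chain are hypothetical.
SAMPLE_EVENTS: List[Event] = [
    {"ProcessId": "1660", "Image": PS,
     "CommandLine": f'"{PS}" -ep bypass C:\\Users\\admin\\Desktop\\malware.ps1',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": "1234"},
    {"ProcessId": "3000", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks /create /f /sc minute /tn Updater /tr "{DROPPED_EXE}"',
     "ParentImage": PS, "ParentProcessId": "1660"},
    {"ProcessId": "4528", "Image": DROPPED_EXE, "CommandLine": f'"{DROPPED_EXE}"',
     "ParentImage": PS, "ParentProcessId": "1660"},
    {"ProcessId": "5012", "Image": DROPPED_EXE, "CommandLine": f'"{DROPPED_EXE}"',
     "ParentImage": DROPPED_EXE, "ParentProcessId": "4528"},
    {"ProcessId": "2764", "Image": DROPPED_EXE, "CommandLine": f'"{DROPPED_EXE}"',
     "ParentImage": DROPPED_EXE, "ParentProcessId": "5012"},
    {"ProcessId": "2028", "Image": PS,
     "CommandLine": 'powershell.exe -nop -w hidden -ep bypass -c "stage2"',
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentProcessId": "800"},
    # Benign control: an administrator's inventory script run from cmd.exe.
    {"ProcessId": "7000", "Image": PS,
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentProcessId": "7001"},
]

# PowerShell accepts any unambiguous prefix of a parameter name, so -ep, -ex,
# -exec and -ExecutionPolicy are equivalent; the character classes below
# accept every such prefix (and likewise -w ... -WindowStyle).
EXEC_POLICY_BYPASS = re.compile(r"(?:^|\s)-e[xecutionpolicy]*\s+bypass\b", re.I)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)-w[indowstyle]*\s+hidden\b", re.I)
# schtasks /create ... /tr "<action located under a user profile's AppData>"
SCHTASKS_USER_PROFILE_ACTION = re.compile(
    r'/tr\s+"?[a-z]:\\users\\[^"]*\\appdata\\', re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_powershell(image: str) -> bool:
    return _basename(image) in ("powershell.exe", "pwsh.exe")


def rule_execution_policy_bypass(ev: Event) -> bool:
    return _is_powershell(ev["Image"]) and bool(EXEC_POLICY_BYPASS.search(ev["CommandLine"]))


def rule_hidden_window(ev: Event) -> bool:
    return _is_powershell(ev["Image"]) and bool(HIDDEN_WINDOW.search(ev["CommandLine"]))


def rule_schtasks_autorun_from_user_profile(ev: Event) -> bool:
    cmd = ev["CommandLine"]
    return (_basename(ev["Image"]) == "schtasks.exe"
            and "/create" in cmd.lower()
            and bool(SCHTASKS_USER_PROFILE_ACTION.search(cmd)))


def rule_user_profile_exe_spawned_by_powershell(ev: Event) -> bool:
    image = ev["Image"].lower()
    return (_is_powershell(ev["ParentImage"])
            and image.startswith("c:\\users\\")
            and "\\appdata\\" in image)


def rule_process_launched_itself(ev: Event) -> bool:
    return ev["Image"].lower() == ev["ParentImage"].lower()


RULES: Dict[str, Callable[[Event], bool]] = {
    "execution_policy_bypass": rule_execution_policy_bypass,
    "hidden_window": rule_hidden_window,
    "schtasks_autorun_from_user_profile": rule_schtasks_autorun_from_user_profile,
    "user_profile_exe_spawned_by_powershell": rule_user_profile_exe_spawned_by_powershell,
    "process_launched_itself": rule_process_launched_itself,
}


def triage(events: Iterable[Event]) -> List[Finding]:
    """Apply every rule to every event; return (rule, pid) pairs in event order."""
    findings: List[Finding] = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev["ProcessId"]))
    return findings


if __name__ == "__main__":
    for name, pid in triage(SAMPLE_EVENTS):
        print(f"{pid:>5}  {name}")
```

The self-launch rule flags each child whose image equals its parent's image; in a real deployment it is worth counting those per image over a time window, since the report shows more than twenty such launches, and a single occurrence is common for updaters and installers.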
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 186
Monitored processes: 55
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph, in order of appearance: powershell.exe, conhost.exe, a1a3378882ae42779491e6bb5e9322da.exe (many instances, each with its own conhost.exe), schtasks.exe, a second powershell.exe, slui.exe, svchost.exe. Per-process details are in the full report.

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 888
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: a1a3378882ae42779491e6bb5e9322da.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1336
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: a1a3378882ae42779491e6bb5e9322da.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1388
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: a1a3378882ae42779491e6bb5e9322da.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1472
CMD: "C:\Users\admin\AppData\Local\a1a3378882ae42779491e6bb5e9322da\a1a3378882ae42779491e6bb5e9322da.exe"
Path: C:\Users\admin\AppData\Local\a1a3378882ae42779491e6bb5e9322da\a1a3378882ae42779491e6bb5e9322da.exe
Parent process: a1a3378882ae42779491e6bb5e9322da.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Sxs Tracing Tool
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\a1a3378882ae42779491e6bb5e9322da\a1a3378882ae42779491e6bb5e9322da.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1488
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1496
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: a1a3378882ae42779491e6bb5e9322da.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1508
CMD: "C:\Users\admin\AppData\Local\a1a3378882ae42779491e6bb5e9322da\a1a3378882ae42779491e6bb5e9322da.exe"
Path: C:\Users\admin\AppData\Local\a1a3378882ae42779491e6bb5e9322da\a1a3378882ae42779491e6bb5e9322da.exe
Parent process: a1a3378882ae42779491e6bb5e9322da.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Sxs Tracing Tool
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\a1a3378882ae42779491e6bb5e9322da\a1a3378882ae42779491e6bb5e9322da.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 1564
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: a1a3378882ae42779491e6bb5e9322da.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1660
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\malware.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1700
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: a1a3378882ae42779491e6bb5e9322da.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 13 500
Read events: 13 500
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1
Suspicious files: 4
Text files: 5
Unknown types: 0

Dropped files

PID 1660, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1768bc.TMP (binary)
  MD5: 00A03B286E6E0EBFF8D9C492365D5EC2
  SHA256: 4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
PID 1660, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (binary)
  MD5: 8CEB280F80C28B355C01C46B801F163B
  SHA256: 83F7CD6D0DFB10972AEF00C89C97FC4086127C7BFD745593F8F5944CFAC7996A
PID 1660, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5HVKYX413TBS01IMQLCN.temp (binary)
  MD5: 8CEB280F80C28B355C01C46B801F163B
  SHA256: 83F7CD6D0DFB10972AEF00C89C97FC4086127C7BFD745593F8F5944CFAC7996A
PID 1660, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nvlqshuf.0b1.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 1660, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_31srfxbn.3gg.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 2028, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4m12gvts.mzf.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 1660, powershell.exe: C:\Users\admin\AppData\Local\a1a3378882ae42779491e6bb5e9322da\a1a3378882ae42779491e6bb5e9322da.exe (executable)
  MD5: 5E3A03487829D7F7A4FFB15994EED6BB
  SHA256: A5C9A3EF870B6F7DCED5615C1C6D83BB49B530E3D696DF84B2F08949EC659AE7
PID 2028, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h4m5eeni.ges.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 1660, powershell.exe: C:\Users\admin\AppData\Roaming\code (text)
  MD5: 7AEAEEA3148F8DCBC1D9AC977BE12AA3
  SHA256: 5C1938F0C03E4D07600CDE8906B5793DD235B43D80613C1AD49934C3A2729B39
PID 1660, powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
  MD5: 95E972B26F54980CB9E3579A2FB2D24A
  SHA256: 260962E58B97EE535246AE8AEBE7C6DFCC22A19FDD2D622D6D98B0C23A299AD6
HTTP(S) requests: 12
TCP/UDP connections: 21
DNS requests: 7
Threats: 9

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4984 | RUXIMICS.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4984 | RUXIMICS.exe | GET | 304 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1660 | powershell.exe | GET | 301 | 91.92.46.24:80 | http://gitllm.dev/spotify | unknown | unknown
 |  | GET | 200 | 91.92.46.24:443 | https://gitllm.dev/spotify | unknown | 
 |  | GET | 200 | 91.92.46.24:443 | https://gitllm.dev/crypted.exe | unknown | 
 |  | GET | 200 | 91.92.46.24:443 | https://gitllm.dev/code | unknown | 
(The Type and Size columns are empty in the source; cells left blank above are blank in the source as well.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
4984 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
5944 | MoUsoCoreWorker.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
4984 | RUXIMICS.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
1268 | svchost.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 2.18.121.147, 2.18.121.139 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
gitllm.dev | 91.92.46.24 | malicious
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 104.208.16.88 | whitelisted

Threats

PID | Process | Class | Message
1660 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 14
1660 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
 |  | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
 |  | Misc activity | ET INFO Powershell Base64 Decode Command Inbound
 |  | Potentially Bad Traffic | ET ATTACK_RESPONSE PowerShell NoProfile Command Received In Powershell Stagers
 |  | A Network Trojan was detected | ET HUNTING Download Request Containing Suspicious Filename - Crypted
 |  | Misc activity | ET INFO Packed Executable Download
 |  | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
 |  | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
(Rows without a PID and process have those cells empty in the source.)
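The network and file indicators in this report (gitllm.dev, 91.92.46.24, the /spotify, /crypted.exe and /code request paths, the dropped executable's directory and the SHA256 values of the two non-standard dropped files) are what a responder would sweep proxy, DNS and EDR file logs for. The Python below is an added example written for this page, not ANY.RUN's code. It matches a constructed log against those indicators; the three record formats, the 10.0.0.x clients, the WS-0005 and WS-0007 hostnames, and the cdn.gitllm.dev and notgitllm.dev names are hypothetical. Path indicators such as /code are only counted when the host already matches, because on their own they would flag unrelated traffic.

```python
"""IOC hunt over proxy, DNS and file-event logs (added example)."""
from typing import List, Tuple
from urllib.parse import urlsplit

# Indicators taken from the report.
IOC_DOMAINS = {"gitllm.dev"}
IOC_IPS = {"91.92.46.24"}
IOC_URL_PATHS = {"/spotify", "/crypted.exe", "/code"}
IOC_SHA256 = {
    # dropped a1a3378882ae42779491e6bb5e9322da.exe
    "a5c9a3ef870b6f7dced5615c1c6d83bb49b530e3d696df84b2f08949ec659ae7",
    # dropped %APPDATA%\code
    "5c1938f0c03e4d07600cde8906b5793dd235b43d80613c1ad49934c3a2729b39",
}
IOC_DROP_DIR = "a1a3378882ae42779491e6bb5e9322da"

# Constructed sample log (not from the report). Record types:
#   PROXY <ts> <client> <method> <url> <status>
#   DNS   <ts> <client> <qname>
#   FILE  <ts> <host> <path> <sha256>
SAMPLE_LOG = """\
PROXY 2025-06-21T03:28:40Z 10.0.0.5 GET http://gitllm.dev/spotify 301
PROXY 2025-06-21T03:28:41Z 10.0.0.5 GET https://gitllm.dev/spotify 200
PROXY 2025-06-21T03:28:42Z 10.0.0.5 GET https://cdn.gitllm.dev/crypted.exe 200
PROXY 2025-06-21T03:28:43Z 10.0.0.5 GET https://91.92.46.24:443/code 200
PROXY 2025-06-21T03:28:44Z 10.0.0.7 GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl 200
PROXY 2025-06-21T03:28:45Z 10.0.0.7 GET https://notgitllm.dev/code 200
DNS 2025-06-21T03:28:39Z 10.0.0.5 gitllm.dev
DNS 2025-06-21T03:28:50Z 10.0.0.9 google.com
FILE 2025-06-21T03:29:01Z WS-0005 C:\\Users\\admin\\AppData\\Local\\a1a3378882ae42779491e6bb5e9322da\\a1a3378882ae42779491e6bb5e9322da.exe a5c9a3ef870b6f7dced5615c1c6d83bb49b530e3d696df84b2f08949ec659ae7
FILE 2025-06-21T03:29:02Z WS-0007 C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe 0000000000000000000000000000000000000000000000000000000000000000
"""

Hit = Tuple[int, str, str]  # (line number, indicator type, matched value)


def host_matches(host: str) -> bool:
    """True if host is an IOC IP, an IOC domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return True
    # Suffix match with a leading dot so that notgitllm.dev does not match.
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def hunt(log_text: str) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if not parts:
            continue
        kind = parts[0]
        if kind == "PROXY" and len(parts) == 6:
            url = urlsplit(parts[4])
            host = url.hostname or ""  # hostname is lowercased and has no :port
            if host_matches(host):
                hits.append((n, "c2_host", host))
                # Path indicators only count together with a matching host.
                if url.path in IOC_URL_PATHS:
                    hits.append((n, "c2_path", url.path))
        elif kind == "DNS" and len(parts) == 4:
            if host_matches(parts[3]):
                hits.append((n, "dns_query", parts[3].lower()))
        elif kind == "FILE" and len(parts) == 5:
            path, digest = parts[3], parts[4].lower()
            if digest in IOC_SHA256:
                hits.append((n, "file_hash", digest))
            if IOC_DROP_DIR in path.lower():
                hits.append((n, "drop_path", path))
    return hits


if __name__ == "__main__":
    for n, kind, value in hunt(SAMPLE_LOG):
        print(f"line {n:>2}: {kind:<10} {value}")
```

The directory-name match is deliberately separate from the hash match: the dropped executable carries Microsoft's "Sxs Tracing Tool" version resource, so a different build of the same legitimate binary would have a different hash but the same staging path.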