| File name: | Temp.exe |
| Full analysis: | https://app.any.run/tasks/74ff47b4-5a18-40dc-82d6-da96cfd78344 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | February 15, 2026, 06:21:22 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 8 sections |
| MD5: | 764E70BB7A203D94E5CEE9BD1641E6BC |
| SHA1: | 14752F626395FCBB2887AE059A24D730C3BD31B9 |
| SHA256: | CB7833C9CCF83E18E3E39070F2C99E8FFDB64D038732E16C696E71BCD290CA42 |
| SSDEEP: | 98304:BXoAGi1aGgpBI48MLGjU/Smt03xze+apprIszP7krSURn37AZkHCR/u96ZGIhv11:Elw5pNIH |
MALICIOUS
Changes powershell execution policy (Bypass)
- Temp.exe (PID: 9048)
SUSPICIOUS
The process bypasses the loading of PowerShell profile settings
- Temp.exe (PID: 9048)
Possible stealing of messenger data
- powershell.exe (PID: 5440)
- powershell.exe (PID: 508)
Creates file in the systems drive root
- Temp.exe (PID: 9048)
Starts POWERSHELL.EXE for commands execution
- Temp.exe (PID: 9048)
The process executes Powershell scripts
- powershell.exe (PID: 508)
Bypass execution policy to execute commands
- powershell.exe (PID: 508)
- powershell.exe (PID: 5440)
Starts CMD.EXE for commands execution
- Temp.exe (PID: 9048)
INFO
Checks supported languages
- Temp.exe (PID: 9048)
Drops script file
- Temp.exe (PID: 9048)
- powershell.exe (PID: 508)
- powershell.exe (PID: 5440)
Checks proxy server information
- Temp.exe (PID: 9048)
- slui.exe (PID: 7492)
Reads the computer name
- Temp.exe (PID: 9048)
Reads the machine GUID from the registry
- Temp.exe (PID: 9048)
Reads security settings of Internet Explorer
- Temp.exe (PID: 9048)
VMProtect protector has been detected
- Temp.exe (PID: 9048)
Create files in a temporary directory
- Temp.exe (PID: 9048)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:12:10 02:02:27+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.44 |
| CodeSize: | 196608 |
| InitializedDataSize: | 93184 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x3dbd73 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
147
Monitored processes
9
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 508 | powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\admin\AppData\Local\Temp\extract_ids.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Temp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2456 | "C:\Users\admin\Desktop\Temp.exe" | C:\Users\admin\Desktop\Temp.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 3036 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5392 | C:\WINDOWS\system32\cmd.exe /c cls | C:\Windows\System32\cmd.exe | — | Temp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5440 | powershell -ExecutionPolicy Bypass -NoProfile -File "C:\Users\admin\AppData\Local\Temp\extract_ids.ps1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | Temp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7372 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | Temp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7492 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 8324 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 9048 | "C:\Users\admin\Desktop\Temp.exe" | C:\Users\admin\Desktop\Temp.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Modules
| |||||||||||||||
Total events
15 536
Read events
15 533
Write events
3
Delete events
0
Modification events
| (PID) Process: | (9048) Temp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (9048) Temp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (9048) Temp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
0
Suspicious files
1
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 508 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_by0t4v1i.rc2.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5440 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ybhwayhv.nk1.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5440 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:C3A20630854ABFCBA0E5E9E1AB276148 | SHA256:ACB6333F86A40CE1C0CB70518DF6CF4C70819EA06BEEE821E999A4B9BECF21BA | |||
| 9048 | Temp.exe | C:\screenshot.jpg | image | |
MD5:09868EFC8FFA2321F8215B5EE70A1909 | SHA256:59765D4AC83AA803B0EE756A846A6958D6005DEE09B9AF0DA3B2AD5D7BF9D7AE | |||
| 508 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_s3vzqaqy.utp.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5440 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ew3atg3f.tfe.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 9048 | Temp.exe | C:\Users\admin\AppData\Local\Temp\extract_ids.ps1 | text | |
MD5:63152A0A257DE6DC7149C5B326CB90E6 | SHA256:63BB0A53FC13C221932BC50571FA52AFC81A662FDEFDCFB469CB0D1A1C4046DA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
24
DNS requests
12
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
8776 | svchost.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 188.114.96.3:443 | https://spoof.su/api/upload-screenshot | unknown | text | 16 b | unknown |
— | — | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
9048 | Temp.exe | POST | 200 | 188.114.96.3:443 | https://spoof.su/api/upload-screenshot | unknown | — | 16 b | unknown |
— | — | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | binary | 512 b | unknown |
3292 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | — | — | whitelisted |
3588 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | — | 512 b | whitelisted |
3292 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | — | — | whitelisted |
3292 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
— | — | 95.100.158.115:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
8776 | svchost.exe | 2.16.168.124:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 2.16.168.124:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6768 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8776 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
9048 | Temp.exe | 188.114.96.3:443 | spoof.su | CLOUDFLARENET | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
spoof.su |
| unknown |
activation-v2.sls.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2292 | svchost.exe | Misc activity | INFO [ANY.RUN] .su TLD domain request |