File name:

b.png.ps1

Full analysis: https://app.any.run/tasks/c55ce9e9-e87d-4e17-97c2-479bfd2fdb4c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 27, 2025, 19:52:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
netsupport
unwanted
auto
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

C22A096C41EE1617E1F379F2956DF442

SHA1:

3494B4FBA526DD787221BCB332CA66B7AC2115F5

SHA256:

F65EA8B91CC3A418DB36A0EC31B443D76F3487B337B87050AA907543D26F6229

SSDEEP:

48:UdKxIOgGiK257VVbQFREKSXaWyoKGPngm0VKLJyYBfYeHOwqfsdDUpCqbbZU/nQ:2N95RdkREKSXByPMgnAl19luw9F4F/S4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3732)
    • NETSUPPORT has been found (auto)

      • powershell.exe (PID: 3732)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3732)
    • Process uses IPCONFIG to clear DNS cache

      • powershell.exe (PID: 3732)
    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 4716)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 3732)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3732)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 3732)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 3732)
    • Drop NetSupport executable file

      • powershell.exe (PID: 3732)
  • INFO

    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 3732)
    • Disables trace logs

      • powershell.exe (PID: 3732)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 3732)
    • The sample compiled with english language support

      • powershell.exe (PID: 3732)
    • Checks proxy server information

      • powershell.exe (PID: 3732)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.pic | Bio-Rad Image(s) bitmap (100)
No data.
All screenshots are available in the full report
Total processes
117
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Process tree: start → powershell.exe (#NETSUPPORT); conhost.exe (no specs); ipconfig.exe (no specs); cmd.exe (no specs); attrib.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1140
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3732
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\b.png.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3988
CMD: attrib +h C:\Users\admin\AppData\Roaming\hOWQAJ
Path: C:\Windows\System32\attrib.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Attribute Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\attrib.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
PID: 4716
CMD: "C:\WINDOWS\system32\cmd.exe" /c attrib +h C:\Users\admin\AppData\Roaming\hOWQAJ
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 5000
CMD: "C:\WINDOWS\system32\ipconfig.exe" /flushdns
Path: C:\Windows\System32\ipconfig.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
Total events
5 228
Read events
5 227
Write events
1
Delete events
0

Modification events

(PID) Process: (3732) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Microsoft
Value:
C:\Users\admin\AppData\Roaming\hOWQAJ\client32.exe
Executable files
8
Suspicious files
5
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J06U5IAZZT7RX17SCF3Y.temp | Type: binary
MD5: EA71CFC433843A90E694CAEFB6D38C85
SHA256: C9974F2E96AA1B6D2436807124F5103DBB2151EDA993C86769ACE65BE3F8F30B
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | Type: binary
MD5: EA71CFC433843A90E694CAEFB6D38C85
SHA256: C9974F2E96AA1B6D2436807124F5103DBB2151EDA993C86769ACE65BE3F8F30B
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\hOWQAJ\nskbfltr.inf | Type: binary
MD5: 26E28C01461F7E65C402BDF09923D435
SHA256: D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\hOWQAJ\PCICHEK.DLL | Type: executable
MD5: A0B9388C5F18E27266A31F8C5765B263
SHA256: 313117E723DDA6EA3911FAACD23F4405003FB651C73DE8DEFF10B9EB5B4A058A
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\hOWQAJ\TCCTL32.DLL | Type: executable
MD5: EAB603D12705752E3D268D86DFF74ED4
SHA256: 6795D760CE7A955DF6C2F5A062E296128EFDB8C908908EDA4D666926980447EA
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vfxswvpb.fhu.psm1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\hOWQAJ\NSM.ini | Type: binary
MD5: 88B1DAB8F4FD1AE879685995C90BD902
SHA256: 60FE386112AD51F40A1EE9E1B15ECA802CED174D7055341C491DEE06780B3F92
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\hOWQAJ\HTCTL32.DLL | Type: executable
MD5: 2D3B207C8A48148296156E5725426C7F
SHA256: EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_umsxrk1j.j3f.ps1 | Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 3732 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\hOWQAJ\client32.exe | Type: executable
MD5: EE75B57B9300AAB96530503BFAE8A2F2
SHA256: 06A0A243811E9C4738A9D413597659CA8D07B00F640B74ADC9CB351C179B3268
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
22
DNS requests
8
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3732
powershell.exe
GET
200
104.194.151.34:80
http://mellittler.com/a/1.png
unknown
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.140:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3732
powershell.exe
GET
200
104.194.151.34:80
http://mellittler.com/a/2.png
unknown
3732
powershell.exe
GET
200
104.194.151.34:80
http://mellittler.com/a/4.png
unknown
3732
powershell.exe
GET
200
104.194.151.34:80
http://mellittler.com/a/6.png
unknown
3732
powershell.exe
GET
200
104.194.151.34:80
http://mellittler.com/a/5.png
unknown
3732
powershell.exe
GET
200
104.194.151.34:80
http://mellittler.com/a/3.png
unknown
3732
powershell.exe
GET
200
104.194.151.34:80
http://mellittler.com/a/7.png
unknown
3732
powershell.exe
GET
200
104.194.151.34:80
http://mellittler.com/a/9.png
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
104.126.37.162:443
Akamai International B.V.
DE
unknown
4712
MoUsoCoreWorker.exe
23.48.23.140:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3976
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3732
powershell.exe
104.194.151.34:80
mellittler.com
PONYNET
US
unknown
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.48.23.140
  • 23.48.23.191
  • 23.48.23.139
  • 23.48.23.192
  • 23.48.23.137
  • 23.48.23.185
  • 23.48.23.194
  • 23.48.23.183
  • 23.48.23.184
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
mellittler.com
  • 104.194.151.34
unknown
self.events.data.microsoft.com
  • 20.189.173.12
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info