| File name: | _b5b771bd9796284faa24f4f9c45d1e77567432049b1e897416bf6f6534b659e9.txt |
| Full analysis: | https://app.any.run/tasks/bef07847-785e-4475-9452-259af275cf67 |
| Verdict: | Malicious activity |
| Analysis date: | April 22, 2026, 17:52:25 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with CRLF line terminators |
| MD5: | 11FE09FE8BAB18B53F5FFF0EF7D79724 |
| SHA1: | 365D0FFB52EAE1771E29ED8008DBD86FDD475885 |
| SHA256: | B5B771BD9796284FAA24F4F9C45D1E77567432049B1E897416BF6F6534B659E9 |
| SSDEEP: | 96:RdJVygH2O1bMbdgcUC8SXNqk8FkF0mPEVtWciupXGzzNSNRBnlshu5lVifC5l1NF:RdrJ11tcUCnXNhG4EVtWcPpXGzh0RBl7 |
MALICIOUS
No malicious indicators.SUSPICIOUS
Extracts files to a directory (POWERSHELL)
- powershell.exe (PID: 2436)
Runs WScript without displaying logo
- wscript.exe (PID: 7984)
Runs shell command (SCRIPT)
- wscript.exe (PID: 7984)
Checks a user's role membership (POWERSHELL)
- powershell.exe (PID: 2436)
- powershell.exe (PID: 6148)
The process executes via Task Scheduler
- wscript.exe (PID: 7984)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 7984)
Executes script using NodeJS
- node.exe (PID: 784)
Gets path to any of the special folders (POWERSHELL)
- powershell.exe (PID: 2436)
The process checks if current user has admin rights
- node.exe (PID: 784)
Bypass execution policy to execute commands
- powershell.exe (PID: 2436)
Starts POWERSHELL.EXE for commands execution
- node.exe (PID: 784)
Uses TASKKILL.EXE to kill process
- node.exe (PID: 784)
The process hide an interactive prompt from the user
- node.exe (PID: 784)
The process bypasses the loading of PowerShell profile settings
- node.exe (PID: 784)
INFO
Checks supported languages
- node.exe (PID: 784)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 2436)
Reads product name
- node.exe (PID: 784)
Creates files or folders in the user directory
- node.exe (PID: 784)
Using PowerShell for ZIP File Operations
- powershell.exe (PID: 2436)
Reads Environment values
- node.exe (PID: 784)
Reads the computer name
- node.exe (PID: 784)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
144
Monitored processes
10
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 784 | "C:\Users\admin\AppData\Local\TryNodeUpdate\node-v20.11.0-win-x64\node.exe" "C:\Users\admin\AppData\Local\TryNodeUpdate\main.js" "BLOCKCHAIN_CONTRACT_ADDRESS=0x75E1eDFA0d0f96D5f8F228358376d6ecdB22d802" | C:\Users\admin\AppData\Local\TryNodeUpdate\node-v20.11.0-win-x64\node.exe | wscript.exe | ||||||||||||
User: admin Company: Node.js Integrity Level: MEDIUM Description: Node.js JavaScript Runtime Version: 20.11.0 Modules
| |||||||||||||||
| 2232 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2364 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2436 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\_b5b771bd9796284faa24f4f9c45d1e77567432049b1e897416bf6f6534b659e9.txt.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2880 | taskkill /IM rpc.exe /F | C:\Windows\System32\taskkill.exe | — | node.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Terminates Processes Exit code: 128 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5404 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | taskkill.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6148 | powershell.exe -NoProfile -NonInteractive -Command "$p=New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); if($p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)){'admin'} else {'user'}" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | node.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6408 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7364 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | node.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7984 | "C:\WINDOWS\system32\wscript.exe" //nologo "C:\Users\admin\AppData\Local\TryNodeUpdate\nodeupdate.vbs" | C:\Windows\System32\wscript.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
15 133
Read events
15 133
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
6
Text files
2 084
Unknown types
56
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2436 | powershell.exe | C:\Users\admin\AppData\Local\TryNodeUpdate\node-v20.11.0-win-x64\node.exe | — | |
MD5:— | SHA256:— | |||
| 2436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DB5W91DBOBRKM8FTAI50.temp | binary | |
MD5:259DF29CFA8A6DE2EBEBB44AFE3DECFD | SHA256:CB3ED4AE56A7F3A57928963C8C12AEF25F9D9F43AA0E13CF1C5F0E6F00CF617E | |||
| 2436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFe177b.TMP | binary | |
MD5:00A03B286E6E0EBFF8D9C492365D5EC2 | SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615 | |||
| 2436 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:259DF29CFA8A6DE2EBEBB44AFE3DECFD | SHA256:CB3ED4AE56A7F3A57928963C8C12AEF25F9D9F43AA0E13CF1C5F0E6F00CF617E | |||
| 2436 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_byxv3nyp.bik.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2436 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mffnitg0.t4u.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2436 | powershell.exe | C:\Users\admin\AppData\Local\TryNodeUpdate\node-v20.11.0-win-x64\LICENSE | text | |
MD5:BC2C5AA3A71A7A913843A8CF521ADCBB | SHA256:CAA460A2FC5AF44DCE61867B2FEA2EFB1FA2FC41C13130E3526845F77ECA430A | |||
| 2436 | powershell.exe | C:\Users\admin\AppData\Local\TryNodeUpdate\node-v20.11.0-win-x64\nodevars.bat | text | |
MD5:E6636C5B093F5CC13DFB7508305B8D8B | SHA256:A2B020E2F641524C6FD1B8EBBCD9EE03C7DC44009F2B78E701E773AD048BE9A5 | |||
| 2436 | powershell.exe | C:\Users\admin\AppData\Local\TryNodeUpdate\node-v20.11.0-win-x64\node_modules\corepack\dist\lib\corepack.cjs | text | |
MD5:7AD95851F426B70F0E1272849AB7EDD9 | SHA256:C9F4A2C56F87436B91FD068C6C9FB37E7DB638094F135A1AEF2A060563946224 | |||
| 2436 | powershell.exe | C:\Users\admin\AppData\Local\TryNodeUpdate\node-v20.11.0-win-x64\node_modules\corepack\CHANGELOG.md | text | |
MD5:15E6158D6BE30AF4E7E81A1436607032 | SHA256:66E53CAFE7641367FF662C7543D113A18BEF4E11C58E1583F0C8F208EA5F7A8B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
77
TCP/UDP connections
76
DNS requests
35
Threats
33
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5276 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
— | — | POST | 400 | 20.190.160.17:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.17:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.17:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
5276 | MoUsoCoreWorker.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
— | — | POST | 200 | 20.190.160.17:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
— | — | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 2.16.241.222:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
5276 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
5276 | MoUsoCoreWorker.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5316 | svchost.exe | 20.190.160.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3428 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
activation-v2.sls.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
www.google.com |
| whitelisted |
raw.githubusercontent.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2436 | powershell.exe | A Network Trojan was detected | ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check |
2232 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
— | — | Misc activity | SUSPICIOUS [ANY.RUN] JavaScript Obfuscation (ParseInt) |
2436 | powershell.exe | Misc activity | SUSPICIOUS [ANY.RUN] JavaScript Obfuscation (ParseInt) |
2232 | svchost.exe | Misc activity | ET INFO Observed Smart Chain Domain in DNS Lookup (bsc .blockrazor .xyz) |
784 | node.exe | Misc activity | ET INFO Observed Smart Chain Domain in TLS SNI (bsc .blockrazor .xyz) |
2232 | svchost.exe | Misc activity | ET INFO Observed Smart Chain Domain in DNS Lookup (bsc-dataseed .nariox .org) |
2232 | svchost.exe | Misc activity | ET INFO Observed Smart Chain Domain in DNS Lookup (bnb .rpc .subquery .network) |
784 | node.exe | Misc activity | ET INFO Observed Smart Chain Domain in TLS SNI (bsc-dataseed .bnbchain .org) |
784 | node.exe | Misc activity | ET INFO Observed Smart Chain Domain in TLS SNI (bsc .nodereal .io) |