File name: _d824029a485fc06ae3a26f8936ad20b9cefee5ded05754f8d5468177855ed3bc.txt

Full analysis: https://app.any.run/tasks/7265377b-5597-4d02-8a25-beb506a33d4c
Verdict: Malicious activity
Analysis date: March 14, 2026, 06:33:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
anti-evasion
susp-powershell
arch-exec
Indicators:
MIME: text/plain
File info: ASCII text
MD5: BB587C17763F0AC73356216A1D9B22BD
SHA1: 1217F3FFEA54CAA400DE6EBD0DE775D2DF38C3C6
SHA256: D824029A485FC06AE3A26F8936AD20B9CEFEE5DED05754F8D5468177855ED3BC
SSDEEP: 1536:kjtoT1Lxy3s5EgvAzXD4GbhJ7+C12CIemQGqrQzHFM5gi11QE3+Q370xQaSbaT:kjtoT1l0s5EgIzD4GbhR+CsCIKGLbFM0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Enumerates installed antivirus status via Win32_AntivirusProduct (SCRIPT)

      • powershell.exe (PID: 8456)
    • Get Video Controller Information (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Enumerates physical memory (Win32_PhysicalMemory) (SCRIPT)

      • powershell.exe (PID: 8456)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 8456)
  • SUSPICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 8456)
    • The process executes Powershell scripts

      • powershell.exe (PID: 8456)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Checks for external IP

      • powershell.exe (PID: 8456)
      • svchost.exe (PID: 2292)
    • Checks a user's role membership (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Starts a new process with hidden mode (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 8456)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Possible path obfuscation (POWERSHELL)

      • powershell.exe (PID: 8456)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 8456)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Using PowerShell for ZIP File Operations

      • powershell.exe (PID: 8456)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 8456)
    • User-Agent configuration (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 8456)
    • The sample compiled with english language support

      • powershell.exe (PID: 8456)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 8456)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
141
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes shown in the graph: start -> powershell.exe, conhost.exe (no specs), svchost.exe, slui.exe

Process information

PID | CMD | Path | Parent process
412 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2292 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3032 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
8456 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\_d824029a485fc06ae3a26f8936ad20b9cefee5ded05754f8d5468177855ed3bc.txt.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\ucrtbase.dll
Total events
9 459
Read events
9 459
Write events
0
Delete events
0

Modification events

No data
Executable files
12
Suspicious files
6
Text files
4
Unknown types
0

Dropped files

PID | Process | Filename | Type
8456 | powershell.exe | C:\Users\admin\AppData\Local\riqhovr_qmkg_upd_mousi\libpsl-5.dll | executable
MD5: 3A0D8A9668D1EF5197F9BAA57D0B8E3B
SHA256: F5D1D631552ACC1470FDF19D02BC89FD134F13EDFC30B3F2C3AE27E236B55B09
8456 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_k2i51ekd.bam.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8456 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
MD5: 9185FB7161B3BC1B538D26EA5F3B798B
SHA256: 12A4D0F402DCE86E98CF7EF482514D1C1DD30ACE6EB627B9153A2FD28B26941E
8456 | powershell.exe | C:\Users\admin\AppData\Local\Temp\yfndlvdnk_rcj_ptmdeo.zip.tmp | compressed
MD5: 1580D5C86A0469F92A9876EAA76DF8C7
SHA256: D1E843217520A8667D0F2FCF15D761B9FDA8C0FF0756FE8CF7735B3CE03875F5
8456 | powershell.exe | C:\Users\admin\AppData\Local\Temp\yfndlvdnk_rcj_ptmdeo.zip | compressed
MD5: 1580D5C86A0469F92A9876EAA76DF8C7
SHA256: D1E843217520A8667D0F2FCF15D761B9FDA8C0FF0756FE8CF7735B3CE03875F5
8456 | powershell.exe | C:\Users\admin\AppData\Local\riqhovr_qmkg_upd_mousi\libiconv-2.dll | executable
MD5: 9A47E690745D2ABF439B3466ABB0EC16
SHA256: 9740C8A8351587206AFF71A976B9FEA7457E59126807216B2E76F68A41579ED4
8456 | powershell.exe | C:\Users\admin\AppData\Local\riqhovr_qmkg_upd_mousi\libunistring-5.dll | executable
MD5: F6027BBA63F798A5DB8CE3F43BFDA60E
SHA256: 351AB6DB834DE03308E468A660DD93CB76D1E60AA213C7FCE1C36603C431B7BA
8456 | powershell.exe | C:\Users\admin\AppData\Local\riqhovr_qmkg_upd_mousi\psl.exe | executable
MD5: F83C15CDCF054820008944D8366B6F24
SHA256: 12C931DBFA907D4E394FB928F3A8A27ED7E5BF203578DABCD65BB2DD5F2F1280
8456 | powershell.exe | C:\Users\admin\AppData\Local\riqhovr_qmkg_upd_mousi\msys-unistring-5.dll | executable
MD5: 5374FCF8F138A6A0F84CFA8A3602E59C
SHA256: 7C6C656D2413D2398F99DE4616416319EAEA0D9F91AB8A6EFA953B2FE7DEF760
8456 | powershell.exe | C:\Users\admin\AppData\Local\riqhovr_qmkg_upd_mousi\msys-iconv-2.dll | executable
MD5: C29EE585EB10AD99A3A87AAD2A772517
SHA256: B76044939DD5D6C6B7CF0D0CF877DB6A2D8D7FD433212B78C837BA58F77A1775
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
30
DNS requests
18
Threats
23

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
876 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
876 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 140.82.121.5:443 | https://api.github.com/zen | unknown | - | 26 b | -
- | - | GET | 200 | 34.160.111.145:443 | https://ifconfig.me/ip | unknown | - | 37 b | -
- | - | GET | 200 | 116.202.222.249:443 | https://sabrineme.com/asfixsoftwaredev.zip | unknown | - | 6.70 Mb | -
8456 | powershell.exe | GET | 200 | 140.82.121.6:443 | https://api.github.com/zen | unknown | text | 26 b | unknown
8456 | powershell.exe | GET | 200 | 34.160.111.145:443 | https://ifconfig.me/ip | unknown | text | 37 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:137 | - | Not routed | - | whitelisted
- | - | 2.16.241.205:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
4 | System | 192.168.100.255:138 | - | Not routed | - | whitelisted
- | - | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
876 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
- | - | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
6768 | MoUsoCoreWorker.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted
876 | svchost.exe | 23.59.18.102:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 20.189.173.3
  • 52.182.143.208
whitelisted
www.bing.com
  • 2.16.241.205
  • 2.16.241.218
whitelisted
google.com
  • 142.251.141.110
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 23.59.18.102
whitelisted
api.github.com
  • 140.82.121.6
whitelisted
api.publicapis.org
unknown
ifconfig.me
  • 34.160.111.145
whitelisted
worldtimeapi.org
  • 213.188.196.246
whitelisted

Threats

PID | Process | Class | Message
2292 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Lookup Domain (ifconfig .me)
2292 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ifconfig .me) in DNS Lookup
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
8456 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
8456 | powershell.exe | Misc activity | ET INFO Observed External IP Lookup Domain (ifconfig .me) in TLS SNI
8456 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL/TLS Certificate (ifconfig .me)
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ifconfig .me)
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
8456 | powershell.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ifconfig .me)
No debug info