File name: fo0suc2ki2.ps1

Full analysis: https://app.any.run/tasks/d9c24354-1dba-44ba-8f17-62a08cd590c4
Verdict: Malicious activity
Analysis date: February 20, 2026, 19:22:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: python
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 (with BOM) text, with very long lines (3624), with CRLF line terminators
MD5: EB6E7FE4EF5B11AF1CB9278F448B91B5
SHA1: E668E11F38237972A891FBECCC8144B6016A9B3B
SHA256: F1CCABEE3261621EE37F5E1A54E12267981C7A8FEF49A50359902B5264792F1C
SSDEEP: 12288:idbSRJZOPasUDojd3KyWh9IPSjN/3aAVkL9ZfdDPxOzAqYB7Ns+GunY8WCLX3Zh/:2SRwtU8d3KyM9IPSZl2J1dD5ZBbnE7ET

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Gets or sets the security protocol (POWERSHELL): powershell.exe (PID: 5872)
    • Bypass execution policy to execute commands: powershell.exe (PID: 5872)
    • Possible path obfuscation (POWERSHELL): powershell.exe (PID: 5872)
    • Gets path to any of the special folders (POWERSHELL): powershell.exe (PID: 5872)
    • Uses sleep to delay execution (POWERSHELL): powershell.exe (PID: 5872)
    • Process drops python dynamic module: powershell.exe (PID: 5872)
    • Loads Python modules: tpm2emu.exe (PID: 8468)
  • INFO
    • Drops script file: powershell.exe (PID: 5872)
    • Disables trace logs: powershell.exe (PID: 5872)
    • User-Agent configuration (POWERSHELL): powershell.exe (PID: 5872)
    • Gets data length (POWERSHELL): powershell.exe (PID: 5872)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL): powershell.exe (PID: 5872)
    • The executable file from the user directory is run by the Powershell process: tpm2emu.exe (PID: 8468)
    • Python executable: tpm2emu.exe (PID: 8468)
    • Checks supported languages: tpm2emu.exe (PID: 8468)
    • Checks proxy server information: powershell.exe (PID: 5872), tpm2emu.exe (PID: 8468), slui.exe (PID: 2640)
    • Checks if a key exists in the options dictionary (POWERSHELL): powershell.exe (PID: 5872)
    • Reads the computer name: tpm2emu.exe (PID: 8468)
    • Creates files or folders in the user directory: tpm2emu.exe (PID: 8468)
    • Reads the machine GUID from the registry: tpm2emu.exe (PID: 8468)
    • Reads security settings of Internet Explorer: tpm2emu.exe (PID: 8468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.txt | Text - UTF-8 encoded (100)
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown (interactive graph in the full report): start, powershell.exe, conhost.exe (no specs), slui.exe, tpm2emu.exe, svchost.exe

Process information

PID 2292 | svchost.exe
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll
PID 2640 | slui.exe
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
PID 5872 | powershell.exe
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\fo0suc2ki2.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\atl.dll, c:\windows\system32\user32.dll
PID 8300 | conhost.exe
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
PID 8468 | tpm2emu.exe
CMD: "C:\Users\admin\AppData\Roaming\Portmaster\Assets\MSVC_net8\78fd79ae849c61ed\tpm2emu.exe" "C:\Users\admin\AppData\Roaming\Portmaster\Assets\MSVC_net8\78fd79ae849c61ed\node_modules.asar"
Path: C:\Users\admin\AppData\Roaming\Portmaster\Assets\MSVC_net8\78fd79ae849c61ed\tpm2emu.exe
Parent process: powershell.exe
User: admin
Company: Python Software Foundation
Integrity Level: MEDIUM
Description: Python
Version: 3.14.3
Modules (images): c:\users\admin\appdata\roaming\portmaster\assets\msvc_net8\78fd79ae849c61ed\tpm2emu.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\ucrtbase.dll, c:\users\admin\appdata\roaming\portmaster\assets\msvc_net8\78fd79ae849c61ed\vcruntime140.dll, c:\users\admin\appdata\roaming\portmaster\assets\msvc_net8\78fd79ae849c61ed\python314.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll
Total events: 16 226
Read events: 16 223
Write events: 3
Delete events: 0

Modification events

PID 8468, tpm2emu.exe: write to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content, Name: CachePrefix, Value: (empty)
PID 8468, tpm2emu.exe: write to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies, Name: CachePrefix, Value: Cookie:
PID 8468, tpm2emu.exe: write to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History, Name: CachePrefix, Value: Visited:
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 35

Dropped files

PID | Process | Filename | Type (MD5 and SHA256 of each file follow on the next two lines)
5872 | powershell.exe | C:\Users\admin\AppData\Roaming\Portmaster\Assets\MSVC_net8\78fd79ae849c61ed\tpm2emu.exe | binary
MD5:74D4268D16116B148E6E32D9B44101D8
SHA256:4CF4BA3C64C5AC896A319BD0EBBF0768BE14D42E48FC14702ABE23810A359646
5872 | powershell.exe | C:\Users\admin\AppData\Roaming\Portmaster\Assets\MSVC_net8\78fd79ae849c61ed\_ctypes.pyd | binary
MD5:03FB3055ED0C56155BBF030596726E03
SHA256:F8A9F7831E81B2BFBA12456E589F8198114F24986BD527AC231A844565AFCDDB
5872 | powershell.exe | C:\Users\admin\AppData\Roaming\Portmaster\Assets\MSVC_net8\78fd79ae849c61ed\node_modules.asar | binary
MD5:C7426EB9B1A3A30E7AA85746E38EAD47
SHA256:C59CC7B6DFA47446EA25718796FBA554F879DBCE007508D67293EDDA1D71A30B
5872 | powershell.exe | C:\Users\admin\AppData\Roaming\Portmaster\Assets\MSVC_net8\78fd79ae849c61ed\unicodedata.pyd | binary
MD5:E521FD8D69046AC8EDEE6D9F5D9AE80B
SHA256:4445B894F836E89A8B9FDCC88B5E59FBC76ACA805BAAF40AEB69E869978D4E6D
5872 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e5532.TMP | binary
MD5:00A03B286E6E0EBFF8D9C492365D5EC2
SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
5872 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_emczxp3i.11r.ps1 | binary
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5872 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DCZXAZVDL19JBNEQX03D.temp | binary
MD5:71B123450CB3B355FB90A3DC2A8EB100
SHA256:07B403E00407B8EAA1C61388F0F71A37CDD13D852285DF0A0FDDD050903140AA
5872 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
MD5:71B123450CB3B355FB90A3DC2A8EB100
SHA256:07B403E00407B8EAA1C61388F0F71A37CDD13D852285DF0A0FDDD050903140AA
5872 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sao3xznw.fld.psm1 | binary
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5872 | powershell.exe | C:\Users\admin\AppData\Roaming\Portmaster\Assets\MSVC_net8\78fd79ae849c61ed\vcruntime140.dll | binary
MD5:32DA96115C9D783A0769312C0482A62D
SHA256:8B10C53241726B0ACC9F513157E67FCB01C166FEC69E5E38CA6AADA8F9A3619F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 71
TCP/UDP connections: 59
DNS requests: 40
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (empty cells omitted)
GET | 200 | 204.79.197.203:80 | http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D | US | binary | 959 b | whitelisted
GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAjTxtAB8my1oj8MfWpz%2F7Y%3D | US | binary | 314 b | whitelisted
356 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | US | binary | 471 b | whitelisted
356 | svchost.exe | POST | 200 | 20.190.160.132:443 | https://login.live.com/RST2.srf | US | binary | 11.1 Kb | whitelisted
8552 | svchost.exe | GET | 200 | 4.231.128.59:443 | URL on the next line (settings-win.data.microsoft.com WaaSAssessment request):
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
(row above, continued) | US | binary | 5.70 Kb | whitelisted
5872 | powershell.exe | GET | 200 | 151.101.0.223:443 | https://pypi.org/pypi/isort/json | US | binary | 217 Kb | unknown
5872 | powershell.exe | GET | 200 | 140.82.121.6:443 | https://api.github.com/repos/jestjs/jest | US | binary | 6.48 Kb | unknown
5872 | powershell.exe | GET | 200 | 140.82.121.6:443 | https://api.github.com/repos/puppeteer/puppeteer/tags | US | binary | 14.0 Kb | unknown
5872 | powershell.exe | GET | 200 | 151.101.0.223:443 | https://pypi.org/pypi/wheel/json | US | binary | 111 Kb | unknown
5872 | powershell.exe | GET | 200 | 140.82.121.6:443 | https://api.github.com/repos/rust-lang/rust/releases | US | binary | 273 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation (empty cells omitted)
4 | System | 192.168.100.255:137 | Not routed | whitelisted
8552 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8068 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2.16.241.218:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted
2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
204.79.197.203:80 | oneocsp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | Not routed | whitelisted
172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
356 | svchost.exe | 20.190.160.132:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | Resolved IP(s) | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146, 51.104.136.2 | whitelisted
www.bing.com | 2.16.241.218, 2.16.241.205, 2.16.241.207 | whitelisted
google.com | 142.251.141.78 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
oneocsp.microsoft.com | 204.79.197.203 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.190.160.132, 20.190.160.20, 20.190.160.14, 40.126.32.76, 20.190.160.130, 20.190.160.22, 20.190.160.4, 20.190.160.3 | whitelisted
crl.microsoft.com | 184.24.77.14, 184.24.77.23, 184.24.77.19, 184.24.77.18, 184.24.77.22, 184.24.77.17, 184.24.77.16, 184.24.77.11, 184.24.77.15, 184.24.77.27, 184.24.77.36, 184.24.77.29, 184.24.77.38, 184.24.77.34, 184.24.77.10, 184.24.77.42, 184.24.77.12, 184.24.77.6 | whitelisted
www.microsoft.com | 23.52.181.212, 88.221.169.152 | whitelisted
pypi.org | 151.101.0.223, 151.101.64.223, 151.101.192.223, 151.101.128.223 | whitelisted

Threats

PID | Process | Class | Message
8552 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2292 | svchost.exe | Misc activity | ET TA_ABUSED_SERVICES DNS Query to Commonly Actor Abused Online Service (data-seed-prebsc-1-s1 .binance .org)
8468 | tpm2emu.exe | Misc activity | ET TA_ABUSED_SERVICES Observed Commonly Actor Abused Online Service Domain (data-seed-prebsc-1-s1 .binance .org in TLS SNI)
No debug info