Sample: y.txt (run in the sandbox as C:\Users\admin\Desktop\y.txt.ps1)

Full analysis: https://app.any.run/tasks/9bda3d93-e5a1-4729-9410-b7ff62f95234
Verdict: Malicious activity
Threats:

A loader is malware whose job is to get onto a device and deliver further payloads. Once running it typically profiles the infected system and then installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to get the user to download and run the executable, and loaders use evasion and persistence techniques to avoid detection.

Analysis date: January 19, 2025, 15:27:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

A75F9C9B5F005F2E889D9F18B607AFF7

SHA1:

82B6E40C73CC0C108388458A54BDEB31B1301F49

SHA256:

4E650ECE679C7E50C1B194B9A4E5528303224A593DCFF9512716E370B67483FB

SSDEEP:

48:DtoMKfrevZMyQWbMLcxa0dfHBvly1KrgwWbQq2mfHFujx4zg6vOCFVbVNs/jvkR+:DtoJevWyDALcMQqKqQzYEuBNsjz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6344)
  • SUSPICIOUS

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6768)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 6768)
      • powershell.exe (PID: 6344)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6344)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 6344)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 6344)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 6344)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6344)
  • INFO

    • Reads the machine GUID from the registry

      • csc.exe (PID: 6768)
    • Checks supported languages

      • csc.exe (PID: 6768)
      • cvtres.exe (PID: 6844)
      • DDMService.exe (PID: 68)
      • DDMService.exe (PID: 3224)
    • Create files in a temporary directory

      • csc.exe (PID: 6768)
      • cvtres.exe (PID: 6844)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6344)
    • Disables trace logs

      • powershell.exe (PID: 6344)
    • Checks proxy server information

      • powershell.exe (PID: 6344)
    • The process uses the downloaded file

      • powershell.exe (PID: 6344)
    • The executable file from the user directory is run by the Powershell process

      • DDMService.exe (PID: 68)
      • DDMService.exe (PID: 3224)
    • The sample compiled with english language support

      • powershell.exe (PID: 6344)
    • Creates files or folders in the user directory

      • DDMService.exe (PID: 68)
    • Reads the computer name

      • DDMService.exe (PID: 3224)
      • DDMService.exe (PID: 68)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • powershell.exe (PID: 6344)
Malware configuration: none extracted.
Screenshots: available in the full report.
Total processes: 133
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the parent-process fields of the entries below ("no specs" in the graph marks processes the report shows without an indicator set):

explorer.exe
  +-- powershell.exe (PID 6344)   -ep bypass C:\Users\admin\Desktop\y.txt.ps1
        +-- conhost.exe (PID 6376)       no specs
        +-- csc.exe (PID 6768)
        |     +-- cvtres.exe (PID 6844)  no specs
        +-- DDMService.exe (PID 68)      no specs, run from %TEMP%\extracted4_7080
        +-- DDMService.exe (PID 3224)    no specs, run from %TEMP%\extract12_9707

Process information

PID: 68
CMD: "C:\Users\admin\AppData\Local\Temp\extracted4_7080\DDMService.exe" -ExecutionPolicy Bypass
Path: C:\Users\admin\AppData\Local\Temp\extracted4_7080\DDMService.exe
Parent process: powershell.exe
User:
admin
Company:
DivX, LLC
Integrity Level:
MEDIUM
Description:
DivX Download Manager Service
Exit code:
0
Version:
1.2.0.195
Loaded images:
c:\users\admin\appdata\local\temp\extracted4_7080\ddmservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 3224
CMD: "C:\Users\admin\AppData\Local\Temp\extract12_9707\DDMService.exe" -ExecutionPolicy Bypass
Path: C:\Users\admin\AppData\Local\Temp\extract12_9707\DDMService.exe
Parent process: powershell.exe
User:
admin
Company:
DivX, LLC
Integrity Level:
MEDIUM
Description:
DivX Download Manager Service
Exit code:
0
Version:
1.2.0.195
Loaded images:
c:\users\admin\appdata\local\temp\extract12_9707\ddmservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

PID: 6344
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\y.txt.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Loaded images:
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6376
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Loaded images:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6768
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\042evepr.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Loaded images:
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

PID: 6844
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES69C9.tmp" "c:\Users\admin\AppData\Local\Temp\CSC972DF01A4B5548EFA474C43B99A55A1.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Loaded images:
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
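The chain above is what a detection engineer wants to catch in process-creation telemetry: powershell.exe started with an execution-policy bypass on a script in a user directory, csc.exe spawned by powershell.exe (the Add-Type inline-compile pattern behind the "CSC.EXE is used to compile C# code" signature), and binaries launched from %TEMP% by that same PowerShell. The following is an added example, not code from the ANY.RUN report. Its events are constructed to mirror the process information above (PIDs, images and command lines are copied from it); the explorer.exe PID and the event field names, modeled on Sysmon Event ID 1, are assumptions.

```python
"""Flag the loader's process chain in process-creation telemetry.

Added example, not part of the ANY.RUN report. EVENTS is constructed from the
report's process information; PID 1234 for explorer.exe and the field names
(modeled on Sysmon Event ID 1) are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),   # PID assumed
    ProcEvent(6344, 1234, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass '
              r"C:\Users\admin\Desktop\y.txt.ps1"),
    ProcEvent(6376, 6344, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6768, 6344, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths '
              r'@"C:\Users\admin\AppData\Local\Temp\042evepr.cmdline"'),
    ProcEvent(6844, 6768, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"),
    ProcEvent(68, 6344, r"C:\Users\admin\AppData\Local\Temp\extracted4_7080\DDMService.exe",
              r'"C:\Users\admin\AppData\Local\Temp\extracted4_7080\DDMService.exe" -ExecutionPolicy Bypass'),
    ProcEvent(3224, 6344, r"C:\Users\admin\AppData\Local\Temp\extract12_9707\DDMService.exe",
              r'"C:\Users\admin\AppData\Local\Temp\extract12_9707\DDMService.exe" -ExecutionPolicy Bypass'),
]

# powershell.exe accepts -ep as well as any unambiguous prefix of -ExecutionPolicy.
EP_BYPASS = re.compile(r"-e(?:p|x\w*)\s+bypass", re.IGNORECASE)
USER_DIR = re.compile(r"\\Users\\[^\\]+\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_findings(events):
    """Return sorted (pid, rule) pairs for the behaviours the report flags."""
    by_pid = {e.pid: e for e in events}
    findings = set()
    for e in events:
        parent = by_pid.get(e.ppid)
        parent_name = basename(parent.image) if parent else ""
        name = basename(e.image)
        if name == "powershell.exe":
            if EP_BYPASS.search(e.cmdline):
                findings.add((e.pid, "EP_BYPASS"))             # "Bypass execution policy"
            if USER_DIR.search(e.cmdline) and ".ps1" in e.cmdline.lower():
                findings.add((e.pid, "SCRIPT_FROM_USER_DIR"))
        elif EP_BYPASS.search(e.cmdline):
            # The switch only means something to powershell.exe; a DivX binary
            # receiving it (both DDMService.exe runs here) is an oddity worth a look.
            findings.add((e.pid, "PS_ARGS_ON_NON_PS"))
        if name == "csc.exe" and parent_name == "powershell.exe":
            findings.add((e.pid, "INLINE_CSC"))                # Add-Type style compile
        if TEMP_DIR.search(e.image) and parent_name == "powershell.exe":
            findings.add((e.pid, "TEMP_EXEC_FROM_PS"))         # executable from user dir run by PowerShell
    return sorted(findings)


def ancestry(events, pid):
    """Image basenames from the root of the tree down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule in find_findings(EVENTS):
        print(f"{pid:>5}  {rule:<22}  {' -> '.join(ancestry(EVENTS, pid))}")
```

conhost.exe and cvtres.exe fall through every rule, which matches the report's own verdict of "no specs" for them; csc.exe is only interesting because its parent is powershell.exe, and cvtres.exe under csc.exe is the normal compiler pipeline. Treat INLINE_CSC as a medium-confidence signal on its own (legitimate scripts use Add-Type too) and as high confidence when it co-occurs with TEMP_EXEC_FROM_PS from the same PowerShell PID.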
Total events: 6 853 (read: 6 853, write: 0, delete: 0)

Modification events: no data

Files by type: 9 executable, 12 suspicious, 5 text, 0 unknown

Dropped files (the page lists 10 entries; the counts above are higher, so this listing is partial)

PID 6344  powershell.exe  binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1357b8.TMP
  MD5:    D040F64E9E7A2BB91ABCA5613424598E
  SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID 6344  powershell.exe  text
  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wyzy3har.sh2.ps1
  MD5:    D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 6344  powershell.exe  text
  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sbvhb4q4.kin.psm1
  MD5:    D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 6344  powershell.exe  binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5:    EE73059A8EC1FDFE5FC8BFE7A7E90FC0
  SHA256: 80254392A2ECFA37258A6288B416677FDFFB73E12AAC6C315C292492046D1707

PID 6344  powershell.exe  binary
  C:\Users\admin\AppData\Local\Temp\extracted4_7080\carpentry.xlsx
  MD5:    150854E2BB76284106F6CE3EFCCF045A
  SHA256: 380DF3C27CC5BFA4EFF709A4324742B77C22B0BBDEB8B34BD0D35D875046D43C

PID 6344  powershell.exe  executable
  C:\Users\admin\AppData\Local\Temp\extracted4_7080\DivXDownloadManager.dll
  MD5:    A702C7D1EAE9FB1DAEE6DB31BFA00E33
  SHA256: 3EFFDB2BD4582993DCDC0D0A87C61BB42517115B86245BD9BF17F44FE876F406

PID 6344  powershell.exe  executable
  C:\Users\admin\AppData\Local\Temp\extracted4_7080\msvcp80.dll
  MD5:    272A9E637ADCAF30B34EA184F4852836
  SHA256: 35B15B78C31111DB4FA11D9C9CAD3A6F22C92DAA5E6F069DC455E72073266CC4

PID 6768  csc.exe  executable
  C:\Users\admin\AppData\Local\Temp\042evepr.dll
  MD5:    F872080B7B7DA4FDDCAFC93B4CBC1171
  SHA256: BCDC04255FFAEC38F28ED8171ED765036E8C64195C4D124E443C13598F09F45E

PID 6768  csc.exe  text
  C:\Users\admin\AppData\Local\Temp\042evepr.out
  MD5:    596F4189B8B9888D0BA5493B28937C3A
  SHA256: DA0D2FC49E4CC6B2374F5DD2E420BEA630B9BCCA14BE8FB32DB2CD05BA5BD21A

PID 6344  powershell.exe  compressed
  C:\Users\admin\AppData\Local\Temp\downloaded12.zip
  MD5:    683234A388B0CE0EBE8E0E81A4496AA6
  SHA256: B7A449C3E8B5F239C43139B46BCA90364870F1A1D4281EED645ED85EAFE5F131
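Not every dropped file in that listing is an indicator. The two __PSScriptPolicyTest_* files are written by PowerShell itself at startup to probe script-policy enforcement (both hash identically because they hold the same one-line content), and the CustomDestinations entries are Explorer jump-list data. What an analyst wants from the list is the staging directories, the DLLs that were dropped next to the executable PowerShell then launched (DDMService.exe in extracted4_7080, alongside DivXDownloadManager.dll and msvcp80.dll), and the hashes that remain after host noise is removed. The following is an added example, not code from the ANY.RUN report: the rows are copied from the listing above (MD5s omitted), EXECUTED is taken from the process information, and the noise rules and the sibling-DLL check are this example's own assumptions. The report does not say whether DDMService.exe loaded the DLL beside it; the check only surfaces the question.

```python
"""Triage the report's dropped-file listing.

Added example, not part of the ANY.RUN report. ROWS is copied from the
report's "Dropped files" section (pid, process, path, type, sha256);
EXECUTED is the pair of binaries the report shows powershell.exe launching
from %TEMP%. The noise rules are this example's assumptions.
"""
import re
from collections import defaultdict

T = r"C:\Users\admin\AppData\Local\Temp"
ROWS = [
    (6344, "powershell.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1357b8.TMP",
     "binary", "D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670"),
    (6344, "powershell.exe", T + r"\__PSScriptPolicyTest_wyzy3har.sh2.ps1",
     "text", "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7"),
    (6344, "powershell.exe", T + r"\__PSScriptPolicyTest_sbvhb4q4.kin.psm1",
     "text", "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7"),
    (6344, "powershell.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms",
     "binary", "80254392A2ECFA37258A6288B416677FDFFB73E12AAC6C315C292492046D1707"),
    (6344, "powershell.exe", T + r"\extracted4_7080\carpentry.xlsx",
     "binary", "380DF3C27CC5BFA4EFF709A4324742B77C22B0BBDEB8B34BD0D35D875046D43C"),
    (6344, "powershell.exe", T + r"\extracted4_7080\DivXDownloadManager.dll",
     "executable", "3EFFDB2BD4582993DCDC0D0A87C61BB42517115B86245BD9BF17F44FE876F406"),
    (6344, "powershell.exe", T + r"\extracted4_7080\msvcp80.dll",
     "executable", "35B15B78C31111DB4FA11D9C9CAD3A6F22C92DAA5E6F069DC455E72073266CC4"),
    (6768, "csc.exe", T + r"\042evepr.dll",
     "executable", "BCDC04255FFAEC38F28ED8171ED765036E8C64195C4D124E443C13598F09F45E"),
    (6768, "csc.exe", T + r"\042evepr.out",
     "text", "DA0D2FC49E4CC6B2374F5DD2E420BEA630B9BCCA14BE8FB32DB2CD05BA5BD21A"),
    (6344, "powershell.exe", T + r"\downloaded12.zip",
     "compressed", "B7A449C3E8B5F239C43139B46BCA90364870F1A1D4281EED645ED85EAFE5F131"),
]
EXECUTED = [T + r"\extracted4_7080\DDMService.exe", T + r"\extract12_9707\DDMService.exe"]

# Host noise: Explorer jump lists (written by any process that opens files) and
# PowerShell's own script-policy probe files. Neither carries payload.
NOISE = (
    re.compile(r"\\Recent\\CustomDestinations\\", re.IGNORECASE),
    re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.psm?1$", re.IGNORECASE),
)


def is_host_noise(path):
    return any(p.search(path) for p in NOISE)


def dirname(path):
    return path.rsplit("\\", 1)[0]


def filename(path):
    return path.rsplit("\\", 1)[1]


def staging_dirs(rows):
    """Directory -> files dropped there, with host noise removed."""
    out = defaultdict(list)
    for _pid, _proc, path, _type, _sha in rows:
        if not is_host_noise(path):
            out[dirname(path)].append(filename(path))
    return dict(out)


def sibling_dlls(rows, executed):
    """For each launched binary, the DLLs dropped into the same directory.

    A vendor-named DLL dropped beside a vendor executable that PowerShell then
    runs is the question to ask about side-loading; the report itself does not
    show what DDMService.exe loaded.
    """
    out = {}
    for exe in executed:
        d = dirname(exe).lower()
        out[exe] = sorted(filename(p) for _, _, p, t, _ in rows
                          if t == "executable" and dirname(p).lower() == d
                          and p.lower().endswith(".dll"))
    return out


def hash_iocs(rows):
    """SHA256 -> filename for the executable and archive drops only."""
    return {sha: filename(p) for _, _, p, t, sha in rows
            if not is_host_noise(p) and t in ("executable", "compressed")}


if __name__ == "__main__":
    for d, files in staging_dirs(ROWS).items():
        print(d, files)
    print(sibling_dlls(ROWS, EXECUTED))
    print(hash_iocs(ROWS))
```

Two caveats before the hashes go into a blocklist. The report labels DDMService.exe as a DivX, LLC binary; DivXDownloadManager.dll and msvcp80.dll may equally be the vendor's own files, so check them against a known-good DivX install before treating their hashes as malicious on their own (downloaded12.zip and the csc.exe output 042evepr.dll are the run-specific artifacts). And the page shows only ten loaded images per process, all system DLLs for PID 68, so whether DivXDownloadManager.dll was actually loaded has to come from the full report or a rerun with module-load logging.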
Network summary: 6 HTTP(S) requests, 27 TCP/UDP connections, 14 DNS requests, 2 threats

HTTP requests

PID | Process | Method | HTTP code | IP | URL | Reputation (the CN, Type and Size columns were not populated)
1176 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | whitelisted
6344 | powershell.exe | GET | 200 | 104.21.32.1:80 | http://securesolutions.cyou/9237465/v572t4y9h.zip | unknown
6344 | powershell.exe | GET | 200 | 104.21.32.1:80 | http://securesolutions.cyou/9237465/5fyt429736h.zip | unknown
6368 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | whitelisted
4716 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | whitelisted
4716 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1076 | svchost.exe | 23.35.238.131:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1176 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
6344 | powershell.exe | 104.21.32.1:80 | securesolutions.cyou | CLOUDFLARENET | - | unknown
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2632 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.68
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.134
whitelisted
securesolutions.cyou
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.96.1
unknown
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID | Process | Class | Message
6344 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
6344 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
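The only network indicator that is specific to this sample is the domain securesolutions.cyou and its two zip URLs; the ET rule that fired is informational (PowerShell's web cmdlets announce themselves in the User-Agent) and is classed "Not Suspicious Traffic" for that reason. The DNS section also shows why the resolved addresses make poor indicators: the domain answered with seven 104.21.x.1 addresses in CLOUDFLARENET, which are anycast front ends shared with unrelated sites. The following is an added example, not code from the ANY.RUN report. The IOCs are copied from the report; the proxy and DNS log lines, the log layout, the internal client addresses, the host other-site.example sharing a Cloudflare address, and the PowerShell User-Agent string are all constructed for this example.

```python
"""Match this report's network IOCs against proxy and DNS logs.

Added example, not part of the ANY.RUN report. IOC values are copied from the
report; PROXY_LOG, DNS_LOG, their column layout and every client address are
constructed for this example. 104.16.0.0/13 is Cloudflare's published range
that contains all seven resolved addresses (report ASN: CLOUDFLARENET).
"""
import ipaddress
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {"securesolutions.cyou"}
IOC_URLS = {
    "http://securesolutions.cyou/9237465/v572t4y9h.zip",
    "http://securesolutions.cyou/9237465/5fyt429736h.zip",
}
IOC_IPS = {"104.21.32.1", "104.21.64.1", "104.21.16.1", "104.21.112.1",
           "104.21.48.1", "104.21.80.1", "104.21.96.1"}
SHARED_CDN = ipaddress.ip_network("104.16.0.0/13")

# Token the ET INFO "Windows Powershell User-Agent Usage" rule keys on.
PS_UA = re.compile(r"WindowsPowerShell/")

# Constructed: ts client dst_ip method url status user_agent
PROXY_LOG = """\
2025-01-19T15:27:41Z 10.0.0.25 104.21.32.1 GET http://securesolutions.cyou/9237465/v572t4y9h.zip 200 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2025-01-19T15:27:44Z 10.0.0.25 104.21.32.1 GET http://securesolutions.cyou/9237465/5fyt429736h.zip 200 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1
2025-01-19T15:28:02Z 10.0.0.31 104.21.32.1 GET http://other-site.example/news 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
2025-01-19T15:29:10Z 10.0.0.40 2.17.190.73 GET http://ocsp.digicert.com/MFEw 200 Microsoft-CryptoAPI/10.0
"""

# Constructed: ts client qname answer
DNS_LOG = """\
2025-01-19T15:27:40Z 10.0.0.25 securesolutions.cyou 104.21.32.1
2025-01-19T15:27:40Z 10.0.0.25 securesolutions.cyou 104.21.64.1
2025-01-19T15:31:05Z 10.0.0.52 cdn.securesolutions.cyou 104.21.16.1
2025-01-19T15:31:09Z 10.0.0.52 www.microsoft.com 184.30.21.171
"""


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def ioc_domain_hit(host):
    """Exact match or any subdomain of an IOC domain."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def parse_proxy(log):
    for line in log.splitlines():
        ts, client, dst, method, url, status, ua = line.split(" ", 6)
        yield {"ts": ts, "client": client, "dst": dst, "url": url, "ua": ua}


def match_by_ip(log):
    """IP-only matching: also hits every other tenant behind the same anycast address."""
    return [r for r in parse_proxy(log) if r["dst"] in IOC_IPS]


def match_by_domain(log):
    """URL/domain matching, with the PowerShell UA recorded as context only."""
    hits = []
    for r in parse_proxy(log):
        reasons = []
        if r["url"] in IOC_URLS:
            reasons.append("ioc-url")
        if ioc_domain_hit(host_of(r["url"])):
            reasons.append("ioc-domain")
        if reasons and PS_UA.search(r["ua"]):
            reasons.append("powershell-ua")   # never a hit on its own
        if reasons:
            hits.append({**r, "reasons": reasons})
    return hits


def shared_cdn(ip):
    """True when blocking this address would also block unrelated CDN tenants."""
    return ipaddress.ip_address(ip) in SHARED_CDN


def match_dns(log):
    hits = set()
    for line in log.splitlines():
        _ts, client, qname, _answer = line.split()
        if ioc_domain_hit(qname.lower()):
            hits.add((client, qname))
    return sorted(hits)


if __name__ == "__main__":
    print("by ip:    ", [(r["client"], r["url"]) for r in match_by_ip(PROXY_LOG)])
    print("by domain:", [(r["client"], r["reasons"]) for r in match_by_domain(PROXY_LOG)])
    print("dns:      ", match_dns(DNS_LOG))
```

Running it shows the difference: the IP match returns the unrelated Chrome request to other-site.example alongside the two zip downloads, the domain match returns only the two downloads from 10.0.0.25, and the DNS match adds a second host that resolved a subdomain of the IOC domain. Block and alert on the domain (and the two URLs where a proxy can see them); treat the 104.21.x.1 addresses as context that `shared_cdn` flags as unsafe to block outright.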