Sample: /y.txt

Full analysis: https://app.any.run/tasks/9bda3d93-e5a1-4729-9410-b7ff62f95234
Verdict: Malicious activity
Threats:

A loader is malicious software whose job is to get onto a device and deliver further payloads. Once running it typically profiles the host (OS, installed software, user context) and then installs other threats such as trojans or stealers. Loaders are usually delivered through phishing emails and links that rely on social engineering to get the user to download and run them, and they use evasion and persistence techniques to stay undetected.

Analysis date: January 19, 2025, 15:27:00
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: A75F9C9B5F005F2E889D9F18B607AFF7
SHA1: 82B6E40C73CC0C108388458A54BDEB31B1301F49
SHA256: 4E650ECE679C7E50C1B194B9A4E5528303224A593DCFF9512716E370B67483FB
SSDEEP: 48:DtoMKfrevZMyQWbMLcxa0dfHBvly1KrgwWbQq2mfHFujx4zg6vOCFVbVNs/jvkR+:DtoJevWyDALcMQqKqQzYEuBNsjz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6344)
  • SUSPICIOUS

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6768)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 6768)
      • powershell.exe (PID: 6344)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6344)
    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 6344)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 6344)
    • The process drops C-runtime libraries

      • powershell.exe (PID: 6344)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6344)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 6344)
    • Checks supported languages

      • cvtres.exe (PID: 6844)
      • csc.exe (PID: 6768)
      • DDMService.exe (PID: 68)
      • DDMService.exe (PID: 3224)
    • Checks proxy server information

      • powershell.exe (PID: 6344)
    • Create files in a temporary directory

      • cvtres.exe (PID: 6844)
      • csc.exe (PID: 6768)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 6768)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6344)
    • The executable file from the user directory is run by the Powershell process

      • DDMService.exe (PID: 68)
      • DDMService.exe (PID: 3224)
    • The process uses the downloaded file

      • powershell.exe (PID: 6344)
    • The sample compiled with english language support

      • powershell.exe (PID: 6344)
    • Creates files or folders in the user directory

      • DDMService.exe (PID: 68)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • powershell.exe (PID: 6344)
    • Reads the computer name

      • DDMService.exe (PID: 68)
      • DDMService.exe (PID: 3224)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
133
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

powershell.exe (PID 6344)
    conhost.exe (PID 6376, no specs)
    csc.exe (PID 6768)
        cvtres.exe (PID 6844, no specs)
    DDMService.exe (PID 68, no specs)
    DDMService.exe (PID 3224, no specs)

Process information

PID: 68
CMD: "C:\Users\admin\AppData\Local\Temp\extracted4_7080\DDMService.exe" -ExecutionPolicy Bypass
Path: C:\Users\admin\AppData\Local\Temp\extracted4_7080\DDMService.exe
Parent process: powershell.exe
Note: -ExecutionPolicy Bypass is a PowerShell switch. It means nothing to a DivX binary, but a PowerShell-only argument on a non-PowerShell image launched from %TEMP% is a cheap and specific tell for this chain.
User:
admin
Company:
DivX, LLC
Integrity Level:
MEDIUM
Description:
DivX Download Manager Service
Exit code:
0
Version:
1.2.0.195
Modules
Images
c:\users\admin\appdata\local\temp\extracted4_7080\ddmservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 3224
CMD: "C:\Users\admin\AppData\Local\Temp\extract12_9707\DDMService.exe" -ExecutionPolicy Bypass
Path: C:\Users\admin\AppData\Local\Temp\extract12_9707\DDMService.exe
Parent process: powershell.exe
User:
admin
Company:
DivX, LLC
Integrity Level:
MEDIUM
Description:
DivX Download Manager Service
Exit code:
0
Version:
1.2.0.195
Modules
Images
c:\users\admin\appdata\local\temp\extract12_9707\ddmservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 6344
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\y.txt.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
Note: the submitted y.txt is a plain-text PowerShell script; the sandbox launched it as y.txt.ps1 with -ep bypass, which is the "Bypass execution policy" signature above. Every other monitored process in this trace descends from this one.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6376
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6768
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\042evepr.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 6844
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES69C9.tmp" "c:\Users\admin\AppData\Local\Temp\CSC972DF01A4B5548EFA474C43B99A55A1.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
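The process table above contains everything needed to detect this chain on an endpoint: a PowerShell started with the execution policy bypassed, csc.exe compiled by that PowerShell (the Add-Type build step behind the "reflection assembly loader" YARA hit), and an executable launched from %TEMP%. The following Python is an added example, not ANY.RUN's code or anything from the sample. The events are constructed from the Process information table; the Sysmon Event ID 1-style field names and the rule names are assumptions of this example.

```python
"""Process-tree triage for the loader chain in this report (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the new process
    cmdline: str
    parent_image: str  # path or basename of the parent


SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
COMPILERS = {"csc.exe", "vbc.exe", "jsc.exe"}   # Add-Type / in-memory assembly build step
# Directories a standard user can write to; %TEMP% is what this sample used.
USER_WRITABLE = re.compile(
    r"(?:\\users\\[^\\]+\\appdata\\(?:local\\temp|roaming)|\\programdata|\\users\\public)\\", re.I)
# -ep / -ex / -exec / -ExecutionPolicy followed by Bypass
PS_BYPASS = re.compile(r"(?:^|\s)-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return {pid: sorted rule names} for every event that trips at least one rule."""
    hits = {}
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        rules = []
        if img in SCRIPT_HOSTS and PS_BYPASS.search(ev.cmdline):
            rules.append("powershell_executionpolicy_bypass")
        if img in COMPILERS and parent in SCRIPT_HOSTS:
            rules.append("compiler_spawned_by_script_host")
        if parent in SCRIPT_HOSTS and img.endswith(".exe") and USER_WRITABLE.search(ev.image):
            rules.append("script_host_runs_exe_from_user_writable_dir")
        if img not in SCRIPT_HOSTS and PS_BYPASS.search(ev.cmdline):
            # DDMService.exe received "-ExecutionPolicy Bypass": a PowerShell-only switch on a
            # non-PowerShell image. Meaningless to that binary, but a specific tell for this chain.
            rules.append("powershell_switch_on_non_powershell_image")
        if rules:
            hits[ev.pid] = sorted(rules)
    return hits


def is_loader_chain(hits):
    """True when bypass, compile and user-dir execution all appear in one trace."""
    seen = {r for rules in hits.values() for r in rules}
    return {"powershell_executionpolicy_bypass", "compiler_spawned_by_script_host",
            "script_host_runs_exe_from_user_writable_dir"} <= seen


# Constructed from the Process information table in this report (PIDs, parents, command lines).
SAMPLE_EVENTS = [
    ProcEvent(6344, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\y.txt.ps1',
              "explorer.exe"),
    ProcEvent(6376, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", "powershell.exe"),
    ProcEvent(6768, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\042evepr.cmdline"',
              "powershell.exe"),
    ProcEvent(6844, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES69C9.tmp" "c:\Users\admin\AppData\Local\Temp\CSC972DF01A4B5548EFA474C43B99A55A1.TMP"',
              "csc.exe"),
    ProcEvent(68, r"C:\Users\admin\AppData\Local\Temp\extracted4_7080\DDMService.exe",
              r'"C:\Users\admin\AppData\Local\Temp\extracted4_7080\DDMService.exe" -ExecutionPolicy Bypass',
              "powershell.exe"),
    ProcEvent(3224, r"C:\Users\admin\AppData\Local\Temp\extract12_9707\DDMService.exe",
              r'"C:\Users\admin\AppData\Local\Temp\extract12_9707\DDMService.exe" -ExecutionPolicy Bypass',
              "powershell.exe"),
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for pid, rules in sorted(found.items()):
        print(pid, ", ".join(rules))
    print("loader chain:", is_loader_chain(found))
```

conhost.exe and cvtres.exe trip nothing: conhost lives in System32 and cvtres is a normal child of csc.exe. The chain verdict deliberately requires all three stages in one trace, because csc.exe under PowerShell on its own is common in administrative scripts that use Add-Type.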
Total events
6 853
Read events
6 853
Write events
0
Delete events
0

Modification events

No data
Executable files
9
Suspicious files
12
Text files
5
Unknown types
0

Dropped files

PID 6344 powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3QQK4I85BLKCCRY1K2CM.temp
  MD5: EE73059A8EC1FDFE5FC8BFE7A7E90FC0
  SHA256: 80254392A2ECFA37258A6288B416677FDFFB73E12AAC6C315C292492046D1707

PID 6344 powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1357b8.TMP
  MD5: D040F64E9E7A2BB91ABCA5613424598E
  SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670

PID 6344 powershell.exe, text
  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sbvhb4q4.kin.psm1
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 6344 powershell.exe, compressed
  C:\Users\admin\AppData\Local\Temp\downloaded12.zip
  MD5: 683234A388B0CE0EBE8E0E81A4496AA6
  SHA256: B7A449C3E8B5F239C43139B46BCA90364870F1A1D4281EED645ED85EAFE5F131

PID 6344 powershell.exe, binary
  C:\Users\admin\AppData\Local\Temp\extract12_9707\cardinalpriest.zip
  MD5: 2FFAB8BDD73349A389085F157723C8CD
  SHA256: 134891B4E6679CCB06A0924A393AC8A3DD84A25F42EC9B8A58EC0F0D2E47C0E0

PID 6844 cvtres.exe, binary
  C:\Users\admin\AppData\Local\Temp\RES69C9.tmp
  MD5: 9C8210DD73A0B4A32AB26A7484171A9A
  SHA256: D2FD95805464FD16F2F70088BB1D57F5522282DDA78D2589313E6372FB135475

PID 6344 powershell.exe, text
  C:\Users\admin\AppData\Local\Temp\042evepr.0.cs
  MD5: 7EF2DC814F5C082336D1FBE487A53299
  SHA256: 89BDFB37BAD7981CB859D457C6DA2AC99D1F6B3C8C3324B46C569F2CEC1124B3

PID 6344 powershell.exe, text
  C:\Users\admin\AppData\Local\Temp\042evepr.cmdline
  MD5: 9B8F6433DCBBED7808018C5280CDA7D5
  SHA256: 89FE1F6D8E815796DB453E89C17ED60A6FC60C73FDA1E21591D73B33D3207ED9

PID 6344 powershell.exe, binary
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: EE73059A8EC1FDFE5FC8BFE7A7E90FC0
  SHA256: 80254392A2ECFA37258A6288B416677FDFFB73E12AAC6C315C292492046D1707

PID 6344 powershell.exe, text
  C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wyzy3har.sh2.ps1
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

Not every entry above is a payload. The __PSScriptPolicyTest_* files are written by PowerShell itself on every start to probe whether AppLocker/WDAC script enforcement is active, and the CustomDestinations files are jump-list bookkeeping for the PowerShell shortcut; both appear in benign traces. The loader-specific drops are downloaded12.zip, the extract12_9707\cardinalpriest.zip stage, and the csc.exe build artefacts (042evepr.0.cs, 042evepr.cmdline and the cvtres.exe output RES69C9.tmp), which together record the Add-Type compile.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
27
DNS requests
14
Threats
2

HTTP requests

PID 1176 svchost.exe: GET 200 from 2.17.190.73:80
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
  Type: unknown, Reputation: whitelisted

PID 6344 powershell.exe: GET 200 from 104.21.32.1:80
  http://securesolutions.cyou/9237465/v572t4y9h.zip
  Type: unknown, Reputation: unknown

PID 6344 powershell.exe: GET 200 from 104.21.32.1:80
  http://securesolutions.cyou/9237465/5fyt429736h.zip
  Type: unknown, Reputation: unknown

PID 4716 SIHClient.exe: GET 200 from 184.30.21.171:80
  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
  Type: unknown, Reputation: whitelisted

PID 4716 SIHClient.exe: GET 200 from 184.30.21.171:80
  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
  Type: unknown, Reputation: whitelisted

PID 6368 backgroundTaskHost.exe: GET 200 from 2.17.190.73:80
  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
  Type: unknown, Reputation: whitelisted

Connections

PID   Process              IP:port               Domain                           ASN                          CN  Reputation
4     System               192.168.100.255:138   -                                -                            -   whitelisted
4712  MoUsoCoreWorker.exe  51.124.78.146:443     -                                MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
4712  MoUsoCoreWorker.exe  51.124.78.146:443     -                                MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
1076  svchost.exe          23.35.238.131:443     go.microsoft.com                 AKAMAI-AS                    DE  whitelisted
1176  svchost.exe          20.190.160.20:443     login.live.com                   MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
1176  svchost.exe          2.17.190.73:80        ocsp.digicert.com                AKAMAI-AS                    DE  whitelisted
6344  powershell.exe       104.21.32.1:80        securesolutions.cyou             CLOUDFLARENET                -   unknown
4712  MoUsoCoreWorker.exe  20.73.194.208:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
4     System               192.168.100.255:137   -                                -                            -   whitelisted
2632  svchost.exe          20.73.194.208:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.68
  • 40.126.32.76
  • 40.126.32.74
  • 40.126.32.138
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.134
whitelisted
securesolutions.cyou
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.96.1
unknown
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

PID   Process         Class                   Message
6344  powershell.exe  Not Suspicious Traffic  ET INFO Windows Powershell User-Agent Usage
6344  powershell.exe  Not Suspicious Traffic  ET INFO Windows Powershell User-Agent Usage

Both hits belong to the two zip downloads from securesolutions.cyou by PID 6344. The signature fires on the default User-Agent of PowerShell's web cmdlets and is informational by design (hence the "Not Suspicious Traffic" class); what makes these two requests worth acting on is the destination, a domain with no reputation behind Cloudflare, combined with the process that made them, not the signature itself.
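On the network side the report gives a domain, two download URLs, a set of Cloudflare anycast addresses and the PowerShell User-Agent tell behind the two ET INFO hits. The following Python turns those into a proxy-log check and shows why the four kinds of match deserve different severities. It is an added example, not ANY.RUN or Emerging Threats code: the log lines and their format are constructed for this example, and the User-Agent string in them is the default one Windows PowerShell 5.1 web cmdlets send (an assumption of this example, chosen to illustrate what the ET INFO signature keys on).

```python
"""Match this report's network IOCs against web-proxy log lines (added example)."""
import re
from urllib.parse import urlsplit

# IOCs copied from the HTTP requests and DNS tables of this report.
IOC_DOMAINS = {"securesolutions.cyou"}
IOC_URLS = {
    "http://securesolutions.cyou/9237465/v572t4y9h.zip",
    "http://securesolutions.cyou/9237465/5fyt429736h.zip",
}
# The 104.21.x.1 answers are Cloudflare-fronted and shared with unrelated sites,
# so an IP-only match is context, not a verdict.
IOC_IPS = {"104.21.32.1", "104.21.64.1", "104.21.16.1", "104.21.112.1",
           "104.21.48.1", "104.21.80.1", "104.21.96.1"}

# What "ET INFO Windows Powershell User-Agent Usage" keys on: the default
# User-Agent of PowerShell's web cmdlets contains "WindowsPowerShell/".
PS_UA = re.compile(r"WindowsPowerShell/\d", re.I)

# Constructed log format for this example: <ts> <client> <method> <url> <status> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": host, "status": int(status), "ua": ua}


def classify(rec):
    """Sorted list of IOC tags for a parsed record."""
    tags = set()
    if rec["url"] in IOC_URLS:
        tags.add("ioc_url")
    if any(rec["host"] == d or rec["host"].endswith("." + d) for d in IOC_DOMAINS):
        tags.add("ioc_domain")            # covers subdomains of the IOC domain too
    if rec["host"] in IOC_IPS:
        tags.add("ioc_ip_shared_cdn")     # literal-IP request to a shared CDN address
    if PS_UA.search(rec["ua"]):
        tags.add("powershell_user_agent")
    return sorted(tags)


def severity(tags):
    if "ioc_url" in tags or "ioc_domain" in tags:
        return "high"
    if "ioc_ip_shared_cdn" in tags:
        return "medium" if "powershell_user_agent" in tags else "low"
    if "powershell_user_agent" in tags:
        return "info"   # same class the report gives the ET INFO signature on its own
    return "none"


def scan(lines):
    """(line index, severity, tags) for every parseable line with at least one tag."""
    out = []
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            out.append((i, severity(tags), tags))
    return out


# Constructed sample log; line 0 mirrors the first zip download in this report.
SAMPLE_LOG = [
    '2025-01-19T15:27:41Z 10.0.0.25 GET http://securesolutions.cyou/9237465/v572t4y9h.zip 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2025-01-19T15:27:43Z 10.0.0.25 GET http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl 200 "Microsoft-CryptoAPI/10.0"',
    '2025-01-19T15:28:02Z 10.0.0.31 GET http://cdn.securesolutions.cyou/update.bin 404 "Mozilla/5.0"',
    '2025-01-19T15:28:10Z 10.0.0.31 GET https://www.google.com/ 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2025-01-19T15:28:15Z 10.0.0.40 GET http://104.21.32.1/9237465/5fyt429736h.zip 200 "curl/8.5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for idx, sev, tags in scan(SAMPLE_LOG):
        print(idx, sev, tags)
```

The domain match is the durable indicator here: the two URLs can be rotated per victim (the paths are random-looking) and the IPs belong to Cloudflare, so blocking on either alone is brittle, while the PowerShell User-Agent by itself is exactly as informational as the report's own classification says.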
No debug info