File name:

loader2.ps1

Full analysis: https://app.any.run/tasks/28be8706-a88c-4273-b315-bde7bb7eca1e
Verdict: Malicious activity
Analysis date: April 18, 2025, 07:23:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text
MD5:

754021A1FB8AA76C3D927EF703C6A1D5

SHA1:

6274C55A38A1CC0FFEFEC7FBB0F07ADCC5ACEF2D

SHA256:

572642F19DDC0B0B231EAE1EEE3824B4EAB443368498DB9D3610861FA899640C

SSDEEP:

48:Mf9HKnXzDwDlZI9B2mfa+zfbG+YahmtI51gLE:MF9GpfRzfRYNt41l

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4224)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 4224)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 4224)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 4224)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 4224)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4224)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 5608)
      • csc.exe (PID: 6768)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 5608)
      • csc.exe (PID: 6768)

    • Connects to unusual port

      • powershell.exe (PID: 4224)

    • Connects to the server without a host name

      • powershell.exe (PID: 4224)

  • INFO

    • Disables trace logs

      • powershell.exe (PID: 4224)

    • Checks proxy server information

      • powershell.exe (PID: 4224)

    • Checks supported languages

      • csc.exe (PID: 5608)
      • cvtres.exe (PID: 5008)
      • csc.exe (PID: 6768)
      • cvtres.exe (PID: 4776)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 5608)
      • csc.exe (PID: 6768)

    • Create files in a temporary directory

      • csc.exe (PID: 5608)
      • cvtres.exe (PID: 5008)
      • cvtres.exe (PID: 4776)
      • csc.exe (PID: 6768)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4224)

    • Reads the software policy settings

      • slui.exe (PID: 7152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
9
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4224"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\loader2.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4620C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
4776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC304.tmp" "c:\Users\admin\AppData\Local\Temp\CSCC6C2015B7A0F4389B61CC4526135B9D2.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
4920C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC20A.tmp" "c:\Users\admin\AppData\Local\Temp\CSCA4C8E8534670484380236B75F2D18E.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1_clr0400.dll
5608"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\xosyzrdh.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
6436\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6768"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\j5vhitzb.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
7152"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
7 609
Read events
7 609
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
7
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
4224powershell.exeC:\Users\admin\AppData\Local\Temp\j5vhitzb.0.cstext
MD5:C395ADB422EEDB33AE024D833117DF7E
SHA256:D308D2C91CFA3925EC5200DC34B41ECE26A8CE2588B98AFD3050EF3A061B7F2D
4224powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IQDPHNCNXJDCC3TBDSUA.tempbinary
MD5:33222A03B4B52B0E4634BED6343F2497
SHA256:5E9C1D512EE7D719D2FCF542889D95ADD2A47B9969D590F99E095664FEE84C3A
4224powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:33222A03B4B52B0E4634BED6343F2497
SHA256:5E9C1D512EE7D719D2FCF542889D95ADD2A47B9969D590F99E095664FEE84C3A
4224powershell.exeC:\Users\admin\AppData\Local\Temp\xosyzrdh.cmdlinetext
MD5:676D78BC38691EACAE87A40147E48360
SHA256:C625FD7EEB96A8D64A2058840DC2E9690077A949B4D6B606469C76D68B86EBA6
4224powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ti4ui5wo.0cv.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4224powershell.exeC:\Users\admin\AppData\Local\Temp\xosyzrdh.0.cstext
MD5:9B6C82997DB035DDD077B5960A13D19A
SHA256:D9DFBB8B732F54F4E863DE056CDC94F141B340690A7426FADCF972D9D045F925
4224powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10b519.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
5008cvtres.exeC:\Users\admin\AppData\Local\Temp\RESC20A.tmpbinary
MD5:9C207D32E567050E2DD3D11018352861
SHA256:EE9C9074CFD0BE21DD6D9BB9318B465BA0AB0146B9F9ABF5BF1457D90C4F1F7B
4776cvtres.exeC:\Users\admin\AppData\Local\Temp\RESC304.tmpbinary
MD5:31CA7E12AC0BB0A92894D2C4442E9C80
SHA256:C694CCE7D9B58CCC44012909084197E7E899F8CAAF7F85CCDA1C930EB26E8A73
6768csc.exeC:\Users\admin\AppData\Local\Temp\j5vhitzb.outtext
MD5:30A11BB4CDC744EA9C3AD24F7F717EAA
SHA256:F301B218263044A18C5D7401D92AD00899B41754B80B65C81A049CC401C8E412
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
66
DNS requests
15
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.106:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4224
powershell.exe
GET
200
212.227.245.12:80
http://212.227.245.12/payload2.bin
unknown
malicious
5064
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.164.106:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4224
powershell.exe
212.227.245.12:80
IONOS SE
DE
malicious
4224
powershell.exe
85.215.173.244:8000
Strato AG
DE
unknown
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.72
  • 2.16.164.81
  • 2.16.164.89
  • 2.16.164.49
  • 2.16.164.51
  • 2.16.164.43
  • 2.16.164.98
  • 2.16.164.40
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.67
  • 40.126.31.131
  • 40.126.31.2
  • 20.190.159.129
  • 20.190.159.71
  • 40.126.31.0
  • 20.190.159.68
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
4224
powershell.exe
A Network Trojan was detected
ET MALWARE HTTP Request to URL Ending in Payload .bin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
loader2.ps1