File name:

BLACKSHEEP.ps1

Full analysis: https://app.any.run/tasks/c9b75e01-79dc-43d2-855a-2ca404a439cb
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 17:21:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (2261), with no line terminators
MD5:

80C74D8CD0FFD40C1DE676ADF5A11498

SHA1:

755FCC7F716321589D300E361343E24514AE032D

SHA256:

D0627AB546AA43CB2C59B874B770CB50AB76456972002443533DADD3BA6AE43E

SSDEEP:

48:tmq1xstdFURTjF3gNZE+KbyN580NkzKzwou4:tWITh4/lN5rNMis4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6652)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 6172)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6172)

    • Connects to the server without a host name

      • powershell.exe (PID: 6652)

    • Process requests binary or script from the Internet

      • powershell.exe (PID: 6652)

  • INFO

    • Reads the machine GUID from the registry

      • csc.exe (PID: 6172)

    • Create files in a temporary directory

      • csc.exe (PID: 6172)
      • cvtres.exe (PID: 3888)

    • Checks supported languages

      • csc.exe (PID: 6172)
      • cvtres.exe (PID: 3888)

    • Disables trace logs

      • powershell.exe (PID: 6652)

    • Checks proxy server information

      • powershell.exe (PID: 6652)
      • slui.exe (PID: 5724)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6652)

    • Reads the software policy settings

      • slui.exe (PID: 5724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs csc.exe cvtres.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
3652\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES7436.tmp" "c:\Users\admin\AppData\Local\Temp\CSCB846FA767D7467A8378A8C7C4612D37.TMP"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_clr0400.dll
5724C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6172"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\bv2fn22y.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
6652"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\BLACKSHEEP.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
10 885
Read events
10 885
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
6
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6652powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z1AAGQWUJAJRVUSNMULO.tempbinary
MD5:319481B42E0BCA05D50EC9167A1A7631
SHA256:5005C0E24C991F14D6FC0D3D467B09F90AF6CAC4347F01A724ED7E5AC2CEDE5A
6652powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:319481B42E0BCA05D50EC9167A1A7631
SHA256:5005C0E24C991F14D6FC0D3D467B09F90AF6CAC4347F01A724ED7E5AC2CEDE5A
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vzt02u3r.aun.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652powershell.exeC:\Users\admin\AppData\Local\Temp\bv2fn22y.cmdlinetext
MD5:14BEA99806BEBDB4DA538739BCC46A6E
SHA256:83536EE24A7071CF87B5F9AFA9AFF24CC9A79784C57F17F1FF40195F88231386
3888cvtres.exeC:\Users\admin\AppData\Local\Temp\RES7436.tmpbinary
MD5:958FD929D3076CE4CFB13B846BF1D2B2
SHA256:E72F27E5EFB85E22F93AC29BE76C006BB58A904D41796C8F096FA9CACAAFE58E
6172csc.exeC:\Users\admin\AppData\Local\Temp\bv2fn22y.outtext
MD5:FA4139089953A0EC2B6D4659970755D2
SHA256:8D44B867AE8E7DA903CE60D17F4707287D03870B8F7D501CB88C6C83E1B66312
6172csc.exeC:\Users\admin\AppData\Local\Temp\bv2fn22y.dllexecutable
MD5:F7B97674AA2CCCDDE052C804A27E0E66
SHA256:D3E45D645A7116E7C6C8DD54476EC6E9409BB48CF731066937116225272A239D
6652powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v3ndadlf.rz3.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6652powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF176aef.TMPbinary
MD5:00A03B286E6E0EBFF8D9C492365D5EC2
SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
6172csc.exeC:\Users\admin\AppData\Local\Temp\CSCB846FA767D7467A8378A8C7C4612D37.TMPbinary
MD5:046C8E19A6D30C63842DDF0E6868D616
SHA256:CD84BDDFA49128E917B438ED1EEE2AF0C088157D8638403131970C0D18D358E3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
21
DNS requests
8
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4844
RUXIMICS.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4844
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6652
powershell.exe
GET
176.65.134.79:80
http://176.65.134.79/HOST/CZXCVTD.exe
unknown
unknown
6652
powershell.exe
GET
176.65.134.79:80
http://176.65.134.79/HOST/CZXCVTD.exe
unknown
unknown
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4844
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1268
svchost.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
4844
RUXIMICS.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 13.89.179.10
whitelisted

Threats

PID
Process
Class
Message
6652
powershell.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
6652
powershell.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
BLACKSHEEP.ps1