File name:

mal.ps1

Full analysis: https://app.any.run/tasks/7b1d165c-f8a4-44d5-b156-6bd0c420ca88
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 24, 2025, 21:39:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
Indicators:
MIME: text/plain
File info: ASCII text
MD5:

4359A3FFE68925BF7907F5ADAA470F91

SHA1:

5D88B172CEBEA6A060F0D02919D2515F31131493

SHA256:

DB33695F8CAE9B067089664E7730A6123686FC4B30A809091F35724C69B4EB19

SSDEEP:

48:3FlMxV0kKKRvQ7LiQuOIjoUyu1Pad3d1EJ+2zEo3O1sPQjUZNvBJAJP4aUgQgJ:Q049LRRyu8vI+2bAcQcvB+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7724)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7724)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7724)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7724)
      • 7z.exe (PID: 6824)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7724)
    • Drops 7-zip archiver for unpacking

      • powershell.exe (PID: 7724)
    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7724)
    • Creates new GUID (POWERSHELL)

      • powershell.exe (PID: 7724)
    • Process drops legitimate windows executable

      • 7z.exe (PID: 6824)
  • INFO

    • Creates files in the program directory

      • powershell.exe (PID: 7724)
    • Disables trace logs

      • powershell.exe (PID: 7724)
    • The sample compiled with english language support

      • powershell.exe (PID: 7724)
      • 7z.exe (PID: 6824)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7724)
    • Checks proxy server information

      • powershell.exe (PID: 7724)
      • slui.exe (PID: 2516)
    • Reads the software policy settings

      • slui.exe (PID: 2516)
    • Reads the computer name

      • 7z.exe (PID: 6824)
    • Create files in a temporary directory

      • 7z.exe (PID: 6824)
    • Checks supported languages

      • 7z.exe (PID: 6824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
126
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes shown in the graph: start, powershell.exe, conhost.exe (no specs), slui.exe, 7z.exe, conhost.exe (no specs)

Process information

PID: 1672
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: 7z.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2516
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6824
CMD: "C:\ProgramData\sevenZip\7z.exe" x "C:\Users\admin\AppData\Local\Temp\161e20fd-3d2f-43b7-9077-c0d646714382.7z" -o"C:\Users\admin\AppData\Local\Temp\495e4dd8-cacc-4892-9d07-534088fd4b7b" -phR3^&b2%A9!gK*6LqP7t$NpW -y
Path: C:\ProgramData\sevenZip\7z.exe
Parent process: powershell.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
MEDIUM
Description:
7-Zip Reduced Standalone Console
Version:
24.09
Modules
Images
c:\programdata\sevenzip\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\msvcp_win.dll
PID: 7724
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\mal.ps1
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7732
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
8 840
Read events
8 839
Write events
1
Delete events
0

Modification events

(PID) Process: (7724) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
6
Suspicious files
63
Text files
2
Unknown types
0

Dropped files

PID | Process | Filename | Type
7724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\161e20fd-3d2f-43b7-9077-c0d646714382.7z | -
MD5:
SHA256:
6824 | 7z.exe | C:\Users\admin\AppData\Local\Temp\495e4dd8-cacc-4892-9d07-534088fd4b7b\icudtl.dat | -
MD5:
SHA256:
7724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10bf0c.TMP | binary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M12A06ORLURG4GD4NTPP.temp | binary
MD5:9F8AF8C4230B9A7C79EC027578562AED
SHA256:D4FA5ECDA12953FB5FEAD93B007E949D952730B602CA1964B2E8F53FD144C451
6824 | 7z.exe | C:\Users\admin\AppData\Local\Temp\495e4dd8-cacc-4892-9d07-534088fd4b7b\locales\af.pak | binary
MD5:7E51349EDC7E6AED122BFA00970FAB80
SHA256:F528E698B164283872F76DF2233A47D7D41E1ABA980CE39F6B078E577FD14C97
7724 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary
MD5:9F8AF8C4230B9A7C79EC027578562AED
SHA256:D4FA5ECDA12953FB5FEAD93B007E949D952730B602CA1964B2E8F53FD144C451
7724 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vxyf4b2k.osy.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7724 | powershell.exe | C:\ProgramData\sevenZip\7z.exe | executable
MD5:9F018E5FEB96AAE0E893A739C83A8B1F
SHA256:D2C0045523CF053A6B43F9315E9672FC2535F06AEADD4FFA53C729CD8B2B6DFE
6824 | 7z.exe | C:\Users\admin\AppData\Local\Temp\495e4dd8-cacc-4892-9d07-534088fd4b7b\locales\bn.pak | binary
MD5:5CDD07FA357C846771058C2DB67EB13B
SHA256:01C830B0007B8CE6ACA46E26D812947C3DF818927B826F7D8C5FFD0008A32384
6824 | 7z.exe | C:\Users\admin\AppData\Local\Temp\495e4dd8-cacc-4892-9d07-534088fd4b7b\locales\bg.pak | binary
MD5:A19269683A6347E07C55325B9ECC03A4
SHA256:AD65351A240205E881EF5C4CF30AD1BC6B6E04414343583597086B62D48D8A24
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
28
DNS requests
13
Threats
7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 302 | 140.82.121.4:443 | https://github.com/optimism72321/ruby-freebase/releases/download/releases/SearchFilter.7z | unknown | - | - | -
2104 | svchost.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 302 | 140.82.121.3:443 | https://github.com/optimism72321/ruby-freebase/releases/download/releases/SearchFilter.7z | unknown | - | - | -
- | - | GET | 200 | 188.114.96.3:443 | https://rlim.com/seraswodinsx/raw | unknown | text | 224 b | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | GET | 200 | 49.12.202.237:443 | https://www.7-zip.org/a/7zr.exe | unknown | executable | 579 Kb | whitelisted
- | - | GET | 200 | 151.101.194.59:443 | https://popcorn-soft.glitch.me/popcornsoft.me | unknown | text | 224 b | shared
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
7724 | powershell.exe | 49.12.202.237:443 | www.7-zip.org | Hetzner Online GmbH | DE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7724 | powershell.exe | 188.114.96.3:443 | rlim.com | CLOUDFLARENET | NL | unknown
7724 | powershell.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted
7724 | powershell.exe | 185.199.110.133:443 | objects.githubusercontent.com | FASTLY | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.7-zip.org
  • 49.12.202.237
whitelisted
rlim.com
  • 188.114.96.3
  • 188.114.97.3
unknown
github.com
  • 140.82.121.4
  • 140.82.121.3
whitelisted
objects.githubusercontent.com
  • 185.199.110.133
  • 185.199.109.133
  • 185.199.108.133
  • 185.199.111.133
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
popcorn-soft.glitch.me
  • 151.101.194.59
  • 151.101.66.59
  • 151.101.2.59
  • 151.101.130.59
shared

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET HUNTING 7-zip Executable Requested (GET)
- | - | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
- | - | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
2196 | svchost.exe | Misc activity | ET INFO DNS Query to Online Application Hosting Domain (glitch .me)
7724 | powershell.exe | Misc activity | ET INFO Observed Online Application Hosting Domain (glitch .me in TLS SNI)
- | - | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
No debug info