| File name: | download.dat |
| Full analysis: | https://app.any.run/tasks/6ea36c73-ae3d-43c9-a9d3-c486e17e2a11 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | May 26, 2025, 08:19:31 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (3488) |
| MD5: | BA6BCEADD8EC32552F9259B5F852E3F7 |
| SHA1: | A32255A31D40C14AE8F02F594A5AB4FEFBB4259F |
| SHA256: | 60E05A67A75A3DC8DC9345589D71FB317C76F1090576ECE453E57EFCEE7961D6 |
| SSDEEP: | 192:9tghyBjsIPWpm5+GhkjcSAPtofOAhQRz7zTPxY6:96gBgOhkjcSAP7p |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 1812)
- powershell.exe (PID: 2560)
Changes powershell execution policy (Bypass)
- mshta.exe (PID: 3956)
Dynamically loads an assembly (POWERSHELL)
- powershell.exe (PID: 2560)
Scans artifacts that could help determine the target
- dw20.exe (PID: 904)
- msedge.exe (PID: 2772)
Actions looks like stealing of personal data
- OOBE-Maintenance.exe (PID: 1512)
SUSPICIOUS
Uses sleep to delay execution (POWERSHELL)
- powershell.exe (PID: 1812)
- powershell.exe (PID: 2560)
- powershell.exe (PID: 4188)
The process executes via Task Scheduler
- mshta.exe (PID: 3956)
PowerShell delay command usage (probably sleep evasion)
- powershell.exe (PID: 2560)
- powershell.exe (PID: 4188)
Starts a new process with hidden mode (POWERSHELL)
- powershell.exe (PID: 2560)
Possibly malicious use of IEX has been detected
- mshta.exe (PID: 3956)
Starts POWERSHELL.EXE for commands execution
- mshta.exe (PID: 3956)
- powershell.exe (PID: 2560)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 2560)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 2560)
Reads the date of Windows installation
- dw20.exe (PID: 904)
- dw20.exe (PID: 3676)
Removes files via Powershell
- powershell.exe (PID: 4188)
Application launched itself
- powershell.exe (PID: 2560)
The process checks if it is being run in the virtual environment
- RegSvcs.exe (PID: 644)
Reads the BIOS version
- RegSvcs.exe (PID: 644)
Reads security settings of Internet Explorer
- msedge.exe (PID: 2772)
Connects to unusual port
- dllhost.exe (PID: 7928)
Reads Mozilla Firefox installation path
- msedge.exe (PID: 2772)
INFO
Reads Internet Explorer settings
- mshta.exe (PID: 3956)
Manual execution by a user
- schtasks.exe (PID: 6436)
- OOBE-Maintenance.exe (PID: 1512)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 1812)
- powershell.exe (PID: 2560)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 1812)
Gets data length (POWERSHELL)
- powershell.exe (PID: 1812)
- powershell.exe (PID: 2560)
Checks supported languages
- RegSvcs.exe (PID: 6632)
- RegSvcs.exe (PID: 2644)
- dw20.exe (PID: 3676)
- dw20.exe (PID: 904)
- RegSvcs.exe (PID: 1116)
- RegSvcs.exe (PID: 644)
- chrome.exe (PID: 4452)
- msedge.exe (PID: 2772)
Disables trace logs
- powershell.exe (PID: 2560)
Creates files in the program directory
- powershell.exe (PID: 2560)
- dw20.exe (PID: 904)
- dw20.exe (PID: 3676)
Gets or sets the time when the file was last written to (POWERSHELL)
- powershell.exe (PID: 2560)
Checks proxy server information
- powershell.exe (PID: 2560)
- dw20.exe (PID: 3676)
- dw20.exe (PID: 904)
- chrome.exe (PID: 4452)
- msedge.exe (PID: 2772)
Reads the computer name
- dw20.exe (PID: 3676)
- RegSvcs.exe (PID: 644)
- RegSvcs.exe (PID: 6632)
- dw20.exe (PID: 904)
- chrome.exe (PID: 4452)
- msedge.exe (PID: 2772)
Reads Environment values
- dw20.exe (PID: 3676)
- dw20.exe (PID: 904)
- chrome.exe (PID: 4452)
- msedge.exe (PID: 2772)
Reads the machine GUID from the registry
- dw20.exe (PID: 3676)
- dw20.exe (PID: 904)
- RegSvcs.exe (PID: 644)
- RegSvcs.exe (PID: 6632)
- chrome.exe (PID: 4452)
Reads product name
- dw20.exe (PID: 904)
- dw20.exe (PID: 3676)
Process checks computer location settings
- dw20.exe (PID: 904)
- dw20.exe (PID: 3676)
- chrome.exe (PID: 4452)
- msedge.exe (PID: 2772)
Reads CPU info
- dw20.exe (PID: 904)
- dw20.exe (PID: 3676)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 2560)
- powershell.exe (PID: 4188)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 2560)
Reads the software policy settings
- dw20.exe (PID: 3676)
- dw20.exe (PID: 904)
Application launched itself
- chrome.exe (PID: 4452)
- msedge.exe (PID: 2772)
Create files in a temporary directory
- chrome.exe (PID: 4452)
- msedge.exe (PID: 2772)
- OOBE-Maintenance.exe (PID: 1512)
Process checks whether UAC notifications are on
- msedge.exe (PID: 2772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
176
Monitored processes
51
Malicious processes
2
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 644 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 664 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 904 | dw20.exe -x -s 804 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe | RegSvcs.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Error Reporting Shim Exit code: 0 Version: 2.0.50727.9149 (WinRelRS6.050727-9100) Modules
| |||||||||||||||
| 1116 | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 3762507597 Version: 2.0.50727.9149 (WinRelRS6.050727-9100) Modules
| |||||||||||||||
| 1280 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3868 --field-trial-handle=1980,i,12870782566252461539,7037168601174182606,262144 --variations-seed-version /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 122.0.6261.70 Modules
| |||||||||||||||
| 1452 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | OOBE-Maintenance.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1512 | "C:\WINDOWS\system32\OOBE-Maintenance.exe" | C:\Windows\System32\OOBE-Maintenance.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: OOBE-Maintenance Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1660 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1660 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1812 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\download.dat.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 4294967295 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
37 702
Read events
37 681
Write events
20
Delete events
1
Modification events
| (PID) Process: | (1812) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | bookingm72 |
Value: schtasks /run /tn bookingm72 | |||
| (PID) Process: | (3956) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (3956) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (3956) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3676) dw20.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData |
| Operation: | write | Name: | ClockTimeSeconds |
Value: 5124346800000000 | |||
| (PID) Process: | (3676) dw20.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData |
| Operation: | write | Name: | TickCount |
Value: 6992110000000000 | |||
| (PID) Process: | (4452) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (4452) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (4452) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (4452) chrome.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 0 | |||
Executable files
6
Suspicious files
209
Text files
75
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2560 | powershell.exe | C:\ProgramData\lundistanlusta\phuduwwww.~!!@@!!@!!!!!!@+++---+++!@@@!!ASJDuu9wd++__++___+~!!@@!!@!!!!!!@+++---+++!@@@!!ASJDuu9wd++__++___++@!!@@!@@!!@@!!~+@!!@@!@@!!@@!!~ | — | |
MD5:— | SHA256:— | |||
| 3676 | dw20.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_cdb91b7cbb029f3575443b28fbe755628d6e7e_00000000_ada6625d-9ed0-4769-bfef-f33ecb8219f2\Report.wer | — | |
MD5:— | SHA256:— | |||
| 904 | dw20.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_cdb91b7cbb029f3575443b28fbe755628d6e7e_00000000_487612d7-1165-4feb-9091-b45949e03f5e\Report.wer | — | |
MD5:— | SHA256:— | |||
| 1812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FBN2QQ0VVO1VXIW8KXQI.temp | binary | |
MD5:675D660F033D10B029D7C7B8EE9797DB | SHA256:ABF36A5B03759111B745737C07752F96618C3602EBF005D7926A53C79C656E89 | |||
| 1812 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c8e0.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
| 4188 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:90FE85DA53D4FD687259BF502FA65542 | SHA256:FA01364C32F21C84E1888634753BBAF70B4DA2E241D47F45D081A4F5C9944C89 | |||
| 1812 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lvroto5o.vzg.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4188 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_11njyhjn.3t1.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2560 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kl3uyojj.npd.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2560 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_w5y3xq1e.jmc.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
60
TCP/UDP connections
87
DNS requests
58
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
— | — | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.159.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 20.190.159.23:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | GET | 302 | 216.58.212.161:443 | https://hotel22may.blogspot.com/nigga.pdf | unknown | html | 218 b | whitelisted |
— | — | GET | 200 | 185.166.143.49:443 | https://bitbucket.org/!api/2.0/snippets/phuddimahan/dqrKEG/62a37a626d22db020942c16cff782cecf6b0009f/files/file | unknown | text | 8.51 Mb | whitelisted |
— | — | GET | 302 | 216.58.212.161:443 | https://hotel22may.blogspot.com/atom.xml | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
5496 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 20.190.159.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2112 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
hotel22may.blogspot.com |
| whitelisted |
bitbucket.org |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Request for PDF via PowerShell |
— | — | A Network Trojan was detected | ET MALWARE Observed Malicious Powershell Loader Payload Request (GET) |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install |
— | — | Potentially Bad Traffic | ET INFO Possible Chrome Plugin install |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request |
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Websocket Upgrade Request |