| File name: | echo.txt |
| Full analysis: | https://app.any.run/tasks/29505570-8b29-45b3-b5f1-10681e6782c1 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | January 16, 2026, 17:53:35 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with CRLF line terminators |
| MD5: | C16FE519008E7063D4F11071949D9A1A |
| SHA1: | 29C3825B3A045ECBFE492637F4E650C0BFAEB9FA |
| SHA256: | 72E0814A38690437EA1378E84D184EB0B4232689BA67E9246C1C127B7BE071DA |
| SSDEEP: | 48:IqFDl9oQ41j4k4q869hr6RL17sxsfGD/ffyRn917Dcgz8xXI7B5jNAxUxM1+veSw:9otj4k4BoxsfKfiTfbRO2i+vZaX |
MALICIOUS
Bypass execution policy to execute commands
- powershell.exe (PID: 7552)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 7552)
Reads a specific registry key of the VM
- powershell.exe (PID: 7552)
- MSBuild.exe (PID: 7748)
Run PowerShell with an invisible window
- powershell.exe (PID: 7364)
Actions looks like stealing of personal data
- powershell.exe (PID: 7552)
SUSPICIOUS
CSC.EXE is used to compile C# code
- csc.exe (PID: 7720)
- csc.exe (PID: 7780)
- csc.exe (PID: 7800)
Executable content was dropped or overwritten
- csc.exe (PID: 7720)
- csc.exe (PID: 7780)
- csc.exe (PID: 7800)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 7552)
Converts a string into array of characters (POWERSHELL)
- powershell.exe (PID: 7552)
Creates new GUID (POWERSHELL)
- powershell.exe (PID: 7552)
Reverses array data (POWERSHELL)
- powershell.exe (PID: 7552)
Reads the BIOS version
- powershell.exe (PID: 7552)
- MSBuild.exe (PID: 7748)
Connects to unusual port
- powershell.exe (PID: 7552)
Possible stealing of FTP data
- powershell.exe (PID: 7552)
MSBuild is used to compile and execute code
- MSBuild.exe (PID: 7748)
INFO
Drops script file
- powershell.exe (PID: 7552)
- powershell.exe (PID: 7364)
Checks supported languages
- csc.exe (PID: 7720)
- cvtres.exe (PID: 7740)
- csc.exe (PID: 7780)
- cvtres.exe (PID: 7800)
- MSBuild.exe (PID: 7748)
- cvtres.exe (PID: 7824)
- csc.exe (PID: 7800)
Create files in a temporary directory
- csc.exe (PID: 7720)
- cvtres.exe (PID: 7740)
- csc.exe (PID: 7780)
- cvtres.exe (PID: 7800)
- MSBuild.exe (PID: 7748)
- csc.exe (PID: 7800)
- cvtres.exe (PID: 7824)
Reads the machine GUID from the registry
- csc.exe (PID: 7720)
- csc.exe (PID: 7780)
- MSBuild.exe (PID: 7748)
- csc.exe (PID: 7800)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 7552)
Disables trace logs
- powershell.exe (PID: 7552)
Checks proxy server information
- powershell.exe (PID: 7552)
- slui.exe (PID: 5468)
Gets data length (POWERSHELL)
- powershell.exe (PID: 7552)
Manual execution by a user
- powershell.exe (PID: 7364)
Reads the computer name
- MSBuild.exe (PID: 7748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
158
Monitored processes
12
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5468 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7340 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7364 | powershell -WindowStyle hidden -Command C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\admin\AppData\Local\Microsoft\MSBuild\c_3791.proj | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7552 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\echo.txt.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7560 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7720 | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\epjna4xa.cmdline" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 7740 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE7A7.tmp" "c:\Users\admin\AppData\Local\Temp\CSC2E9B6FA259B40A69DAC7BEF2A42A8CC.TMP" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.32.31326.0 Modules
| |||||||||||||||
| 7748 | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\Users\admin\AppData\Local\Microsoft\MSBuild\c_3791.proj | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: MSBuild.exe Exit code: 2 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 7780 | "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\mxjtjnm4.cmdline" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Visual C# Command Line Compiler Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 7800 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESF11D.tmp" "c:\Users\admin\AppData\Local\Temp\CSC499464577FBB494C80748A23BD7444E3.TMP" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.32.31326.0 Modules
| |||||||||||||||
Total events
18 795
Read events
18 793
Write events
2
Delete events
0
Modification events
| (PID) Process: | (7552) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | daa77f14-c72f-5546-a4284f |
Value: powershell -WindowStyle hidden -Command C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Users\admin\AppData\Local\Microsoft\MSBuild\c_3791.proj | |||
| (PID) Process: | (7552) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | profile |
Value: powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\autorun.ps1 | |||
Executable files
3
Suspicious files
14
Text files
15
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F05IXDFX5VMBNGABYJC8.temp | binary | |
MD5:351DAB76544EA79EAE180C3C00383E92 | SHA256:4F6107D2AE68FF3C4E8D9D10AECBFCA0A94220531987CA103D4CB6BF868D4A48 | |||
| 7552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | binary | |
MD5:351DAB76544EA79EAE180C3C00383E92 | SHA256:4F6107D2AE68FF3C4E8D9D10AECBFCA0A94220531987CA103D4CB6BF868D4A48 | |||
| 7552 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qxlg1zav.vgp.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7552 | powershell.exe | C:\Users\admin\AppData\Local\Temp\epjna4xa.0.cs | text | |
MD5:FF6B3D565E2FC73975C5884754847CC0 | SHA256:7613A47EBBA0FDCB04E0014ED25590AF8882565836EBCFE0635719C227AB9F53 | |||
| 7552 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFfdcca.TMP | binary | |
MD5:00A03B286E6E0EBFF8D9C492365D5EC2 | SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615 | |||
| 7780 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSC499464577FBB494C80748A23BD7444E3.TMP | binary | |
MD5:55E4F3406ECFA2BDF0C7BADDF95702F5 | SHA256:10E6AED4CEB9CE98D42DD092DB96246FC28F84FF080E9CDA518832358B489E96 | |||
| 7780 | csc.exe | C:\Users\admin\AppData\Local\Temp\mxjtjnm4.out | text | |
MD5:5321CE7A119FF07179602921708C7BAA | SHA256:55D22BDE93DA2E09177F1090A3025269899673A4AE0E852FFF583A8062D082AF | |||
| 7800 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESF11D.tmp | binary | |
MD5:B32167C3FB5BEC7A15DFEA249A9D12A6 | SHA256:FD6D5ECB08F94ECF05EDFC1071C27C8DED7EE46E3A5147F8ED37F793DFA3A44C | |||
| 7720 | csc.exe | C:\Users\admin\AppData\Local\Temp\epjna4xa.out | text | |
MD5:9709ED1CF9BF1E133438B3F463934997 | SHA256:1D4747304344FA58B70FF07B76531FF2442D705795E05762F029ACB2C2AD6414 | |||
| 7552 | powershell.exe | C:\Users\admin\AppData\Local\Temp\mxjtjnm4.0.cs | text | |
MD5:891BB20EF7907E9E94F650099721A902 | SHA256:583E90EC6E7BB038EAD33437A1491D4AE9ACD980E691159AD378418D1EB4A73C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
30
DNS requests
18
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | unknown | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 304 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | — | — | whitelisted |
7552 | powershell.exe | GET | 200 | 172.66.47.117:443 | https://los-santos.pages.dev/continue?ray_id=14c8725e4569dfe3 | unknown | compressed | 128 Kb | unknown |
1600 | svchost.exe | GET | 200 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | unknown | text | 5.58 Kb | whitelisted |
1080 | svchost.exe | POST | 200 | 40.126.31.73:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
1848 | SIHClient.exe | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | whitelisted |
1848 | SIHClient.exe | GET | 200 | 20.165.94.63:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | whitelisted |
1848 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 51.124.78.146:443 | https://settings-win.data.microsoft.com/settings/v3.0/FlightSettings/FSService?ProcessorClockSpeed=3094&IsRetailOS=1&OEMManufacturerName=DELL&FlightingPolicyValue=3&EnablePreviewBuilds=4294967295&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&ManagePreviewBuilds=3&BranchReadinessLevelSource=0&AttrDataVer=186&ProcessorCores=6&BranchReadinessLevelRaw=16&TotalPhysicalRAM=6144&TPMVersion=0&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&DeviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&App=FSS&AppVer=10.0&SmartActiveHoursState=1&ActiveHoursStart=20&SecureBootCapable=0&ActiveHoursEnd=13&DeviceFamily=Windows.Desktop | unknown | text | 87.3 Kb | whitelisted |
1600 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
496 | RUXIMICS.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1600 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
3412 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7552 | powershell.exe | 172.66.47.117:443 | los-santos.pages.dev | CLOUDFLARENET | US | whitelisted |
7552 | powershell.exe | 95.216.51.236:31415 | — | HETZNER-AS | DE | unknown |
1080 | svchost.exe | 40.126.31.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1080 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
los-santos.pages.dev |
| unknown |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2292 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Pages platform for frontend developers to collaborate and deploy websites (pages .dev) |
2292 | svchost.exe | Misc activity | ET INFO DNS Query to Cloudflare Page Developer Domain (pages .dev) |
7552 | powershell.exe | Misc activity | ET INFO Observed Cloudflare Page Developer Domain (pages .dev in TLS SNI) |
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |