| File name: | 18386a8b8abb8bafc43132c737af5d5e7d688aafe72d6cc37c76ce05634ed22c.txt |
| Full analysis: | https://app.any.run/tasks/79f75e4f-fb82-4344-87a6-2816d888a62a |
| Verdict: | Malicious activity |
| Threats: | Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold. |
| Analysis date: | September 03, 2025, 16:20:18 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (485), with CRLF line terminators |
| MD5: | CA20E92955C3FE4DE3CDD3577768E89F |
| SHA1: | 11C532ACA1477C5CFBC73F2359F45C10F096B19B |
| SHA256: | 18386A8B8ABB8BAFC43132C737AF5D5E7D688AAFE72D6CC37C76CE05634ED22C |
| SSDEEP: | 768:tsXhzER2jfOLW5UWe2390M6wnwV330+4SYABXp/ZPHBBau7:tsXSWqW5brmMEBKjYpZhBaK |
MALICIOUS
Uses sleep, probably for evasion detection (SCRIPT)
- wscript.exe (PID: 3576)
Gets %appdata% folder path (SCRIPT)
- wscript.exe (PID: 3576)
Gets path to any of the special folders (SCRIPT)
- wscript.exe (PID: 3576)
Accesses environment variables (SCRIPT)
- wscript.exe (PID: 3576)
Opens a text file (SCRIPT)
- wscript.exe (PID: 3576)
PowerShell executes remote file download (POWERSHELL)
- powershell.exe (PID: 7116)
Executes malicious content triggered by hijacked COM objects (POWERSHELL)
- powershell.exe (PID: 7116)
Actions looks like stealing of personal data
- msiexec.exe (PID: 2292)
AGENTTESLA has been detected (YARA)
- msiexec.exe (PID: 2292)
Steals credentials from Web Browsers
- msiexec.exe (PID: 2292)
SUSPICIOUS
Explorer used for Indirect Command Execution
- explorer.exe (PID: 1948)
Starts POWERSHELL.EXE for commands execution
- explorer.exe (PID: 6392)
Manipulates environment variables
- powershell.exe (PID: 7116)
- powershell.exe (PID: 5372)
Runs shell command (SCRIPT)
- wscript.exe (PID: 3576)
Writes binary data to a Stream object (SCRIPT)
- wscript.exe (PID: 3576)
Reads data from a binary Stream object (SCRIPT)
- wscript.exe (PID: 3576)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 3576)
Probably obfuscated PowerShell command line is found
- explorer.exe (PID: 6392)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 7116)
- powershell.exe (PID: 5372)
Uses sleep to delay execution (POWERSHELL)
- powershell.exe (PID: 7116)
Creates an instance of the specified .NET type (POWERSHELL)
- powershell.exe (PID: 7116)
Retrieves command line args for running process (POWERSHELL)
- powershell.exe (PID: 7116)
- powershell.exe (PID: 5372)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 5372)
- powershell.exe (PID: 7116)
Converts a specified value to a byte (POWERSHELL)
- powershell.exe (PID: 5372)
Checks for external IP
- msiexec.exe (PID: 2292)
- svchost.exe (PID: 2200)
Connects to SMTP port
- msiexec.exe (PID: 2292)
INFO
Reads security settings of Internet Explorer
- explorer.exe (PID: 6392)
- msiexec.exe (PID: 2292)
Checks proxy server information
- powershell.exe (PID: 7116)
- slui.exe (PID: 1100)
- msiexec.exe (PID: 2292)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 7116)
- powershell.exe (PID: 5372)
Uses string split method (POWERSHELL)
- powershell.exe (PID: 7116)
- powershell.exe (PID: 5372)
Disables trace logs
- powershell.exe (PID: 7116)
- msiexec.exe (PID: 2292)
Converts byte array into ASCII string (POWERSHELL)
- powershell.exe (PID: 5372)
- powershell.exe (PID: 7116)
Gets data length (POWERSHELL)
- powershell.exe (PID: 5372)
Manual execution by a user
- powershell.exe (PID: 5372)
ULTRAVNC has been detected
- msiexec.exe (PID: 2292)
Reads the software policy settings
- slui.exe (PID: 1100)
- msiexec.exe (PID: 2292)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 5372)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
AgentTesla
(PID) Process(2292) msiexec.exe
Protocolsmtp
Hostsslout.de
Port587
Username0x0@erika-klos.de
Password0x0dataset123
Total processes
143
Monitored processes
10
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1100 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1828 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1948 | "C:\Windows\explorer.exe" c:windowssystem32svchost.exe | C:\Windows\explorer.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2200 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2292 | "C:\WINDOWS\SysWOW64\msiexec.exe" | C:\Windows\SysWOW64\msiexec.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
AgentTesla(PID) Process(2292) msiexec.exe Protocolsmtp Hostsslout.de Port587 Username0x0@erika-klos.de Password0x0dataset123 | |||||||||||||||
| 3576 | "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\18386a8b8abb8bafc43132c737af5d5e7d688aafe72d6cc37c76ce05634ed22c.txt.js | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 5248 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5372 | "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Aliquots17=$env:appdata+'\Palletise';$Vandalict=(Get-Item $Aliquots17).OpenText().ReadToEnd();$Bryll=$Vandalict[4309..4311] -join '';.$Bryll $Vandalict" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6392 | C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7116 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Aliquots17=$env:appdata+'\Palletise';$Vandalict=(Get-Item $Aliquots17).OpenText().ReadToEnd();$Bryll=$Vandalict[4309..4311] -join '';.$Bryll $Vandalict" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
35 225
Read events
35 179
Write events
46
Delete events
0
Modification events
| (PID) Process: | (6392) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | NodeSlots |
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202 | |||
| (PID) Process: | (6392) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU |
| Operation: | write | Name: | MRUListEx |
Value: 040000000000000003000000110000000E000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF | |||
| (PID) Process: | (6392) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\4 |
| Operation: | write | Name: | MRUListEx |
Value: 040000000000000003000000050000000200000001000000FFFFFFFF | |||
| (PID) Process: | (6392) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar |
| Operation: | write | Name: | Locked |
Value: 1 | |||
| (PID) Process: | (6392) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Ribbon |
| Operation: | write | Name: | MinimizedStateTabletModeOff |
Value: 0 | |||
| (PID) Process: | (6392) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\119\Shell |
| Operation: | write | Name: | SniffedFolderType |
Value: Documents | |||
| (PID) Process: | (3576) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3576) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3576) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3576) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
0
Suspicious files
2
Text files
11
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7116 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_byhswgfk.dbi.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5372 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sxx2ezyj.tmx.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3576 | wscript.exe | C:\Users\admin\AppData\Local\Temp\Alderamin | text | |
MD5:F385DD3B06565D92ECC55B2E51233D8F | SHA256:E2B7745AAEE59315975A98DAD3AEACE4F50677044626FD3C684E1C3756A938B7 | |||
| 7116 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_di3wxutt.asi.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7116 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_frwr0pgb.ual.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3576 | wscript.exe | C:\Users\admin\AppData\Roaming\Palletise | text | |
MD5:D44403FE4B32D9660469AFFFA254B35F | SHA256:7273755215DD3EDDDAE22C6ADE2246BB340C728D13DD03D30937B0C577EABD40 | |||
| 7116 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rxfef1u2.xkq.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7116 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:9565B24ED645F940E4C9782164655247 | SHA256:9EA41E67B021218DFCBF3D9C831598430404C1DD7FF2E818519DF71CAD88E845 | |||
| 7116 | powershell.exe | C:\Users\admin\AppData\Roaming\Regaine.Luk | text | |
MD5:94C9FC5A722A550CFFB29E705D3AEC41 | SHA256:F5BA30F67B5B3F7EC40689176E4E2E4E4674A351D931AF5599C4D3A56E9F638E | |||
| 5372 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vmldmnny.5lp.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
26
DNS requests
11
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted |
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted |
1568 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted |
1568 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted |
— | — | GET | 200 | 93.114.248.245:443 | https://infootopeni.ro/Sdeevn.pcx | RO | text | 557 Kb | unknown |
— | — | GET | 200 | 93.114.248.245:443 | https://infootopeni.ro/ping.bin | RO | binary | 247 Kb | unknown |
2292 | msiexec.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | US | — | 6 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1568 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1568 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
infootopeni.ro |
| unknown |
self.events.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
ip-api.com |
| whitelisted |
sslout.de |
| malicious |
x1.c.lencr.org |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2200 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
2292 | msiexec.exe | A Network Trojan was detected | ET MALWARE Common Stealer Behavior - Source IP Associated with Hosting Provider Check via ip.api .com |
2292 | msiexec.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com |
2292 | msiexec.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api |