File name:

kinngg.ps1

Full analysis: https://app.any.run/tasks/ab602e37-57fc-4099-b656-cd4d14ff6a4b
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 10:40:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
exfiltration
stealer
agenttesla
ftp
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (65534), with CRLF line terminators
MD5:

C0E1BA6B7ED7EBAE58920A047DDE6A27

SHA1:

A173E529DC665E0F15F9068667DC7F791673DD33

SHA256:

78A66DF658B89312DC76CA94B3206091F71DEDE3C0B40C1F3CBDEA409D067F30

SSDEEP:

3072:AMpeIGz5uxP+a2bCZY/iZ0Uev/o3pQYSk6xxHCupOu3G0Tu7g6:vdGz5uxPFYaZ0D/Ip2xxHCuAV9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7684)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7684)

    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 7984)

    • AGENTTESLA has been detected (SURICATA)

      • RegAsm.exe (PID: 7984)

    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 7984)

    • AGENTTESLA has been detected (YARA)

      • RegAsm.exe (PID: 7984)

  • SUSPICIOUS

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7684)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7684)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7684)

    • Connects to unusual port

      • RegAsm.exe (PID: 7984)

    • Checks for external IP

      • RegAsm.exe (PID: 7984)
      • svchost.exe (PID: 2196)

    • Connects to the server without a host name

      • CmevaXPk.exe (PID: 7860)

    • Connects to FTP

      • RegAsm.exe (PID: 7984)

  • INFO

    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 7684)

    • The executable file from the user directory is run by the Powershell process

      • CmevaXPk.exe (PID: 7860)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7684)

    • Reads the computer name

      • CmevaXPk.exe (PID: 7860)
      • RegAsm.exe (PID: 7984)

    • Reads the machine GUID from the registry

      • CmevaXPk.exe (PID: 7860)
      • RegAsm.exe (PID: 7984)

    • Checks supported languages

      • CmevaXPk.exe (PID: 7860)
      • RegAsm.exe (PID: 7984)

    • Disables trace logs

      • CmevaXPk.exe (PID: 7860)
      • RegAsm.exe (PID: 7984)

    • Checks proxy server information

      • CmevaXPk.exe (PID: 7860)
      • RegAsm.exe (PID: 7984)
      • slui.exe (PID: 4120)

    • Reads the software policy settings

      • slui.exe (PID: 4120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs cmevaxpk.exe #AGENTTESLA regasm.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
4120C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7684"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\kinngg.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7692\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7860"C:\Users\admin\AppData\Local\Temp\CmevaXPk.exe" C:\Users\admin\AppData\Local\Temp\CmevaXPk.exe
powershell.exe
User:
admin
Integrity Level:
MEDIUM
Description:
XCXVGDF
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cmevaxpk.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7984"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
CmevaXPk.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
9 535
Read events
9 507
Write events
28
Delete events
0

Modification events

(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7860) CmevaXPk.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CmevaXPk_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
4
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7684powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kzzhiwbf.bea.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7684powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10bfd7.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7684powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yrhepp1r.3ez.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7684powershell.exeC:\Users\admin\AppData\Local\Temp\CmevaXPk.exeexecutable
MD5:D111B27C6D41E45D62F9021A50D61790
SHA256:AD72B3256FFC8F88E700AA23FF187FCABE02BD8C08713F59B6583679766DCA33
7684powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:028D24B20DABE2D415D957666EC4EB24
SHA256:1292A77A356B16DBFF43830B812837059EB5028F659A347EEDB231CA66CBA139
7684powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WIOLTVNDTY967OOQAG6P.tempbinary
MD5:028D24B20DABE2D415D957666EC4EB24
SHA256:1292A77A356B16DBFF43830B812837059EB5028F659A347EEDB231CA66CBA139
7684powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:DF5A972B2CEA1029E3BD8E6CA7C9C5E2
SHA256:AE3511889F7985435B6A02454DC31E3920B931B4CEA78F7DF6CF13DAEA286AE6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
54
DNS requests
18
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7860
CmevaXPk.exe
GET
200
176.65.144.23:80
http://176.65.144.23/ff/kkinng.txt
unknown
unknown
7984
RegAsm.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
whitelisted
3896
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3896
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
304
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
3896
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
3896
SIHClient.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
3896
SIHClient.exe
GET
200
2.16.164.72:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7860
CmevaXPk.exe
176.65.144.23:80
DE
unknown
7984
RegAsm.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.194
  • 23.48.23.162
  • 23.48.23.169
  • 23.48.23.158
  • 2.16.164.72
  • 2.16.164.9
  • 2.16.164.24
  • 2.16.164.51
  • 2.16.164.18
  • 2.16.164.32
  • 2.16.164.40
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.71
  • 20.190.159.2
  • 20.190.159.130
  • 40.126.31.73
  • 20.190.159.129
  • 20.190.159.0
  • 40.126.31.131
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
7860
CmevaXPk.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 30
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
7984
RegAsm.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
7984
RegAsm.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
7984
RegAsm.exe
A Network Trojan was detected
STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
7984
RegAsm.exe
A Network Trojan was detected
ET MALWARE AgentTesla Exfil via FTP
7984
RegAsm.exe
Misc activity
INFO [ANY.RUN] FTP protocol command for uploading a file
7984
RegAsm.exe
A Network Trojan was detected
STEALER [ANY.RUN] AgentTesla Exfiltration (raw TCP)
7984
RegAsm.exe
Misc activity
INFO [ANY.RUN] FTP server is ready for the new user
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
kinngg.ps1