File name: PI_230524.lzh

Full analysis: https://app.any.run/tasks/09f229f5-2ba0-455d-8db5-45a31db0a009
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as legitimate software on the dedicated website where this malware is sold.

Analysis date: May 23, 2024, 17:42:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion, smtp, exfiltration, stealer, agenttesla
Indicators:
MIME: application/x-lzh-compressed
File info: LHa (2.x) archive data [lh5], with "PI_230524.exe"
MD5: 85B1C23B7B66D6686D4A10684992E09B
SHA1: 2661769B027D5D7AE9D32373DD6F85A0E1DB6E5C
SHA256: C1568495406914DD96619244C410B6C64608831B6B99740E9468D6A102021E70
SSDEEP: 12288:zNlA4IPAOqp2eh2IrQbDtSp69IBCCILbl2gL9VhQFRMc7Wg0Um/4O8:zXA4IPAOqp2eh2G8DtSpWIBCLbl2g5Vw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2172)
    • Drops the executable file immediately after the start

      • powershell.exe (PID: 2172)
    • Changes the autorun value in the registry

      • reg.exe (PID: 2168)
    • Steals credentials from Web Browsers

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • Actions looks like stealing of personal data

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • PI_230524.exe (PID: 4028)
      • powershell.exe (PID: 2128)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3972)
      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • Evaluates numerical expressions in cmd (potential data obfuscation)

      • powershell.exe (PID: 2172)
      • powershell.exe (PID: 2368)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2172)
      • Awner.exe (PID: 2456)
      • powershell.exe (PID: 2368)
    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 2172)
      • powershell.exe (PID: 2368)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 2172)
      • powershell.exe (PID: 2368)
    • Gets information about processes (POWERSHELL)

      • powershell.exe (PID: 2172)
      • powershell.exe (PID: 2368)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2172)
    • Reads the Internet Settings

      • Awner.exe (PID: 2456)
      • sipnotify.exe (PID: 1560)
      • Awner.exe (PID: 2776)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1044)
    • Checks Windows Trust Settings

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • Reads settings of System Certificates

      • Awner.exe (PID: 2456)
      • sipnotify.exe (PID: 1560)
      • Awner.exe (PID: 2776)
    • Checks for external IP

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • The process executes via Task Scheduler

      • sipnotify.exe (PID: 1560)
      • ctfmon.exe (PID: 1612)
    • Connects to SMTP port

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • Application launched itself

      • powershell.exe (PID: 2128)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 2128)
    • Accesses Microsoft Outlook profiles

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3972)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3972)
    • Checks supported languages

      • PI_230524.exe (PID: 4028)
      • Awner.exe (PID: 2456)
      • wmpnscfg.exe (PID: 600)
      • IMEKLMG.EXE (PID: 2112)
      • IMEKLMG.EXE (PID: 2120)
      • wmpnscfg.exe (PID: 2616)
      • wmpnscfg.exe (PID: 2644)
      • Awner.exe (PID: 2776)
      • wmpnscfg.exe (PID: 3012)
    • Reads the computer name

      • PI_230524.exe (PID: 4028)
      • Awner.exe (PID: 2456)
      • wmpnscfg.exe (PID: 600)
      • IMEKLMG.EXE (PID: 2112)
      • IMEKLMG.EXE (PID: 2120)
      • wmpnscfg.exe (PID: 2616)
      • Awner.exe (PID: 2776)
      • wmpnscfg.exe (PID: 3012)
      • wmpnscfg.exe (PID: 2644)
    • Create files in a temporary directory

      • PI_230524.exe (PID: 4028)
    • Creates files or folders in the user directory

      • PI_230524.exe (PID: 4028)
      • Awner.exe (PID: 2456)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 2172)
      • powershell.exe (PID: 2368)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 2172)
      • powershell.exe (PID: 2368)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 2172)
      • powershell.exe (PID: 2368)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 2172)
      • powershell.exe (PID: 2368)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2172)
      • powershell.exe (PID: 2368)
    • Checks proxy server information

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • The executable file from the user directory is run by the Powershell process

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • Reads the software policy settings

      • Awner.exe (PID: 2456)
      • sipnotify.exe (PID: 1560)
      • Awner.exe (PID: 2776)
    • Reads the machine GUID from the registry

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 600)
      • IMEKLMG.EXE (PID: 2112)
      • IMEKLMG.EXE (PID: 2120)
      • powershell.exe (PID: 2128)
      • wmpnscfg.exe (PID: 2644)
      • wmpnscfg.exe (PID: 2616)
      • wmpnscfg.exe (PID: 3012)
    • Reads Environment values

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • Disables trace logs

      • Awner.exe (PID: 2456)
      • Awner.exe (PID: 2776)
    • Process checks whether UAC notifications are on

      • IMEKLMG.EXE (PID: 2112)
      • IMEKLMG.EXE (PID: 2120)
    • Reads security settings of Internet Explorer

      • sipnotify.exe (PID: 1560)
No Malware configuration.

TRiD: .lzh/lha | LHARC/LZARK compressed archive (generic) (100)
Total processes: 104
Monitored processes: 19
Malicious processes: 9
Suspicious processes: 1

Behavior graph

Processes shown in the graph: winrar.exe, pi_230524.exe, powershell.exe, cmd.exe, awner.exe, cmd.exe, reg.exe, wmpnscfg.exe, ctfmon.exe, sipnotify.exe, imeklmg.exe, imeklmg.exe, powershell.exe, powershell.exe, cmd.exe, wmpnscfg.exe, wmpnscfg.exe, awner.exe, wmpnscfg.exe

Process information (PID, CMD, Path, Indicators, Parent process)
PID: 600
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Media Player Network Sharing Service Configuration Application | Exit code: 0 | Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\program files\windows media player\wmpnscfg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID: 1044
CMD: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Straaets% -windowstyle minimized $Abietinic=(Get-ItemProperty -Path 'HKCU:\Altsaxofonists\').Folkesocialisternes;%Straaets% ($Abietinic)"
Path: C:\Windows\System32\cmd.exe
Parent process: Awner.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID: 1560
CMD: C:\Windows\system32\sipnotify.exe -LogonOrUnlock
Path: C:\Windows\System32\sipnotify.exe
Parent process: taskeng.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: sipnotify | Exit code: 0 | Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716)
Modules (images): c:\windows\system32\sipnotify.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 1612
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: CTF Loader | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\ctfmon.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\msctfmonitor.dll, c:\windows\system32\msctf.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll

PID: 1960
CMD: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Path: C:\Windows\System32\cmd.exe
Parent process: powershell.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\winbrand.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll

PID: 2112
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Office IME 2010 | Exit code: 1 | Version: 14.0.4734.1000
Modules (images): c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\userenv.dll

PID: 2120
CMD: "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log
Path: C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE
Parent process: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Microsoft Office IME 2010 | Exit code: 1 | Version: 14.0.4734.1000
Modules (images): c:\program files\common files\microsoft shared\ime14\shared\imeklmg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\lpk.dll, c:\windows\system32\usp10.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\userenv.dll

PID: 2128
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle minimized $Abietinic=(Get-ItemProperty -Path 'HKCU:\Altsaxofonists\').Folkesocialisternes;c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe ($Abietinic)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows PowerShell | Exit code: 4294967295 | Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\atl.dll, c:\windows\system32\user32.dll

PID: 2168
CMD: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Straaets% -windowstyle minimized $Abietinic=(Get-ItemProperty -Path 'HKCU:\Altsaxofonists\').Folkesocialisternes;%Straaets% ($Abietinic)"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Registry Console Tool | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images): c:\windows\system32\reg.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\user32.dll, c:\windows\system32\gdi32.dll

PID: 2172
CMD: "powershell.exe" -windowstyle hidden "$Treholdsskiftet=Get-Content 'C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Swallowling.Pre';$Skiameter=$Treholdsskiftet.SubString(55621,3);.$Skiameter($Treholdsskiftet)"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: PI_230524.exe
User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows PowerShell | Exit code: 0 | Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\atl.dll, c:\windows\system32\user32.dll

Total events: 32 655
Read events: 32 413
Write events: 214
Delete events: 28

Modification events

PID | Process | Key | Operation | Name | Value
3972 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | (empty)
3972 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | (empty)
3972 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US
3972 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip
3972 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
3972 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
3972 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\Downloads\PI_230524.lzh
3972 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120
3972 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80
3972 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120
Executable files: 2
Suspicious files: 27
Text files: 8
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Criniger\Elmore.whi | binary | A1F4A5E3799EA3E3F4E36B6F38EB3780 | BC2D8071643BE1689CBFB080360841FE0E0113D4A73C46744B9C3F052F852402
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Swallowling.Pre | text | 22252E2ECC5FAD588B2A1855271240D7 | D82EC244A3F9172AC6EB88F87B46147B085B1EF3CD0B1787CB7029F5EEEF74C0
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Betnksomst.sir | binary | 13562D161E0932E108EEEC7A9A080CC4 | A208A8F361E56DCC29AC934C293FE16EB3D8228621CCF4C414555899BB74C782
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Criniger\flokken.ave | binary | 17AE8090149D5A89E58B7272BA5B0912 | 7BDE00AA9C021C743ACD1C8FA1D6B1B3A88B944FA1828A5AAC901A6E1167B401
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Criniger\philopornist.ant | binary | 3F28B68878DB110B099C2AA9285ABEC7 | 2A775985173B2EC6CDC5BEA576D6B10F35D852A03EDF5C788DCC1C7403538394
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Criniger\cellinas.pre | binary | B7EDD8491A7D5EAA339DA0C7AB729554 | 3DF2282AA8313730D7B01545096423CA26DCB1EDEA7F25AF6DF7E1BE0F626DA6
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Criniger\computerbrugeres.sts | binary | 7A362FEC7FE89A2BFF10F4CE7DB4168E | E8E5CC5E7AC2564E58A619F93B4F0A2CDB84B6F8940EC42B808E6ACA4517005A
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Delfiteknikkens.Gri | abr | 6EA9E79B54B8A56CEC498B93E929ECE2 | 30D6AA82F35BA4D346C05E6B6E825201641CF484C4AB8F343A18C32388D53931
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Deagol.lyn | binary | F01C9151A434D50C2BC0A02EEAB55643 | AA75AD97A7B1714CD4908B3349DDFF92AD6CCB3CCC00E5E85D362CC820CBFB9B
4028 | PI_230524.exe | C:\Users\admin\AppData\Roaming\fertiliseringer\Hudflettende\Strapper\Criniger\hydrolytisk.cun | binary | DF35D40A84AFCB121969409BC40F79D4 | 82B0E73A730C6791CFB20F24499FC915A95CECD40F86A0A651D0990A96552130
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 14
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Reputation
2456 | Awner.exe | GET | 304 | 173.222.107.15:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?834959a41c0f6567 | unknown
2456 | Awner.exe | GET | 200 | 23.37.10.90:80 | http://x1.c.lencr.org/ | unknown
1088 | svchost.exe | GET | 304 | 173.222.107.25:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e523dd86aac30a8d | unknown
1560 | sipnotify.exe | HEAD | 200 | 23.61.141.106:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133609634480460000 | unknown
1412 | svchost.exe | GET | 200 | 23.194.202.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown
1412 | svchost.exe | GET | 200 | 2.18.173.151:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown
| | 224.0.0.252:5355 | | | | unknown
2456 | Awner.exe | 103.21.58.98:443 | www.innovativebuildingsolutions.in | PUBLIC-DOMAIN-REGISTRY | IN | unknown
2456 | Awner.exe | 173.222.107.15:80 | ctldl.windowsupdate.com | Akamai International B.V. | IT | unknown
2456 | Awner.exe | 23.37.10.90:80 | x1.c.lencr.org | AKAMAI-AS | PH | unknown
2456 | Awner.exe | 104.26.13.205:443 | api.ipify.org | CLOUDFLARENET | US | unknown
2456 | Awner.exe | 67.23.226.139:587 | mail.showpiece.trillennium.biz | DIMENOC | US | unknown
1088 | svchost.exe | 173.222.107.25:80 | ctldl.windowsupdate.com | Akamai International B.V. | IT | unknown
1104 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

Domain | IP | Reputation
www.innovativebuildingsolutions.in | 103.21.58.98 | unknown
ctldl.windowsupdate.com | 173.222.107.15, 173.222.107.10, 173.222.107.25, 173.222.107.17, 173.222.107.22, 173.222.107.5, 173.222.107.21, 173.222.107.7, 173.222.107.13, 173.222.107.24, 173.222.107.27 | unknown
x1.c.lencr.org | 23.37.10.90 | unknown
api.ipify.org | 104.26.13.205, 104.26.12.205, 172.67.74.152 | unknown
mail.showpiece.trillennium.biz | 67.23.226.139 | unknown
query.prod.cms.rt.microsoft.com | 23.61.141.106 | unknown
settings-win.data.microsoft.com | 40.127.240.158 | unknown
crl.microsoft.com | 23.194.202.9, 23.194.202.11 | unknown
www.microsoft.com | 2.18.173.151 | unknown

Threats

Class | Message
Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
Misc activity | INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)
Successful Credential Theft Detected | STEALER [ANY.RUN] Exfiltration via SMTP (AgentTesla)
Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
Potentially Bad Traffic | ET INFO Observed DNS Query to .biz TLD
Misc activity | INFO [ANY.RUN] SMTP email client opens transfer with server (EHLO)
Successful Credential Theft Detected | STEALER [ANY.RUN] Exfiltration via SMTP (AgentTesla)
No debug info