File name:

VER_09307980263_2025-24-05-720255018_22203E25P5.vbs

Full analysis: https://app.any.run/tasks/be259787-0da2-4726-a054-18e0d79ab61c
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 08:01:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
evasion
delphi
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (4842), with CRLF line terminators
MD5:

223C79097FFD4A4C03BE3FBA3F732F9A

SHA1:

B3DAA3E88F5B6B0A51B3B1B61873916E24615294

SHA256:

FE83C4C52BC751B0711E7064056F0A3350D396EFD164F3E2A9B01E4984C30418

SSDEEP:

49152:hVnfiVqIZTQyZ7m9CoFMpyMJvax0tiz5IAUulBybpa+WKUOX4AY:9O8NPFeu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses base64 encoding (SCRIPT)

      • wscript.exe (PID: 7012)

    • Actions looks like stealing of personal data

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)

  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7012)

    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 7012)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7012)

    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 7012)

    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 7012)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 7012)

    • There is functionality for communication over UDP network (YARA)

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)

    • There is functionality for taking screenshot (YARA)

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)

    • Likely accesses (executes) a file from the Public directory

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)

    • Checks for external IP

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)
      • svchost.exe (PID: 2196)

    • Connects to unusual port

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)

  • INFO

    • Compiled with Borland Delphi (YARA)

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)

    • Reads the software policy settings

      • slui.exe (PID: 4608)
      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)

    • The sample compiled with english language support

      • wscript.exe (PID: 7012)

    • Checks supported languages

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)

    • Reads the computer name

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)

    • Checks proxy server information

      • CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe (PID: 6148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.cnt | Help File Contents (100)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs chcpjntscnkdtyhjpilpwihtksdz.exe sppextcomobj.exe no specs slui.exe slui.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2392C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4608"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5352C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
6148"C:\Users\Public\CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe" C:\Users\Public\CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
wscript.exe
User:
admin
Company:
CloudBridge Solutions 0730194 Inc.
Integrity Level:
MEDIUM
Description:
Advanced Data Protection Management 0730194, 31086.26765.11881.17806, R739.
Exit code:
0
Version:
31086.26765.11881.17806
Modules
Images
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.3636_none_a863d714867441db\comctl32.dll
c:\windows\syswow64\winhttp.dll
c:\windows\syswow64\wsock32.dll
c:\windows\syswow64\ws2_32.dll
c:\windows\syswow64\imm32.dll
c:\windows\syswow64\msctf.dll
c:\windows\syswow64\uxtheme.dll
c:\windows\syswow64\kernel.appcore.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\wtsapi32.dll
7012"C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\VER_09307980263_2025-24-05-720255018_22203E25P5.vbsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
2 585
Read events
2 584
Write events
1
Delete events
0

Modification events

(PID) Process:(7012) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
0100000000000000B08606205C9DDB01
Executable files
0
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7012wscript.exeC:\Users\Public\JYRIUSeobezc18FY50JJFE1ZMTJPZBPoygp.vrc
MD5:
SHA256:
7012wscript.exeC:\Users\Public\CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
MD5:
SHA256:
7012wscript.exeC:\Users\Public\CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.zipcompressed
MD5:7E4FF79ABA4686CD116998753EFB9D3C
SHA256:4EB997772AD402F979F9BF30CF46C10CFF75AD41675E9A8142085EEDFDE5CD1F
7012wscript.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-msbinary
MD5:922D29A4CEF55E596EF4E110F9552306
SHA256:5C7A695A17D5FDB95887491BDCC92368FA10ADDD52190933DBD62BD7F56CC555
7012wscript.exeC:\Users\Public\PNHHrQtdIatMseT.txttext
MD5:6018C175F073275A394D386AF41C878A
SHA256:EF46864BB7EA34269EE64CABA42F380637492B446B513931C575DEAD35DADC11
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
33
DNS requests
17
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7020
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
whitelisted
5680
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2.16.164.120:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
20.198.162.76:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
SG
whitelisted
6544
svchost.exe
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7020
backgroundTaskHost.exe
20.74.47.205:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
whitelisted
google.com
  • 172.217.16.206
whitelisted
client.wns.windows.com
  • 20.198.162.76
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.128
  • 40.126.32.76
  • 20.190.160.22
  • 20.190.160.130
  • 20.190.160.20
  • 40.126.32.74
  • 20.190.160.66
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
ip-api.com
  • 208.95.112.1
whitelisted
dns.google
  • 8.8.4.4
  • 8.8.8.8
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Device Retrieving External IP Address Detected
INFO [ANY.RUN] External IP Check (ip-api .com)
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com)
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ip-api.com
6148
CHCPjnTsCNkdtYHjPiLpwiHtKsDZ.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (Clever Internet Suite)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
VER_09307980263_2025-24-05-720255018_22203E25P5.vbs