| File name: | 20032026_0018_18032026_RFQ-12655-Riyad.gz |
| Full analysis: | https://app.any.run/tasks/c140ec29-06d7-464e-9342-bae64dba9b53 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | March 20, 2026, 00:24:13 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/gzip |
| File info: | gzip compressed data, was "RFQ-12655-Riyad.vbs", last modified: Wed Mar 18 13:00:16 2026, from FAT filesystem (MS-DOS, OS/2, NT), original size modulo 2^32 2504673 |
| MD5: | BF739BA331CE31671A70D0241DCAA680 |
| SHA1: | 65CE795C497A9362018169DBDC0BEBF5B17C799D |
| SHA256: | 03225C5055F3E6104399CBE8A61D0B4266980314F94BE94C3EBC86A077C7A63A |
| SSDEEP: | 768:9lNpIl3WerSIQc/Tnml38bzZnL+Mf7RW322222222h:9lNG3eCmlSlL+fh |
MALICIOUS
Copies file to a new location (SCRIPT)
- wscript.exe (PID: 3996)
May hide the program window using WMI (SCRIPT)
- wscript.exe (PID: 3996)
Run PowerShell with an invisible window
- powershell.exe (PID: 3112)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 3112)
REMCOS has been detected
- CasPol.exe (PID: 4956)
REMCOS mutex has been found
- CasPol.exe (PID: 4956)
REMCOS has been detected (YARA)
- CasPol.exe (PID: 4956)
SUSPICIOUS
Gets full path of the running script (SCRIPT)
- wscript.exe (PID: 3996)
Uses WMI to retrieve WMI-managed resources (SCRIPT)
- wscript.exe (PID: 3996)
The process executes VB scripts
- wscript.exe (PID: 3996)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 3996)
Creates an object to access WMI (SCRIPT)
- wscript.exe (PID: 3996)
Manipulates environment variables
- powershell.exe (PID: 3112)
Possibly malicious use of IEX has been detected
- powershell.exe (PID: 3112)
Executed via WMI
- powershell.exe (PID: 3112)
Converts a string into array of characters (POWERSHELL)
- powershell.exe (PID: 3112)
Bypass execution policy to execute commands
- powershell.exe (PID: 3112)
Reverses array data (POWERSHELL)
- powershell.exe (PID: 3112)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 3112)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 4704)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 2748)
INFO
Generic archive extractor
- WinRAR.exe (PID: 2748)
Manual execution by a user
- wscript.exe (PID: 3996)
Disables trace logs
- powershell.exe (PID: 3112)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 3112)
Gets data length (POWERSHELL)
- powershell.exe (PID: 3112)
Potential modification of remote process state (Base64 Encoded 'SetThreadContext')
- powershell.exe (PID: 3112)
Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')
- powershell.exe (PID: 3112)
Potential remote process memory reading (Base64 Encoded 'ReadProcessMemory')
- powershell.exe (PID: 3112)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 2748)
Checks supported languages
- MpCmdRun.exe (PID: 7544)
- CasPol.exe (PID: 4956)
Detects Babel protector (YARA)
- powershell.exe (PID: 3112)
Reads the computer name
- MpCmdRun.exe (PID: 7544)
- CasPol.exe (PID: 4956)
There is functionality for taking screenshot (YARA)
- CasPol.exe (PID: 4956)
Create files in a temporary directory
- MpCmdRun.exe (PID: 7544)
Potential remote process memory interaction (Base64 Encoded 'VirtualAllocEx')
- powershell.exe (PID: 3112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Remcos
(PID) Process(4956) CasPol.exe
C2 (1)honerable.ydns.eu:50312:1honerable-bk.ydns.eu:52541
BotnetHonFire
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Install_HKLM\Winlogon\Shell100000
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valueFalse
Hide_fileFalse
Mutex_nameRmc-DCMPJB
Keylog_flag0
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptFalse
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path1
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
TRiD
| .z/gz/gzip | | | GZipped data (100) |
|---|
EXIF
ZIP
| Compression: | Deflated |
|---|---|
| Flags: | FileName |
| ModifyDate: | 2026:03:18 13:00:16+00:00 |
| ExtraFlags: | (none) |
| OperatingSystem: | FAT filesystem (MS-DOS, OS/2, NT/Win32) |
| ArchivedFileName: | RFQ-12655-Riyad.vbs |
Total processes
144
Monitored processes
11
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2748 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\20032026_0018_18032026_RFQ-12655-Riyad.gz | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 3112 | powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "IEX $env:INTERNAL_DB_CACHE;[Environment]::SetEnvironmentVariable('INTERNAL_DB_CACHE',$null,'User')" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WmiPrvSE.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3996 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\Desktop\RFQ-12655-Riyad.vbs | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 4704 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR2748.43696\Rar$Scan36589.bat" " | C:\Windows\System32\cmd.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4956 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Framework CAS Policy Manager Version: 4.8.9037.0 built by: NET481REL1 Modules
Remcos(PID) Process(4956) CasPol.exe C2 (1)honerable.ydns.eu:50312:1honerable-bk.ydns.eu:52541 BotnetHonFire Options Connect_interval1 Install_flagFalse Install_HKCU\RunTrue Install_HKLM\RunTrue Install_HKLM\Explorer\Run1 Install_HKLM\Winlogon\Shell100000 Setup_path%LOCALAPPDATA% Copy_fileremcos.exe Startup_valueFalse Hide_fileFalse Mutex_nameRmc-DCMPJB Keylog_flag0 Keylog_path%LOCALAPPDATA% Keylog_filelogs.dat Keylog_cryptFalse Hide_keylogFalse Screenshot_flagFalse Screenshot_time5 Take_ScreenshotFalse Screenshot_path%APPDATA% Screenshot_fileScreenshots Screenshot_cryptFalse Mouse_optionFalse Delete_fileFalse Audio_record_time5 Audio_path1 Audio_dirMicRecords Connect_delay0 Copy_dirRemcos Keylog_dirremcos | |||||||||||||||
| 6180 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6668 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Framework CAS Policy Manager Exit code: 4294967295 Version: 4.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 6844 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7244 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7544 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR2748.43696" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
11 161
Read events
11 141
Write events
19
Delete events
1
Modification events
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Downloads\chromium_build 1.zip | |||
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\20032026_0018_18032026_RFQ-12655-Riyad.gz | |||
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2748) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
0
Suspicious files
2
Text files
0
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3996 | wscript.exe | C:\Users\Public\Downloads\Name_File.vbs | binary | |
MD5:217AFD761F038A7AADC97BE4289C003A | SHA256:13277A62CACF440247A450919FB4391FDE5FB25435B249903676A0E79AEDCD72 | |||
| 2748 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR2748.43696\20032026_0018_18032026_RFQ-12655-Riyad.gz\RFQ-12655-Riyad.vbs | binary | |
MD5:217AFD761F038A7AADC97BE4289C003A | SHA256:13277A62CACF440247A450919FB4391FDE5FB25435B249903676A0E79AEDCD72 | |||
| 3112 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:7D503B356DA0035813581E375F717D03 | SHA256:38F9C0E32F40B55B89C1DAB2FEC1EBB7959E41B246BAFF46BD8F6FD4CA93B87A | |||
| 7544 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | binary | |
MD5:527B45CB652A1750F89BC11D11DBD6F8 | SHA256:921B53723FF4C05CB91A61D667EA99B212E402062A9970FD572517793D196F20 | |||
| 3112 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vsac550l.rsy.ps1 | binary | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3112 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ge0qytqr.pax.psm1 | binary | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2748 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR2748.43696\Rar$Scan36589.bat | binary | |
MD5:08B7E8DCFCD53F56DA72210CA627702B | SHA256:05D6C402BCFAE8B6E395C3CA6EDDD2019BACC1565868DA410A281B5C4E2A25BC | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
53
TCP/UDP connections
46
DNS requests
26
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3112 | powershell.exe | GET | 302 | 104.17.148.83:443 | https://www.mediafire.com/file/vy9033g8sp157ab/img_055856.png/file | US | — | — | unknown |
1788 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
5316 | svchost.exe | POST | 200 | 20.190.159.71:443 | https://login.live.com/RST2.srf | US | — | 1.24 Kb | whitelisted |
— | — | POST | 400 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | binary | 203 b | whitelisted |
1788 | SIHClient.exe | GET | 200 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
3112 | powershell.exe | GET | 200 | 162.159.133.82:443 | https://res.cloudinary.com/dzptvoj1b/image/upload/v1773339102/MSI_PRO_with_b64_wavpuj.jpg | unknown | binary | 2.81 Mb | unknown |
5316 | svchost.exe | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | — | 203 b | whitelisted |
5316 | svchost.exe | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | — | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.4:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | binary | 203 b | whitelisted |
1788 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
7988 | slui.exe | 48.192.1.64:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 92.123.104.31:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
3352 | svchost.exe | 23.48.23.166:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
3352 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
5276 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
3352 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5208 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
res.cloudinary.com |
| whitelisted |
www.mediafire.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2232 | svchost.exe | Potentially Bad Traffic | ET HUNTING File Sharing Related Domain (www .mediafire .com) in DNS Lookup |
2232 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING File Sharing Related Domain in DNS Lookup (download .mediafire .com) |
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] Dynamic DNS Service (ydns .eu) |
2232 | svchost.exe | Misc activity | INFO [ANY.RUN] Dynamic DNS Service (ydns .eu) |