File name:

StandoffInject.zip

Full analysis: https://app.any.run/tasks/167b01da-916b-4d24-a045-b703ea04c723
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that lets attackers take partial to complete control of infected computers. Such malicious programs often have a modular design, offering a wide range of functionality for carrying out illicit activity on compromised systems. Some of the most common RAT features are access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: June 21, 2025, 10:37:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-doc
auto-sch
sheetrat
rat
auto-reg
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5: B8A0E23663C772CDD14ADE33F509E48B
SHA1: 5E9CBC52AB199CF9CF91BEE132375E020DC66DF7
SHA256: 2B34AE0A7F98ECB00DE4280EC05B6A363DBEBD7D3274AEEE4160A200026DCE60
SSDEEP: 6144:Qk7Ytj/dRFi3KdB6var1gEaptlFqjqLbcImFHqjmv3oXO/ODyNBD2G2QdW:l78/dRFi3Kf6d3dUqXcILA3o+/qG2QdW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 1984)
    • SHEETRAT mutex has been found

      • StandoffInject.exe (PID: 6220)
      • xdwdSystem.exe (PID: 7060)
      • xdwdSystem.exe (PID: 6368)
    • Changes the AppInit_DLLs value (autorun option)

      • StandoffInject.exe (PID: 6220)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 5496)
      • cmd.exe (PID: 3936)
      • cmd.exe (PID: 4836)
      • cmd.exe (PID: 5252)
      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 6460)
      • cmd.exe (PID: 1028)
      • cmd.exe (PID: 3196)
      • cmd.exe (PID: 1604)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 6676)
      • cmd.exe (PID: 760)
      • cmd.exe (PID: 2976)
      • cmd.exe (PID: 6680)
      • cmd.exe (PID: 1212)
      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 3736)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 516)
      • cmd.exe (PID: 984)
      • cmd.exe (PID: 2324)
      • cmd.exe (PID: 6700)
      • cmd.exe (PID: 4456)
      • cmd.exe (PID: 3788)
      • cmd.exe (PID: 7060)
      • cmd.exe (PID: 6876)
      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 4048)
      • cmd.exe (PID: 2192)
      • cmd.exe (PID: 640)
      • cmd.exe (PID: 4944)
      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 6684)
      • cmd.exe (PID: 3676)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 1880)
    • Changes the login/logoff helper path in the registry

      • StandoffInject.exe (PID: 6220)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 4456)
    • Changes the autorun value in the registry

      • StandoffInject.exe (PID: 6220)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • StandoffInject.exe (PID: 1564)
      • WinRAR.exe (PID: 1984)
    • Reads the date of Windows installation

      • StandoffInject.exe (PID: 1564)
    • Application launched itself

      • StandoffInject.exe (PID: 1564)
    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 1984)
      • StandoffInject.exe (PID: 6220)
      • xdwdSystem.exe (PID: 5504)
      • xdwdMicrosoft Security Essentials.exe (PID: 864)
      • xdwdSystem.exe (PID: 7060)
      • xdwdSystem.exe (PID: 6368)
    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 1984)
    • The process creates files with name similar to system file names

      • StandoffInject.exe (PID: 6220)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 4708)
      • cmd.exe (PID: 5496)
      • schtasks.exe (PID: 6680)
      • cmd.exe (PID: 4456)
      • xdwdSystem.exe (PID: 5504)
      • cmd.exe (PID: 3936)
      • schtasks.exe (PID: 320)
      • cmd.exe (PID: 5252)
      • schtasks.exe (PID: 7056)
      • cmd.exe (PID: 4836)
      • schtasks.exe (PID: 5628)
      • schtasks.exe (PID: 4888)
      • cmd.exe (PID: 3948)
      • xdwdSystem.exe (PID: 7060)
      • schtasks.exe (PID: 7116)
      • cmd.exe (PID: 6460)
      • xdwdSystem.exe (PID: 6368)
      • cmd.exe (PID: 1028)
      • cmd.exe (PID: 3196)
      • schtasks.exe (PID: 5444)
      • schtasks.exe (PID: 1932)
      • cmd.exe (PID: 1604)
      • schtasks.exe (PID: 2348)
      • schtasks.exe (PID: 4888)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 6676)
      • schtasks.exe (PID: 5716)
      • schtasks.exe (PID: 4880)
      • cmd.exe (PID: 760)
      • cmd.exe (PID: 2976)
      • cmd.exe (PID: 6680)
      • schtasks.exe (PID: 1356)
      • schtasks.exe (PID: 5708)
      • cmd.exe (PID: 1212)
      • schtasks.exe (PID: 6104)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 2148)
      • schtasks.exe (PID: 5232)
      • cmd.exe (PID: 6264)
      • schtasks.exe (PID: 5772)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 3736)
      • schtasks.exe (PID: 6504)
      • schtasks.exe (PID: 2192)
      • schtasks.exe (PID: 1332)
      • schtasks.exe (PID: 2280)
      • cmd.exe (PID: 516)
      • schtasks.exe (PID: 3564)
      • cmd.exe (PID: 2324)
      • schtasks.exe (PID: 4040)
      • cmd.exe (PID: 4456)
      • schtasks.exe (PID: 2320)
      • cmd.exe (PID: 984)
      • schtasks.exe (PID: 2808)
      • cmd.exe (PID: 7060)
      • schtasks.exe (PID: 4544)
      • cmd.exe (PID: 6700)
      • schtasks.exe (PID: 864)
      • cmd.exe (PID: 6876)
      • cmd.exe (PID: 3788)
      • schtasks.exe (PID: 2696)
      • cmd.exe (PID: 4048)
      • schtasks.exe (PID: 4688)
      • schtasks.exe (PID: 6828)
      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 640)
      • cmd.exe (PID: 2192)
      • schtasks.exe (PID: 424)
      • cmd.exe (PID: 4944)
      • schtasks.exe (PID: 6260)
      • schtasks.exe (PID: 6704)
      • cmd.exe (PID: 6684)
      • cmd.exe (PID: 2656)
      • schtasks.exe (PID: 2468)
      • cmd.exe (PID: 5416)
      • schtasks.exe (PID: 2120)
      • cmd.exe (PID: 4012)
      • schtasks.exe (PID: 7096)
      • schtasks.exe (PID: 1440)
      • cmd.exe (PID: 3676)
      • schtasks.exe (PID: 7072)
      • cmd.exe (PID: 1880)
      • schtasks.exe (PID: 6232)
    • Connects to unusual port

      • StandoffInject.exe (PID: 6220)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 2200)
    • The process executes via Task Scheduler

      • xdwdSystem.exe (PID: 7060)
      • xdwdSystem.exe (PID: 6368)
    • Executable content was dropped or overwritten

      • StandoffInject.exe (PID: 6220)
  • INFO

    • Checks supported languages

      • StandoffInject.exe (PID: 1564)
      • StandoffInject.exe (PID: 6220)
      • MpCmdRun.exe (PID: 5060)
      • xdwdSystem.exe (PID: 5504)
      • xdwdMicrosoft Security Essentials.exe (PID: 864)
      • xdwdSystem.exe (PID: 7060)
      • xdwdSystem.exe (PID: 6368)
    • Reads the computer name

      • StandoffInject.exe (PID: 1564)
      • StandoffInject.exe (PID: 6220)
      • MpCmdRun.exe (PID: 5060)
      • xdwdSystem.exe (PID: 5504)
      • xdwdMicrosoft Security Essentials.exe (PID: 864)
      • xdwdSystem.exe (PID: 7060)
      • xdwdSystem.exe (PID: 6368)
    • Manual execution by a user

      • StandoffInject.exe (PID: 1564)
      • notepad.exe (PID: 1520)
      • xdwdMicrosoft Security Essentials.exe (PID: 864)
      • xdwdSystem.exe (PID: 5504)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 1520)
    • Reads the machine GUID from the registry

      • StandoffInject.exe (PID: 1564)
      • StandoffInject.exe (PID: 6220)
    • Process checks computer location settings

      • StandoffInject.exe (PID: 1564)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1984)
    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 5060)
    • Launching a file from a Registry key

      • StandoffInject.exe (PID: 6220)
    • Launching a file from Task Scheduler

      • cmd.exe (PID: 5496)
      • cmd.exe (PID: 5528)
      • cmd.exe (PID: 3936)
      • cmd.exe (PID: 5252)
      • cmd.exe (PID: 4836)
      • cmd.exe (PID: 3948)
      • cmd.exe (PID: 6460)
      • cmd.exe (PID: 1028)
      • cmd.exe (PID: 3196)
      • cmd.exe (PID: 1604)
      • cmd.exe (PID: 6676)
      • cmd.exe (PID: 1700)
      • cmd.exe (PID: 760)
      • cmd.exe (PID: 2976)
      • cmd.exe (PID: 6680)
      • cmd.exe (PID: 1212)
      • cmd.exe (PID: 2148)
      • cmd.exe (PID: 6264)
      • cmd.exe (PID: 3736)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 984)
      • cmd.exe (PID: 516)
      • cmd.exe (PID: 2324)
      • cmd.exe (PID: 3788)
      • cmd.exe (PID: 6700)
      • cmd.exe (PID: 4456)
      • cmd.exe (PID: 7060)
      • cmd.exe (PID: 2532)
      • cmd.exe (PID: 4048)
      • cmd.exe (PID: 6876)
      • cmd.exe (PID: 6684)
      • cmd.exe (PID: 2192)
      • cmd.exe (PID: 640)
      • cmd.exe (PID: 4944)
      • cmd.exe (PID: 6228)
      • cmd.exe (PID: 4012)
      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 1880)
      • cmd.exe (PID: 3676)
    • Reads the software policy settings

      • slui.exe (PID: 7140)
    • Checks proxy server information

      • slui.exe (PID: 7140)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2025:06:21 04:12:28
ZipCRC: 0x8d33b54c
ZipCompressedSize: 70
ZipUncompressedSize: 79
ZipFileName: Readme.txt
No data.
All screenshots are available in the full report
Total processes: 276
Monitored processes: 142
Malicious processes: 4
Suspicious processes: 1

Behavior graph

(Interactive process graph, rendered only in the full report.) Nodes in the graph: winrar.exe, standoffinject.exe (two instances, one tagged #SHEETRAT), notepad.exe, mpcmdrun.exe, svchost.exe, slui.exe, xdwdsystem.exe (three instances, two tagged #SHEETRAT), xdwdmicrosoft security essentials.exe, and many repeated cmd.exe -> conhost.exe -> schtasks.exe chains.

Process information

PID: 320
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "Sage CRM" /tr "C:\Users\Public\Documents\xdwdSystem.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 416
CMD: SchTaSKs /create /f /sc minute /mo 5 /tn "Jira" /tr "C:\Users\admin\Music\xdwdMicrosoft Security Essentials.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 424
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 424
CMD: SchTaSKs /create /f /sc minute /mo -1 /tn "Sage CRM" /tr "C:\Users\Public\Documents\xdwdSystem.exe" /RL HIGHEST
Path: C:\Windows\System32\schtasks.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 472
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 516
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage CRM" /tr "C:\Users\Public\Documents\xdwdSystem.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: StandoffInject.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 640
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage CRM" /tr "C:\Users\Public\Documents\xdwdSystem.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: StandoffInject.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 760
CMD: "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Sage CRM" /tr "C:\Users\Public\Documents\xdwdSystem.exe" /RL HIGHEST & exit
Path: C:\Windows\System32\cmd.exe
Parent process: StandoffInject.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 2147500037
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 864
CMD: "C:\Users\admin\Music\xdwdMicrosoft Security Essentials.exe"
Path: C:\Users\admin\Music\xdwdMicrosoft Security Essentials.exe
Parent process: explorer.exe
User: admin
Company: MATLAB
Integrity Level: MEDIUM
Description: GIMP (GNU Image Manipulation Program)
Exit code: 218
Version: 50.217.287.288
Modules
Images
c:\users\admin\music\xdwdmicrosoft security essentials.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 11 052
Read events: 11 035
Write events: 17
Delete events: 0

Modification events

PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value: (empty)
PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value: (empty)
PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\Desktop\StandoffInject.zip
PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
PID 1984 (WinRAR.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
Executable files: 4
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6220 | StandoffInject.exe | C:\Users\Public\Documents\xdwdSystem.exe | executable
  MD5: 52003A7C3702A09B4BA4DBCCE2533A94
  SHA256: 4B1E2F141A8EB2DCD10722032BF84469324A8BC768A76EAB641E72E19E653CD7
5060 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | text
  MD5: 2796636481E2193D2890C1B220C6D274
  SHA256: FCCCD2A67FEB9C9933863963D21E7D0CE87ADE415715ABA46E772CFFA53EE797
1984 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR1984.7533\StandoffInject.zip\Readme.txt | text
  MD5: 204CA3D3E18525BA8AD5EA6EAD87B2F4
  SHA256: 008F9A473E9C64ADC86EF87A35F63EE529112A4E488ABA6D0C8CD79379199CA9
6220 | StandoffInject.exe | C:\Windows\xdwd.dll | executable
  MD5: 16E5A492C9C6AE34C59683BE9C51FA31
  SHA256: 35C8D022E1D917F1AABDCEAE98097CCC072161B302F84C768CA63E4B32AC2B66
1984 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR1984.7533\Rar$Scan25995.bat | text
  MD5: D520EA5EB11AD897F77E15BB04E8FB13
  SHA256: D921146E9BDBDC949384F317E11A7F3E1972309E89557CC3633C571F4968C4E6
6220 | StandoffInject.exe | C:\Users\admin\Music\xdwdMicrosoft Security Essentials.exe | executable
  MD5: 52003A7C3702A09B4BA4DBCCE2533A94
  SHA256: 4B1E2F141A8EB2DCD10722032BF84469324A8BC768A76EAB641E72E19E653CD7
1984 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR1984.7533\StandoffInject.zip\StandoffInject.exe | executable
  MD5: 52003A7C3702A09B4BA4DBCCE2533A94
  SHA256: 4B1E2F141A8EB2DCD10722032BF84469324A8BC768A76EAB641E72E19E653CD7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 32
TCP/UDP connections: 54
DNS requests: 20
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2072 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.5:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | POST | 200 | 20.190.160.130:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 20.190.160.132:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | POST | 200 | 40.126.32.140:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.32.76:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
2620 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2072 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2072 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 20.190.160.131
  • 40.126.32.136
  • 20.190.160.128
  • 20.190.160.20
  • 20.190.160.2
  • 40.126.32.133
  • 20.190.160.22
  • 40.126.32.74
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.43
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
e3-40657.portmap.io
  • 193.161.193.99
malicious

Threats

PID | Process | Class | Message
2200 | svchost.exe | Potential Corporate Privacy Violation | ET INFO DNS Query to a Reverse Proxy Service Observed
2200 | svchost.exe | Misc activity | ET INFO DNS Query for Port Mapping/Tunneling Service Domain (.portmap .io)
No debug info