URL:

https://siemenx.com/filesession/MP7748-NIA%20QUOTE,MP7748%20QUOTE,ORDER%20DESCRIPTION.iso

Full analysis: https://app.any.run/tasks/c208d7d8-dd50-4355-8da3-2ff4882bd669
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: July 30, 2024, 04:38:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
remcos
remote
evasion
Indicators:
MD5:

63D6BE2297C272431D7D59C8BC5463BF

SHA1:

3F2F68734950CAE3CC50F534466630D98BA03F7E

SHA256:

4517A3232C867C8F14A69D99D5E1387F95C26263E732C8E4662FC0A8973DBDD5

SSDEEP:

3:N8BsD06LXYbFMqXjjw43hg3yLg2mc3rLXK:2CHEZMql23H2lXK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • MP7748-NIA QUOTE,MP7748 QUOTE,ORDER DESCRIPTION^^^^^^^^^ (1).exe (PID: 8028)

    • Drops the executable file immediately after the start

      • MP7748-NIA QUOTE,MP7748 QUOTE,ORDER DESCRIPTION^^^^^^^^^ (1).exe (PID: 8028)

    • REMCOS has been detected

      • jsc.exe (PID: 3572)
      • jsc.exe (PID: 3572)
      • jsc.exe (PID: 3572)

    • Changes the autorun value in the registry

      • MP7748-NIA QUOTE,MP7748 QUOTE,ORDER DESCRIPTION^^^^^^^^^ (1).exe (PID: 8028)

    • REMCOS has been detected (SURICATA)

      • jsc.exe (PID: 3572)

    • REMCOS has been detected (YARA)

      • jsc.exe (PID: 3572)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • MP7748-NIA QUOTE,MP7748 QUOTE,ORDER DESCRIPTION^^^^^^^^^ (1).exe (PID: 8028)

    • Reads security settings of Internet Explorer

      • jsc.exe (PID: 3572)

    • Executable content was dropped or overwritten

      • MP7748-NIA QUOTE,MP7748 QUOTE,ORDER DESCRIPTION^^^^^^^^^ (1).exe (PID: 8028)

    • Script adds exclusion path to Windows Defender

      • MP7748-NIA QUOTE,MP7748 QUOTE,ORDER DESCRIPTION^^^^^^^^^ (1).exe (PID: 8028)

    • Checks for external IP

      • jsc.exe (PID: 3572)

    • Contacting a server suspected of hosting an CnC

      • jsc.exe (PID: 3572)

    • There is functionality for taking screenshot (YARA)

      • jsc.exe (PID: 3572)

    • Connects to unusual port

      • jsc.exe (PID: 3572)

    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 5016)

    • Creates file in the systems drive root

      • explorer.exe (PID: 5016)

    • Image mount has been detect

      • explorer.exe (PID: 5016)

  • INFO

    • Application launched itself

      • chrome.exe (PID: 7048)

    • Manual execution by a user

      • MP7748-NIA QUOTE,MP7748 QUOTE,ORDER DESCRIPTION^^^^^^^^^ (1).exe (PID: 8028)
      • cmd.exe (PID: 7668)

    • Reads Microsoft Office registry keys

      • chrome.exe (PID: 7048)

    • Checks supported languages

      • jsc.exe (PID: 3572)
      • MP7748-NIA QUOTE,MP7748 QUOTE,ORDER DESCRIPTION^^^^^^^^^ (1).exe (PID: 8028)

    • Reads the computer name

      • jsc.exe (PID: 3572)

    • Checks proxy server information

      • jsc.exe (PID: 3572)
      • slui.exe (PID: 7692)

    • Reads the machine GUID from the registry

      • jsc.exe (PID: 3572)

    • Creates files or folders in the user directory

      • jsc.exe (PID: 3572)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7992)

    • Reads Environment values

      • jsc.exe (PID: 3572)

    • Creates files in the program directory

      • jsc.exe (PID: 3572)

    • Reads the software policy settings

      • slui.exe (PID: 7692)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 6200)

    • Drops the executable file immediately after the start

      • chrome.exe (PID: 6200)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 5016)

    • The process uses the downloaded file

      • chrome.exe (PID: 8000)
      • explorer.exe (PID: 5016)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Remcos

(PID) Process(3572) jsc.exe
C2 (1)remremc.duckdns.org:57155
BotnetYenom
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Install_HKLM\Winlogon\Shell100000
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valueFalse
Hide_fileFalse
Mutex_nameRmc-V6SI6Q
Keylog_flag1
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptTrue
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%ProgramFiles%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
178
Monitored processes
30
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs slui.exe chrome.exe no specs chrome.exe no specs mp7748-nia quote,mp7748 quote,order description^^^^^^^^^ (1).exe conhost.exe no specs powershell.exe no specs conhost.exe no specs caspol.exe no specs msbuild.exe no specs #REMCOS jsc.exe svchost.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs cmd.exe no specs conhost.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
484"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoABAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=5368 --field-trial-handle=1872,i,4860660361576497502,7901811851496641305,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2284C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2308"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5320 --field-trial-handle=1872,i,4860660361576497502,7901811851496641305,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2988"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2036 --field-trial-handle=1872,i,4860660361576497502,7901811851496641305,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:3C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
3572"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
MP7748-NIA QUOTE,MP7748 QUOTE,ORDER DESCRIPTION^^^^^^^^^ (1).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
jsc.exe
Version:
14.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\jsc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Remcos
(PID) Process(3572) jsc.exe
C2 (1)remremc.duckdns.org:57155
BotnetYenom
Options
Connect_interval1
Install_flagFalse
Install_HKCU\RunTrue
Install_HKLM\RunTrue
Install_HKLM\Explorer\Run1
Install_HKLM\Winlogon\Shell100000
Setup_path%LOCALAPPDATA%
Copy_fileremcos.exe
Startup_valueFalse
Hide_fileFalse
Mutex_nameRmc-V6SI6Q
Keylog_flag1
Keylog_path%LOCALAPPDATA%
Keylog_filelogs.dat
Keylog_cryptTrue
Hide_keylogFalse
Screenshot_flagFalse
Screenshot_time5
Take_ScreenshotFalse
Screenshot_path%APPDATA%
Screenshot_fileScreenshots
Screenshot_cryptFalse
Mouse_optionFalse
Delete_fileFalse
Audio_record_time5
Audio_path%ProgramFiles%
Audio_dirMicRecords
Connect_delay0
Copy_dirRemcos
Keylog_dirremcos
3840"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgABAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1868 --field-trial-handle=1872,i,4860660361576497502,7901811851496641305,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
3900"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1872,i,4860660361576497502,7901811851496641305,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
4772"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2220 --field-trial-handle=1872,i,4860660361576497502,7901811851496641305,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
4992"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5032 --field-trial-handle=1872,i,4860660361576497502,7901811851496641305,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
5016C:\WINDOWS\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
Total events
43 670
Read events
43 502
Write events
140
Delete events
28

Modification events

(PID) Process:(7048) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(7048) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(7048) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
(PID) Process:(7048) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation:writeName:StatusCodes
Value:
01000000
(PID) Process:(7048) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(7048) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:dr
Value:
1
(PID) Process:(7048) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(7048) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome
Operation:writeName:UsageStatsInSample
Value:
0
(PID) Process:(7048) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(7048) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:writeName:metricsid
Value:
Executable files
3
Suspicious files
129
Text files
44
Unknown types
4

Dropped files

PID
Process
Filename
Type
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1c1583.TMP
MD5:
SHA256:
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF1c1583.TMP
MD5:
SHA256:
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF1c1535.TMPtext
MD5:8F45965291AB2DA10EEB049FB6E917C6
SHA256:8A0DE526945B27CDBBD87357C85FDDD37B572370F894CB0A5AC533FD465D2166
7048chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:19D1A06251A8678F85D8DE5BFAB83807
SHA256:AA6E55DCF84CDAF0BD3F913E7B837F65500E9B71A5A7AA773D02FFBC18C7FF01
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
82
DNS requests
50
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4424
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5032
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3676
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5032
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
5368
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
7992
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4132
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
3968
svchost.exe
HEAD
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adg4ikc3k6ilzneaxhtgtkcsrauq_20240717.655735111.14/obedbbhbpmojnkanicioggnmelmoomoc_20240717.655735111.14_all_ENUS500000_ac3welbkvyx2dmbes6tx5lrih6jq.crx3
unknown
whitelisted
3968
svchost.exe
GET
206
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adg4ikc3k6ilzneaxhtgtkcsrauq_20240717.655735111.14/obedbbhbpmojnkanicioggnmelmoomoc_20240717.655735111.14_all_ENUS500000_ac3welbkvyx2dmbes6tx5lrih6jq.crx3
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
239.255.255.250:1900
whitelisted
1044
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3392
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5368
SearchApp.exe
131.253.33.254:443
a-ring-fallback.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
5368
SearchApp.exe
104.126.37.139:443
www.bing.com
Akamai International B.V.
DE
unknown
6012
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5812
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
752
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 104.126.37.139
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.161
  • 104.126.37.155
  • 104.126.37.153
  • 104.126.37.128
  • 104.126.37.162
  • 104.126.37.171
  • 104.126.37.160
  • 104.126.37.144
whitelisted
google.com
  • 142.250.185.78
whitelisted
siemenx.com
  • 85.31.62.226
unknown
accounts.google.com
  • 64.233.167.84
whitelisted
sb-ssl.google.com
  • 216.58.212.142
whitelisted
detectportal.firefox.com
  • 34.107.221.82
whitelisted
prod.detectportal.prod.cloudops.mozgcp.net
  • 34.107.221.82
  • 2600:1901:0:38d7::
whitelisted

Threats

PID
Process
Class
Message
2284
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2284
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2284
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2284
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
3572
jsc.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
3572
jsc.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
3572
jsc.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
3572
jsc.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
3572
jsc.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
3572
jsc.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://siemenx.com/filesession/MP7748-NIA%20QUOTE,MP7748%20QUOTE,ORDER%20DESCRIPTION.iso