File name:	4cd8dd0c2916a962fbef018de240de5f2d8dcd13c69d4d1f2c9d4ae1ac3a32d9.zip
Full analysis:	https://app.any.run/tasks/4ca15ba8-b7fc-4cf1-b423-46f99a978483
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	April 29, 2026, 07:19:20
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-scr susp-powershell auto-reg loader reverseloader rat remcos payload api-base64
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	06B23218C25C6CC1C8D37B6CAF62EF9B
SHA1:	AEAA40EB6DDFBEB42570EA08F43EB69AFE44E741
SHA256:	4CD8DD0C2916A962FBEF018DE240DE5F2D8DCD13C69D4D1F2C9D4AE1AC3A32D9
SSDEEP:	192:AqRpA7lryuoO+bjbBU8ZawJjvtKC73VTbscSevAwS:AGA52dO+ntdrjFhJmmVS

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2026:04:28 19:06:38
ZipCRC:	0xb702e0cd
ZipCompressedSize:	5771
ZipUncompressedSize:	41069
ZipFileName:	PO 4500070387.js


(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\4cd8dd0c2916a962fbef018de240de5f2d8dcd13c69d4d1f2c9d4ae1ac3a32d9.zip
(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4968) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

PID	Process	Filename		Type
6804	powershell.exe	C:\Users\admin\AppData\Local\Temp\qrdhlngu.cmdline		text
		MD5:EA9363C990A4C2F4E56AA3BB571E4311	SHA256:1985409465CC26EE96119B0CC96F9F5A7A7F1EA186E1C9C77033345E2D852978
6804	powershell.exe	C:\Users\admin\AppData\Local\Temp\qrdhlngu.0.cs		text
		MD5:DBD5C6F96ED1813DBCC61C2C6091C05E	SHA256:6F73F3ED4FDCAC3BE47B0398F5E9F79C0E138E052F31F885E86B37E2060A00E0
7232	csc.exe	C:\Users\admin\AppData\Local\Temp\qrdhlngu.out		text
		MD5:488CBB8DEE536049F617452BCE8E223A	SHA256:6D87D026166F4174F902672417E1600E491337B1ACD9EC1B2F6482ED62004944
6804	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mli4v3u3.sli.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6804	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jlf5wjia.kmy.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2132	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_n0v0goz1.bgi.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2132	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:CE473557B23EF1AAB43D04E34CF4F3AD	SHA256:E7FAFCE9AEDA7941A05699C6075C17D93B6958795193E7211AE6989506F63E10
6804	powershell.exe	C:\ProgramData\AaSehbm.js		text
		MD5:D1AD730A6E1F476537E856E21DFFB69F	SHA256:CD26B27A96B78D7C581924F55B45152A716CB45959F6621FFB19C1B0A3A04A2C
7232	csc.exe	C:\Users\admin\AppData\Local\Temp\qrdhlngu.dll		executable
		MD5:FFE8BB5F74660873B1BAF16299768B69	SHA256:5B003E8DEB2CB40AB655CED5FA5B41194FFA81A1C445B777FE685201DD741E6E
7856	cvtres.exe	C:\Users\admin\AppData\Local\Temp\RES588B.tmp		binary
		MD5:5E8D75C81CD94061F20BAA4EA5D54632	SHA256:137F154744C6E360DACD9BA84B0F5028F2644DE851D6F7FFC8C4A6BEA2BB96D3

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5276	MoUsoCoreWorker.exe	GET	304	51.124.78.146:443	https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30	US	—	—	whitelisted
4044	svchost.exe	GET	200	23.59.18.102:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5316	svchost.exe	POST	400	40.126.31.67:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
5316	svchost.exe	POST	400	40.126.31.67:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
4044	svchost.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
5316	svchost.exe	POST	200	40.126.31.67:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	whitelisted
5316	svchost.exe	POST	400	40.126.31.67:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
5316	svchost.exe	POST	400	40.126.31.67:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
5316	svchost.exe	POST	400	40.126.31.67:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted
5316	svchost.exe	POST	400	40.126.31.67:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	204 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
4044	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5276	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8152	slui.exe	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
4044	svchost.exe	23.216.77.42:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
4044	svchost.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	23.59.18.102:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5208	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3416	slui.exe	48.192.1.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
activation-v2.sls.microsoft.com	48.192.1.65	whitelisted
crl.microsoft.com	23.216.77.42 23.216.77.20 2.18.67.76 2.18.67.70	whitelisted
google.com	142.251.14.102 142.251.14.138 142.251.14.113 142.251.14.101 142.251.14.100 142.251.14.139	whitelisted
www.microsoft.com	23.59.18.102 173.222.171.238	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
login.live.com	40.126.31.67 40.126.31.131 40.126.31.2 20.190.159.71 40.126.31.129 20.190.159.73 40.126.31.1 20.190.159.68	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
paste.sensio.no	185.240.204.143	unknown
slscr.update.microsoft.com	135.233.95.144	whitelisted
arc.msn.com	20.86.201.138	whitelisted

PID	Process	Class	Message
5276	MoUsoCoreWorker.exe	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
—	—	A Network Trojan was detected	ET MALWARE Windows executable base64 encoded
—	—	Misc activity	ET HUNTING EXE Base64 Encoded potential malware
6804	powershell.exe	A Network Trojan was detected	ET MALWARE Windows executable base64 encoded
6804	powershell.exe	Misc activity	ET HUNTING EXE Base64 Encoded potential malware
—	—	Exploit Kit Activity Detected	ET EXPLOIT_KIT Unknown EK Landing Feb 16 2015 b64 2 M1
—	—	Exploit Kit Activity Detected	ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound
2232	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2232	svchost.exe	Misc activity	ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
—	—	Potentially Bad Traffic	PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound

General Info

4cd8dd0c2916a962fbef018de240de5f2d8dcd13c69d4d1f2c9d4ae1ac3a32d9.zip

06B23218C25C6CC1C8D37B6CAF62EF9B

AEAA40EB6DDFBEB42570EA08F43EB69AFE44E741

4CD8DD0C2916A962FBEF018DE240DE5F2D8DCD13C69D4D1F2C9D4AE1AC3A32D9

192:AqRpA7lryuoO+bjbBU8ZawJjvtKC73VTbscSevAwS:AGA52dO+ntdrjFhJmmVS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses sleep, probably for evasion detection (SCRIPT)

May hide the program window using WMI (SCRIPT)

Downloads the requested resource (POWERSHELL)

Changes the autorun value in the registry

Run PowerShell with an invisible window

REMCOS mutex has been found

REMCOS has been detected

REVERSELOADER has been detected (SURICATA)

REMCOS has been detected (YARA)

SUSPICIOUS

Creates an object to access WMI (SCRIPT)

Executed via WMI

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Сharacter substitution obfuscation via .replace()

Uses sleep to delay execution (POWERSHELL)

Uses base64 encoding (POWERSHELL)

Gets full path of the running script (SCRIPT)

Gets or sets the security protocol (POWERSHELL)

CSC.EXE is used to compile C# code

Executable content was dropped or overwritten

Starts process via Powershell

Application launched itself

Uses TASKKILL.EXE to kill process

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Contacting a server suspected of hosting an Exploit Kit

Get information on the list of running processes

Starts POWERSHELL.EXE for commands execution

Payload loading activity detected

Executing commands from a ".bat" file

INFO

Manual execution by a user

Generic archive extractor

Found Base64 encoded text manipulation via PowerShell (YARA)

Found Base64 encoded access to processes via PowerShell (YARA)

Found Base64 encoded reflection usage via PowerShell (YARA)

Uses string replace method (POWERSHELL)

Gets a random number, or selects objects randomly from a collection (POWERSHELL)

Converts byte array into Unicode string (POWERSHELL)

Found Base64 encoded network access via PowerShell (YARA)

Create files in a temporary directory

Checks supported languages

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Gets data length (POWERSHELL)

Launching a file from a Registry key

Potential remote process memory reading (Base64 Encoded 'ReadProcessMemory')

Potential dynamic function import (Base64 Encoded 'GetProcAddress')

Reads the computer name

Potential remote process memory writing (Base64 Encoded 'WriteProcessMemory')

Potential modification of remote process state (Base64 Encoded 'SetThreadContext')

There is functionality for taking screenshot (YARA)

Potential remote process memory interaction (Base64 Encoded 'VirtualAllocEx')

Potential library load (Base64 Encoded 'LoadLibrary')

Malware configuration

Remcos

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information