File name:

Annexure_1_BOQ_and_Supporting_Documents.cmd

Full analysis: https://app.any.run/tasks/4d127cfc-76a1-4c2d-87de-618160910a78
Verdict: Malicious activity
Threats:

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Analysis date: April 15, 2025, 18:26:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
remcos
rat
delphi
dbatloader
loader
remote
stealer
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (1581), with CRLF line terminators
MD5:

E177070CD5EC02B435A0D9BFF45F7596

SHA1:

DD6FE3DBC8A4A7F5581D460B30C4045D6F16079F

SHA256:

7CF06902620427A2ECF5D05A473CBB4E9E734251CB00CA82F0AF726BD9F66EA6

SSDEEP:

49152:AI12zx8PTa0ToNlyLiz9kBj5zm9xMqfo4gFdGNMk0FjgudvK7:0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6244)
    • DBATLOADER has been detected (YARA)

      • chrome.PIF (PID: 4040)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6228)
    • REMCOS mutex has been found

      • chrome.PIF (PID: 4040)
      • Blqlsjlk.PIF (PID: 4776)
    • REMCOS has been detected

      • chrome.PIF (PID: 4040)
    • Actions looks like stealing of personal data

      • chrome.PIF (PID: 4040)
      • chrome.exe (PID: 4336)
      • recover.exe (PID: 5352)
      • recover.exe (PID: 4024)
      • msedge.exe (PID: 5204)
      • recover.exe (PID: 728)
    • Steals credentials from Web Browsers

      • chrome.PIF (PID: 4040)
      • recover.exe (PID: 728)
    • REMCOS has been detected (SURICATA)

      • chrome.PIF (PID: 4040)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1184)
    • Likely accesses (executes) a file from the Public directory

      • extrac32.exe (PID: 4608)
      • expha.pif (PID: 1676)
      • expha.pif (PID: 6300)
      • expha.pif (PID: 6620)
      • alpha.pif (PID: 5556)
      • ghf.pif (PID: 5868)
      • alpha.pif (PID: 4024)
      • ghf.pif (PID: 5176)
      • alpha.pif (PID: 1056)
      • rdha.pif (PID: 7148)
      • chrome.PIF (PID: 4040)
      • esentutl.exe (PID: 6640)
      • alpha.pif (PID: 728)
      • alpha.pif (PID: 4408)
    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 1184)
    • Executable content was dropped or overwritten

      • extrac32.exe (PID: 4608)
      • expha.pif (PID: 1676)
      • expha.pif (PID: 6300)
      • expha.pif (PID: 6620)
      • ghf.pif (PID: 5176)
      • esentutl.exe (PID: 6640)
      • chrome.PIF (PID: 4040)
    • Drops a file with a rarely used extension (PIF)

      • extrac32.exe (PID: 4608)
      • expha.pif (PID: 1676)
      • expha.pif (PID: 6300)
      • expha.pif (PID: 6620)
      • ghf.pif (PID: 5176)
      • esentutl.exe (PID: 6640)
      • chrome.PIF (PID: 4040)
    • Process drops legitimate windows executable

      • extrac32.exe (PID: 4608)
      • expha.pif (PID: 1676)
    • Starts a Microsoft application from unusual location

      • expha.pif (PID: 1676)
      • expha.pif (PID: 6300)
      • expha.pif (PID: 6620)
      • alpha.pif (PID: 5556)
      • ghf.pif (PID: 5868)
      • alpha.pif (PID: 4024)
      • ghf.pif (PID: 5176)
      • alpha.pif (PID: 1056)
      • rdha.pif (PID: 7148)
      • alpha.pif (PID: 728)
      • alpha.pif (PID: 4408)
    • Starts application with an unusual extension

      • cmd.exe (PID: 1184)
      • alpha.pif (PID: 5556)
      • alpha.pif (PID: 4024)
      • rdha.pif (PID: 7148)
      • cmd.exe (PID: 2096)
      • rundll32.exe (PID: 668)
      • rundll32.exe (PID: 4692)
    • Process drops legitimate windows executable (CertUtil.exe)

      • expha.pif (PID: 6620)
    • Starts itself from another location

      • cmd.exe (PID: 1184)
      • cmd.exe (PID: 2096)
    • Runs PING.EXE to delay simulation

      • alpha.pif (PID: 1056)
      • cmd.exe (PID: 4112)
    • Reads security settings of Internet Explorer

      • rdha.pif (PID: 7148)
      • chrome.PIF (PID: 4040)
      • Blqlsjlk.PIF (PID: 4776)
    • Reads the date of Windows installation

      • rdha.pif (PID: 7148)
    • Application launched itself

      • cmd.exe (PID: 1184)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1184)
      • chrome.PIF (PID: 4040)
    • Executing commands from ".cmd" file

      • chrome.PIF (PID: 4040)
    • Created directory related to system

      • alpha.pif (PID: 728)
    • There is functionality for taking screenshot (YARA)

      • chrome.PIF (PID: 4040)
    • Connects to unusual port

      • chrome.PIF (PID: 4040)
    • The process executes via Task Scheduler

      • rundll32.exe (PID: 668)
      • rundll32.exe (PID: 4692)
    • Contacting a server suspected of hosting an CnC

      • chrome.PIF (PID: 4040)
  • INFO

    • Reads the computer name

      • extrac32.exe (PID: 4608)
      • ghf.pif (PID: 5868)
      • ghf.pif (PID: 5176)
      • rdha.pif (PID: 7148)
      • chrome.PIF (PID: 4040)
      • chrome.exe (PID: 4336)
      • Blqlsjlk.PIF (PID: 4776)
      • msedge.exe (PID: 5204)
    • Checks supported languages

      • extrac32.exe (PID: 4608)
      • expha.pif (PID: 1676)
      • expha.pif (PID: 6300)
      • expha.pif (PID: 6620)
      • alpha.pif (PID: 5556)
      • ghf.pif (PID: 5868)
      • alpha.pif (PID: 4024)
      • ghf.pif (PID: 5176)
      • alpha.pif (PID: 1056)
      • rdha.pif (PID: 7148)
      • chrome.PIF (PID: 4040)
      • alpha.pif (PID: 728)
      • alpha.pif (PID: 4408)
      • Blqlsjlk.PIF (PID: 4776)
      • chrome.exe (PID: 4336)
      • msedge.exe (PID: 5204)
      • Blqlsjlk.PIF (PID: 6564)
    • The sample compiled with english language support

      • extrac32.exe (PID: 4608)
      • expha.pif (PID: 6620)
      • esentutl.exe (PID: 6640)
      • expha.pif (PID: 1676)
    • Process checks computer location settings

      • rdha.pif (PID: 7148)
    • Checks proxy server information

      • chrome.PIF (PID: 4040)
      • chrome.exe (PID: 4336)
      • Blqlsjlk.PIF (PID: 4776)
      • msedge.exe (PID: 5204)
    • Creates files in the program directory

      • chrome.PIF (PID: 4040)
    • Compiled with Borland Delphi (YARA)

      • chrome.PIF (PID: 4040)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 668)
      • rundll32.exe (PID: 4692)
    • Local mutex for internet shortcut management

      • rundll32.exe (PID: 668)
      • rundll32.exe (PID: 4692)
    • Reads the machine GUID from the registry

      • chrome.PIF (PID: 4040)
      • msedge.exe (PID: 5204)
      • chrome.exe (PID: 4336)
    • Create files in a temporary directory

      • chrome.PIF (PID: 4040)
      • chrome.exe (PID: 4336)
      • recover.exe (PID: 728)
      • recover.exe (PID: 4024)
      • recover.exe (PID: 5352)
    • Creates files or folders in the user directory

      • chrome.PIF (PID: 4040)
    • Application launched itself

      • chrome.exe (PID: 4336)
      • msedge.exe (PID: 5204)
    • Reads Environment values

      • chrome.exe (PID: 4336)
      • msedge.exe (PID: 5204)
    • Reads the software policy settings

      • slui.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
172
Monitored processes
48
Malicious processes
10
Suspicious processes
3

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs powershell.exe no specs sppextcomobj.exe no specs slui.exe extrac32.exe expha.pif expha.pif expha.pif alpha.pif no specs ghf.pif no specs alpha.pif no specs ghf.pif alpha.pif no specs ping.exe no specs rdha.pif no specs #REMCOS chrome.pif cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs esentutl.exe alpha.pif no specs alpha.pif no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs svchost.exe rundll32.exe no specs #REMCOS blqlsjlk.pif no specs chrome.exe chrome.exe no specs recover.exe no specs recover.exe recover.exe no specs recover.exe recover.exe no specs recover.exe chrome.exe no specs chrome.exe no specs slui.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs rundll32.exe no specs blqlsjlk.pif no specs

Process information

PID
CMD
Path
Indicators
Parent process
664\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
668C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\ieframe.dll",OpenURL C:\\ProgramData\\Blqlsjlk.urlC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
728C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " C:\Users\Public\alpha.pifcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
728C:\Windows\SysWOW64\recover.exe /stext "C:\Users\admin\AppData\Local\Temp\rqnvqwzkchnaesoagchhy"C:\Windows\SysWOW64\recover.exe
chrome.PIF
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Recover Files Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\recover.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
1056C:\\Users\\Public\\Libraries\\alpha.pif /c PING -n 4 127.0.0.1 C:\Users\Public\Libraries\alpha.pifcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\libraries\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1072"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --mojo-platform-channel-handle=1712 --field-trial-handle=1428,i,9955097783025348542,16901198568200577477,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1184C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Annexure_1_BOQ_and_Supporting_Documents.cmd" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1324PING -n 4 127.0.0.1 C:\Windows\System32\PING.EXEalpha.pif
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
1676C:\\Users\\Public\\Libraries\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\Libraries\\alpha.pif" C:\Users\Public\Libraries\expha.pif
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\users\public\libraries\expha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
1676cmd /c exit /b 0 C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events
10 944
Read events
10 929
Write events
15
Delete events
0

Modification events

(PID) Process:(7148) rdha.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(4040) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-RHFRKK
Operation:writeName:exepath
Value:
61187676E8D1450E21A3EEBE38AD1E282F5658AE33CBDB104FF45BC7CC868992C7406A279B308F42C6A152DD62EE2146EB3062311599F458EED53A2B3CF7421CC6407D823E1AC9036D84
(PID) Process:(4040) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-RHFRKK
Operation:writeName:licence
Value:
B8012A48FDBB5186182A5C8EB20DFC5A
(PID) Process:(4040) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-RHFRKK
Operation:writeName:time
Value:
(PID) Process:(4040) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-RHFRKK
Operation:writeName:UID
Value:
(PID) Process:(4040) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4040) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4040) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4336) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(4336) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
Executable files
7
Suspicious files
10
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
6244powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hkpjqbwr.2ly.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6244powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_wtdta1z0.zgj.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
728recover.exeC:\Users\admin\AppData\Local\Temp\bhvAC5A.tmp
MD5:
SHA256:
6300expha.pifC:\Users\Public\Libraries\rdha.pifexecutable
MD5:100F56A73211E0B2BCD076A55E6393FD
SHA256:00BE065F405E93233CC2F0012DEFDCBB1D6817B58969D5FFD9FD72FC4783C6F4
4608extrac32.exeC:\Users\Public\Libraries\expha.pifexecutable
MD5:41330D97BF17D07CD4308264F3032547
SHA256:A224559FD6621066347A5BA8F4AEECEEA8A0A7A881A71BD36DE69ACEB52E9DF7
5868ghf.pifC:\Users\Public\Libraries\donex.avitext
MD5:0779631D37B08A8FE0F87CD9B7998DAE
SHA256:19F50D05B08C1993FF62E58BB29B07E6543F6853E79E2E862C7BEC2E765DAA76
6620expha.pifC:\Users\Public\Libraries\ghf.pifexecutable
MD5:A7A5B67EC704EAC6D6E6AF0489353F42
SHA256:BF072F9A6A15B550B13AE86A4FBD3FA809D2A13236847AE9FA9A68F41386106E
1676expha.pifC:\Users\Public\Libraries\alpha.pifexecutable
MD5:CB6CD09F6A25744A8FA6E4B3E4D260C5
SHA256:265B69033CEA7A9F8214A34CD9B17912909AF46C7A47395DD7BB893A24507E59
4040chrome.PIFC:\ProgramData\774.cmdtext
MD5:1DF650CCA01129127D30063634AB5C03
SHA256:EDD4094E7A82A6FF8BE65D6B075E9513BD15A6B74F8032B5C10CE18F7191FA60
5176ghf.pifC:\Users\Public\Libraries\chrome.PIFexecutable
MD5:71A4B65DE7AD524F18D9D6598EC8C8BC
SHA256:9EA7C6AC8BB20575CA7A51A8B1F74EEAEAFAC75171015A20B17E1E5AE64CF263
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
26
DNS requests
19
Threats
14

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6676
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6676
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4040
chrome.PIF
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6404
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.200
  • 23.53.41.90
  • 23.53.40.178
  • 23.53.40.202
whitelisted
login.live.com
  • 20.190.159.2
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.64
  • 40.126.31.130
  • 20.190.159.128
  • 20.190.159.23
  • 20.190.159.130
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
mailhost.mysynology.net
  • 103.198.26.208
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.mysynology .net Domain
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.dynuddns .net Domain
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info