File name:

Annexure_1_BOQ_and_Supporting_Documents.cmd

Full analysis: https://app.any.run/tasks/f88cb768-164c-46e8-83b9-35f91b70d8ce
Verdict: Malicious activity
Threats:

DBatLoader is a loader malware used for distributing payloads of different types, including WarzoneRAT and Formbook. It is employed in multi-stage attacks that usually start with a phishing email carrying a malicious attachment.

Analysis date: April 15, 2025, 18:27:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
remcos
delphi
dbatloader
loader
remote
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (1581), with CRLF line terminators
MD5:

E177070CD5EC02B435A0D9BFF45F7596

SHA1:

DD6FE3DBC8A4A7F5581D460B30C4045D6F16079F

SHA256:

7CF06902620427A2ECF5D05A473CBB4E9E734251CB00CA82F0AF726BD9F66EA6

SSDEEP:

49152:AI12zx8PTa0ToNlyLiz9kBj5zm9xMqfo4gFdGNMk0FjgudvK7:0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1812)
    • DBATLOADER has been detected (YARA)

      • chrome.PIF (PID: 5892)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 4608)
    • REMCOS has been detected

      • chrome.PIF (PID: 5892)
    • REMCOS mutex has been found

      • chrome.PIF (PID: 5892)
      • Blqlsjlk.PIF (PID: 6148)
      • Blqlsjlk.PIF (PID: 6456)
    • REMCOS has been detected (SURICATA)

      • chrome.PIF (PID: 5892)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5416)
    • The process hide an interactive prompt from the user

      • cmd.exe (PID: 5416)
    • Likely accesses (executes) a file from the Public directory

      • extrac32.exe (PID: 5956)
      • expha.pif (PID: 664)
      • expha.pif (PID: 5352)
      • expha.pif (PID: 4180)
      • alpha.pif (PID: 720)
      • ghf.pif (PID: 5548)
      • alpha.pif (PID: 2656)
      • ghf.pif (PID: 5404)
      • alpha.pif (PID: 1324)
      • rdha.pif (PID: 5204)
      • chrome.PIF (PID: 5892)
      • esentutl.exe (PID: 856)
      • alpha.pif (PID: 5404)
      • alpha.pif (PID: 5720)
    • Drops a file with a rarely used extension (PIF)

      • extrac32.exe (PID: 5956)
      • expha.pif (PID: 664)
      • expha.pif (PID: 5352)
      • expha.pif (PID: 4180)
      • ghf.pif (PID: 5404)
      • esentutl.exe (PID: 856)
      • chrome.PIF (PID: 5892)
    • Executable content was dropped or overwritten

      • extrac32.exe (PID: 5956)
      • expha.pif (PID: 664)
      • expha.pif (PID: 5352)
      • expha.pif (PID: 4180)
      • ghf.pif (PID: 5404)
      • esentutl.exe (PID: 856)
      • chrome.PIF (PID: 5892)
    • Starts a Microsoft application from unusual location

      • expha.pif (PID: 664)
      • expha.pif (PID: 5352)
      • expha.pif (PID: 4180)
      • alpha.pif (PID: 720)
      • ghf.pif (PID: 5548)
      • alpha.pif (PID: 2656)
      • ghf.pif (PID: 5404)
      • alpha.pif (PID: 1324)
      • rdha.pif (PID: 5204)
      • alpha.pif (PID: 5404)
      • alpha.pif (PID: 5720)
    • Process drops legitimate windows executable

      • extrac32.exe (PID: 5956)
      • expha.pif (PID: 664)
      • expha.pif (PID: 5352)
    • Starts application with an unusual extension

      • cmd.exe (PID: 5416)
      • alpha.pif (PID: 720)
      • alpha.pif (PID: 2656)
      • rdha.pif (PID: 5204)
      • cmd.exe (PID: 632)
      • rundll32.exe (PID: 472)
      • rundll32.exe (PID: 5136)
    • Process drops legitimate windows executable (CertUtil.exe)

      • expha.pif (PID: 4180)
    • Starts itself from another location

      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 632)
    • Runs PING.EXE to delay simulation

      • alpha.pif (PID: 1324)
      • cmd.exe (PID: 1388)
    • Reads security settings of Internet Explorer

      • rdha.pif (PID: 5204)
      • chrome.PIF (PID: 5892)
      • Blqlsjlk.PIF (PID: 6148)
      • Blqlsjlk.PIF (PID: 6456)
    • Reads the date of Windows installation

      • rdha.pif (PID: 5204)
    • Application launched itself

      • cmd.exe (PID: 5416)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5416)
      • chrome.PIF (PID: 5892)
    • There is functionality for taking screenshot (YARA)

      • chrome.PIF (PID: 5892)
    • Executing commands from ".cmd" file

      • chrome.PIF (PID: 5892)
    • Created directory related to system

      • alpha.pif (PID: 5404)
    • Connects to unusual port

      • chrome.PIF (PID: 5892)
    • The process executes via Task Scheduler

      • rundll32.exe (PID: 472)
      • rundll32.exe (PID: 5136)
    • Contacting a server suspected of hosting an CnC

      • chrome.PIF (PID: 5892)
  • INFO

    • Checks supported languages

      • extrac32.exe (PID: 5956)
      • expha.pif (PID: 664)
      • expha.pif (PID: 5352)
      • expha.pif (PID: 4180)
      • alpha.pif (PID: 720)
      • ghf.pif (PID: 5548)
      • alpha.pif (PID: 2656)
      • ghf.pif (PID: 5404)
      • alpha.pif (PID: 1324)
      • rdha.pif (PID: 5204)
      • chrome.PIF (PID: 5892)
      • alpha.pif (PID: 5404)
      • alpha.pif (PID: 5720)
      • Blqlsjlk.PIF (PID: 6148)
      • Blqlsjlk.PIF (PID: 6456)
    • Reads the computer name

      • extrac32.exe (PID: 5956)
      • ghf.pif (PID: 5548)
      • ghf.pif (PID: 5404)
      • rdha.pif (PID: 5204)
      • chrome.PIF (PID: 5892)
      • Blqlsjlk.PIF (PID: 6148)
      • Blqlsjlk.PIF (PID: 6456)
    • The sample compiled with english language support

      • extrac32.exe (PID: 5956)
      • expha.pif (PID: 664)
      • expha.pif (PID: 5352)
      • expha.pif (PID: 4180)
      • esentutl.exe (PID: 856)
    • Process checks computer location settings

      • rdha.pif (PID: 5204)
    • Checks proxy server information

      • chrome.PIF (PID: 5892)
      • Blqlsjlk.PIF (PID: 6148)
      • slui.exe (PID: 4268)
      • Blqlsjlk.PIF (PID: 6456)
    • Compiled with Borland Delphi (YARA)

      • chrome.PIF (PID: 5892)
      • Blqlsjlk.PIF (PID: 6456)
    • Creates files in the program directory

      • chrome.PIF (PID: 5892)
    • Reads the machine GUID from the registry

      • chrome.PIF (PID: 5892)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 472)
      • rundll32.exe (PID: 5136)
    • Local mutex for internet shortcut management

      • rundll32.exe (PID: 472)
      • rundll32.exe (PID: 5136)
    • Reads the software policy settings

      • slui.exe (PID: 4268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
157
Monitored processes
33
Malicious processes
8
Suspicious processes
1

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs powershell.exe no specs extrac32.exe expha.pif expha.pif expha.pif alpha.pif no specs ghf.pif no specs alpha.pif no specs ghf.pif alpha.pif no specs ping.exe no specs rdha.pif no specs #REMCOS chrome.pif cmd.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs esentutl.exe alpha.pif no specs alpha.pif no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs svchost.exe slui.exe rundll32.exe no specs #REMCOS blqlsjlk.pif no specs rundll32.exe no specs #REMCOS blqlsjlk.pif no specs

Process information

PID
CMD
Path
Indicators
Parent process
472C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\ieframe.dll",OpenURL C:\\ProgramData\\Blqlsjlk.urlC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
632C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\9874.cmdC:\Windows\SysWOW64\cmd.exechrome.PIF
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
664C:\\Users\\Public\\Libraries\\expha.pif /C /Y "C:\\Windows\\System32\\cmd.exe" "C:\\Users\\Public\\Libraries\\alpha.pif" C:\Users\Public\Libraries\expha.pif
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\users\public\libraries\expha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
720C:\\Users\\Public\\Libraries\\alpha.pif /C C:\\Users\\Public\\Libraries\\ghf.pif -decodehex -f "C:\Users\admin\Desktop\Annexure_1_BOQ_and_Supporting_Documents.cmd" "C:\Users\Public\\Libraries\donex.avi" 9 C:\Users\Public\Libraries\alpha.pifcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\libraries\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
856C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o C:\Windows\SysWOW64\esentutl.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\esentutl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\esent.dll
864\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1272cmd /c exit /b 0 C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
1324C:\\Users\\Public\\Libraries\\alpha.pif /c PING -n 4 127.0.0.1 C:\Users\Public\Libraries\alpha.pifcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\users\public\libraries\alpha.pif
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
1388C:\WINDOWS\system32\cmd.exe /c C:\\ProgramData\\15311.cmdC:\Windows\SysWOW64\cmd.exechrome.PIF
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1812PowerShell -WindowStyle hidden -inputformat none -outputformat none -NonInteractive -Command " @echo offC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
11 338
Read events
11 332
Write events
6
Delete events
0

Modification events

(PID) Process:(5204) rdha.pifKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(5892) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-RHFRKK
Operation:writeName:exepath
Value:
61187676E8D1450E21A3EEBE38AD1E282F5658AE33CBDB104FF45BC7CC868992C7406A279B308F42C6A152DD62EE2146EB3062311599F458EED53A2B3CF7421CC6407D823E1AC9036D84
(PID) Process:(5892) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-RHFRKK
Operation:writeName:licence
Value:
B8012A48FDBB5186182A5C8EB20DFC5A
(PID) Process:(5892) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-RHFRKK
Operation:writeName:time
Value:
(PID) Process:(5892) chrome.PIFKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-RHFRKK
Operation:writeName:UID
Value:
(PID) Process:(472) rundll32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
7
Suspicious files
2
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
1812powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sqlwbekh.o0a.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1812powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pnaccydr.tau.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1812powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:3422D8902388F4A1409F4B1447001885
SHA256:8559800558100F78A6FDE97B188E27AE89DD03DCEDB8361261EA91B04639219D
5892chrome.PIFC:\ProgramData\neo.cmdtext
MD5:5BAF253744AD26F35BA17DB6B80763E9
SHA256:9CBB41E6C4F8565A6D121B770FCF3F15A6891C8DF8BFBA6D0414B3AD3298BDBA
5548ghf.pifC:\Users\Public\Libraries\donex.avitext
MD5:0779631D37B08A8FE0F87CD9B7998DAE
SHA256:19F50D05B08C1993FF62E58BB29B07E6543F6853E79E2E862C7BEC2E765DAA76
5892chrome.PIFC:\ProgramData\15311.cmdtext
MD5:9A020804EBA1FFAC2928D7C795144BBF
SHA256:A86C6C7A2BF9E12C45275A5E7EBEBD5E6D2BA302FE0A12600B7C9FDF283D9E63
5892chrome.PIFC:\Users\admin\Links\Blqlsjlk.PIFexecutable
MD5:71A4B65DE7AD524F18D9D6598EC8C8BC
SHA256:9EA7C6AC8BB20575CA7A51A8B1F74EEAEAFAC75171015A20B17E1E5AE64CF263
5892chrome.PIFC:\ProgramData\Blqlsjlk.urlbinary
MD5:8E1CDF67C210BA6AF8F2873192B66F54
SHA256:98A037BD9ACEB52DA84952739771F21BDEED5F24F29E08F466D0471499CF277E
5892chrome.PIFC:\ProgramData\236.cmdtext
MD5:BAF6D3E2EFD77928B67724F9438BB249
SHA256:E506618B00E20BFCD4EFC8D8F0AD31C7750CA31EA86A37EE081ACB1031C6C789
856esentutl.exeC:\Users\Public\alpha.pifexecutable
MD5:D3348AC2130C7E754754A6E9CB053B09
SHA256:E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
48
DNS requests
20
Threats
16

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
4.175.87.197:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5776
SIHClient.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
52.165.164.15:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
5776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5776
SIHClient.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
GET
200
4.175.87.197:443
https://slscr.update.microsoft.com/sls/ping
unknown
5776
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5776
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5776
SIHClient.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.128
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.130
  • 20.190.159.73
  • 40.126.31.130
  • 20.190.159.75
  • 40.126.31.3
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 23.48.23.176
  • 23.48.23.194
  • 23.48.23.177
  • 23.48.23.143
  • 23.48.23.180
  • 23.48.23.141
  • 23.48.23.145
  • 23.48.23.166
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
mailhost.mysynology.net
  • 103.198.26.208
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.mysynology .net Domain
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.dynuddns .net Domain
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
No debug info