Malware analysis https://albaddadcapital-my.sharepoint.com/:u:/g/personal/adsales3_albaddad_com/EdHSZDI0fE1GhbiUd5Eg7_QB9WDezp87-a79QhG1t2wviQ?e=Ee4bsy&download=1 Malicious activity

Add for printing

URL:	https://albaddadcapital-my.sharepoint.com/:u:/g/personal/adsales3_albaddad_com/EdHSZDI0fE1GhbiUd5Eg7_QB9WDezp87-a79QhG1t2wviQ?e=Ee4bsy&download=1
Full analysis:	https://app.any.run/tasks/16be8e6b-eae8-45a2-aaea-5adeea1794fb
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 17, 2025, 05:51:34
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	sharepoint possible-phishing rat remcos remote stealer delphi mpress
Indicators:
MD5:	7218AC4A0A4A42C906D896BCF5040467
SHA1:	163010F15120538B956D7D961F748D29345070E3
SHA256:	81E7DF73237451A18A910AC90EC7B6029B5838964673AD499C493B167EB89C56
SSDEEP:	3:N8U1wxdWN+ArL5kKVFSE/iJVMWOxVi/3FhRC8AYrj92Un:2UCdK+AfzQJFOx8/Zrj9zn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - cmd.exe (PID: 5836)
  - alpha.pif (PID: 7568)
  - cmd.exe (PID: 6876)
  - alpha.pif (PID: 7724)
- Starts PowerShell from an unusual location
  - alpha.pif (PID: 7568)
  - alpha.pif (PID: 7724)
- Changes the autorun value in the registry
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
- REMCOS has been detected (SURICATA)
  - SndVol.exe (PID: 5580)
- Actions looks like stealing of personal data
  - SndVol.exe (PID: 7624)
  - SndVol.exe (PID: 6648)
  - SndVol.exe (PID: 5112)
  - SndVol.exe (PID: 5536)
- Steals credentials from Web Browsers
  - SndVol.exe (PID: 5112)
SUSPICIOUS
- Access to SharePoint Content
  - msedge.exe (PID: 4740)
- Reads security settings of Internet Explorer
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - ndpha.pif (PID: 4520)
  - aken.pif (PID: 7596)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
  - ndpha.pif (PID: 1556)
  - aken.pif (PID: 6916)
  - BOQ_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 3564)
  - ndpha.pif (PID: 1476)
- There is functionality for taking screenshot (YARA)
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
  - SndVol.exe (PID: 5580)
- Executing commands from ".cmd" file
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - svchost.pif (PID: 5112)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
  - svchost.pif (PID: 7692)
  - BOQ_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 3564)
  - svchost.pif (PID: 7140)
- Drops a file with a rarely used extension (PIF)
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - extrac32.exe (PID: 5208)
  - extrac32.exe (PID: 7480)
  - extrac32.exe (PID: 7520)
  - extrac32.exe (PID: 7572)
  - extrac32.exe (PID: 7060)
  - extrac32.exe (PID: 7056)
- Starts CMD.EXE for commands execution
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - svchost.pif (PID: 5112)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
  - svchost.pif (PID: 7692)
  - BOQ_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 3564)
  - svchost.pif (PID: 7140)
- Likely accesses (executes) a file from the Public directory
  - cmd.exe (PID: 4640)
  - extrac32.exe (PID: 5208)
  - cmd.exe (PID: 5876)
  - ndpha.pif (PID: 4520)
  - extrac32.exe (PID: 7480)
  - cmd.exe (PID: 5836)
  - extrac32.exe (PID: 7520)
  - extrac32.exe (PID: 7572)
  - alpha.pif (PID: 7568)
  - aken.pif (PID: 7596)
  - extrac32.exe (PID: 7060)
  - cmd.exe (PID: 7664)
  - cmd.exe (PID: 1856)
  - extrac32.exe (PID: 6860)
  - ndpha.pif (PID: 1556)
  - extrac32.exe (PID: 3532)
  - alpha.pif (PID: 7724)
  - aken.pif (PID: 6916)
  - cmd.exe (PID: 1888)
  - extrac32.exe (PID: 7056)
  - cmd.exe (PID: 7620)
  - ndpha.pif (PID: 1476)
  - cmd.exe (PID: 2736)
  - extrac32.exe (PID: 7076)
  - cmd.exe (PID: 6876)
- Executable content was dropped or overwritten
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - extrac32.exe (PID: 5208)
  - extrac32.exe (PID: 7480)
  - extrac32.exe (PID: 7520)
  - extrac32.exe (PID: 7572)
  - extrac32.exe (PID: 7060)
  - extrac32.exe (PID: 7056)
- Process drops legitimate windows executable
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - extrac32.exe (PID: 5208)
  - extrac32.exe (PID: 7480)
  - extrac32.exe (PID: 7520)
  - extrac32.exe (PID: 7572)
  - extrac32.exe (PID: 7060)
  - extrac32.exe (PID: 7056)
- Starts a Microsoft application from unusual location
  - ndpha.pif (PID: 4520)
  - alpha.pif (PID: 7568)
  - aken.pif (PID: 7596)
  - ndpha.pif (PID: 1556)
  - alpha.pif (PID: 7724)
  - aken.pif (PID: 6916)
  - ndpha.pif (PID: 1476)
- Starts application with an unusual extension
  - cmd.exe (PID: 5876)
  - ndpha.pif (PID: 4520)
  - cmd.exe (PID: 5836)
  - alpha.pif (PID: 7568)
  - cmd.exe (PID: 1856)
  - ndpha.pif (PID: 1556)
  - cmd.exe (PID: 6876)
  - alpha.pif (PID: 7724)
  - cmd.exe (PID: 7620)
  - ndpha.pif (PID: 1476)
- Starts itself from another location
  - cmd.exe (PID: 5836)
  - cmd.exe (PID: 6876)
- Checks Windows Trust Settings
  - aken.pif (PID: 7596)
  - aken.pif (PID: 6916)
- Contacting a server suspected of hosting an CnC
  - SndVol.exe (PID: 5580)
- Connects to unusual port
  - SndVol.exe (PID: 5580)
- Application launched itself
  - SndVol.exe (PID: 5580)
INFO
- Checks supported languages
  - identity_helper.exe (PID: 6248)
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
  - extrac32.exe (PID: 5208)
  - ndpha.pif (PID: 4520)
  - BOQ_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 3564)
  - svchost.pif (PID: 5112)
  - extrac32.exe (PID: 7480)
  - extrac32.exe (PID: 7520)
  - extrac32.exe (PID: 7572)
  - alpha.pif (PID: 7568)
  - aken.pif (PID: 7596)
  - extrac32.exe (PID: 7060)
  - extrac32.exe (PID: 6860)
  - ndpha.pif (PID: 1556)
  - extrac32.exe (PID: 7076)
  - extrac32.exe (PID: 3532)
  - alpha.pif (PID: 7724)
  - aken.pif (PID: 6916)
  - extrac32.exe (PID: 7056)
  - ndpha.pif (PID: 1476)
  - svchost.pif (PID: 7140)
  - svchost.pif (PID: 7692)
- Reads Environment values
  - identity_helper.exe (PID: 6248)
  - aken.pif (PID: 7596)
  - aken.pif (PID: 6916)
- Reads the computer name
  - identity_helper.exe (PID: 6248)
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - extrac32.exe (PID: 5208)
  - extrac32.exe (PID: 7480)
  - extrac32.exe (PID: 7520)
  - extrac32.exe (PID: 7572)
  - ndpha.pif (PID: 4520)
  - aken.pif (PID: 7596)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
  - extrac32.exe (PID: 7060)
  - ndpha.pif (PID: 1556)
  - extrac32.exe (PID: 7076)
  - extrac32.exe (PID: 3532)
  - aken.pif (PID: 6916)
  - extrac32.exe (PID: 7056)
  - BOQ_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 3564)
  - ndpha.pif (PID: 1476)
  - extrac32.exe (PID: 6860)
- Reads Microsoft Office registry keys
  - msedge.exe (PID: 4740)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5748)
  - msedge.exe (PID: 1864)
- Manual execution by a user
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
  - BOQ_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 3564)
  - firefox.exe (PID: 7808)
- Compiled with Borland Delphi (YARA)
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
- Checks proxy server information
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
  - BOQ_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 3564)
  - SndVol.exe (PID: 5580)
- The sample compiled with english language support
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - extrac32.exe (PID: 5208)
  - extrac32.exe (PID: 7480)
  - extrac32.exe (PID: 7520)
  - extrac32.exe (PID: 7572)
  - extrac32.exe (PID: 7060)
  - extrac32.exe (PID: 7056)
  - msedge.exe (PID: 1864)
- Process checks computer location settings
  - ndpha.pif (PID: 4520)
  - ndpha.pif (PID: 1556)
  - ndpha.pif (PID: 1476)
- Application launched itself
  - msedge.exe (PID: 4740)
  - firefox.exe (PID: 7808)
  - firefox.exe (PID: 7788)
- Reads the software policy settings
  - aken.pif (PID: 7596)
  - aken.pif (PID: 6916)
- Process checks Powershell version
  - aken.pif (PID: 7596)
  - aken.pif (PID: 6916)
- Reads the machine GUID from the registry
  - aken.pif (PID: 7596)
  - aken.pif (PID: 6916)
  - Specifications_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7852)
  - Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 7896)
  - BOQ_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe (PID: 3564)
- Create files in a temporary directory
  - aken.pif (PID: 7596)
  - aken.pif (PID: 6916)
  - SndVol.exe (PID: 6648)
  - SndVol.exe (PID: 7624)
  - SndVol.exe (PID: 5112)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - aken.pif (PID: 7596)
  - aken.pif (PID: 6916)
- Script raised an exception (POWERSHELL)
  - aken.pif (PID: 7596)
  - aken.pif (PID: 6916)
- Reads security settings of Internet Explorer
  - SndVol.exe (PID: 5580)
- Creates files or folders in the user directory
  - SndVol.exe (PID: 5580)
- Mpress packer has been detected
  - SndVol.exe (PID: 5580)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

245

Monitored processes

113

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

624

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7064 -childID 9 -isForBrowser -prefsHandle 5836 -prefMapHandle 6992 -prefsLen 32108 -prefMapSize 244583 -jsInitHandle 1488 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {118ec7ba-d130-4e90-b693-fdafc5639374} 7788 "\\.\pipe\gecko-crash-server-pipe.7788" 264924fea10 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll

732

"C:\Windows \SysWOW64\svchost.pif"

C:\Windows \SysWOW64\svchost.pif

—

ndpha.pif

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Exchange ActiveSync Invoker

Exit code:

3221226540

Version:

10.0.22621.1 (WinBuild.160101.0800)

Modules

Images
c:\windows \syswow64\svchost.pif
c:\windows\system32\ntdll.dll

836

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6792 --field-trial-handle=2400,i,10491848237813873826,7667278564200486402,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1200

C:\Windows\System32\colorcpl.exe

C:\Windows\SysWOW64\colorcpl.exe

—

BOQ_BOQ_SPEC_UAE0225QNA01700-2025_Al Rakha Group.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Color Control Panel

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\colorcpl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1400

"C:\Windows \SysWOW64\svchost.pif"

C:\Windows \SysWOW64\svchost.pif

—

ndpha.pif

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Exchange ActiveSync Invoker

Exit code:

3221226540

Version:

10.0.22621.1 (WinBuild.160101.0800)

Modules

Images
c:\windows \syswow64\svchost.pif
c:\windows\system32\ntdll.dll

1476

C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif

C:\Users\Public\ndpha.pif

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\users\public\ndpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1556

C:\\Users\\Public\\ndpha.pif zipfldr.dll,RouteTheCall C:\Windows \SysWOW64\svchost.pif

C:\Users\Public\ndpha.pif

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\users\public\ndpha.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1616

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x308,0x30c,0x310,0x304,0x314,0x7ff820fe5fd8,0x7ff820fe5fe4,0x7ff820fe5ff0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1856

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\Public\Libraries\\Zhpymxci12.cmd" "

C:\Windows\SysWOW64\cmd.exe

—

Drawing_UAE0225QNA01700-2025_Al Rakha Group.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1864

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5564 --field-trial-handle=2400,i,10491848237813873826,7667278564200486402,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

3221226029

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll

Add for printing

Total events

43 650

Read events

43 488

Write events

145

Delete events

Modification events


(PID) Process:	(4740) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(4740) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(4740) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(4740) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(4740) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 2E14B166E68C2F00
(PID) Process:	(4740) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: 376CC166E68C2F00
(PID) Process:	(4740) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328198
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {DFF2072E-D400-47DE-ADA1-868DC05B3DDC}
(PID) Process:	(4740) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\328198
Operation:	write	Name:	WindowTabManagerFileMappingId
Value: {99A3838A-DA16-4EC5-92B8-B3F42A86B444}
(PID) Process:	(4740) msedge.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:	write	Name:	S-1-5-21-1693682860-607145093-2874071422-1001
Value: B318D566E68C2F00
(PID) Process:	(4740) msedge.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	MicrosoftEdgeAutoLaunch_29EBC4579851B72EE312C449CF839B1A
Value: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start

Add for printing

Executable files

Suspicious files

742

Text files

128

Unknown types

Dropped files

PID	Process	Filename		Type
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF134b35.TMP		—
		MD5:—	SHA256:—
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF134b35.TMP		—
		MD5:—	SHA256:—
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF134b35.TMP		—
		MD5:—	SHA256:—
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF134b54.TMP		—
		MD5:—	SHA256:—
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF134b64.TMP		—
		MD5:—	SHA256:—
4740	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

161

DNS requests

191

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.222.10.99:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3508	svchost.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3508	svchost.exe	GET	200	23.222.10.99:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
628	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
—	—	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7976	svchost.exe	HEAD	200	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0c269ced-c74b-4e70-9b58-6e7999b292c0?P1=1739806675&P2=404&P3=2&P4=E77quK4VD7l4xjeVu%2fB23sXxX3yknHJ9llMK%2f0%2bKh4s1Rr3VjkNl%2fiVvD8Zewt3Z1M88tTRR8f9Ph4ZHwrxbVQ%3d%3d	unknown	—	—	whitelisted
7976	svchost.exe	GET	206	199.232.210.172:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0c269ced-c74b-4e70-9b58-6e7999b292c0?P1=1739806675&P2=404&P3=2&P4=E77quK4VD7l4xjeVu%2fB23sXxX3yknHJ9llMK%2f0%2bKh4s1Rr3VjkNl%2fiVvD8Zewt3Z1M88tTRR8f9Ph4ZHwrxbVQ%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
3508	svchost.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
4712	MoUsoCoreWorker.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.222.10.99:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
3508	svchost.exe	23.222.10.99:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3568	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4740	msedge.exe	239.255.255.250:1900	—	—	—	whitelisted
6368	msedge.exe	13.107.136.10:443	albaddadcapital-my.sharepoint.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
6368	msedge.exe	204.79.197.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.19.11.120 2.19.11.111	whitelisted
www.microsoft.com	23.222.10.99 2.23.246.101	whitelisted
google.com	142.250.185.238	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
albaddadcapital-my.sharepoint.com	13.107.136.10 13.107.138.10	unknown
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
business.bing.com	13.107.6.158	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
bzib.nelreports.net	2.19.11.120 2.19.11.100	whitelisted
update.googleapis.com	142.250.185.67	whitelisted

Threats

PID	Process	Class	Message
6368	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Request to SharePoint public/private file sharing DNS (.sharepoint .com)
6368	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Request to SharePoint public/private file sharing TLS SNI (.sharepoint .com)
6368	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Request to SharePoint public/private file sharing DNS (.sharepoint .com)
6368	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
6368	msedge.exe	Generic Protocol Command Decode	SURICATA QUIC failed decrypt
6368	msedge.exe	Possible Social Engineering Attempted	SUSPICIOUS [ANY.RUN] Accessing SharePoint content without a legitimate Microsoft Sign-In
5580	SndVol.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
5580	SndVol.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection
5580	SndVol.exe	A Network Trojan was detected	REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
5580	SndVol.exe	Malware Command and Control Activity Detected	ET JA3 Hash - Remcos 3.x/4.x TLS Connection

Add for printing

No debug info

General Info

https://albaddadcapital-my.sharepoint.com/:u:/g/personal/adsales3_albaddad_com/EdHSZDI0fE1GhbiUd5Eg7_QB9WDezp87-a79QhG1t2wviQ?e=Ee4bsy&download=1

7218AC4A0A4A42C906D896BCF5040467

163010F15120538B956D7D961F748D29345070E3

81E7DF73237451A18A910AC90EC7B6029B5838964673AD499C493B167EB89C56

3:N8U1wxdWN+ArL5kKVFSE/iJVMWOxVi/3FhRC8AYrj92Un:2UCdK+AfzQJFOx8/Zrj9zn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

Starts PowerShell from an unusual location

Changes the autorun value in the registry

REMCOS has been detected (SURICATA)

Actions looks like stealing of personal data

Steals credentials from Web Browsers

SUSPICIOUS

Access to SharePoint Content

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

Executing commands from ".cmd" file

Drops a file with a rarely used extension (PIF)

Starts CMD.EXE for commands execution

Likely accesses (executes) a file from the Public directory

Executable content was dropped or overwritten

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Starts application with an unusual extension

Starts itself from another location

Checks Windows Trust Settings

Contacting a server suspected of hosting an CnC

Connects to unusual port

Application launched itself

INFO

Checks supported languages

Reads Environment values

Reads the computer name

Reads Microsoft Office registry keys

Executable content was dropped or overwritten

Manual execution by a user

Compiled with Borland Delphi (YARA)

Checks proxy server information

The sample compiled with english language support

Process checks computer location settings

Application launched itself

Reads the software policy settings

Process checks Powershell version

Reads the machine GUID from the registry

Create files in a temporary directory

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Mpress packer has been detected

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information