Malware analysis Bina Tegas Sdn Bhd Voucher Receipts (1).zip Malicious activity

Add for printing

File name:	Bina Tegas Sdn Bhd Voucher Receipts (1).zip
Full analysis:	https://app.any.run/tasks/61099ec1-fe81-4828-9f15-46408e2fccb0
Verdict:	Malicious activity
Threats:	Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Remcos is a commercially distributed remote administration and surveillance tool that has been widely observed in unauthorized deployments, where threat actors use it to perform remote actions on compromised machines. It is actively maintained by its vendor, with new versions and feature updates released on a frequent, near-monthly basis. Remcos ist eine Malware vom Typ RAT, mit der Angreifer aus der Ferne Aktionen auf infizierten Computern durchführen können. Diese Malware ist extrem aktiv und wird fast jeden Monat mit Updates auf den neuesten Stand gebracht. Malware Trends Tracker >>>
Analysis date:	May 16, 2025, 03:53:28
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto rat remcos phishing
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	A5E899FB1B7E098135AE0FCAC9C7E729
SHA1:	9402790D94D5439C29308AB305DBD2DC12075B42
SHA256:	8981C66D12E2357378529DD82637A8B2E45ED708665774602D27E3CCE3AC1D71
SSDEEP:	49152:ofQCCc9XaOv4WHL0vCvapk9HF2e4o9lL9/3p9Hl80elQAYaBuLUMVY4Xdz2mfb2L:oXCCJ4AL0+LCe4oh33lilQAY9LUMVY4I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- REMCOS has been found (auto)
  - WinRAR.exe (PID: 7356)
- Executing a file with an untrusted certificate
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
- Changes the autorun value in the registry
  - IMCCPHR.exe (PID: 4208)
- PHISHING has been detected (SURICATA)
  - svchost.exe (PID: 2196)
- REMCOS mutex has been found
  - IMCCPHR.exe (PID: 4208)
SUSPICIOUS
- The process creates files with name similar to system file names
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
- Malware-specific behavior (creating "System.dll" in Temp)
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
- Executable content was dropped or overwritten
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
- There is functionality for taking screenshot (YARA)
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
- Potential Corporate Privacy Violation
  - IMCCPHR.exe (PID: 4208)
- Connects to unusual port
  - IMCCPHR.exe (PID: 4208)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 7356)
- Checks supported languages
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
- Reads the computer name
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
- Create files in a temporary directory
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
- Manual execution by a user
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
- The sample compiled with english language support
  - WinRAR.exe (PID: 7356)
- Creates files or folders in the user directory
  - Bina Tegas Sdn Bhd Voucher Receipts.exe (PID: 8180)
  - IMCCPHR.exe (PID: 4208)
- Checks proxy server information
  - IMCCPHR.exe (PID: 4208)
  - slui.exe (PID: 896)
- Reads the software policy settings
  - slui.exe (PID: 7496)
  - IMCCPHR.exe (PID: 4208)
  - slui.exe (PID: 896)
- Reads security settings of Internet Explorer
  - IMCCPHR.exe (PID: 4208)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0009
ZipCompression:	Deflated
ZipModifyDate:	2025:03:13 10:23:40
ZipCRC:	0xd6fd9fbf
ZipCompressedSize:	1286826
ZipUncompressedSize:	1375376
ZipFileName:	Bina Tegas Sdn Bhd Voucher Receipts.exe

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

141

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

536

"C:\Users\admin\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe"

C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe

—

Bina Tegas Sdn Bhd Voucher Receipts.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

IMCCPHR.exe

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\ime\shared\imccphr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

896

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

4208

"C:\Users\admin\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe"

C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe

Bina Tegas Sdn Bhd Voucher Receipts.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

IMCCPHR.exe

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\certmgr.dll
c:\windows\syswow64\ime\shared\imccphr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

7356

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Bina Tegas Sdn Bhd Voucher Receipts (1).zip"

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7460

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

7496

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

8180

"C:\Users\admin\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe"

C:\Users\admin\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Version:

1.1.0.0

Modules

Images
c:\users\admin\desktop\bina tegas sdn bhd voucher receipts.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

7 650

Read events

7 605

Write events

Delete events

Modification events


(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Bina Tegas Sdn Bhd Voucher Receipts (1).zip
(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256
(PID) Process:	(7356) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	size
Value: 80

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
8180	Bina Tegas Sdn Bhd Voucher Receipts.exe	C:\Users\admin\Persistent131\tyttebrsyltetjet\Sikkerhedsseler126\Womerah.win		—
		MD5:—	SHA256:—
8180	Bina Tegas Sdn Bhd Voucher Receipts.exe	C:\Users\admin\Persistent131\tyttebrsyltetjet\Sikkerhedsseler126\Appendikserne\diuresers.pou		—
		MD5:—	SHA256:—
8180	Bina Tegas Sdn Bhd Voucher Receipts.exe	C:\Users\admin\Persistent131\tyttebrsyltetjet\Sikkerhedsseler126\Appendikserne\noodles.and		—
		MD5:—	SHA256:—
8180	Bina Tegas Sdn Bhd Voucher Receipts.exe	C:\Users\admin\Persistent131\tyttebrsyltetjet\Disketteformateringernes.jpg		image
		MD5:5E63725C26FA6C11D5170AC8372C9C91	SHA256:24446D6BCF3AD48A3F6E001760ED2F6B1B6C0C42109E867CAA01763B143C40D7
8180	Bina Tegas Sdn Bhd Voucher Receipts.exe	C:\Users\admin\Persistent131\tyttebrsyltetjet\Orthosubstituted.Tri		binary
		MD5:90354353A98C2031171C08D51E8A120F	SHA256:096CF306A25BC73FC56997667711865F255B4F1ADB7E539486D3DED56895A8E9
7356	WinRAR.exe	C:\Users\admin\Desktop\Bina Tegas Sdn Bhd Voucher Receipts.exe		executable
		MD5:BD77910E1CDEAD3CDD559950952536E9	SHA256:E11A97236AFDE003D97440B91A471A73F59FCD2C6F40CC4DDE9F7AC57E67EE5D
8180	Bina Tegas Sdn Bhd Voucher Receipts.exe	C:\Users\admin\AppData\Local\Temp\nsw46BB.tmp\System.dll		executable
		MD5:6AD39193ED20078AA1B23C33A1E48859	SHA256:B9631423A50C666FAF2CC6901C5A8D6EB2FECD306FDD2524256B7E2E37B251C2
8180	Bina Tegas Sdn Bhd Voucher Receipts.exe	C:\Users\admin\Persistent131\tyttebrsyltetjet\Sikkerhedsseler126\Appendikserne\reblooms.ini		binary
		MD5:335596CB616CC2EDD29DE824B92B2E82	SHA256:3C05E02249D5A6D7A57D61EC3AAEB7B646A6F9683891193D6735572B8C45CAF0
4208	IMCCPHR.exe	C:\Users\admin\AppData\Roaming\Atrulx\logs.dat		binary
		MD5:E43A111E71D03F0A4769B2F25EB98115	SHA256:2C2A366A40BE24EA8CA88B2ACCCEB46FB9A1BD6D38836893CC364B38369824D8
4208	IMCCPHR.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_5A9FE11E8B6335FDA91281200971E038		binary
		MD5:72BA1F5ECC3802EFBD23CFBEA6EF6EF6	SHA256:340D988F7A2DF09B7CAE4B6C94DFDFD5F92FA9B89A018DB852EACF541AA4BB8A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4208	IMCCPHR.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D	unknown	—	—	whitelisted
4208	IMCCPHR.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAyVRp0LO%2F899HuOUNmwbkY%3D	unknown	—	—	whitelisted
4208	IMCCPHR.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEA6isGT21L%2B%2BLXlK7gS%2BvZE%3D	unknown	—	—	whitelisted
8032	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8032	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.65:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	2.17.190.73:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
8032	SIHClient.exe	4.245.163.56:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	216.58.206.78	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	20.190.160.65 20.190.160.14 40.126.32.140 20.190.160.66 20.190.160.17 40.126.32.76 20.190.160.130 20.190.160.22	whitelisted
ocsp.digicert.com	2.17.190.73 2.23.77.188	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

Threats

PID	Process	Class	Message
4208	IMCCPHR.exe	Potential Corporate Privacy Violation	ET INFO Dropbox.com Offsite File Backup in Use
2196	svchost.exe	Misc activity	ET DYN_DNS DYNAMIC_DNS Query to dynnamn .ru Domain
2196	svchost.exe	Possible Social Engineering Attempted	PHISHING [ANY.RUN] Suspected Phishing domain by CrossDomain ( .dynnamn .ru)

Add for printing

No debug info

General Info

Bina Tegas Sdn Bhd Voucher Receipts (1).zip

A5E899FB1B7E098135AE0FCAC9C7E729

9402790D94D5439C29308AB305DBD2DC12075B42

8981C66D12E2357378529DD82637A8B2E45ED708665774602D27E3CCE3AC1D71

49152:ofQCCc9XaOv4WHL0vCvapk9HF2e4o9lL9/3p9Hl80elQAYaBuLUMVY4Xdz2mfb2L:oXCCJ4AL0+LCe4oh33lilQAY9LUMVY4I

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

REMCOS has been found (auto)

Executing a file with an untrusted certificate

Changes the autorun value in the registry

PHISHING has been detected (SURICATA)

REMCOS mutex has been found

SUSPICIOUS

The process creates files with name similar to system file names

Malware-specific behavior (creating "System.dll" in Temp)

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Potential Corporate Privacy Violation

Connects to unusual port

INFO

Executable content was dropped or overwritten

Checks supported languages

Reads the computer name

Create files in a temporary directory

Manual execution by a user

The sample compiled with english language support

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings