File name: b247c4442eebc83bb6dd83a6f7a0327f79159507b4cc93d455d97f5215193c95.js

Full analysis: https://app.any.run/tasks/2334a53b-ea2c-4b13-9ab7-4521e86993c0
Verdict: Malicious activity
Threats:

Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.

Analysis date: April 29, 2025, 06:52:21
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: susp-powershell, payload, ta558, apt, stegocampaign, loader, reverseloader, rat, remcos, remote, stealer, evasion, ultravnc, rmm-tool, telegram, exfiltration, agenttesla, ims-api, generic
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (488), with CRLF line terminators
MD5: 4E69FF1538D93611311A3BF2674D2616
SHA1: C2EB50F690E34D83103781FBB5423968AD7177A6
SHA256: B247C4442EEBC83BB6DD83A6F7A0327F79159507B4CC93D455D97F5215193C95
SSDEEP: 24:UloQhgQsZoLQpessYeQaThThYeQSM3hsTuTTThzQThg/i6RqGKMcThgook7WoLUz:gbZLBRpQbyqm/dASQ1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7236)
    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7236)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7236)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7500)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 7500)
    • REMCOS has been detected

      • RegAsm.exe (PID: 7148)
      • RegAsm.exe (PID: 7148)
    • REMCOS mutex has been found

      • RegAsm.exe (PID: 7148)
    • REMCOS has been detected (SURICATA)

      • RegAsm.exe (PID: 7148)
    • REMCOS has been detected (YARA)

      • RegAsm.exe (PID: 7148)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7500)
    • Actions looks like stealing of personal data

      • RegAsm.exe (PID: 3240)
      • RegAsm.exe (PID: 7148)
      • dwn.exe (PID: 3132)
      • RegAsm.exe (PID: 5892)
    • Changes the autorun value in the registry

      • dwn.exe (PID: 3132)
    • AGENTTESLA has been detected (YARA)

      • dwn.exe (PID: 3132)
  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • wscript.exe (PID: 7236)
      • powershell.exe (PID: 7500)
      • dwn.exe (PID: 3132)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7236)
    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 7236)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 7236)
    • Base64-obfuscated command line is found

      • wscript.exe (PID: 7236)
    • Executes script without checking the security policy

      • powershell.exe (PID: 7500)
    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 7236)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7236)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7500)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 7500)
    • Contacting a server suspected of hosting an CnC

      • RegAsm.exe (PID: 7148)
    • There is functionality for taking screenshot (YARA)

      • RegAsm.exe (PID: 7148)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 8160)
    • Connects to unusual port

      • RegAsm.exe (PID: 7148)
    • Reads security settings of Internet Explorer

      • RegAsm.exe (PID: 7148)
    • Application launched itself

      • RegAsm.exe (PID: 7148)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • dwn.exe (PID: 3132)
    • Executable content was dropped or overwritten

      • RegAsm.exe (PID: 7148)
      • dwn.exe (PID: 3132)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • dwn.exe (PID: 3132)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • dwn.exe (PID: 3132)
    • The process connected to a server suspected of theft

      • dwn.exe (PID: 3132)
  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 7236)
      • powershell.exe (PID: 7500)
      • RegAsm.exe (PID: 7148)
      • dwn.exe (PID: 3132)
      • slui.exe (PID: 5588)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7500)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 7500)
    • Disables trace logs

      • powershell.exe (PID: 7500)
      • dwn.exe (PID: 3132)
    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • powershell.exe (PID: 7500)
    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • powershell.exe (PID: 7500)
    • Reads the computer name

      • RegAsm.exe (PID: 7148)
      • RegAsm.exe (PID: 4696)
      • RegAsm.exe (PID: 3240)
      • RegAsm.exe (PID: 5892)
      • dwn.exe (PID: 3132)
    • Checks supported languages

      • RegAsm.exe (PID: 7148)
      • RegAsm.exe (PID: 5892)
      • RegAsm.exe (PID: 3240)
      • RegAsm.exe (PID: 4696)
      • dwn.exe (PID: 3132)
    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 7148)
      • RegAsm.exe (PID: 4696)
      • RegAsm.exe (PID: 5892)
      • dwn.exe (PID: 3132)
    • Creates files in the program directory

      • RegAsm.exe (PID: 7148)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7500)
    • Creates files or folders in the user directory

      • RegAsm.exe (PID: 7148)
      • dwn.exe (PID: 3132)
    • Create files in a temporary directory

      • RegAsm.exe (PID: 5892)
      • RegAsm.exe (PID: 4696)
      • RegAsm.exe (PID: 3240)
    • Reads the software policy settings

      • dwn.exe (PID: 3132)
      • slui.exe (PID: 5588)
    • ULTRAVNC has been detected

      • dwn.exe (PID: 3132)
    • Attempting to use instant messaging service

      • dwn.exe (PID: 3132)
      • svchost.exe (PID: 2196)
    • Process checks computer location settings

      • RegAsm.exe (PID: 7148)
    • Failed to create an executable file in Windows directory

      • RegAsm.exe (PID: 7148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Remcos

(PID) Process: (7148) RegAsm.exe
C2 (3): mxsunami.gotdns.ch:9373
82.21.158.147:9373
198.54.129.52:6623
Botnet: AKPATY APRIL 27
Options
Connect_interval: 1
Install_flag: False
Install_HKCU\Run: True
Install_HKLM\Run: True
Install_HKLM\Explorer\Run: 1
Setup_path: %LOCALAPPDATA%
Copy_file: remcos.exe
Startup_value: Remcos
Hide_file: False
Mutex_name: Rmc-3NBATL
Keylog_flag: 1
Keylog_path: %LOCALAPPDATA%
Keylog_file: logs.dat
Keylog_crypt: False
Hide_keylog: False
Screenshot_flag: False
Screenshot_time: 5
Take_Screenshot: False
Screenshot_path: %APPDATA%
Screenshot_file: Screenshots
Screenshot_crypt: False
Mouse_option: False
Delete_file: False
Audio_record_time: 5
Audio_path: %ProgramFiles%
Audio_dir: MicRecords
Connect_delay: 0
Copy_dir: Remcos
Keylog_dir: remcos
Max_keylog_file: 100000

AgentTesla

(PID) Process: (3132) dwn.exe
C2: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/

ims-api

(PID) Process: (3132) dwn.exe
Telegram-Tokens (1): 5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM
Telegram-Info-Links
5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM
Get info about bot: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/getMe
Get incoming updates: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/getUpdates
Get webhook: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/getWebhookInfo
Delete webhook: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token: 5612460560:AAHyXkizBwpknHBFsEt3GDIwhLylabAVwjM
End-Point: sendDocument
Args
All screenshots are available in the full report
Total processes
162
Monitored processes
17
Malicious processes
6
Suspicious processes
0

Behavior graph

start, wscript.exe, powershell.exe, conhost.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), #REMCOS regasm.exe, svchost.exe, slui.exe, regasm.exe, regasm.exe (no specs), regasm.exe, regasm.exe (no specs), #AGENTTESLA dwn.exe, ucpdmgr.exe (no specs), conhost.exe (no specs), ucpdmgr.exe (no specs), conhost.exe (no specs)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1324
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\admin\AppData\Local\Temp\ffrorpmafvlbqrgrniw"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: RegAsm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2092
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: User Choice Protection Manager
Exit code: 0
Version: 1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3132
CMD: "C:\Users\admin\AppData\Roaming\dwn.exe"
Path: C:\Users\admin\AppData\Roaming\dwn.exe
Parent process: RegAsm.exe
User: admin
Integrity Level: MEDIUM
Description:
Version: 1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\dwn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3176
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: User Choice Protection Manager
Exit code: 0
Version: 1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 3240
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\admin\AppData\Local\Temp\ffrorpmafvlbqrgrniw"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: RegAsm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 4696
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\admin\AppData\Local\Temp\hzehsiwutdegtxcvwtjztws"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: RegAsm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 5588
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5892
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe /stext "C:\Users\admin\AppData\Local\Temp\vllwyxbzjntoglsn"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: RegAsm.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7148
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
17 987
Read events
17 964
Write events
23
Delete events
0

Modification events

(PID) Process: (7236) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: 0EC9100000000000

(PID) Process: (7500) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Path
Value: C:\Users\Public\Downloads\tocogenetic.js

(PID) Process: (7148) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-3NBATL
Operation: write
Name: exepath
Value: 4B7CB360D35EC2E05CDE0D9CA2FECA749C946922165B7743646B9D63114FDC45208BE69074D12C38A118D1B5DF91A5937B3955FBE37437558EF480843A2AEF2A39B393DA2C909F085513DB037CF8583C8BAB3217DA9C63C465CE30F89DB615A2688E701E6D8E7E8A773B02CD805F469FFD0B

(PID) Process: (7148) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Rmc-3NBATL
Operation: write
Name: licence
Value: CA48FE8439DF6A48313BF8183A29D9AB

(PID) Process: (7148) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7148) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7148) RegAsm.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3132) dwn.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\dwn_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (3132) dwn.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\dwn_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (3132) dwn.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\dwn_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files
2
Suspicious files
7
Text files
3
Unknown types
0

Dropped files

Columns: PID, Process, Filename, Type

PID: 5892
Process: RegAsm.exe
Filename: C:\Users\admin\AppData\Local\Temp\bhv2BBB.tmp
Type:
MD5:
SHA256:

PID: 7500
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1jbysciy.rrl.psm1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 8160
Process: cmd.exe
Filename: C:\Users\Public\Downloads\tocogenetic.js
Type: binary
MD5: AC77BF5EAFD5C708030A04D2C099B614
SHA256: 3A984F61476288951933E3A9917C8593082347E7257AC515165DA1A81039C4BE

PID: 7500
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type: binary
MD5: D07C2FD08B9341A99CC3C113F0A9C8BD
SHA256: D9D4E9DC6EDD91505AB1E36D50AB897F2313A3DF446AFE42509294D8E89470C5

PID: 7148
Process: RegAsm.exe
Filename: C:\Users\admin\AppData\Roaming\dwn.exe
Type: executable
MD5: ACCFB066306C95FEA0ED42DC99DF1634
SHA256: E6720928EA03235A4A2AE2183D8E82483EAB11C5D77EC554CA3D85CC69D244B2

PID: 7500
Process: powershell.exe
Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ktiasy5w.kht.ps1
Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

PID: 3132
Process: dwn.exe
Filename: C:\Users\admin\AppData\Roaming\fodkpqxl.qxd\Chrome\Default\Network\Cookies
Type: binary
MD5: 06AD9E737639FDC745B3B65312857109
SHA256: C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404

PID: 3132
Process: dwn.exe
Filename: C:\Users\admin\AppData\Roaming\fodkpqxl.qxd\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite
Type: binary
MD5: 19BA68C3ECBCA72C2B90AFADDE745DC6
SHA256: 8B3758EE2D2C0A07EE7003F902F0667ABE5D9667941F8617EDA3CDF94C78E7B8

PID: 7148
Process: RegAsm.exe
Filename: C:\ProgramData\remcos\logs.dat
Type: binary
MD5: 7D5C4185CDC21EEDC16759EF0420D469
SHA256: C3EBE754E69A79E3F64523D4700E39BB20C5F8DD230AF60EC0D7001102110A5B

PID: 3132
Process: dwn.exe
Filename: C:\Users\admin\AppData\Roaming\mykksg\mykksg.exe
Type: executable
MD5: ACCFB066306C95FEA0ED42DC99DF1634
SHA256: E6720928EA03235A4A2AE2183D8E82483EAB11C5D77EC554CA3D85CC69D244B2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
64
TCP/UDP connections
101
DNS requests
28
Threats
34

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (rows without a PID are listed as they appear in the report, following the previous PID)

7236 | wscript.exe | GET | 301 | 23.186.113.60:80 | http://paste.ee/d/hRZ3j6yD/0 | unknown | shared
  | | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown |
7988 | SIHClient.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7988 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7988 | SIHClient.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7988 | SIHClient.exe | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7988 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7988 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7988 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
  | | GET | 200 | 13.95.31.18:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown |

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (rows without a PID are listed as they appear in the report, following the previous PID)

4 | System | 192.168.100.255:137 | | | | whitelisted
1852 | RUXIMICS.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
  | | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
  | | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7236 | wscript.exe | 23.186.113.60:80 | paste.ee | | | shared
7236 | wscript.exe | 23.186.113.60:443 | paste.ee | | | shared
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
paste.ee
  • 23.186.113.60
shared
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.4
  • 20.190.160.2
  • 20.190.160.17
  • 20.190.160.64
  • 40.126.32.140
  • 20.190.160.3
  • 40.126.32.136
  • 20.190.159.0
  • 40.126.31.67
  • 40.126.31.129
  • 20.190.159.75
  • 40.126.31.69
  • 40.126.31.3
  • 40.126.31.73
  • 20.190.159.64
  • 40.126.32.74
  • 40.126.32.133
  • 20.190.160.20
  • 20.190.160.67
  • 20.190.160.5
  • 20.190.160.65
  • 40.126.32.76
whitelisted
glaustralia.com
  • 103.254.137.153
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
crl.microsoft.com
  • 23.216.77.20
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

Columns: PID | Process | Class | Message (rows without a PID are listed as they appear in the report, following the previous PID)

2196 | svchost.exe | Misc activity | ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
7236 | wscript.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI
  | | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
  | | A Network Trojan was detected | PAYLOAD [ANY.RUN] Base64 encoded PE EXE file inside JPEG image
  | | A Network Trojan was detected | PAYLOAD [ANY.RUN] Stegocampaign Jpeg with base64 added (TA558)
  | | A Network Trojan was detected | ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2
7500 | powershell.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI
  | | Exploit Kit Activity Detected | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound M2
  | | Exploit Kit Activity Detected | ET EXPLOIT_KIT ReverseLoader Base64 Payload Inbound
  | | Potentially Bad Traffic | PAYLOAD [ANY.RUN] Reverse Base64 Encoded EXE Inbound