URL:

https://gofile.io/d/ilae44

Full analysis: https://app.any.run/tasks/ccb5b7d8-343a-42c3-a13b-8b3efe7aae02
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: May 10, 2025, 10:09:19
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
fileshare
rat
remcos
remote
ims-api
generic
nodejs
Indicators:
MD5:

8BC7249E2DD1E0E515475707119F2A40

SHA1:

B0BB0788D5071E42DDF591FAF0B9D267DE6EFC53

SHA256:

D2B319E9D895797431CAB43CB2F672C573405EC41296A1DB8971975068B7AC95

SSDEEP:

3:N8rxL1eRR:2Zk3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1672)
      • powershell.exe (PID: 5600)
      • powershell.exe (PID: 6512)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 8068)
      • cmd.exe (PID: 7460)
      • Microsoft.exe (PID: 1012)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6512)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 6512)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 6512)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 6512)

    • REMCOS has been detected

      • WindowsPowershell.exe (PID: 7640)

    • REMCOS has been detected (SURICATA)

      • WindowsPowershell.exe (PID: 7640)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 6652)
      • cmd.exe (PID: 5244)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 8068)
      • cmd.exe (PID: 7460)
      • Microsoft.exe (PID: 1012)

    • Application launched itself

      • Microsoft.exe (PID: 1012)

    • Starts CMD.EXE for commands execution

      • Microsoft.exe (PID: 1012)

    • Uses WMIC.EXE to obtain a list of video controllers

      • cmd.exe (PID: 3240)

    • Uses WMIC.EXE to obtain local storage devices information

      • cmd.exe (PID: 7888)

    • Accesses video controller name via WMI (SCRIPT)

      • WMIC.exe (PID: 8000)

    • Drops 7-zip archiver for unpacking

      • Microsoft.exe (PID: 1012)
      • 7zr1.exe (PID: 7356)

    • Executable content was dropped or overwritten

      • Microsoft.exe (PID: 1012)
      • 7zr1.exe (PID: 7356)
      • csc.exe (PID: 7256)
      • 77zip.exe (PID: 4068)
      • cmd.exe (PID: 5244)
      • cmd.exe (PID: 2600)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Microsoft.exe (PID: 1012)

    • There is functionality for taking screenshot (YARA)

      • Microsoft.exe (PID: 4736)

    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 7500)
      • powershell.exe (PID: 6512)
      • 7zr1.exe (PID: 7356)
      • 77zip.exe (PID: 4068)
      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 6988)

    • The process creates files with name similar to system file names

      • 7zr1.exe (PID: 7356)

    • Possibly malicious use of IEX has been detected

      • Microsoft.exe (PID: 1012)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7256)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6512)

    • Reads security settings of Internet Explorer

      • WindowsPowershell.exe (PID: 7640)

    • Contacting a server suspected of hosting an CnC

      • WindowsPowershell.exe (PID: 7640)

    • Starts NET.EXE to display or manage information about active sessions

      • net.exe (PID: 5984)
      • cmd.exe (PID: 7724)
      • net.exe (PID: 4884)
      • cmd.exe (PID: 7888)

    • The executable file from the user directory is run by the CMD process

      • 77zip.exe (PID: 4068)

    • Created directory related to system

      • cmd.exe (PID: 4628)
      • cmd.exe (PID: 6960)

    • The process deletes folder contents (may hide traces)

      • Microsoft.exe (PID: 1012)

    • Connects to unusual port

      • WindowsPowershell.exe (PID: 7640)

  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 6652)
      • Microsoft.exe (PID: 1012)

    • Application launched itself

      • chrome.exe (PID: 5176)

    • Reads product name

      • Microsoft.exe (PID: 1012)

    • Reads Environment values

      • Microsoft.exe (PID: 1012)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 6652)
      • Microsoft.exe (PID: 1012)
      • 7zr1.exe (PID: 7356)
      • cmd.exe (PID: 5244)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 6652)

    • Checks supported languages

      • Microsoft.exe (PID: 1012)
      • Microsoft.exe (PID: 4736)
      • Microsoft.exe (PID: 4336)
      • WindowsPowershell.exe (PID: 7640)
      • 7zr1.exe (PID: 7356)
      • cvtres.exe (PID: 7228)
      • csc.exe (PID: 7256)
      • 77zip.exe (PID: 4068)

    • Process checks computer location settings

      • Microsoft.exe (PID: 1012)

    • Reads the computer name

      • Microsoft.exe (PID: 1012)
      • Microsoft.exe (PID: 4336)
      • Microsoft.exe (PID: 4736)
      • 7zr1.exe (PID: 7356)
      • WindowsPowershell.exe (PID: 7640)
      • 77zip.exe (PID: 4068)

    • Checks proxy server information

      • Microsoft.exe (PID: 1012)
      • slui.exe (PID: 7868)
      • WindowsPowershell.exe (PID: 7640)

    • Reads the machine GUID from the registry

      • Microsoft.exe (PID: 1012)
      • csc.exe (PID: 7256)
      • WindowsPowershell.exe (PID: 7640)

    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 8000)
      • WMIC.exe (PID: 2192)

    • Creates files in the program directory

      • Microsoft.exe (PID: 1012)

    • Creates files or folders in the user directory

      • Microsoft.exe (PID: 1012)
      • WindowsPowershell.exe (PID: 7640)

    • Node.js compiler has been detected

      • Microsoft.exe (PID: 1012)
      • Microsoft.exe (PID: 4736)

    • Reads the software policy settings

      • slui.exe (PID: 7748)
      • slui.exe (PID: 7868)

    • Create files in a temporary directory

      • csc.exe (PID: 7256)
      • cvtres.exe (PID: 7228)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6512)

    • Creates a new folder

      • cmd.exe (PID: 6960)
      • cmd.exe (PID: 4628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(1012) Microsoft.exe
Telegram-Tokens (2)7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw
7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E
Telegram-Info-Links
7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw
Get info about bothttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getMe
Get incoming updateshttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getUpdates
Get webhookhttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/deleteWebhook?drop_pending_updates=true
7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E
Get info about bothttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getMe
Get incoming updateshttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getUpdates
Get webhookhttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/deleteWebhook?drop_pending_updates=true
Telegram-Tokens (3)7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw
7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E
7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY
Telegram-Info-Links
7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw
Get info about bothttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getMe
Get incoming updateshttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getUpdates
Get webhookhttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/deleteWebhook?drop_pending_updates=true
7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E
Get info about bothttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getMe
Get incoming updateshttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getUpdates
Get webhookhttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/deleteWebhook?drop_pending_updates=true
7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY
Get info about bothttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/getMe
Get incoming updateshttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/getUpdates
Get webhookhttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/deleteWebhook?drop_pending_updates=true
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
203
Monitored processes
71
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs svchost.exe sppextcomobj.exe no specs slui.exe chrome.exe no specs chrome.exe no specs rundll32.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe microsoft.exe cmd.exe no specs conhost.exe no specs powershell.exe no specs microsoft.exe no specs microsoft.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs slui.exe cmd.exe no specs conhost.exe no specs 7zr1.exe #REMCOS windowspowershell.exe powershell.exe no specs conhost.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs 77zip.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe conhost.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs computerdefaults.exe no specs computerdefaults.exe no specs computerdefaults.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs net.exe no specs net1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
680"C:\Windows \System32\ComputerDefaults.exe" C:\Windows \System32\ComputerDefaults.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Set Program Access and Computer Defaults Control Panel
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows \system32\computerdefaults.exe
c:\windows\system32\ntdll.dll
1012"C:\Users\admin\Downloads\current\Microsoft.exe" C:\Users\admin\Downloads\current\Microsoft.exe
explorer.exe
User:
admin
Company:
Exodus Movement Inc
Integrity Level:
MEDIUM
Description:
Exodus
Exit code:
1
Version:
24.41.3
Modules
Images
c:\users\admin\downloads\current\microsoft.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
ims-api
(PID) Process(1012) Microsoft.exe
Telegram-Tokens (2)7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw
7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E
Telegram-Info-Links
7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw
Get info about bothttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getMe
Get incoming updateshttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getUpdates
Get webhookhttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/deleteWebhook?drop_pending_updates=true
7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E
Get info about bothttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getMe
Get incoming updateshttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getUpdates
Get webhookhttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/deleteWebhook?drop_pending_updates=true
(PID) Process(1012) Microsoft.exe
Telegram-Tokens (3)7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw
7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E
7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY
Telegram-Info-Links
7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw
Get info about bothttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getMe
Get incoming updateshttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getUpdates
Get webhookhttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7176866895:AAGVcL9B4Qk60Eqcz7x55oOlI05tdSKO0Tw/deleteWebhook?drop_pending_updates=true
7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E
Get info about bothttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getMe
Get incoming updateshttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getUpdates
Get webhookhttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7921253212:AAFt8Y6IvR75sRCTN4WtukL-xRg_n8Akc5E/deleteWebhook?drop_pending_updates=true
7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY
Get info about bothttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/getMe
Get incoming updateshttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/getUpdates
Get webhookhttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7921253212:AAFCixoXl3DFA-JYirPUAwnHXj5-5Y4_skY/deleteWebhook?drop_pending_updates=true
1228\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1672powershell -ExecutionPolicy Bypass -Command "(Get-WmiObject Win32_OperatingSystem).OSArchitecture"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2192WMIC LOGICALDISK GET Name,Size,FreeSpaceC:\Windows\System32\wbem\WMIC.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2432\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2600C:\WINDOWS\system32\cmd.exe /d /s /c "copy "C:\Users\Public\Pictures\propsys.dll" "C:\Windows \System32\""C:\Windows\System32\cmd.exe
Microsoft.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
3240C:\WINDOWS\system32\cmd.exe /d /s /c "wmic path win32_videocontroller get name"C:\Windows\System32\cmd.exeMicrosoft.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
3268C:\WINDOWS\system32\net1 sessionC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\netutils.dll
c:\windows\system32\samcli.dll
Total events
21 130
Read events
21 113
Write events
16
Delete events
1

Modification events

(PID) Process:(5176) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(5176) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(5176) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(5176) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(5176) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(7952) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
0100000000000000E4980BAF93C1DB01
(PID) Process:(5176) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
1
(PID) Process:(5176) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:delete valueName:GoogleChromeAutoLaunch_A822CA3D40D4B8944864CFEA751D8D57
Value:
(PID) Process:(6652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(6652) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
Executable files
16
Suspicious files
133
Text files
53
Unknown types
0

Dropped files

PID
Process
Filename
Type
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF10c8ef.TMP
MD5:
SHA256:
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF10c8ef.TMP
MD5:
SHA256:
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF10c8ef.TMP
MD5:
SHA256:
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF10c8ef.TMP
MD5:
SHA256:
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old
MD5:
SHA256:
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF10c8ff.TMP
MD5:
SHA256:
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
5176chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF10c8ff.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
44
DNS requests
42
Threats
27

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
GET
200
23.48.23.167:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4652
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4652
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7640
WindowsPowershell.exe
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
whitelisted
7640
WindowsPowershell.exe
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.48.23.167:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
239.255.255.250:1900
whitelisted
45.112.123.126:443
gofile.io
AMAZON-02
SG
whitelisted
74.125.71.84:443
accounts.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 23.48.23.167
  • 23.48.23.166
  • 23.48.23.169
  • 23.48.23.176
  • 23.48.23.178
  • 23.48.23.164
  • 23.48.23.177
  • 23.48.23.162
  • 23.48.23.180
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 142.250.185.206
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
gofile.io
  • 45.112.123.126
whitelisted
accounts.google.com
  • 74.125.71.84
whitelisted
s.gofile.io
  • 51.75.242.210
whitelisted
api.gofile.io
  • 45.112.123.126
  • 51.91.7.6
whitelisted
content-autofill.googleapis.com
  • 142.250.185.74
  • 142.250.185.234
  • 172.217.18.10
  • 142.250.185.106
  • 142.250.185.202
  • 142.250.185.170
  • 142.250.186.106
  • 142.250.186.74
  • 142.250.186.170
  • 172.217.18.106
  • 142.250.186.138
  • 142.250.185.138
  • 172.217.16.138
  • 216.58.206.74
  • 142.250.184.234
  • 142.250.184.202
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://gofile.io/d/ilae44