Windows Analysis Report
https://remotescripps.org/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTcxNDE1Mzc1OSwiaWF0IjoxNzE0MTQ2NTU5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydjR0dWRtOGRsODdyZnRzMjAwaGg0czciLCJuYmYiOjE3MTQxNDY1NTksInRzIjoxNzE0MTQ2NTU5NTc0OTUxfQ.4QAtENw-EyGdzGdXpnWXNKSArwdeAYageduFz

Overview

General Information

Sample URL:	https://remotescripps.org/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTcxNDE1Mzc1OSwiaWF0IjoxNzE0MTQ2NTU5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydjR0dWRtOGRsODdyZnRzMjAw
Analysis ID:	1432298
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Classification

Signatures

Source: chromecache_75.2.dr	String found in binary or memory: http://104.154.23.126/data-ingest
Source: chromecache_60.2.dr	String found in binary or memory: https://api-js.mixpanel.com
Source: chromecache_60.2.dr	String found in binary or memory: https://cdn.mxpnl.com
Source: chromecache_61.2.dr	String found in binary or memory: https://cdn.mxpnl.com/libs/mixpanel-2-latest.min.js
Source: chromecache_61.2.dr	String found in binary or memory: https://dtools.zautils.online/geturl/PrivacyGuard/intpgdirect
Source: chromecache_61.2.dr	String found in binary or memory: https://fonts.googleapis.com
Source: chromecache_61.2.dr	String found in binary or memory: https://fonts.googleapis.com/css2?family=Inter:wght
Source: chromecache_61.2.dr	String found in binary or memory: https://fonts.gstatic.com
Source: chromecache_74.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v13/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa0ZL7SUc.woff2)
Source: chromecache_74.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v13/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1ZL7.woff2)
Source: chromecache_74.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v13/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa1pL7SUc.woff2)
Source: chromecache_74.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v13/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa25L7SUc.woff2)
Source: chromecache_74.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v13/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa2JL7SUc.woff2)
Source: chromecache_74.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v13/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa2ZL7SUc.woff2)
Source: chromecache_74.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/inter/v13/UcC73FwrK3iLTeHuS_fvQtMwCp50KnMa2pL7SUc.woff2)
Source: chromecache_61.2.dr	String found in binary or memory: https://impr.zautils.online/impression?c=intpgdirect
Source: chromecache_73.2.dr	String found in binary or memory: https://mc.yandex.
Source: chromecache_73.2.dr	String found in binary or memory: https://mc.yandex.md/cc
Source: chromecache_60.2.dr	String found in binary or memory: https://mixpanel.com
Source: chromecache_61.2.dr	String found in binary or memory: https://red.zautils.online/downloadproxy/intpgdirect/
Source: chromecache_73.2.dr	String found in binary or memory: https://s3.mds.yandex.net/internal-metrika-betas
Source: chromecache_73.2.dr	String found in binary or memory: https://yandex.com/an/sync_cookie
Source: chromecache_73.2.dr	String found in binary or memory: https://yastatic.net/s3/gdpr/v3/gdpr
Source: chromecache_73.2.dr	String found in binary or memory: https://yastatic.net/s3/metrika
Source: chromecache_73.2.dr	String found in binary or memory: https://yastatic.net/s3/taxi-front/yango-gdpr-popup/
Source: chromecache_73.2.dr	String found in binary or memory: https://ymetrica1.com/watch/3/1

Source: classification engine

Classification label: clean1.win@22/39@0/21

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\9a25b646-7ba5-4e95-ba13-3c430acbcc9e.tmp

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6372:120:WilError_03

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1984,i,4643450290400954545,2623845929518352052,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://remotescripps.org/?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTcxNDE1Mzc1OSwiaWF0IjoxNzE0MTQ2NTU5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIydjR0dWRtOGRsODdyZnRzMjAwaGg0czciLCJuYmYiOjE3MTQxNDY1NTksInRzIjoxNzE0MTQ2NTU5NTc0OTUxfQ.4QAtENw-EyGdzGdXpnWXNKSArwdeAYageduFzSwX3pI&sid=8b44beca-03e4-11ef-af17-3cc94e56dea0"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c "C:\Users\user\Desktop\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1812 --field-trial-handle=1984,i,4643450290400954545,2623845929518352052,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.254.207.52	unknown	United States	29066	VELIANET-ASvelianetInternetdiensteGmbHDE	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
35.186.241.51	unknown	United States	15169	GOOGLEUS	false
192.178.50.46	unknown	United States	15169	GOOGLEUS	false
172.217.2.195	unknown	United States	15169	GOOGLEUS	false
87.250.250.119	unknown	Russian Federation	13238	YANDEXRU	false
142.250.64.138	unknown	United States	15169	GOOGLEUS	false
142.250.64.195	unknown	United States	15169	GOOGLEUS	false
130.211.5.208	unknown	United States	15169	GOOGLEUS	false
172.67.136.85	unknown	United States	13335	CLOUDFLARENETUS	false
107.178.240.159	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
206.189.225.178	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
93.158.134.119	unknown	Russian Federation	13238	YANDEXRU	false
142.251.35.228	unknown	United States	15169	GOOGLEUS	false
3.220.57.224	unknown	United States	14618	AMAZON-AESUS	false
142.251.162.84	unknown	United States	15169	GOOGLEUS	false
77.88.21.119	unknown	Russian Federation	13238	YANDEXRU	false
172.217.3.67	unknown	United States	15169	GOOGLEUS	false
13.35.116.53	unknown	United States	16509	AMAZON-02US	false

Private

IP
192.168.2.4

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cintlp.zautils.online/?subid=90818143905&cid=8899&tag=dm&dkw=remotescripps.org&rhi=0bc29bef-b9ff-47fa-9c64-762e9458389c	false		unknown

ID:	1432298
Product:	CloudBasic
Start time:	20:14:38
Start date:	26.04.2024
Cookbook:	browseurl.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\Downloads\9a25b646-7ba5-4e95-ba13-3c430acbcc9e.tmp	Zip archive data, at least v4.5 to extract, compression method=store	8DF5B7A363F7F482FE7555D2FDEE9692	9E598D6F209E3FFD3B44B51E4340FF9BB3C6C3DB	AD4A23E001E6A4AE07D410550ED8E1DCD03ED9DA4F24FAD4DB7A6DE284332D96
C:\Users\user\Downloads\PrivacyGuardBrowser.1.10.78.0.Msix (copy)	Zip archive data, at least v4.5 to extract, compression method=store	042CC51594DB860354C47A4E8CDCA37D	6104CAE9FA3DA2802CF1A7F3898A3292E49A497A	0A0B6D419AA7520FF29AC5CEC8D1A4A89096319774CF481127A92048566EEB91
C:\Users\user\Downloads\Unconfirmed 403941.crdownload	Zip archive data, at least v4.5 to extract, compression method=store	042CC51594DB860354C47A4E8CDCA37D	6104CAE9FA3DA2802CF1A7F3898A3292E49A497A	0A0B6D419AA7520FF29AC5CEC8D1A4A89096319774CF481127A92048566EEB91
Chrome Cache Entry: 57	ISO Media, MP4 v2 [ISO 14496-14]	3AAEE7F420524EFF68682C381B1F511E	36BE9AB3C2456366A22465E613364586C9A802A0	92CE26FC5B606509C9D96ED8005B2225B1A8C846AD35151EF0EE935A27FBDBFA
Chrome Cache Entry: 58	ASCII text, with no line terminators	444BCB3A3FCF8389296C49467F27E1D6	7A85F4764BBD6DAF1C3545EFBBF0F279A6DC0BEB	2689367B205C16CE32ED4200942B8B8B1E262DFC70D9BC9FBC77C49699A4F1DF
Chrome Cache Entry: 59	Web Open Font Format (Version 2), TrueType, length 46704, version 1.0	30A274CD01B6EEB0B082C918B0697F1E	393311BDE26B99A4AD935FA55BAD1DCE7994388B	88DF0B5A7BC397DBC13A26BB8B3742CC62CD1C9B0DDED57DA7832416D6F52F42
Chrome Cache Entry: 60	ASCII text, with very long lines (607)	45A6749860B806A0ED77ED08DFA90B99	C533D7544452DBD40907306BAFAC435541D4E2BF	7C690A6EBB2EEF51E8CCC66161B02197C22F388F1FC23C89E0F5C7B70E1EAC50
Chrome Cache Entry: 61	HTML document, Unicode text, UTF-8 text, with very long lines (2013)	6DAD94BBF5D939576A7BB9CF2A584C56	81EFE9E78E21F7980A8C6183658B727C73178A3B	8C358DDFA7EEFE1BF89B35BD7FCEEAEDB329A194D980224B335404C6B4E37C1E
Chrome Cache Entry: 62	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	65A5E6CFCA5E73A002CFFC719873A149	E911BC089EA96E29C193456D5F5FF061819D0AAB	C482472C562D96C5798FC44FAE1074DAF1C1650736F4CAC3B0D5C5B869AB9D15
Chrome Cache Entry: 63	ISO Media, MP4 v2 [ISO 14496-14]	DE1721491B68CDEDA81D5962D76FEB0C	6E18521195B7D03D2FC32CC6D2C09B1FDFF210AA	8D7EE21B859CAB3E743BAD155EBEAF1971DCABEDAF5A780E258C447D7F000A8F
Chrome Cache Entry: 64	GIF image data, version 89a, 1 x 1	DF3E567D6F16D040326C7A0EA29A4F41	EA7DF583983133B62712B5E73BFFBCD45CC53736	548F2D6F4D0D820C6C5FFBEFFCBD7F0E73193E2932EEFE542ACCC84762DEEC87
Chrome Cache Entry: 65	ASCII text	7B997B2E607A5F9AAE1CFEC963E5C14E	CA24A2A58FBD21CDA177F9AA5191CEC3A6000D1C	7BBEB300C0D5F67D015F26EAB0F4E9CEBA57F41F79298D7473D82A30D358DAC4
Chrome Cache Entry: 66	ASCII text, with no line terminators	E0AA021E21DDDBD6D8CECEC71E9CF564	9CE3BD4224C8C1780DB56B4125ECF3F24BF748B7	565339BC4D33D72817B583024112EB7F5CDF3E5EEF0252D6EC1B9C9A94E12BB3
Chrome Cache Entry: 67	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	65A5E6CFCA5E73A002CFFC719873A149	E911BC089EA96E29C193456D5F5FF061819D0AAB	C482472C562D96C5798FC44FAE1074DAF1C1650736F4CAC3B0D5C5B869AB9D15
Chrome Cache Entry: 68	GIF image data, version 89a, 1 x 1	DF3E567D6F16D040326C7A0EA29A4F41	EA7DF583983133B62712B5E73BFFBCD45CC53736	548F2D6F4D0D820C6C5FFBEFFCBD7F0E73193E2932EEFE542ACCC84762DEEC87
Chrome Cache Entry: 69	ASCII text, with no line terminators	E0AA021E21DDDBD6D8CECEC71E9CF564	9CE3BD4224C8C1780DB56B4125ECF3F24BF748B7	565339BC4D33D72817B583024112EB7F5CDF3E5EEF0252D6EC1B9C9A94E12BB3
Chrome Cache Entry: 70	GIF image data, version 89a, 1 x 1	DF3E567D6F16D040326C7A0EA29A4F41	EA7DF583983133B62712B5E73BFFBCD45CC53736	548F2D6F4D0D820C6C5FFBEFFCBD7F0E73193E2932EEFE542ACCC84762DEEC87
Chrome Cache Entry: 71	ASCII text	B5EAB7AC77B571385845042F9B48594F	EEF93163E4188F9EB3E0B88011DB13DD480B18E4	1E354FB4D88E323D4E8FAC552E3A97A532485B3811CC139D1AF76FDD6B4D321A
Chrome Cache Entry: 72	GIF image data, version 89a, 1 x 1	DF3E567D6F16D040326C7A0EA29A4F41	EA7DF583983133B62712B5E73BFFBCD45CC53736	548F2D6F4D0D820C6C5FFBEFFCBD7F0E73193E2932EEFE542ACCC84762DEEC87
Chrome Cache Entry: 73	Unicode text, UTF-8 (with BOM) text, with very long lines (547)	34B80871634D0CAB0CE096201F1562E6	1AAA8870E27B161121A2025A750DF7473BA153CD	06733AE2076F97B3446F974C4E4C6EA88BE551D12543FD3D7FECCBBF83ED3575
Chrome Cache Entry: 74	ASCII text	F93FFE3E7659336BDBABD70A7D00A995	24E4ACC6239D78C313521A4B3795E6B18E4DAF72	6B8A445DBDDFB9B7C56FFD4F34B6CA628A0D2C85B6A8F4DA1EDA376694377C3C
Chrome Cache Entry: 75	ASCII text	1F49E3A9C13B729B59E3C645E8EF603F	197D79EB78ED88FDAFBEE9896C23361829DC9E2F	0DCB23E1EEE1EF86D6ED12FE95182A3A2FD6035C778A9C46E6EE8E81FD86C838
Chrome Cache Entry: 76	PNG image data, 1440 x 1024, 8-bit/color RGBA, non-interlaced	249E0547586A4D640C9E456D65BB7D15	96A1EE9AE0B757C3B6DBE2409E40C361C9977D26	65460F10B9F2022AD931FE2B97A99D5845ADF2D69FFB691A999FD9B7173BE323
Chrome Cache Entry: 77	PNG image data, 1440 x 1024, 8-bit/color RGBA, non-interlaced	249E0547586A4D640C9E456D65BB7D15	96A1EE9AE0B757C3B6DBE2409E40C361C9977D26	65460F10B9F2022AD931FE2B97A99D5845ADF2D69FFB691A999FD9B7173BE323

Overview

General Information

Detection

Signatures

Classification

Signatures

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs