File name:

Bill_2755134646.html (1).zip

Full analysis: https://app.any.run/tasks/0954edab-541a-4bd8-8cf0-e498ceaba65b
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: March 16, 2024, 15:26:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
asyncrat
rat
remote
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:

8EB23E80AF0747DA1A19ED95421A6EC4

SHA1:

1D5FA68D1CB13DC146ED8626462978FB79884ADF

SHA256:

39D5E3C50B28CCFEFE68C2EB1A178CC7000F557C9C377327E5A642E4CC1BF70F

SSDEEP:

384:2QwhpU1z8GrjnR+rsTXisneExiUTulFzN9mv:v1z8G/crsTSsbxiGWg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Probably downloads file via BitsAdmin

      • powershell.exe (PID: 3416)
    • Extracts files to directory (POWERSHELL)

      • wscript.exe (PID: 3020)
    • Unusual connection from system programs

      • wscript.exe (PID: 3020)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3200)
      • powershell.exe (PID: 2560)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 2820)
      • cmd.exe (PID: 2724)
    • ASYNCRAT has been detected (MUTEX)

      • aspnet_compiler.exe (PID: 1092)
      • aspnet_compiler.exe (PID: 3192)
    • ASYNCRAT has been detected (SURICATA)

      • aspnet_compiler.exe (PID: 1092)
    • Creates a new scheduled task (SCRIPT)

      • powershell.exe (PID: 1864)
    • Actions look like stealing of personal data

      • aspnet_compiler.exe (PID: 1092)
    • ASYNCRAT has been detected (YARA)

      • aspnet_compiler.exe (PID: 1092)
  • SUSPICIOUS

    • Reads the Internet Settings

      • powershell.exe (PID: 3416)
      • wscript.exe (PID: 3020)
      • cmd.exe (PID: 3708)
      • wscript.exe (PID: 1196)
      • wscript.exe (PID: 3904)
      • wscript.exe (PID: 4008)
      • aspnet_compiler.exe (PID: 1092)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 3708)
      • powershell.exe (PID: 3416)
      • wscript.exe (PID: 1196)
      • wscript.exe (PID: 3904)
      • cmd.exe (PID: 864)
      • cmd.exe (PID: 2820)
      • cmd.exe (PID: 2724)
      • wscript.exe (PID: 4008)
      • powershell.exe (PID: 3200)
      • powershell.exe (PID: 1864)
      • powershell.exe (PID: 2560)
    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 3020)
      • cmd.exe (PID: 2820)
      • cmd.exe (PID: 864)
      • cmd.exe (PID: 2724)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3020)
      • wscript.exe (PID: 1196)
      • wscript.exe (PID: 3904)
      • wscript.exe (PID: 4008)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3020)
      • wscript.exe (PID: 1196)
      • wscript.exe (PID: 3904)
      • wscript.exe (PID: 4008)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 3020)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 3020)
      • wscript.exe (PID: 1196)
      • wscript.exe (PID: 3904)
      • wscript.exe (PID: 4008)
    • The process executes JS scripts

      • cmd.exe (PID: 3708)
      • cmd.exe (PID: 864)
    • The process executes Powershell scripts

      • cmd.exe (PID: 2820)
      • cmd.exe (PID: 2724)
    • Creates a scheduled task using COM

      • powershell.exe (PID: 1864)
    • Extracts substring from string (POWERSHELL)

      • powershell.exe (PID: 3200)
      • powershell.exe (PID: 2560)
    • Gets context to manipulate scheduled tasks (SCRIPT)

      • powershell.exe (PID: 1864)
    • Reads settings of System Certificates

      • aspnet_compiler.exe (PID: 1092)
    • Connects to unusual port

      • aspnet_compiler.exe (PID: 1092)
    • Converts data to Integer (POWERSHELL)

      • powershell.exe (PID: 2560)
      • powershell.exe (PID: 3200)
    • Gets a folder of registered tasks (SCRIPT)

      • powershell.exe (PID: 1864)
  • INFO

    • The process uses the downloaded file

      • msedge.exe (PID: 3276)
      • msedge.exe (PID: 2740)
    • Application launched itself

      • msedge.exe (PID: 3276)
    • Checks proxy server information

      • wscript.exe (PID: 3020)
    • Encodes string to ASCII (POWERSHELL)

      • powershell.exe (PID: 3200)
      • powershell.exe (PID: 2560)
    • Reads the computer name

      • aspnet_compiler.exe (PID: 1092)
      • aspnet_compiler.exe (PID: 3192)
    • Checks supported languages

      • aspnet_compiler.exe (PID: 3192)
      • aspnet_compiler.exe (PID: 1092)
    • Reads the machine GUID from the registry

      • aspnet_compiler.exe (PID: 1092)
      • aspnet_compiler.exe (PID: 3192)
    • Reads Environment values

      • aspnet_compiler.exe (PID: 1092)
    • Reads the software policy settings

      • aspnet_compiler.exe (PID: 1092)
    • Creates files in a temporary directory

      • aspnet_compiler.exe (PID: 1092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

Process: aspnet_compiler.exe (PID 1092)
C2 (1): hassan.webhop.net
Ports (1): 5055
Botnet: New
Version: AWS | 3Losh
Options:
  AutoRun: false
  Mutex: AsyncMutex_alosh
  InstallFolder: %AppData%
  BSoD: false
  AntiVM: false
Certificates:
  Cert1: MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGva...
  Server_Signature: DBW+nY08DS9GPYky3emWfG3X2UfcshlDvMGAnJmP7DurO1GljnVBIlbwq7kvt5fr0vxhkjRqf3v7vQ/yFEoec50URlUcrxGhe2D0mBuHtq7p/hVazL7ZgQy115iH4S7XU0xKF7ma1mH/ClIqqfqs7CMNt+GWuCpTOCxHw2et3mDMEKfL4jg2BRvsrjAhMbBsUpgCJFHdVi2fp6O3D7N3qzyybqu66Tz6Tacmk3YhyMsEBs9LziKqfPIktuW5LBdNls/KkH6W+/2kNC6rliYQkV8f3jQdhT7jcmLBIFB2fYK/...
Keys:
  AES: 3ba19f5745707765622685da09069cc136aa4bab50332d61ed039d571eac5931
  Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0009
ZipCompression: Unknown (99)
ZipModifyDate: 2024:03:12 05:53:58
ZipCRC: 0x7b81fa60
ZipCompressedSize: 9869
ZipUncompressedSize: 34410
ZipFileName: Bill_2755134646.html
All screenshots are available in the full report
Total processes
78
Monitored processes
35
Malicious processes
14
Suspicious processes
2

Behavior graph

Processes shown in the graph, in order: winrar.exe; msedge.exe (the browser and its child processes); wscript.exe; powershell.exe; cmd.exe; wscript.exe; wscript.exe; cmd.exe; cmd.exe; powershell.exe; wscript.exe; cmd.exe; powershell.exe; powershell.exe; aspnet_compiler.exe (#ASYNCRAT, THREAT); aspnet_compiler.exe. Most entries are marked "no specs" in the graph.

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 124
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4364 --field-trial-handle=1352,i,14259957167152711850,793287415789943488,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 128
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3868 --field-trial-handle=1352,i,14259957167152711850,793287415789943488,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 748
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1656 --field-trial-handle=1352,i,14259957167152711850,793287415789943488,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 864
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\node.bat" C:\Users\Public\"
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 948
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4240 --field-trial-handle=1352,i,14259957167152711850,793287415789943488,131072 /prefetch:8
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1092
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
aspnet_compiler.exe
Exit code:
0
Version:
4.8.3761.0 built by: NET48REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1196
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\Public\app.js"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1544
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3424 --field-trial-handle=1352,i,14259957167152711850,793287415789943488,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1576
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2352 --field-trial-handle=1352,i,14259957167152711850,793287415789943488,131072 /prefetch:1
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1656
CMD: "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1328 --field-trial-handle=1352,i,14259957167152711850,793287415789943488,131072 /prefetch:2
Path: C:\Program Files\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
109.0.1518.115
Modules
Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
31 805
Read events
31 617
Write events
176
Delete events
12

Modification events

PID 3936 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtBMP | Value:
PID 3936 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | Operation: write | Name: ShellExtIcon | Value:
PID 3936 WinRAR.exe | Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | Operation: write | Name: LanguageList | Value: en-US
PID 3936 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\phacker.zip
PID 3936 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
PID 3936 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
PID 3936 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\Bill_2755134646.html (1).zip
PID 3936 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
PID 3936 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
PID 3936 WinRAR.exe | Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
Executable files
1
Suspicious files
27
Text files
71
Unknown types
28

Dropped files

Columns: PID | Process | Filename | Type
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF186bb5.TMP | Type: (not listed)
  MD5: (not listed) | SHA256: (not listed)
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | Type: (not listed)
  MD5: (not listed) | SHA256: (not listed)
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF186bd4.TMP | Type: (not listed)
  MD5: (not listed) | SHA256: (not listed)
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old | Type: (not listed)
  MD5: (not listed) | SHA256: (not listed)
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF186be4.TMP | Type: (not listed)
  MD5: (not listed) | SHA256: (not listed)
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF186c22.TMP | Type: (not listed)
  MD5: (not listed) | SHA256: (not listed)
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | Type: (not listed)
  MD5: (not listed) | SHA256: (not listed)
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat | Type: binary
  MD5: DF0BCCD68449F07F531D76F53C718178 | SHA256: 12025F4DA9E53A8B91892D4F6E6A9B89513F3488BFE9F1EEEC3C05F7EF96BDD8
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Variations | Type: binary
  MD5: 961E3604F228B0D10541EBF921500C86 | SHA256: F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED
PID 3276 msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG.old | Type: text
  MD5: 72265FBF816F9AAE473C0CEB421DE724 | SHA256: C549BD4A176A3744A5D91391D311E28F0503BB69213E38835A1CB213038D938C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
17
Threats
9

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
PID 3020 wscript.exe | GET | 200 | 37.1.211.139:80 | http://transfers.ath.cx/2222/g4.txt | CN: unknown | Type: text | Size: 665 b | Reputation: unknown
PID 856 svchost.exe | HEAD | 200 | 37.1.211.139:80 | http://transfers.ath.cx/2222/kkk.jpg | CN: unknown | Reputation: unknown
PID 856 svchost.exe | GET | 200 | 37.1.211.139:80 | http://transfers.ath.cx/2222/kkk.jpg | CN: unknown | Type: compressed | Size: 111 Kb | Reputation: unknown
PID 1092 aspnet_compiler.exe | GET | 200 | 2.19.198.57:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?04114ebd06f1fcc9 | CN: unknown | Type: compressed | Size: 67.5 Kb | Reputation: unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
PID 4 System | 192.168.100.255:137 | Reputation: whitelisted
PID 4 System | 192.168.100.255:138 | Reputation: whitelisted
(PID not listed) | 224.0.0.252:5355 | Reputation: unknown
PID 1080 svchost.exe | 224.0.0.252:5355 | Reputation: unknown
PID 2372 msedge.exe | 13.107.22.239:443 | edge.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: unknown
PID 3276 msedge.exe | 239.255.255.250:1900 | Reputation: unknown
PID 2372 msedge.exe | 52.123.243.221:443 | config.edge.skype.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: unknown
PID 3276 msedge.exe | 224.0.0.251:5353 | Reputation: unknown
PID 2372 msedge.exe | 131.253.33.239:443 | edge.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: unknown
PID 2372 msedge.exe | 152.199.21.175:443 | msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com | ASN: EDGECAST | CN: DE | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
config.edge.skype.com
  • 52.123.243.221
  • 52.123.224.66
  • 52.123.224.64
whitelisted
edge.microsoft.com
  • 13.107.22.239
  • 131.253.33.239
whitelisted
msedgeextensions.sf.tlu.dl.delivery.mp.microsoft.com
  • 152.199.21.175
whitelisted
www.bing.com
  • 92.123.104.21
  • 92.123.104.6
  • 92.123.104.64
  • 92.123.104.32
  • 92.123.104.33
  • 92.123.104.40
  • 92.123.104.34
  • 92.123.104.59
  • 92.123.104.67
  • 104.126.37.153
  • 104.126.37.139
  • 104.126.37.131
  • 104.126.37.136
  • 104.126.37.137
  • 104.126.37.154
  • 104.126.37.144
  • 104.126.37.145
  • 104.126.37.155
whitelisted
transfers.ath.cx
  • 37.1.211.139
unknown
self.events.data.microsoft.com
  • 13.89.178.27
whitelisted
hassan.webhop.net
  • 37.1.212.230
malicious
ctldl.windowsupdate.com
  • 2.19.198.57
  • 23.32.238.152
  • 23.32.238.144
  • 23.32.238.113
whitelisted

Threats

Columns: PID | Process | Class | Message
PID 1080 svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to ath .cx Domain
PID 3020 wscript.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.ath .cx Domain
(PID not listed) | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.ath .cx Domain
PID 856 svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.ath .cx Domain
PID 1080 svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.webhop .net Domain
PID 1092 aspnet_compiler.exe | Domain Observed Used for C2 Detected | REMOTE [ANY.RUN] AsyncRAT SSL certificate
PID 1092 aspnet_compiler.exe | Domain Observed Used for C2 Detected | ET MALWARE Generic AsyncRAT Style SSL Cert
PID 1092 aspnet_compiler.exe | Domain Observed Used for C2 Detected | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
PID 1092 aspnet_compiler.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] AsyncRAT Successful Connection
No debug info