File name: powershell payload.txt

Full analysis: https://app.any.run/tasks/32d45102-1fe1-4846-95bd-77042ae94fa9
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. The malware was published on GitHub as a legitimate open-source remote administration tool, but threat actors use it for its many powerful malicious functions.

Analysis date: January 31, 2024, 17:29:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, asyncrat, remote
Indicators:
MIME: text/plain
File info: Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
MD5: 4A6EAEBF9BBDA278AF047EA44C85373D
SHA1: 03CDE01EE5FE0F1A0BE9886CD04B46CDFF367C35
SHA256: 54FB920C90A80446A0382C2109F9D3F28743FBDCC7A68F501CD8FC1B18E0DB38
SSDEEP: 12288:Z/rv57RCRYnBjWIdsFh0H2klKh4E/ESaFoz+wswIVkURjzq66/ByOYSRSCQYPiEk:ZzvVRMYBddTWuUzESYoz+MIVfFe6XSRm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts Visual C# compiler

      • powershell.exe (PID: 1028)
    • Drops the executable file immediately after the start

      • csc.exe (PID: 3596)
    • ASYNCRAT has been detected (SURICATA)

      • powershell.exe (PID: 1028)
  • SUSPICIOUS

    • Reads the Internet Settings

      • powershell.exe (PID: 1028)
      • notepad.exe (PID: 1044)
    • Uses .NET C# to load dll

      • powershell.exe (PID: 1028)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 3596)
    • The Powershell connects to the Internet

      • powershell.exe (PID: 1028)
    • Connects to unusual port

      • powershell.exe (PID: 1028)
    • Unusual connection from system programs

      • powershell.exe (PID: 1028)
  • INFO

    • Manual execution by a user

      • powershell.exe (PID: 1028)
    • Checks supported languages

      • cvtres.exe (PID: 3600)
      • csc.exe (PID: 3596)
    • Create files in a temporary directory

      • cvtres.exe (PID: 3600)
      • csc.exe (PID: 3596)
    • Reads the machine GUID from the registry

      • cvtres.exe (PID: 3600)
      • csc.exe (PID: 3596)
No Malware configuration.

TRiD

.txt | Text - UTF-16 (LE) encoded (66.6)
.mp3 | MP3 audio (33.3)
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process tree)

explorer.exe -> notepad.exe (no specs)
explorer.exe -> powershell.exe (#ASYNCRAT) -> csc.exe -> cvtres.exe (no specs)

Process information

PID: 1028
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll

PID: 1044
CMD: "C:\Windows\system32\NOTEPAD.EXE" "C:\Users\admin\AppData\Local\Temp\powershell payload.txt"
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3596
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\q0fflboh.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 4.8.3761.0 built by: NET48REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll

PID: 3600
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESC827.tmp" "c:\Users\admin\AppData\Local\Temp\CSCFBB2E916464744EB9B5596A5CD5C77E.TMP"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 14.10.25028.0 built by: VCTOOLSD15RTM
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\vcruntime140_clr0400.dll
c:\windows\system32\ucrtbase_clr0400.dll
Total events: 8 018
Read events: 7 888
Write events: 128
Delete events: 2

Modification events

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 0202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 010000000200000006000000000000000B000000070000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 020000000100000006000000000000000B000000070000000C0000000D0000000A0000000900000008000000030000000500000004000000FFFFFFFF

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation: write
Name: TV_FolderType
Value: {FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation: write
Name: TV_TopViewID
Value: {82BA0782-5B7A-4569-B5D7-EC83085F08CC}

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\50\ComDlg
Operation: write
Name: TV_TopViewVersion
Value: 0

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: Mode
Value: 4

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: LogicalViewMode
Value: 1

(PID) Process: (1044) notepad.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}
Operation: write
Name: FFlags
Value: 1
Executable files: 1
Suspicious files: 12
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1028 | powershell.exe | C:\Users\admin\AppData\Local\Temp\q0fflboh.cmdline | text
  MD5: FD651418D67E211C519CA4FAC4859B67
  SHA256: 57E7582346897220AA9D3E0C65CC26D2840AA6EA17248B18F5A716FF8753F593

3600 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESC827.tmp | binary
  MD5: ACD99718042DB7BFA2B37601D3904B87
  SHA256: 8A18BD74B742754E059213A8DF24F93590789A5901FB6BEA8B893C2F135A7084

1028 | powershell.exe | C:\Users\admin\AppData\Local\Temp\rrzkpa1m.thl.psm1 | binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256:

1028 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
  MD5: F661BF0E66B741A581CAFECF7AE85C7A
  SHA256: 74C5AC6CFAAABFEC630BC9C73A6FDEBF9145E3C985C27B3F175BB55B396BC8EF

1028 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary
  MD5: 67BC9011476C87B42100EDEB9660C156
  SHA256: 1332A0F6F56E228FD1BF8D1756BBA448C457E74C26A8E2DDA9F0BA80BE65F1BC

1028 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1FXLATJMY7BUV6ZZ2Z9S.temp | binary
  MD5: 67BC9011476C87B42100EDEB9660C156
  SHA256: 1332A0F6F56E228FD1BF8D1756BBA448C457E74C26A8E2DDA9F0BA80BE65F1BC

1028 | powershell.exe | C:\Users\admin\AppData\Local\Temp\q0fflboh.0.cs | text
  MD5: 67A804398B333C4A0D8DD6CF668D03EF
  SHA256: 26850A6C164460EC00B49F0E509C38C6457F223A2C487C790084C3FB98716DD2

3596 | csc.exe | C:\Users\admin\AppData\Local\Temp\q0fflboh.dll | executable
  MD5: 2B96BD724E0C572B29101B3BDF27608A
  SHA256: 83388C4FD5CEBE33AE2E42701B6F82A983A8A6F8B5D7312D0AA420526E55C083

1028 | powershell.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
  MD5: AC05D27423A85ADC1622C714F2CB6184
  SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D

1028 | powershell.exe | C:\Users\admin\AppData\Local\Temp\CabD91F.tmp | compressed
  MD5: AC05D27423A85ADC1622C714F2CB6184
  SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
HTTP(S) requests: 1
TCP/UDP connections: 7
DNS requests: 3
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1028 | powershell.exe | GET | 200 | 184.24.77.205:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?011afa2a3692420e | unknown | compressed | 65.2 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown
1028 | powershell.exe | 5.161.113.150:25658 | w89tu45t8e7dqzo.top | Hetzner Online GmbH | US | unknown
1028 | powershell.exe | 184.24.77.205:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
1028 | powershell.exe | 104.237.62.212:443 | api.ipify.org | WEBNX | US | unknown

DNS requests

Domain | IP | Reputation
w89tu45t8e7dqzo.top | 5.161.113.150 | malicious
ctldl.windowsupdate.com | 184.24.77.205, 184.24.77.173, 184.24.77.187 | whitelisted
api.ipify.org | 104.237.62.212, 64.185.227.156, 173.231.16.76 | shared

Threats

PID | Process | Class | Message
1080 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
1028 | powershell.exe | Domain Observed Used for C2 Detected | ET MALWARE Generic AsyncRAT Style SSL Cert
1080 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
No debug info