Malware analysis AUTO ADMISORIO DEMANDA LABORAL.SVG Malicious activity

Add for printing

File name:	AUTO ADMISORIO DEMANDA LABORAL.SVG
Full analysis:	https://app.any.run/tasks/7a81a92f-415b-4fda-9fd5-92e3f841e3f7
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	November 26, 2024, 18:21:18
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	asyncrat rat
Indicators:
MIME:	image/svg+xml
File info:	SVG Scalable Vector Graphics image
MD5:	51BB8E20ED473A08553C7DBD575050DE
SHA1:	0C8506C50AA891298D665B7F6927215A2668150C
SHA256:	81CED42E28C0BCC03F07E227D3357BCCF5AE9666979DF6B3AF06E4F315C1A8E7
SSDEEP:	3072:O7ZHKZA/YokgsUW5eMQATO/iHhokPWm20ftLT719zmdkg+EK/AT9Ic7x8kg36zTD:+HKuZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Executing a file with an untrusted certificate
  - 006 NotificacionElectronica.exe (PID: 7976)
- ASYNCRAT has been detected (YARA)
  - MSBuild.exe (PID: 4724)
- ASYNCRAT has been detected (MUTEX)
  - MSBuild.exe (PID: 4724)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 3524)
  - 006 NotificacionElectronica.exe (PID: 7976)
- Executable content was dropped or overwritten
  - 006 NotificacionElectronica.exe (PID: 7976)
- The process drops C-runtime libraries
  - 006 NotificacionElectronica.exe (PID: 7976)
- Starts CMD.EXE for commands execution
  - 006 NotificacionElectronica.exe (PID: 7976)
- Connects to unusual port
  - MSBuild.exe (PID: 4724)
INFO
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 3524)
- Sends debugging messages
  - mmc.exe (PID: 7948)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.svg	\|	Scalable Vector Graphics (var.1) (100)

EXIF

SVG

Fill:	none
Stroke:	none
Stroke-linecap:	square
Stroke-miterlimit:	10
SVGVersion:	1.1
Viewbox:	0.0 0.0 960.0 720.0
Xmlns:	http://www.w3.org/2000/svg

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

191

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3524

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\NOTIFICACIÓN ELECTRÓNICA JUDICIAL AUTO ADMISORIO DEMANDA LABORAL.tar.uue.tar" C:\Users\admin\Downloads\

C:\Program Files\WinRAR\WinRAR.exe

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3768

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4724

C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

MSBuild.exe

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\syswow64\mshtml.dll
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll

5208

C:\WINDOWS\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

—

006 NotificacionElectronica.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6568

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\NOTIFICACIÓN ELECTRÓNICA JUDICIAL AUTO ADMISORIO DEMANDA LABORAL.tar.uue.tar.001" C:\Users\admin\Downloads\

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

7368

"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /s

C:\Windows\System32\mmc.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Management Console

Exit code:

3221226540

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll

7948

"C:\WINDOWS\system32\mmc.exe" "C:\WINDOWS\system32\taskschd.msc" /s

C:\Windows\System32\mmc.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Management Console

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

7976

"C:\Users\admin\Downloads\NOTIFICACIÓN ELECTRÓNICA JUDICIAL AUTO ADMISORIO DEMANDA LABORAL\006 NotificacionElectronica.exe"

C:\Users\admin\Downloads\NOTIFICACIÓN ELECTRÓNICA JUDICIAL AUTO ADMISORIO DEMANDA LABORAL\006 NotificacionElectronica.exe

explorer.exe

User:

admin

Company:

ICQ, Inc.

Integrity Level:

MEDIUM

Description:

ICQ Library

Exit code:

Version:

6.5.0.1005

Modules

Images
c:\users\admin\downloads\notificación electrónica judicial auto admisorio demanda laboral\006 notificacionelectronica.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

1 927

Read events

1 912

Write events

Delete events

Modification events


(PID) Process:	(6568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(6568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6568) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3524) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3524) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3524) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3524) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(7948) mmc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\FX:{c7b8fb06-bfe1-4c2e-9217-7a69a95bbac4}
Operation:	write	Name:	HelpTopic
Value: C:\WINDOWS\Help\taskscheduler.chm

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6568	WinRAR.exe	C:\Users\admin\Downloads\NOTIFICACIÓN ELECTRÓNICA JUDICIAL AUTO ADMISORIO DEMANDA LABORAL.tar.uue.tar		—
		MD5:—	SHA256:—
3524	WinRAR.exe	C:\Users\admin\Downloads\NOTIFICACIÓN ELECTRÓNICA JUDICIAL AUTO ADMISORIO DEMANDA LABORAL\hxirh		binary
		MD5:70FC27B068DDE93C2B74BEEC42CD62DA	SHA256:908294A6E49B8B4395708422AE6203A8DA74C7D4E56ABD28F5071EC6BFE1A8A4
3524	WinRAR.exe	C:\Users\admin\Downloads\NOTIFICACIÓN ELECTRÓNICA JUDICIAL AUTO ADMISORIO DEMANDA LABORAL\MDb.dll		executable
		MD5:BE1262B27FF4A4349B337CC95B7746E7	SHA256:AB47F3A52C1C2A7F1855C48E2D085E87345590B1FB78353C7070C3B6600843FD
3524	WinRAR.exe	C:\Users\admin\Downloads\NOTIFICACIÓN ELECTRÓNICA JUDICIAL AUTO ADMISORIO DEMANDA LABORAL\coolcore49.dll		executable
		MD5:02DDCE012B021879D5B3E980C48F2D2F	SHA256:4E38D88A59FC49EC56AAFB207777D1987A9711B457514F09FED221DBF640111A
3524	WinRAR.exe	C:\Users\admin\Downloads\NOTIFICACIÓN ELECTRÓNICA JUDICIAL AUTO ADMISORIO DEMANDA LABORAL\MCoreLib.dll		executable
		MD5:815B07C37C83B13457D37CA8C6A7A561	SHA256:153C1B5E96E7BC4C9F858C3CC3BC6CD5E09EF68776D95871CA38824C430654C4
7976	006 NotificacionElectronica.exe	C:\Users\admin\AppData\Roaming\PFX_system_x86\msvcp71.dll		executable
		MD5:561FA2ABB31DFA8FAB762145F81667C2	SHA256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B
7976	006 NotificacionElectronica.exe	C:\Users\admin\AppData\Roaming\PFX_system_x86\MDb.dll		executable
		MD5:BE1262B27FF4A4349B337CC95B7746E7	SHA256:AB47F3A52C1C2A7F1855C48E2D085E87345590B1FB78353C7070C3B6600843FD
7976	006 NotificacionElectronica.exe	C:\Users\admin\AppData\Roaming\PFX_system_x86\MCoreLib.dll		executable
		MD5:815B07C37C83B13457D37CA8C6A7A561	SHA256:153C1B5E96E7BC4C9F858C3CC3BC6CD5E09EF68776D95871CA38824C430654C4
7976	006 NotificacionElectronica.exe	C:\Users\admin\AppData\Roaming\PFX_system_x86\hxirh		binary
		MD5:70FC27B068DDE93C2B74BEEC42CD62DA	SHA256:908294A6E49B8B4395708422AE6203A8DA74C7D4E56ABD28F5071EC6BFE1A8A4
5208	cmd.exe	C:\Users\admin\AppData\Local\Temp\hqqxjkrgnm		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8088	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8088	SIHClient.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6680	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4556	svchost.exe	HEAD	200	2.19.126.155:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1733060243&P2=404&P3=2&P4=KexvhwabL%2frGn53mCz8hPfKKQPglWGykb2TofQgS6atnEoU6aDnKEV4CFLyBBqO%2bpCGW%2bYrLad1R0LwHod9pIw%3d%3d	unknown	—	—	whitelisted
4556	svchost.exe	GET	206	2.19.126.155:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1733060243&P2=404&P3=2&P4=KexvhwabL%2frGn53mCz8hPfKKQPglWGykb2TofQgS6atnEoU6aDnKEV4CFLyBBqO%2bpCGW%2bYrLad1R0LwHod9pIw%3d%3d	unknown	—	—	whitelisted
4556	svchost.exe	GET	206	2.19.126.155:80	http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/fb6dd03b-99d7-4cc8-a878-91c8e655c2d3?P1=1733060243&P2=404&P3=2&P4=KexvhwabL%2frGn53mCz8hPfKKQPglWGykb2TofQgS6atnEoU6aDnKEV4CFLyBBqO%2bpCGW%2bYrLad1R0LwHod9pIw%3d%3d	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	2.23.209.182:443	www.bing.com	Akamai International B.V.	GB	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
—	—	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	204.79.197.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
google.com	142.250.186.174	whitelisted
www.bing.com	2.23.209.182 2.23.209.183 2.23.209.133 2.23.209.130 2.23.209.187 2.23.209.131 2.23.209.185 2.23.209.189 2.23.209.181 2.23.209.135 2.23.209.161 2.23.209.148 2.23.209.193 2.23.209.150 2.23.209.177 2.23.209.176 2.23.209.158 2.23.209.179 2.23.209.160 2.23.209.140 2.23.209.149	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
edge.microsoft.com	204.79.197.239 13.107.21.239	whitelisted
edge-mobile-static.azureedge.net	13.107.246.45	whitelisted
business.bing.com	13.107.6.158	whitelisted

Threats

PID	Process	Class	Message
6964	msedge.exe	Misc activity	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
6964	msedge.exe	Misc activity	ET INFO DropBox User Content Domain (dl .dropboxusercontent .com in TLS SNI)
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2192	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2192	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2192	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2192	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain

Add for printing

Process	Message
mmc.exe	Constructor: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	OnInitialize: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	AddIcons: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn
mmc.exe	ProcessCommandLineArguments: Microsoft.TaskScheduler.SnapIn.TaskSchedulerSnapIn

General Info

AUTO ADMISORIO DEMANDA LABORAL.SVG

51BB8E20ED473A08553C7DBD575050DE

0C8506C50AA891298D665B7F6927215A2668150C

81CED42E28C0BCC03F07E227D3357BCCF5AE9666979DF6B3AF06E4F315C1A8E7

3072:O7ZHKZA/YokgsUW5eMQATO/iHhokPWm20ftLT719zmdkg+EK/AT9Ic7x8kg36zTD:+HKuZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executing a file with an untrusted certificate

ASYNCRAT has been detected (YARA)

ASYNCRAT has been detected (MUTEX)

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process drops C-runtime libraries

Starts CMD.EXE for commands execution

Connects to unusual port

INFO

Executable content was dropped or overwritten

Sends debugging messages

Malware configuration

Static information

TRiD

EXIF

SVG

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings