File name:

StatementNumber#vfnwfrsysl.wsf

Full analysis: https://app.any.run/tasks/24494137-79d6-47f1-ab50-16844ecab24b
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: February 12, 2024, 17:26:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
asyncrat
remote
Indicators:
MIME: text/plain
File info: Unicode text, UTF-8 text, with very long lines (4923)
MD5:

41895B624BC77C2921E6E1BEBE1B6CED

SHA1:

E920FB9EC50C2EC43591BD2D8C99B6E6D70270B5

SHA256:

C5C76A901DFE2FE33A01F3D1E3B3F82C99A5B0E4898E1B78B76AC6E7A48E5419

SSDEEP:

384:UIvIvIvIvIvIvIvIvIvIvIvIgIvIvIvIvIvIvIvIvIvIvIvIrIvIvIvIvIvIvIvr:Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Probably downloads file via BitsAdmin

      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 5928)
      • powershell.exe (PID: 6868)

    • Scans artifacts that could help determine the target

      • wscript.exe (PID: 5924)

    • ASYNCRAT has been detected (SURICATA)

      • wscript.exe (PID: 5924)

    • Unusual connection from system programs

      • wscript.exe (PID: 5924)

  • SUSPICIOUS

    • Likely accesses (executes) a file from the Public directory

      • powershell.exe (PID: 3888)
      • wscript.exe (PID: 4540)
      • cmd.exe (PID: 1040)
      • powershell.exe (PID: 5928)
      • cmd.exe (PID: 6808)
      • powershell.exe (PID: 6868)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 5924)
      • cmd.exe (PID: 1040)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 6152)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5924)
      • wscript.exe (PID: 4540)
      • wscript.exe (PID: 6660)

    • The process executes VB scripts

      • wscript.exe (PID: 5924)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 4540)
      • wscript.exe (PID: 6660)

    • Application launched itself

      • wscript.exe (PID: 5924)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 4540)
      • wscript.exe (PID: 6660)

    • Reads security settings of Internet Explorer

      • TextInputHost.exe (PID: 5892)

    • The process executes Powershell scripts

      • cmd.exe (PID: 6152)

  • INFO

    • Checks proxy server information

      • wscript.exe (PID: 5924)

    • Manual execution by a user

      • msedge.exe (PID: 1544)
      • wscript.exe (PID: 6660)
      • cmd.exe (PID: 6152)
      • wscript.exe (PID: 6412)
      • wscript.exe (PID: 6572)
      • notepad.exe (PID: 7096)

    • Application launched itself

      • msedge.exe (PID: 1544)

    • Checks supported languages

      • TextInputHost.exe (PID: 5892)
      • curl.exe (PID: 6244)
      • identity_helper.exe (PID: 4468)

    • Reads the computer name

      • TextInputHost.exe (PID: 5892)
      • identity_helper.exe (PID: 4468)
      • curl.exe (PID: 6244)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 1544)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
175
Monitored processes
41
Malicious processes
3
Suspicious processes
3

Behavior graph

Click at the process to see the details
start #ASYNCRAT wscript.exe powershell.exe no specs conhost.exe no specs wscript.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs filecoauth.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs textinputhost.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs curl.exe wscript.exe no specs wscript.exe no specs wscript.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe no specs notepad.exe no specs msedge.exe no specs powershell.exe no specs aspnet_compiler.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
504"C:\Windows\System32\net.exe" sessionC:\Windows\System32\net.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\wkscli.dll
784"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 --field-trial-handle=2040,i,181056473905788032,4278744245337240341,131072 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
107.0.1418.26
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\107.0.1418.26\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
848\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1040C:\WINDOWS\system32\cmd.exe /c ""C:\Users\Public\node.bat" "C:\Windows\System32\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
1480"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 --field-trial-handle=2040,i,181056473905788032,4278744245337240341,131072 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
107.0.1418.26
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\107.0.1418.26\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
1544"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
107.0.1418.26
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\107.0.1418.26\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
2276"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 --field-trial-handle=2040,i,181056473905788032,4278744245337240341,131072 /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
107.0.1418.26
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\107.0.1418.26\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
3024"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=107.0.5304.90 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=107.0.1418.26 --initial-client-data=0xfc,0x100,0x104,0xd8,0x110,0x7ffb88aeb208,0x7ffb88aeb218,0x7ffb88aeb228C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
107.0.1418.26
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\107.0.1418.26\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
3116\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3216"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=3780 --field-trial-handle=2040,i,181056473905788032,4278744245337240341,131072 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
107.0.1418.26
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\107.0.1418.26\msedge_elf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
Total events
40 273
Read events
40 181
Write events
90
Delete events
2

Modification events

(PID) Process:(5924) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(5924) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(5924) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(5924) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(5924) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5924) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5924) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3888) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3888) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3888) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
Executable files
0
Suspicious files
26
Text files
66
Unknown types
40

Dropped files

PID
Process
Filename
Type
3888powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uluwfezl.rok.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_aow4hdg3.xxx.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ecocbi04.mox.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l1ylofaa.rug.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_are4b00l.adn.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888powershell.exeC:\Users\Public\msg.dlltext
MD5:A4BFB12DBF9DA83178AE54E82BA3A432
SHA256:27D5BD8CB077905BE7AB576F344C27F140B5585EF471F68638A8791C07FDA0CE
3888powershell.exeC:\Users\Public\node.battext
MD5:5AB047C9EEB2B24CBCD05D36C2EE3D6E
SHA256:18934EF2AFE41B258428A1558BD69AD71F8629BE67F1F01559F6A952B2080129
3888powershell.exeC:\Users\Public\load.dlltext
MD5:F19DBF2EDB3A0BD74B0524D960FF21EB
SHA256:8A6BDB6B18DA586FE7F2ACBD8F1055533F2CD97A3681B3652BCD712224DF45C3
5924wscript.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\D9H4GX35\g4[1].txttext
MD5:8471B9F9D9E51433F25D31823A43A59C
SHA256:14B1DD86E80AD1148017CDA4DCDAF6CD03CC3487722FA1EE1C36C4B54AC425B1
3888powershell.exeC:\Users\Public\shell.jstext
MD5:D71E2D55EE0534B06313F71AEFD921B9
SHA256:43BDD5E0B846271A4BAE3A4F74C8310B914497ABD2FFE0E1886EC9FEC9F25ECD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
65
DNS requests
34
Threats
29

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5924
wscript.exe
GET
200
37.1.214.209:80
http://37.1.214.209/g4.txt
unknown
text
546 b
2592
wermgr.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
binary
1.01 Kb
2420
svchost.exe
HEAD
200
37.1.214.209:80
http://newhost.dyndns.info/f.jpg
unknown
2420
svchost.exe
GET
200
37.1.214.209:80
http://newhost.dyndns.info/f.jpg
unknown
compressed
223 Kb
2592
wermgr.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
binary
814 b
4128
CompatTelRunner.exe
GET
200
88.221.110.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
binary
824 b
4128
CompatTelRunner.exe
GET
200
2.18.97.123:80
http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl
unknown
binary
564 b
5476
msedge.exe
GET
204
13.107.6.158:80
http://edge-http.microsoft.com/captiveportal/generate_204
unknown
5476
msedge.exe
GET
200
37.1.214.209:80
http://newhost.dyndns.info/f.jpg
unknown
compressed
223 Kb
5476
msedge.exe
GET
200
37.1.214.209:80
http://newhost.dyndns.info/favicon.ico
unknown
image
30.1 Kb
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
5924
wscript.exe
37.1.214.209:80
newhost.dyndns.info
HVC-AS
US
unknown
2592
wermgr.exe
52.182.143.212:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2592
wermgr.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
3012
svchost.exe
239.255.255.250:1900
unknown
2592
wermgr.exe
23.218.209.163:80
www.microsoft.com
AKAMAI-AS
DE
unknown
2592
wermgr.exe
20.189.173.20:443
umwatson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2420
svchost.exe
37.1.214.209:80
newhost.dyndns.info
HVC-AS
US
unknown
2420
svchost.exe
104.20.23.46:443
nodejs.org
CLOUDFLARENET
unknown
2592
wermgr.exe
20.42.65.92:443
umwatson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
  • 88.221.110.114
  • 88.221.110.122
unknown
www.microsoft.com
  • 23.218.209.163
  • 2.18.97.123
unknown
umwatson.events.data.microsoft.com
  • 20.189.173.20
  • 20.42.65.92
unknown
newhost.dyndns.info
  • 37.1.214.209
unknown
nodejs.org
  • 104.20.23.46
  • 104.20.22.46
unknown
self.events.data.microsoft.com
  • 20.42.65.89
unknown
ntp.msn.com
  • 204.79.197.203
unknown
config.edge.skype.com
  • 13.107.42.16
unknown
edge-http.microsoft.com
  • 13.107.6.158
unknown
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
unknown

Threats

PID
Process
Class
Message
A Network Trojan was detected
SUSPICIOUS [ANY.RUN] VBS is used to run Shell
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.dyndns .info Domain
Misc activity
AV INFO DYNAMIC_DNS Query to *.dyndns. Domain
Misc activity
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
Misc activity
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .info Domain
Potentially Bad Traffic
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .info Domain
Misc activity
ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.dyndns .info Domain
Misc activity
AV INFO DYNAMIC_DNS Query to *.dyndns. Domain
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
StatementNumber#vfnwfrsysl.wsf