File name: lawlead.hta

Full analysis: https://app.any.run/tasks/a653d130-8b53-4c9d-bbe1-a353daa51d0a
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: June 03, 2025, 07:36:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
auto-reg
vidar
stealer
telegram
emmenhtal
rat
asyncrat
remote
purehvnc
netreactor
Indicators:
MD5: 35E56BE94682A26AE1716B5A9A90E864
SHA1: 0BF1829477A1F146177CA52E04D973056A43DCCC
SHA256: CE413076BD4212FE671FE3CD3DA55F426BC4A8A198630F3F1A8AA51B973AF62B
SSDEEP: 1536:D+fYsBsIDjBL2ykEfUbl+d32aFd3ZaDVJwGsyIBI9qhb05Cede0yO:D+fYsvSESkme0V

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads files via BITSADMIN.EXE

      • mshta.exe (PID: 5344)
    • EMMENHTAL has been detected (YARA)

      • mshta.exe (PID: 5344)
    • Changes the autorun value in the registry

      • reallyworkplace.exe (PID: 7604)
    • VIDAR mutex has been found

      • AppLaunch.exe (PID: 4776)
    • Actions look like stealing of personal data

      • AddInProcess32.exe (PID: 7660)
      • AppLaunch.exe (PID: 4776)
    • VIDAR has been detected (SURICATA)

      • AppLaunch.exe (PID: 4776)
    • Steals credentials from Web Browsers

      • AppLaunch.exe (PID: 4776)
    • ASYNCRAT has been detected (SURICATA)

      • AddInProcess32.exe (PID: 7660)
    • PUREHVNC has been detected (YARA)

      • AddInProcess32.exe (PID: 7660)
  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 1056)
    • Process requests binary or script from the Internet

      • svchost.exe (PID: 1056)
    • Connects to the server without a host name

      • svchost.exe (PID: 1056)
    • Process drops legitimate windows executable

      • ittechnical.exe (PID: 7512)
      • reallyworkplace.exe (PID: 7604)
      • focusprospect.exe (PID: 7432)
    • The process drops C-runtime libraries

      • ittechnical.exe (PID: 7512)
      • reallyworkplace.exe (PID: 7604)
      • focusprospect.exe (PID: 7432)
    • Executable content was dropped or overwritten

      • ittechnical.exe (PID: 7512)
      • svchost.exe (PID: 1056)
      • reallyworkplace.exe (PID: 7604)
      • focusprospect.exe (PID: 7432)
      • csc.exe (PID: 968)
      • csc.exe (PID: 6404)
      • csc.exe (PID: 4572)
      • csc.exe (PID: 7848)
      • csc.exe (PID: 5892)
      • csc.exe (PID: 1184)
      • csc.exe (PID: 4212)
      • csc.exe (PID: 5416)
      • csc.exe (PID: 4212)
      • csc.exe (PID: 2852)
      • csc.exe (PID: 5864)
    • Executes application which crashes

      • reallyworkplace.exe (PID: 7816)
    • Connects to unusual port

      • AddInProcess32.exe (PID: 7660)
    • Contacting a server suspected of hosting a CnC

      • AddInProcess32.exe (PID: 7660)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • AppLaunch.exe (PID: 4776)
    • Reads security settings of Internet Explorer

      • AppLaunch.exe (PID: 4776)
    • Searches for installed software

      • AppLaunch.exe (PID: 4776)
    • BASE64 encoded PowerShell command has been detected

      • AppLaunch.exe (PID: 4776)
    • Starts POWERSHELL.EXE for commands execution

      • AppLaunch.exe (PID: 4776)
    • Gets content of a file (POWERSHELL)

      • powershell.exe (PID: 7488)
      • powershell.exe (PID: 4784)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 968)
      • csc.exe (PID: 6404)
      • csc.exe (PID: 1184)
      • csc.exe (PID: 4572)
      • csc.exe (PID: 7848)
      • csc.exe (PID: 5892)
      • csc.exe (PID: 2852)
      • csc.exe (PID: 5416)
      • csc.exe (PID: 4212)
      • csc.exe (PID: 4212)
      • csc.exe (PID: 5864)
    • The process hides an interactive prompt from the user

      • AppLaunch.exe (PID: 4776)
    • Base64-obfuscated command line is found

      • AppLaunch.exe (PID: 4776)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7488)
      • powershell.exe (PID: 4784)
    • Multiple wallet extension IDs have been found

      • AddInProcess32.exe (PID: 7660)
    • The process bypasses the loading of PowerShell profile settings

      • AppLaunch.exe (PID: 4776)
  • INFO

    • Creates files in a temporary directory

      • svchost.exe (PID: 1056)
      • ittechnical.exe (PID: 7512)
      • focusprospect.exe (PID: 7432)
      • powershell.exe (PID: 7488)
      • csc.exe (PID: 968)
      • cvtres.exe (PID: 6240)
      • AppLaunch.exe (PID: 4776)
      • cvtres.exe (PID: 4892)
      • csc.exe (PID: 6404)
      • powershell.exe (PID: 4784)
      • powershell.exe (PID: 7608)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 5344)
    • Checks supported languages

      • ittechnical.exe (PID: 7512)
      • reallyworkplace.exe (PID: 7604)
      • AddInProcess32.exe (PID: 7660)
      • reallyworkplace.exe (PID: 7816)
      • nextspecialist.exe (PID: 6192)
      • AddInProcess32.exe (PID: 1184)
      • AppLaunch.exe (PID: 4776)
      • focusprospect.exe (PID: 7432)
      • csc.exe (PID: 968)
      • cvtres.exe (PID: 6240)
      • csc.exe (PID: 6404)
      • cvtres.exe (PID: 4892)
    • The sample is compiled with English language support

      • ittechnical.exe (PID: 7512)
      • svchost.exe (PID: 1056)
      • reallyworkplace.exe (PID: 7604)
      • focusprospect.exe (PID: 7432)
    • Reads the computer name

      • reallyworkplace.exe (PID: 7604)
      • AddInProcess32.exe (PID: 7660)
      • AppLaunch.exe (PID: 4776)
      • AddInProcess32.exe (PID: 1184)
    • Launch of the file from Registry key

      • reallyworkplace.exe (PID: 7604)
    • Manual execution by a user

      • cmd.exe (PID: 7756)
      • AppLaunch.exe (PID: 4776)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7952)
      • AppLaunch.exe (PID: 4776)
    • Reads the machine GUID from the registry

      • AddInProcess32.exe (PID: 1184)
      • AddInProcess32.exe (PID: 7660)
      • AppLaunch.exe (PID: 4776)
      • csc.exe (PID: 968)
      • csc.exe (PID: 6404)
    • Checks proxy server information

      • AppLaunch.exe (PID: 4776)
    • Reads the software policy settings

      • AddInProcess32.exe (PID: 7660)
      • AppLaunch.exe (PID: 4776)
      • powershell.exe (PID: 7488)
      • powershell.exe (PID: 4784)
      • powershell.exe (PID: 7608)
    • Reads Environment values

      • AppLaunch.exe (PID: 4776)
    • Reads product name

      • AppLaunch.exe (PID: 4776)
    • Reads CPU info

      • AppLaunch.exe (PID: 4776)
    • Creates files in the program directory

      • AppLaunch.exe (PID: 4776)
    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 7488)
      • powershell.exe (PID: 4784)
      • powershell.exe (PID: 7608)
    • Application launched itself

      • chrome.exe (PID: 7316)
      • chrome.exe (PID: 1228)
      • chrome.exe (PID: 7668)
      • chrome.exe (PID: 8064)
      • chrome.exe (PID: 7496)
      • chrome.exe (PID: 7868)
      • chrome.exe (PID: 5280)
      • chrome.exe (PID: 7404)
      • chrome.exe (PID: 7416)
      • chrome.exe (PID: 6240)
      • chrome.exe (PID: 2796)
    • .NET Reactor protector has been detected

      • AddInProcess32.exe (PID: 7660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 315
Monitored processes: 179
Malicious processes: 6
Suspicious processes: 2

Behavior graph

(Interactive graph; click a process in the full report to see its details.) Processes shown in the graph, in order: mshta.exe (#EMMENHTAL), bitsadmin.exe, conhost.exe, bitsadmin.exe, conhost.exe, svchost.exe, ittechnical.exe, bitsadmin.exe, conhost.exe, reallyworkplace.exe, conhost.exe, addinprocess32.exe (#ASYNCRAT), cmd.exe, conhost.exe, reallyworkplace.exe, conhost.exe, werfault.exe, focusprospect.exe, nextspecialist.exe, conhost.exe, addinprocess32.exe, applaunch.exe (#VIDAR), chrome.exe, followed by repeated groups of chrome.exe, powershell.exe, conhost.exe, csc.exe and cvtres.exe processes and one slui.exe; most of these later entries are marked "no specs" in the graph.

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 444
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3408 --field-trial-handle=2084,i,5207016373265523249,15466093620098059637,262144 --variations-seed-version /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 496
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4436 --field-trial-handle=1984,i,1183437505619318941,9797488704749067970,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 644
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2116 --field-trial-handle=1884,i,8698115896851077757,4894765569486950941,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 660
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1912,i,13149193663991232625,3757959813021146651,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 684
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4816 --field-trial-handle=2068,i,11540199767983464957,5473834229159094101,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 716
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ffc88b6dc40,0x7ffc88b6dc4c,0x7ffc88b6dc58
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 968
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\k02fxmhb.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 968
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1884,i,8698115896851077757,4894765569486950941,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1056
CMD: C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITS
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1132
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 96 060
Read events: 96 001
Write events: 59
Delete events: 0

Modification events

(PID) Process: (1056) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
Operation: write
Name: PerfMMFileName
Value: Global\MMF_BITSdfa04116-d9e4-448a-938a-d0a97e4021df

(PID) Process: (7604) reallyworkplace.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: reallyworkplace
Value: cmd.exe /C start "" /D "C:\Users\admin\SystemRootDoc" "C:\Users\admin\SystemRootDoc\reallyworkplace.exe"

(PID) Process: (5344) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (5344) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5344) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4776) AppLaunch.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (4776) AppLaunch.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (4776) AppLaunch.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1228) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

(PID) Process: (1228) chrome.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0
Executable files: 24
Suspicious files: 55
Text files: 294
Unknown types: 98

Dropped files

PID | Process | Filename | Type

7952 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_reallyworkplace._688f3999559353f34b896d422e323d3c257111b_cb45ab4d_0f44ae60-5eec-4553-b452-58fc122d648d\Report.wer | (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

1056 | svchost.exe | C:\Users\admin\AppData\Local\Temp\BITB171.tmp | html
MD5: 7964E1D2D086AFC1B6E7BF4D7801E444
SHA256: AA1217E2BA8F58338045054D861C10A4404A7F169F799CCF665454D69508DCD9

1056 | svchost.exe | C:\ProgramData\Microsoft\Network\Downloader\qmgr.db | edb
MD5: A6680A2D84C7DDED9821764210521764
SHA256: 87DEF3134A566C7AEA4A2C6AABCE9C49C5213FE80578B6E2C67879FD33103FC1

1056 | svchost.exe | C:\Users\admin\AppData\Local\Temp\BITB150.tmp | executable
MD5: 657AEC20E632D4A19670B8A144C2E7A9
SHA256: C1DCA23A37750E7D9ED551B3529CBDE04EDBC84D066BC8074B1CCDEF0C9EBC94

7512 | ittechnical.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\jli.dll | executable
MD5: 3DDBD787C36CDED90502DCA0B1AD4BF9
SHA256: 536F3DCE08820839FA70CA6E67E7C2DCECD2455967C248FF9113B5A0260C094A

7512 | ittechnical.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\msvcp1403.dll | pi2
MD5: A5A094456EE89F7E39227CE1B02E4F82
SHA256: 17AF0C5DE2E60C44263FEBE7F488C54733219663842676D028547F8717844CB6

7604 | reallyworkplace.exe | C:\Users\admin\SystemRootDoc\msvcp1403.dll | pi2
MD5: A5A094456EE89F7E39227CE1B02E4F82
SHA256: 17AF0C5DE2E60C44263FEBE7F488C54733219663842676D028547F8717844CB6

1056 | svchost.exe | C:\Users\admin\AppData\Local\Temp\ittechnical.exe | executable
MD5: 657AEC20E632D4A19670B8A144C2E7A9
SHA256: C1DCA23A37750E7D9ED551B3529CBDE04EDBC84D066BC8074B1CCDEF0C9EBC94

7512 | ittechnical.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\reallyworkplace.exe | executable
MD5: 05550AF47A67A6FBD58E3F8E24423517
SHA256: 9811697DB89F5A251833AF25FA949E001EEDA086845078329204E75FCFAA5616

1056 | svchost.exe | C:\Users\admin\AppData\Local\Temp\BITE979.tmp | executable
MD5: F178CC05BEE53F2A882FFB959D774B52
SHA256: 6BEA65194265C5BE125057323D34C9CBA20D19F11986AD614C045D0254A8374A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 121
DNS requests: 124
Threats: 20

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row)

5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.200:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1056 | svchost.exe | HEAD | 200 | 195.82.147.93:80 | http://195.82.147.93/adm005/052925-sg/ittechnical.exe | unknown | unknown
1056 | svchost.exe | GET | 200 | 195.82.147.93:80 | http://195.82.147.93/adm005/052925-sg/ittechnical.exe | unknown | unknown
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1056 | svchost.exe | HEAD | 200 | 195.82.147.93:80 | http://195.82.147.93/adm005/052925-sgv/focusprospect.exe | unknown | unknown
8120 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1056 | svchost.exe | GET | 200 | 195.82.147.93:80 | http://195.82.147.93/adm005/052925-sgv/focusprospect.exe | unknown | unknown
8120 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | | | | whitelisted
(not shown) | (not shown) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.168.200:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5496 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
5796 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6456 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5344 | mshta.exe | 104.21.32.1:443 | ms-team-connect.com | CLOUDFLARENET | | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
3812 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
1056 | svchost.exe | 104.21.32.1:443 | ms-team-connect.com | CLOUDFLARENET | | unknown

DNS requests

Domain: IP(s) (Reputation)

google.com: 142.250.185.78 (whitelisted)
crl.microsoft.com: 2.16.168.200, 2.16.168.199 (whitelisted)
www.microsoft.com: 2.23.246.101 (whitelisted)
ms-team-connect.com: 104.21.32.1, 104.21.48.1, 104.21.96.1, 104.21.64.1, 104.21.112.1, 104.21.80.1, 104.21.16.1 (unknown)
login.live.com: 20.190.159.4, 40.126.31.69, 20.190.159.130, 20.190.159.23, 20.190.159.2, 40.126.31.0, 40.126.31.1, 20.190.159.75 (whitelisted)
ocsp.digicert.com: 2.23.77.188 (whitelisted)
client.wns.windows.com: 172.211.123.250 (whitelisted)
settings-win.data.microsoft.com: 4.231.128.59 (whitelisted)
slscr.update.microsoft.com: 52.149.20.212 (whitelisted)
fe3cr.delivery.mp.microsoft.com: 13.95.31.18 (whitelisted)

Threats

PID | Process | Class | Message

1056 | svchost.exe | Misc activity | ET HUNTING Suspicious BITS EXE DL From Dotted Quad
1056 | svchost.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
1056 | svchost.exe | Misc activity | ET HUNTING Suspicious BITS EXE DL From Dotted Quad
1056 | svchost.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
1056 | svchost.exe | Misc activity | ET INFO Packed Executable Download
1056 | svchost.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
1056 | svchost.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
1056 | svchost.exe | Misc Attack | ET DROP Dshield Block Listed Source group 1
1056 | svchost.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
1056 | svchost.exe | Misc activity | ET HUNTING Suspicious BITS EXE DL From Dotted Quad
No debug info