File name:	async_modified.zip
Full analysis:	https://app.any.run/tasks/32e8f5b7-d2b4-48c0-8d45-7ac467c987c1
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	November 23, 2024, 22:22:43
OS:	Windows 11 Professional (build: 22000, 64 bit)
Tags:	arch-exec anydesk tool adware asyncrat
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	E37FA9593121CC84AEB257F51E83F2F6
SHA1:	BDE5DDE707A62B66EDF968890AF7EF49B637675F
SHA256:	D9A3252D8AA1CE8786FD29D68C4D77018A61C51073AAFF82DB00AE5355704110
SSDEEP:	393216:/35Q4iemP/9W78wdMkf5e2ARlTEsYOR7ceR:xv7zdn5ePRN3R7cY

ZipRequiredVersion:	20
ZipBitFlag:	0x0002
ZipCompression:	Deflated
ZipModifyDate:	2023:02:10 08:09:24
ZipCRC:	0x471efb00
ZipCompressedSize:	37369
ZipUncompressedSize:	237056
ZipFileName:	async_modified/BackProxyUI.exe


(PID) Process:	(1600) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(1600) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(1600) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(1600) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(1600) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\async_modified.zip
(PID) Process:	(1600) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1600) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1600) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(1600) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(2400) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:

PID	Process	Filename		Type
5904	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BackProxyUI.exe_477aaf8d7f38de298b1c8b7a64ef51344e3fbe6_9c733296_f7583022-3bb4-4c97-81c8-444dc04abce3\Report.wer		—
		MD5:—	SHA256:—
5904	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\BackProxyUI.exe.1056.dmp		—
		MD5:—	SHA256:—
1220	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Stub.exe_6450a6e7d5d44cb43cc147722c2a43a784981f1_f7fb6c67_5b33455a-32d4-4da3-96fd-1348ab509739\Report.wer		—
		MD5:—	SHA256:—
1220	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\Stub.exe.5776.dmp		—
		MD5:—	SHA256:—
1220	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER.af63e832-0459-4948-a4e7-8d8e823afdc8.tmp.dmp		binary
		MD5:712F3830C6907DA0248CCB727AB83915	SHA256:F8EF33CB5E142DCA7E7C14D74E83BFBE0520B8A849BADBAFDBEC947177FE1C9E
1220	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER.a1f7ac76-b40d-4013-b59b-819f87df7b31.tmp.xml		xml
		MD5:232E02D791CBA35E5292E354FDD80FF2	SHA256:3A531CEB56E99912CA0100BA22878A05573093550D5AD3F6EEAAD70CD780F92C
5904	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER.847014b8-5a82-477f-a99c-08e62f721263.tmp.dmp		binary
		MD5:8D153CACFFE83EEB76A9B7A446946BD6	SHA256:125F7B8EDFDBD9606681DCF3B8F01B6AA754FACF2EA31F269CAB61C40A5576D5
1220	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER.649141a3-c097-4671-a7b9-f34a50f4e441.tmp.WERInternalMetadata.xml		xml
		MD5:28515B39E24391E3BA08C9A24FBFE0CC	SHA256:2A3D50AD1C96C3D64B032E5DE034F6FFA440C9623661DDDB5471391ACD7737C2
5904	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER.a336ecda-23dc-439c-90af-23cd63a3cd72.tmp.WERInternalMetadata.xml		xml
		MD5:78C32BE118A9185E3F42AFB591B57927	SHA256:8D9A0FD98C69256357DBCED7CCC4F83695C5D4A963D0B80998F8D396EAFDC4EA
1028	AnyDesk.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DGE9UMLCL8JD9NKS172A.temp		binary
		MD5:279CF40A79F61B90C2E2EAD431C0C0EE	SHA256:526CD866C3E9E765392A648A4D887466C160133EABD07D130606AA5C2129A0A7

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f9a4bd63d3afea63	unknown	—	—	whitelisted
4980	MoUsoCoreWorker.exe	GET	304	199.232.210.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4bee9aca38d7fab2	unknown	—	—	whitelisted
1296	svchost.exe	GET	200	2.18.121.71:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
5488	firefox.exe	POST	200	2.16.202.121:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
5488	firefox.exe	POST	200	192.229.221.95:80	http://ocsp.digicert.com/	unknown	—	—	whitelisted
5488	firefox.exe	POST	200	2.16.202.121:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
5488	firefox.exe	POST	200	2.16.202.121:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
—	—	HEAD	200	23.213.164.137:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	—
6208	AnyDesk.exe	POST	—	18.245.86.79:80	http://api.playanext.com/httpapi	unknown	—	—	whitelisted
2860	svchost.exe	GET	304	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bdb78aa50ddaee77	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
5488	firefox.exe	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
—	—	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	whitelisted
5488	firefox.exe	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	whitelisted
—	—	34.120.208.123:443	incoming.telemetry.mozilla.org	GOOGLE-CLOUD-PLATFORM	US	whitelisted
—	—	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1296	svchost.exe	2.18.121.71:80	—	AKAMAI-AS	FR	unknown
—	—	199.232.210.172:80	ctldl.windowsupdate.com	FASTLY	US	whitelisted

Domain	IP	Reputation
officeclient.microsoft.com	52.109.76.240	whitelisted
firefox.settings.services.mozilla.com	34.149.100.209	whitelisted
incoming.telemetry.mozilla.org	34.120.208.123	whitelisted
telemetry-incoming.r53-2.services.mozilla.com	34.120.208.123	whitelisted
prod.remote-settings.prod.webservices.mozgcp.net	34.149.100.209	whitelisted
google.com	216.58.206.46	whitelisted
ctldl.windowsupdate.com	199.232.210.172 199.232.214.172	whitelisted
r10.o.lencr.org	2.16.202.121 95.101.54.131	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
fp2e7a.wpc.phicdn.net	192.229.221.95 2606:2800:233:fa02:67b:9ff6:6107:833	whitelisted

PID	Process	Class	Message
1296	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
6208	AnyDesk.exe	Potential Corporate Privacy Violation	ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
6208	AnyDesk.exe	Possibly Unwanted Program Detected	ADWARE [ANY.RUN] Driver Updater Setup Process

General Info

async_modified.zip

E37FA9593121CC84AEB257F51E83F2F6

BDE5DDE707A62B66EDF968890AF7EF49B637675F

D9A3252D8AA1CE8786FD29D68C4D77018A61C51073AAFF82DB00AE5355704110

393216:/35Q4iemP/9W78wdMkf5e2ARlTEsYOR7ceR:xv7zdn5ePRN3R7cY

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADWARE has been detected (SURICATA)

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Executes application which crashes

ANYDESK has been found

Found AnyDesk certificate that may have been compromised

Application launched itself

Reads the Internet Settings

Executable content was dropped or overwritten

Access to an unwanted program domain was detected

Potential Corporate Privacy Violation

INFO

Checks supported languages

Manual execution by a user

Reads the computer name

The process uses the downloaded file

Process checks whether UAC notifications are on

Creates files or folders in the user directory

Reads CPU info

Reads the machine GUID from the registry

Reads security settings of Internet Explorer

Checks proxy server information

Reads Microsoft Office registry keys

Reads the software policy settings

Reads the Internet Settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings