File name:

RV ACTA REFERENTE Y DETALLES DE LA DEMANDA..msg

Full analysis: https://app.any.run/tasks/1e2818a9-8b34-4a9b-af6a-5e861b12a491
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: July 17, 2024, 16:07:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
asyncrat
remote
Indicators:
MIME: application/vnd.ms-outlook
File info: CDFV2 Microsoft Outlook Message
MD5:

DFF3D0BFA2644F32B31E6D551AC6ECFC

SHA1:

14F54DFDFE0A1A0548F5311A168AFD74AE8CF5EF

SHA256:

DD4DF2885B12CB84FB7B448DA4E0C3A9D6177F27740317FEB402E258EF930CD1

SSDEEP:

1536:iWsXmusONOkicJZCq4v8QtwGugsHObVjmYGh6WbWHfna3UaiQWSWbWjcy9AW/d9f:iWcmujJTqwGJfJavd9nIQxrt4i

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts Visual C# compiler

      • EXPEDIENTE DEL PROCESO N° 4528-2932-22.exe (PID: 7524)
      • EXPEDIENTE DEL PROCESO N° 4528-2932-22.exe (PID: 7640)

    • Changes the autorun value in the registry

      • EXPEDIENTE DEL PROCESO N° 4528-2932-22.exe (PID: 7524)
      • EXPEDIENTE DEL PROCESO N° 4528-2932-22.exe (PID: 7640)

    • ASYNCRAT has been detected (SURICATA)

      • csc.exe (PID: 7660)

    • ASYNCRAT has been detected (YARA)

      • csc.exe (PID: 7660)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7832)
      • ShellExperienceHost.exe (PID: 7040)

    • Connects to unusual port

      • csc.exe (PID: 7660)

    • Contacting a server suspected of hosting an CnC

      • csc.exe (PID: 7660)

  • INFO

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 7008)

    • Reads the computer name

      • identity_helper.exe (PID: 7360)
      • csc.exe (PID: 7660)
      • ShellExperienceHost.exe (PID: 7040)
      • csc.exe (PID: 3832)

    • Checks supported languages

      • identity_helper.exe (PID: 7360)
      • EXPEDIENTE DEL PROCESO N° 4528-2932-22.exe (PID: 7524)
      • csc.exe (PID: 7660)
      • ShellExperienceHost.exe (PID: 7040)
      • csc.exe (PID: 3832)
      • EXPEDIENTE DEL PROCESO N° 4528-2932-22.exe (PID: 7640)

    • The process uses the downloaded file

      • msedge.exe (PID: 7384)
      • msedge.exe (PID: 7008)
      • WinRAR.exe (PID: 7832)

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 7832)
      • msedge.exe (PID: 7600)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7832)

    • Reads the software policy settings

      • slui.exe (PID: 3832)
      • csc.exe (PID: 7660)
      • slui.exe (PID: 7452)

    • Reads the machine GUID from the registry

      • csc.exe (PID: 7660)
      • csc.exe (PID: 3832)

    • Reads Environment values

      • csc.exe (PID: 7660)

    • Application launched itself

      • msedge.exe (PID: 7008)

    • Manual execution by a user

      • EXPEDIENTE DEL PROCESO N° 4528-2932-22.exe (PID: 7640)

    • Checks proxy server information

      • slui.exe (PID: 7452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(7660) csc.exe
C2 (1)pinchiec.duckdns.org
Ports (1)2245
Version1.0.7
Options
AutoRunfalse
MutexDcRatMutex_qwqdanchun
InstallFolder%AppData%
Certificates
Cert1MIICMDCCAZmgAwIBAgIVALHnIPqvO0ejsIiXRAS4cjBZw0S5MA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIyMTAxMzE2NDExOFoXDTMzMDcyMjE2NDExOFowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A...
Server_Signaturef+lO0R7wUJLMIxhZa0xEo0TVhyhA2tBY8FNXUjw7lz4NF3mDXzPJFo2CQD8+Z6FPpOxR0Nh+0gb3xY6ZCa1OL0hSBc8nNVmX4UK9jQ/B6+7zcSxsXn7FbfvIsLbcB5l7YWKlPRrljw5fRbuHm/nWA2j+xKPlcqQTL7oXZhVtczU=
Keys
AES8b51197aa1670e2ec4df53e5e2af4d3e22daef2d256da858c7e60115d448fcdc
SaltDcRatByqwqdanchun
No Malware configuration.

TRiD

.msg | Outlook Message (58.9)
.oft | Outlook Form Template (34.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
220
Monitored processes
72
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
start outlook.exe ai.exe no specs sppextcomobj.exe no specs slui.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs winrar.exe no specs winrar.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs expediente del proceso n° 4528-2932-22.exe slui.exe #ASYNCRAT csc.exe msedge.exe no specs msedge.exe no specs shellexperiencehost.exe no specs systemsettingsbroker.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs expediente del proceso n° 4528-2932-22.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs csc.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
736"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4208 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
764"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8100 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
836"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7448 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1140"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8052 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2360"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5704 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2648"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8148 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2848"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7444 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2888"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6968 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3088"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7412 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3628"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=8036 --field-trial-handle=2272,i,15895262647506042483,1819260806027930216,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
51 700
Read events
50 961
Write events
656
Delete events
83

Modification events

(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:writeName:6
Value:
01941A000000001000B24E9A3E05000000000000000500000000000000
(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\5396
Operation:writeName:0
Value:
0B0E100933DE8FB6594745903F4EDC3C2B44D0230046F198C5D5B78CB6ED016A04102400449A7D64B29D01008500A907556E6B6E6F776EC906022222CA0DC2190000C91003783634C511942AD2120B6F00750074006C006F006F006B002E00650078006500C51620C517808004C91808323231322D44656300
(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootCommand
Value:
(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:BootFailureCount
Value:
(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:delete keyName:(default)
Value:
(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:CantBootResolution
Value:
BootSuccess
(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:ProfileBeingOpened
Value:
Outlook
(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:SessionId
Value:
90DAD708-B605-4845-A6C4-89376D82CD0B
(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
Operation:writeName:BootDiagnosticsLogFile
Value:
C:\Users\admin\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16026_20146-20230209T1802460432-6544.etl
(PID) Process:(5396) OUTLOOK.EXEKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:delete valueName:ProfileBeingOpened
Value:
Executable files
15
Suspicious files
652
Text files
157
Unknown types
11

Dropped files

PID
Process
Filename
Type
5396OUTLOOK.EXEC:\USERS\ADMIN\DOCUMENTS\OUTLOOK FILES\OUTLOOK1.PST
MD5:
SHA256:
5396OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\FORMS\FRMDATA64.DATbinary
MD5:6D4DE3C5917BAA7B9B0C272974B2FD4E
SHA256:EA295E017CCCD7A740EE9B7BFED3CC7C0FBBE82C991C26C051F8B3F549AB2F14
5396OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbresbinary
MD5:EF217B4BBADD50AE85F71FB97691503D
SHA256:63CBD25B3DEF8ADB94C6CB370DE866376E80FBD16C37FEA04D60895230F1DD85
5396OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmabr
MD5:32E9ABA2F6EDCC254F56B7CE1C2C48B7
SHA256:CF582EB8BA8C072EFAD944596AA08C2058A5D721F9B7FE288E17C2D156F95770
5396OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9binary
MD5:2871E00FA381DEEDDD526C49C9DD0251
SHA256:8F04299146952F54957C31FAA7FE83B47E984201BDF58A02FDF3A87307A55E1A
5396OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bintext
MD5:EB4209652048C1BD81B51D0A094E81F0
SHA256:F2474560664203F3A86115ABC70CA50534323D50CB6B98C1F7FC50E809362D53
5396OUTLOOK.EXEC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187der
MD5:08C8BAB0115A8C6AEC75C4F68832B5F9
SHA256:E32B6DA18A96EF611EB75722AF09CD2EA06A6EC1E0583C86A759E8993424676A
7008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF1d669c.TMP
MD5:
SHA256:
7008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF1d669c.TMP
MD5:
SHA256:
7008msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF1d669c.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
47
TCP/UDP connections
177
DNS requests
176
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7396
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/aad09a72-80db-4ffe-81ce-9b317e7d891b?P1=1721432276&P2=404&P3=2&P4=dt72b2Rq2dPoGqCWemCMBOvv6t7ObWxCjsPQdt1uM3Fdagypl63ww2QysvC6BUmihtUae8h86hXkrCyBKznC1w%3d%3d
unknown
whitelisted
7396
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/aad09a72-80db-4ffe-81ce-9b317e7d891b?P1=1721432276&P2=404&P3=2&P4=dt72b2Rq2dPoGqCWemCMBOvv6t7ObWxCjsPQdt1uM3Fdagypl63ww2QysvC6BUmihtUae8h86hXkrCyBKznC1w%3d%3d
unknown
whitelisted
7396
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/aad09a72-80db-4ffe-81ce-9b317e7d891b?P1=1721432276&P2=404&P3=2&P4=dt72b2Rq2dPoGqCWemCMBOvv6t7ObWxCjsPQdt1uM3Fdagypl63ww2QysvC6BUmihtUae8h86hXkrCyBKznC1w%3d%3d
unknown
whitelisted
7396
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/aad09a72-80db-4ffe-81ce-9b317e7d891b?P1=1721432276&P2=404&P3=2&P4=dt72b2Rq2dPoGqCWemCMBOvv6t7ObWxCjsPQdt1uM3Fdagypl63ww2QysvC6BUmihtUae8h86hXkrCyBKznC1w%3d%3d
unknown
whitelisted
4656
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5396
OUTLOOK.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
3992
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5396
OUTLOOK.EXE
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6704
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
3396
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
188
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4032
svchost.exe
239.255.255.250:1900
whitelisted
2080
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3396
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4656
SearchApp.exe
2.23.209.182:443
www.bing.com
Akamai International B.V.
GB
unknown
4656
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
5396
OUTLOOK.EXE
52.113.194.132:443
ecs.office.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
3992
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
www.bing.com
  • 2.23.209.182
  • 2.23.209.187
  • 2.23.209.135
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.133
  • 2.23.209.179
  • 2.23.209.183
  • 2.23.209.185
  • 92.123.104.17
  • 92.123.104.28
  • 92.123.104.31
  • 92.123.104.27
  • 92.123.104.29
  • 92.123.104.32
  • 92.123.104.30
  • 92.123.104.18
  • 92.123.104.21
  • 2.23.209.181
  • 2.23.209.144
  • 2.23.209.158
  • 2.23.209.150
  • 2.23.209.149
  • 2.23.209.141
  • 2.23.209.177
  • 2.23.209.176
  • 92.123.104.14
  • 92.123.104.8
  • 92.123.104.15
  • 92.123.104.11
  • 92.123.104.9
  • 92.123.104.10
  • 92.123.104.16
  • 92.123.104.33
  • 92.123.104.59
  • 92.123.104.65
  • 92.123.104.61
  • 92.123.104.38
  • 92.123.104.62
  • 92.123.104.34
  • 92.123.104.37
  • 92.123.104.35
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.64
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.75
  • 20.190.159.23
  • 20.190.159.4
  • 20.190.159.73
  • 40.126.32.134
  • 20.190.160.17
  • 40.126.32.72
  • 40.126.32.140
  • 40.126.32.136
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.20
whitelisted
go.microsoft.com
  • 23.35.238.131
  • 184.28.89.167
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
roaming.officeapps.live.com
  • 52.109.68.129
whitelisted
omex.cdn.office.net
  • 23.48.23.11
  • 23.48.23.66
  • 23.48.23.18
  • 23.48.23.62
  • 23.48.23.30
  • 23.48.23.43
whitelisted
messaging.lifecycle.office.com
  • 52.111.243.12
whitelisted

Threats

PID
Process
Class
Message
2168
svchost.exe
Potentially Bad Traffic
ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2168
svchost.exe
Misc activity
ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
7660
csc.exe
Domain Observed Used for C2 Detected
REMOTE [ANY.RUN] AsyncRAT SSL certificate
7660
csc.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Malicious SSL Cert (AsyncRAT)
7660
csc.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] AsyncRAT Successful Connection
3840
msedge.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
3840
msedge.exe
Potentially Bad Traffic
ET DNS Query for .cc TLD
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RV ACTA REFERENTE Y DETALLES DE LA DEMANDA..msg