File name:

09f9239ecacfd97c6f2fa98b0c322cfdca361d0164529e95378db63723ba0cf2.ps1

Full analysis: https://app.any.run/tasks/7e9ecac6-135d-4164-a01a-8fc39e50794f
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: April 22, 2025, 17:47:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-reg
stealer
rat
asyncrat
remote
purehvnc
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (1180), with no line terminators
MD5:

4402948E078A76B46E1A34649FAEC16B

SHA1:

532C18FA69E43EF37802B6F5843C8E0C5AFD5B3F

SHA256:

09F9239ECACFD97C6F2FA98B0C322CFDCA361D0164529E95378DB63723BA0CF2

SSDEEP:

24:qGwLyf/16uSseKj5kjcGBbyy42F9NFKaaGB49t4y1n7oRnIpby:qGwLG/1TEe2cGBbA2v6a9Bst4yl7opIs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 7576)

    • Changes the autorun value in the registry

      • NVmicroserviceX32checksSystx.exe (PID: 7972)

    • Actions looks like stealing of personal data

      • AddInProcess32.exe (PID: 8032)

    • ASYNCRAT has been detected (SURICATA)

      • AddInProcess32.exe (PID: 8032)

    • PUREHVNC has been detected (YARA)

      • AddInProcess32.exe (PID: 8032)

  • SUSPICIOUS

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 7576)

    • Process drops legitimate windows executable

      • powershell.exe (PID: 7576)
      • NVmicroserviceX32checksSystx.exe (PID: 7972)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7576)
      • NVmicroserviceX32checksSystx.exe (PID: 7972)

    • The process drops C-runtime libraries

      • powershell.exe (PID: 7576)
      • NVmicroserviceX32checksSystx.exe (PID: 7972)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 7576)

    • Contacting a server suspected of hosting an CnC

      • AddInProcess32.exe (PID: 8032)

    • Connects to unusual port

      • AddInProcess32.exe (PID: 8032)

    • Multiple wallet extension IDs have been found

      • AddInProcess32.exe (PID: 8032)

  • INFO

    • Checks proxy server information

      • powershell.exe (PID: 7576)
      • slui.exe (PID: 2392)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7576)

    • Disables trace logs

      • powershell.exe (PID: 7576)

    • The sample compiled with english language support

      • powershell.exe (PID: 7576)
      • NVmicroserviceX32checksSystx.exe (PID: 7972)

    • The executable file from the user directory is run by the Powershell process

      • NVmicroserviceX32checksSystx.exe (PID: 7972)

    • Checks supported languages

      • NVmicroserviceX32checksSystx.exe (PID: 7972)
      • NVmicroserviceX32checksSystx.exe (PID: 8144)
      • AddInProcess32.exe (PID: 8188)
      • AddInProcess32.exe (PID: 8032)

    • Reads the computer name

      • NVmicroserviceX32checksSystx.exe (PID: 7972)
      • AddInProcess32.exe (PID: 8032)
      • NVmicroserviceX32checksSystx.exe (PID: 8144)
      • AddInProcess32.exe (PID: 8188)

    • Auto-launch of the file from Registry key

      • NVmicroserviceX32checksSystx.exe (PID: 7972)

    • Manual execution by a user

      • cmd.exe (PID: 8072)

    • Reads the machine GUID from the registry

      • AddInProcess32.exe (PID: 8032)
      • AddInProcess32.exe (PID: 8188)

    • Reads the software policy settings

      • AddInProcess32.exe (PID: 8032)
      • slui.exe (PID: 2392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
129
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start powershell.exe conhost.exe no specs nvmicroservicex32checkssystx.exe #ASYNCRAT addinprocess32.exe cmd.exe no specs conhost.exe no specs nvmicroservicex32checkssystx.exe no specs addinprocess32.exe no specs addinprocess32.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2392C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7576"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\Desktop\09f9239ecacfd97c6f2fa98b0c322cfdca361d0164529e95378db63723ba0cf2.ps1C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7584\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7972"C:\Users\admin\AppData\Local\Temp\TmpynMFyVqs\NVmicroserviceX32checksSystx.exe" C:\Users\admin\AppData\Local\Temp\TmpynMFyVqs\NVmicroserviceX32checksSystx.exe
powershell.exe
User:
admin
Company:
JetBrains s.r.o.
Integrity Level:
MEDIUM
Description:
OpenJDK Platform binary
Exit code:
0
Version:
21.0.5.0
Modules
Images
c:\users\admin\appdata\local\temp\tmpynmfyvqs\nvmicroservicex32checkssystx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\appdata\local\temp\tmpynmfyvqs\jli.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\users\admin\appdata\local\temp\tmpynmfyvqs\vcruntime140.dll
c:\windows\system32\sechost.dll
8032"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
NVmicroserviceX32checksSystx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
8072cmd.exe /C start "" /D "C:\Users\admin\SystemRootDoc" "C:\Users\admin\SystemRootDoc\NVmicroserviceX32checksSystx.exe"C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
8080\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8144"C:\Users\admin\SystemRootDoc\NVmicroserviceX32checksSystx.exe" C:\Users\admin\SystemRootDoc\NVmicroserviceX32checksSystx.execmd.exe
User:
admin
Company:
JetBrains s.r.o.
Integrity Level:
MEDIUM
Description:
OpenJDK Platform binary
Exit code:
0
Version:
21.0.5.0
Modules
Images
c:\users\admin\systemrootdoc\nvmicroservicex32checkssystx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\users\admin\systemrootdoc\vcruntime140.dll
c:\users\admin\systemrootdoc\jli.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
8180"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeNVmicroserviceX32checksSystx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Version:
4.8.9037.0 built by: NET481REL1
8188"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeNVmicroserviceX32checksSystx.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AddInProcess.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\addinprocess32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
Total events
12 226
Read events
12 223
Write events
3
Delete events
0

Modification events

(PID) Process:(7972) NVmicroserviceX32checksSystx.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications
Operation:writeName:ToastEnabled
Value:
0
(PID) Process:(7972) NVmicroserviceX32checksSystx.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:NVmicroserviceX32checksSystx
Value:
cmd.exe /C start "" /D "C:\Users\admin\SystemRootDoc" "C:\Users\admin\SystemRootDoc\NVmicroserviceX32checksSystx.exe"
(PID) Process:(8144) NVmicroserviceX32checksSystx.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications
Operation:writeName:ToastEnabled
Value:
0
Executable files
26
Suspicious files
7
Text files
2
Unknown types
2

Dropped files

PID
Process
Filename
Type
7576powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DYIENDL5VAA3DT6CG4B3.tempbinary
MD5:BFC0B2E5410C75FAC4D079D9048F7E64
SHA256:3A0C08CEA2FB78A2E6C57737CDE3EA333AA7AA02CB2806E5E8AFF57A0AC9C4DA
7576powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1kjnwsxu.dbq.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7576powershell.exeC:\Users\admin\AppData\Local\Temp\TmpynMFyVqs\api-ms-win-crt-environment-l1-1-0.dllexecutable
MD5:B365355962481D079B3D78915BD08DB4
SHA256:DDD98A6B3200A7EE51A85F06AE380A0D2BE76CCDF24DFFAB1F99C595A16DD4B2
7576powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msbinary
MD5:BFC0B2E5410C75FAC4D079D9048F7E64
SHA256:3A0C08CEA2FB78A2E6C57737CDE3EA333AA7AA02CB2806E5E8AFF57A0AC9C4DA
7576powershell.exeC:\Users\admin\AppData\Local\Temp\TmpynMFyVqs\api-ms-win-crt-filesystem-l1-1-0.dllexecutable
MD5:94E4024FEEAE519B9BD58D87E39A4611
SHA256:57F0B83D6B9D17094538915117A41A85ABE04671E56B132AB6A3B8AF8811844C
7576powershell.exeC:\Users\admin\AppData\Local\Temp\TmpynMFyVqs\api-ms-win-crt-runtime-l1-1-0.dllexecutable
MD5:D41FA685D914F811BA43CCA106D9258E
SHA256:8B337DBFB8BE5042FDD744D8806C1F79CAEC9E79FB82F3032392615427B3843F
7576powershell.exeC:\Users\admin\AppData\Local\Temp\TmpynMFyVqs\api-ms-win-crt-math-l1-1-0.dllexecutable
MD5:130E0A664D187C84447912BC681588D4
SHA256:85B0EB99620C45FD1DEA34061A9AD17C5B7944E8AA1FAC680432FFAE4AAF2F8C
7576powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF10d16b.TMPbinary
MD5:D040F64E9E7A2BB91ABCA5613424598E
SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670
7576powershell.exeC:\Users\admin\AppData\Local\Temp\TmpynMFyVqs\api-ms-win-crt-convert-l1-1-0.dllexecutable
MD5:D9BDDB4EB3FEFE4E66B4FF59A0B54B93
SHA256:8153472F9F19DFB13A0C62C3E2AA303F7D1FCE5B9CF14A43C7C6D3DE1F46F148
7576powershell.exeC:\Users\admin\AppData\Local\Temp\TmpynMFyVqs\api-ms-win-crt-locale-l1-1-0.dllexecutable
MD5:E8A5929E5F797025E59176633252646A
SHA256:85FCF08D290C2F1778B74D44E4BE32B3B834BF67E7784D0D539E7A6E3EF4116A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
25
DNS requests
4
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7576
powershell.exe
27.124.114.163:443
fionakemp.com
Dreamscape Networks Limited
AU
unknown
4
System
192.168.100.255:137
whitelisted
8032
AddInProcess32.exe
185.7.214.3:56002
Chang Way Technologies Co. Limited
RU
malicious
7484
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2392
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.110
whitelisted
fionakemp.com
  • 27.124.114.163
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
8032
AddInProcess32.exe
Domain Observed Used for C2 Detected
ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert
8032
AddInProcess32.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 31
8032
AddInProcess32.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] AsyncRAT Successful Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
09f9239ecacfd97c6f2fa98b0c322cfdca361d0164529e95378db63723ba0cf2.ps1