File name: 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599

Full analysis: https://app.any.run/tasks/f4b07198-12c2-4107-b4c6-f53e4c24d45b
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as a legitimate open-source remote administration tool, but attackers use it for its many powerful malicious functions.

Analysis date: May 15, 2025, 11:08:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-startup
asyncrat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:

D63664D4B36E26E3CCF309B5A9ADCD41

SHA1:

00DFB4F50E2A09A9A8C19E4A2AAFC55A188E7E5A

SHA256:

1163719B31DC76D5D197A4DF306ED06523039823A19C86DA5C6B1F0650600599

SSDEEP:

98304:Lmnj+nD81OsgoaHwih40bitF8JCrrBibfy9lxh7E6mCfdNlt0G2dn8AO1s14SBsL:woRUy/4WHrg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Create files in the Startup directory

      • 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe (PID: 5596)
    • ASYNCRAT has been detected (YARA)

      • MSBuild.exe (PID: 4488)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • csc.exe (PID: 720)
    • Connects to unusual port

      • MSBuild.exe (PID: 4488)
  • INFO

    • Reads the computer name

      • 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe (PID: 5596)
      • MSBuild.exe (PID: 4488)
    • Checks supported languages

      • 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe (PID: 5596)
      • cvtres.exe (PID: 4172)
      • csc.exe (PID: 720)
      • MSBuild.exe (PID: 4488)
    • Reads the machine GUID from the registry

      • 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe (PID: 5596)
      • csc.exe (PID: 720)
      • MSBuild.exe (PID: 4488)
    • Create files in a temporary directory

      • cvtres.exe (PID: 4172)
      • 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe (PID: 5596)
      • csc.exe (PID: 720)
    • Creates files or folders in the user directory

      • 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe (PID: 5596)
    • Auto-launch of the file from Startup directory

      • 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe (PID: 5596)
    • Reads the software policy settings

      • slui.exe (PID: 5508)

AsyncRat

(PID) Process: (4488) MSBuild.exe
C2 (20):
hsjafklweqmn.click
qweiozmnxvla.click
lkjzmxnqpwer.click
asdkjczxmeuw.click
zxvnqwejlkgh.click
mznvqiweurty.click
plmzxqwieruo.click
vxmnsdkjweqz.click
qpwalskdjzmx.click
zmxncvaoiwqe.click
xnzwoeirplad.click
qwenmzlxktyu.click
nmasdqwpeiru.click
qowuensmzxcv.click
wqemzxncpiou.click
zbqwmnzxopru.click
xpoiwnzqlaks.click
qpeuwmxnzvka.click
zcnvqpweoriu.click
lksmzqwenxop.click
Ports (1): 7777
Version: LoaderPanel
Options
AutoRun: false
Mutex: stwnzbelgqwovdtm
InstallFolder: %AppData%
Certificates
Cert1: MIICMDCCAZmgAwIBAgIVALJH4bdfPPE5dyMevD9KJERdSx3xMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDExvYWRlciBQYW5lbDETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTI0MDczMDE2NDgyM1oXDTM1MDUwOTE2NDgyM1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0A...
Server_Signature: QJYFVX7kAXoJy2RXio2uLrBgAPPjOh+4EGL0a0bkF4kXp+j9G7g7wqySwyYUIYmV4H75Z+3tXsCGzAMnxAniFV7muWWpHR8F9oT/0p73tq5vt1heB9+qvHPI+p9C/pNFd1D/HvvQ1JddR2mHJ9y3ZvQ9JIvTtDoTDHU3gNK31vw=
Keys
AES: 14147354d298d2376717df3d2a486fd418addff6407c7e05ce463f040b6bd254
Salt: LoaderPanel

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:04:23 19:36:15+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.38
CodeSize: 132096
InitializedDataSize: 5886976
UninitializedDataSize: -
EntryPoint: 0x6528
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
Total processes
139
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

Processes in the graph (in start order; "no specs" marks processes with no attached signatures):
1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe
csc.exe
conhost.exe (no specs)
cvtres.exe (no specs)
sppextcomobj.exe (no specs)
slui.exe
msbuild.exe (no specs)
msbuild.exe (no specs)
msbuild.exe (#ASYNCRAT)
slui.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 720
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\bbmjtdqk.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 1164
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1276
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 4172
CMD: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESBAC6.tmp" "c:\Users\admin\AppData\Local\Temp\CSCDC881B289CA441448E4099CC805C275.TMP"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
14.32.31326.0
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4488
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
AsyncRat configuration extracted from this process: identical to the AsyncRat malware configuration listed earlier in this report (20 C2 domains, port 7777, mutex stwnzbelgqwovdtm).
PID: 5072
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: csc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5112
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 5508
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5596
CMD: "C:\Users\admin\AppData\Local\Temp\1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe"
Path: C:\Users\admin\AppData\Local\Temp\1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
PID: 5680
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
1 568
Read events
1 568
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
3
Text files
3
Unknown types
0

Dropped files

PID | Process | Filename | Type

720 | csc.exe | C:\Users\admin\AppData\Local\Temp\CSCDC881B289CA441448E4099CC805C275.TMP | binary
MD5: 82CB805CCFCFDD148E588511A49C257D
SHA256: EB48DE6304F0A838B331500346CEA858B458520620AF236875D90E64811A24E7

5596 | 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe | C:\Users\admin\AppData\Local\Temp\bbmjtdqk.0.cs | text
MD5: 89CB28815D828E56E654BD4346F183CD
SHA256: 7ACEBEEFD3E61F917E60CFFFDA9945A17AC37293935BB98ACE532224E8F4A267

4172 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESBAC6.tmp | binary
MD5: E1B0DA112C9CEA17138F4D75BFF7A69B
SHA256: DAAFDBA255E901B57CD522EF496A367B5C1232A6F263AE45EEB57A1E3EF67B42

5596 | 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe | C:\Users\admin\AppData\Local\Temp\bbmjtdqk.cmdline | text
MD5: 515C03DBCC7EF46F9C5DC52DB8894F13
SHA256: 58DDE77503FE8B77B7BAA9E2F45D8621E6E99A3400A73512EF2D54C5CC5ABB70

720 | csc.exe | C:\Users\admin\AppData\Local\Temp\bbmjtdqk.out | text
MD5: C81CDF2F91193CB3D26296451D9575D6
SHA256: 0054780041D127A95F6B4DC4391E82E7C27A097EDB78408FFAEF7B2ED6E569FC

720 | csc.exe | C:\Users\admin\AppData\Local\Temp\bbmjtdqk.dll | executable
MD5: 9115BEFAA60801A8077A92245B5671D6
SHA256: C9EB37C30824060AB6FC8A2505613A229B96547E26851784822CC6B6E049902B

5596 | 1163719b31dc76d5d197a4df306ed06523039823a19c86da5c6b1f0650600599.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DeleteApp.url | url
MD5: 4B21DCF7C6AE610BD4B1F79B70DFCD17
SHA256: 9C891E9DC6FECE95B44BB64123F89DDEAB7C5EFC95BF071FB4457996050F10A0
HTTP(S) requests
5
TCP/UDP connections
23
DNS requests
23
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
5124 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
5124 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4488 | MSBuild.exe | 212.113.122.89:7777 | mznvqiweurty.click | INSYS LLC | RU | unknown
6544 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
mznvqiweurty.click
  • 212.113.122.89
unknown
login.live.com
  • 20.190.160.64
  • 20.190.160.5
  • 20.190.160.66
  • 20.190.160.2
  • 20.190.160.17
  • 20.190.160.132
  • 20.190.160.20
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info