File name:	22a92a0a90c35740ee54d53c110119e055372b620ffb903cefcd37ae686069c9
Full analysis:	https://app.any.run/tasks/40261a68-4abd-45ea-bb77-398b34d3a03f
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 19:08:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-reg asyncrat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	92B64C4122012BAE1687C15A9470CB19
SHA1:	779191F09A989D8DCC08717ECA4CA155E1FE25A7
SHA256:	22A92A0A90C35740EE54D53C110119E055372B620FFB903CEFCD37AE686069C9
SSDEEP:	3072:RVlReD33GfP2PPDpp6XzNUhSwFV1pWGlKRA/b9Hr73PgPFZGHE80X9GxxpjThW9Y:xNdwFVzzVlObS/m4A

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2021:05:05 21:11:39+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	316928
InitializedDataSize:	4608
UninitializedDataSize:	-
EntryPoint:	0x4f46e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.5794
ProductVersionNumber:	10.0.19041.5794
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Microsoft Corporation
FileDescription:	Application
FileVersion:	10.0.19041.5794
InternalName:	Runtime Broker.exe
LegalCopyright:	©Microsoft Corporation. All rights reserved.
LegalTrademarks:	©Microsoft Corporation. All rights reserved.
OriginalFileName:	Runtime Broker.exe
ProductName:	Runtime Broker
ProductVersion:	10.0.19041.5794
AssemblyVersion:	10.0.19041.5794


(PID) Process:	(4412) 22a92a0a90c35740ee54d53c110119e055372b620ffb903cefcd37ae686069c9.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Runtime Broker
Value: "C:\Users\admin\AppData\Roaming\Runtime Broker.exe"

PID	Process	Filename		Type
4412	22a92a0a90c35740ee54d53c110119e055372b620ffb903cefcd37ae686069c9.exe	C:\Users\admin\AppData\Local\Temp\tmp81C2.tmp.bat		text
		MD5:5872DCB8D32A56F29E71ED30094E1327	SHA256:DA144BF4A78592E92D5AB4946B20F529981F9E1D73068208AFA55EA4DB67372E
4412	22a92a0a90c35740ee54d53c110119e055372b620ffb903cefcd37ae686069c9.exe	C:\Users\admin\AppData\Roaming\Runtime Broker.exe		executable
		MD5:92B64C4122012BAE1687C15A9470CB19	SHA256:22A92A0A90C35740EE54D53C110119E055372B620FFB903CEFCD37AE686069C9

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.3:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	20.190.160.65:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	200	20.190.160.64:443	https://login.live.com/RST2.srf	unknown	xml	10.3 Kb	whitelisted
—	—	GET	200	4.245.163.56:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	compressed	23.9 Kb	whitelisted
—	—	POST	200	20.190.160.22:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	200	20.190.160.4:443	https://login.live.com/RST2.srf	unknown	xml	11.0 Kb	whitelisted
6172	RUXIMICS.exe	GET	200	23.53.40.176:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.17:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	GET	304	4.245.163.56:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6172	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6172	RUXIMICS.exe	23.53.40.176:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6172	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5944	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	142.250.184.206	whitelisted
crl.microsoft.com	23.53.40.176 23.53.40.178	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.249	whitelisted
login.live.com	20.190.160.3 40.126.32.133 20.190.160.14 20.190.160.4 20.190.160.64 20.190.160.17 20.190.160.65 20.190.160.22	whitelisted
nexusrules.officeapps.live.com	52.111.243.29	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

General Info

22a92a0a90c35740ee54d53c110119e055372b620ffb903cefcd37ae686069c9

92B64C4122012BAE1687C15A9470CB19

779191F09A989D8DCC08717ECA4CA155E1FE25A7

22A92A0A90C35740EE54D53C110119E055372B620FFB903CEFCD37AE686069C9

3072:RVlReD33GfP2PPDpp6XzNUhSwFV1pWGlKRA/b9Hr73PgPFZGHE80X9GxxpjThW9Y:xNdwFVzzVlObS/m4A

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Executable content was dropped or overwritten

Uses TIMEOUT.EXE to delay execution

The executable file from the user directory is run by the CMD process

INFO

Reads the computer name

Reads the machine GUID from the registry

Checks supported languages

Creates files or folders in the user directory

Launching a file from a Registry key

Create files in a temporary directory

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Malware configuration

AsyncRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Malware configuration

AsyncRat

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings