File name: AsyncRAT.exe

Full analysis: https://app.any.run/tasks/d39d0740-4dbb-48ea-acf2-c4e0e4c16bda
Verdict: Malicious activity
Analysis date: April 26, 2025, 12:41:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: jeefo, auto-reg
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: E7D3634EB2399421A014527496B5872F
SHA1: 233B0C96F6755108003EF576EA29246B727D2EAF
SHA256: 22B1CA6433848DA71A05D0DA208A89AC038D754BA1D7338DA5A83EDE7FFB8C80
SSDEEP: 98304:5cVCP2rfyknqA6I4+bMxoeb4NKz/0HQmL/K+i5qIkN/ryB5YGNe0zjfIL18t+I+O:r7vwiGil

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • AsyncRAT.exe (PID: 7576)
      • icsys.icn.exe (PID: 7724)
      • asyncrat.exe  (PID: 7624)
      • explorer.exe (PID: 7744)
      • svchost.exe (PID: 7796)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 7796)
      • explorer.exe (PID: 7744)
  • SUSPICIOUS

    • Starts itself from another location

      • icsys.icn.exe (PID: 7724)
      • AsyncRAT.exe (PID: 7576)
      • explorer.exe (PID: 7744)
      • spoolsv.exe (PID: 7764)
      • svchost.exe (PID: 7796)
    • Executable content was dropped or overwritten

      • icsys.icn.exe (PID: 7724)
      • AsyncRAT.exe (PID: 7576)
      • explorer.exe (PID: 7744)
      • spoolsv.exe (PID: 7764)
    • Starts application with an unusual extension

      • AsyncRAT.exe (PID: 7576)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 7724)
      • spoolsv.exe (PID: 7764)
    • Executes as Windows Service

      • WmiApSrv.exe (PID: 8036)
    • The process checks if it is being run in the virtual environment

      • asyncrat.exe  (PID: 7624)
    • Reads security settings of Internet Explorer

      • asyncrat.exe  (PID: 7624)
    • Creates or modifies Windows services

      • svchost.exe (PID: 7796)
  • INFO

    • The sample compiled with english language support

      • AsyncRAT.exe (PID: 7576)
    • Create files in a temporary directory

      • icsys.icn.exe (PID: 7724)
      • explorer.exe (PID: 7744)
      • AsyncRAT.exe (PID: 7576)
      • svchost.exe (PID: 7796)
      • spoolsv.exe (PID: 7876)
      • spoolsv.exe (PID: 7764)
    • Reads the computer name

      • asyncrat.exe  (PID: 7624)
      • svchost.exe (PID: 7796)
    • Reads the machine GUID from the registry

      • asyncrat.exe  (PID: 7624)
    • Checks supported languages

      • AsyncRAT.exe (PID: 7576)
      • icsys.icn.exe (PID: 7724)
      • spoolsv.exe (PID: 7764)
      • explorer.exe (PID: 7744)
      • svchost.exe (PID: 7796)
      • spoolsv.exe (PID: 7876)
      • asyncrat.exe  (PID: 7624)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 7744)
      • svchost.exe (PID: 7796)
    • Reads the time zone

      • asyncrat.exe  (PID: 7624)
    • Reads CPU info

      • asyncrat.exe  (PID: 7624)
    • Reads Environment values

      • asyncrat.exe  (PID: 7624)
    • Manual execution by a user

      • svchost.exe (PID: 5736)
      • explorer.exe (PID: 904)
      • explorer.exe (PID: 1072)
    • Checks proxy server information

      • slui.exe (PID: 5376)
    • Reads the software policy settings

      • slui.exe (PID: 5376)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
All screenshots are available in the full report
Total processes: 140
Monitored processes: 13
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start
  • #JEEFO asyncrat.exe
  • #JEEFO asyncrat.exe  no specs
  • #JEEFO icsys.icn.exe
  • #JEEFO explorer.exe
  • spoolsv.exe
  • #JEEFO svchost.exe
  • spoolsv.exe no specs
  • wmiapsrv.exe no specs
  • svchost.exe no specs
  • explorer.exe no specs
  • explorer.exe no specs
  • slui.exe
  • asyncrat.exe no specs

Process information

PID: 904
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (Images):
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 1072
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (Images):
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 5376
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 5736
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (Images):
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7488
CMD: "C:\Users\admin\Desktop\AsyncRAT.exe"
Path: C:\Users\admin\Desktop\AsyncRAT.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (Images):
c:\users\admin\desktop\asyncrat.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7576
CMD: "C:\Users\admin\Desktop\AsyncRAT.exe"
Path: C:\Users\admin\Desktop\AsyncRAT.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (Images):
c:\users\admin\desktop\asyncrat.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 7624
CMD: c:\users\admin\desktop\asyncrat.exe 
Path: C:\Users\admin\Desktop\asyncrat.exe 
Parent process: AsyncRAT.exe
User: admin
Integrity Level: HIGH
Description: AsyncRAT
Exit code: 0
Version: 0.5.7.0
Modules (Images):
c:\users\admin\desktop\asyncrat.exe 
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID: 7724
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: AsyncRAT.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (Images):
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 7744
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: icsys.icn.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (Images):
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll

PID: 7764
CMD: c:\windows\resources\spoolsv.exe SE
Path: C:\Windows\Resources\spoolsv.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (Images):
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events: 5 837
Read events: 5 807
Write events: 26
Delete events: 4

Modification events

(PID) Process | Operation | Key | Name | Value
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage | Export | .NET Memory Cache 4.0
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage | Export | MSDTC Bridge 3.0.0.0
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 4.0.0.0\Linkage | Export | MSDTC Bridge 4.0.0.0
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0\Linkage | Export | ServiceModelEndpoint 3.0.0.0
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelOperation 3.0.0.0\Linkage | Export | ServiceModelOperation 3.0.0.0
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelService 3.0.0.0\Linkage | Export | ServiceModelService 3.0.0.0
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 3.0.0.0\Linkage | Export | SMSvcHost 3.0.0.0
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 4.0.0.0\Linkage | Export | SMSvcHost 4.0.0.0
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0\Linkage | Export | Windows Workflow Foundation 3.0.0.0
(7624) asyncrat.exe  | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 4.0.0.0\Linkage | Export | Windows Workflow Foundation 4.0.0.0
Executable files: 5
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7576 | AsyncRAT.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable
  MD5: 5B2C5D698F9CFB50428F6EBBECD29025
  SHA256: 67CD6EFFAF28B11EE8C856FD84AF698C5CC18BCD74C12CACCE5461B1B269EB96
7764 | spoolsv.exe | C:\Windows\Resources\svchost.exe | executable
  MD5: 7007B902F19269F9F17A893CF10380BC
  SHA256: FD76C2264DB316584A5C55B0095355598198C6DB919322064C9B26F08D248E55
7764 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DF2B9305698C43C96A.TMP | binary
  MD5: 17B4958969F3114F469C65E9F8722E07
  SHA256: 3F2F5D09F7D18DA1311054E2ED23BEACF8DD266966C84A2A3B3361909301F881
7724 | icsys.icn.exe | C:\Windows\Resources\Themes\explorer.exe | executable
  MD5: B167BB58CF31D575B58F686BD86D83CD
  SHA256: 302A1DDABC62132E016AFD754C32E692349EDCDF51AFDB2F90426510F0131D0B
7576 | AsyncRAT.exe | C:\Users\admin\Desktop\asyncrat.exe  | executable
  MD5: 36E71813A30B96F64943EB8CEA2C52EC
  SHA256: BB1F2C2C9B279790B67EAEA6AB0BBCE3A4D4432BBE1BD716750F2F9BA3337F7E
7624 | asyncrat.exe  | C:\Users\admin\Desktop\Fixer.bat | text
  MD5: 52AB2690A33A51804764BE81820504AA
  SHA256: 5255FA89BA49C5F1F2C81D66D42E3B16305296945683954EAB1492ED11B90B4C
7744 | explorer.exe | C:\Windows\Resources\spoolsv.exe | executable
  MD5: 00621604707FF25F79D92043D7E80F18
  SHA256: BBD7F2A6E592FC872161514ADE42F57DB24BE4975200E8619751A7DB1A178AD7
7876 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DF31EA9005F71561DD.TMP | binary
  MD5: A8D2AE7821144FB34FBACD7DCB00B1F3
  SHA256: 2DBE61BD8D067E198C74F81B7C7945A419B2EF8DE481EBB188E573BA153D9265
7724 | icsys.icn.exe | C:\Users\admin\AppData\Local\Temp\~DFE1443AD4C093FE3F.TMP | binary
  MD5: D3A67CF113B0A8A328822B4A18843C21
  SHA256: E9D85BC25FEAC6638067E0456731A458AAAE1DC9F6B4F3B6E231B995E253AD9F
7576 | AsyncRAT.exe | C:\Users\admin\AppData\Local\Temp\~DF264D178F7EB38495.TMP | binary
  MD5: F0ACD7C6E1A81463730C3EABD762BCD2
  SHA256: 9FAFDA33AB1B8C80FD270EA3858EA19294899CC28C338F057F73922B101E1335
HTTP(S) requests: 24
TCP/UDP connections: 43
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
5404 | RUXIMICS.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5404 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
- | - | GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
- | - | GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
- | - | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | -
7048 | SIHClient.exe | GET | 200 | 23.216.77.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
7048 | SIHClient.exe | GET | 200 | 23.216.77.32:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
7048 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7048 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7048 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5404 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
5404 | RUXIMICS.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5404 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
3812 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
7048 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7048 | SIHClient.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 216.58.206.78 | whitelisted
client.wns.windows.com | 172.211.123.248 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12, 23.216.77.32, 23.216.77.22, 23.216.77.27, 23.216.77.30, 23.216.77.20, 23.216.77.28, 23.216.77.21, 23.216.77.31, 23.216.77.23 | whitelisted
www.microsoft.com | 2.23.246.101, 184.30.21.171 | whitelisted
slscr.update.microsoft.com | 4.175.87.197 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.229.48 | whitelisted
login.live.com | 40.126.31.73, 20.190.159.130, 20.190.159.4, 20.190.159.68, 40.126.31.67, 40.126.31.3, 20.190.159.73, 20.190.159.64 | whitelisted

Threats

No threats detected
No debug info