File name:

syshelp.exe

Full analysis: https://app.any.run/tasks/2f3cd2ac-65e8-4c91-bea9-7f6c53febd41
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as a legitimate open-source remote administration tool, but attackers abuse its extensive capabilities for malicious purposes.

Analysis date: March 08, 2025, 20:45:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pastebin
asyncrat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: ABE313B3A9D69E80C61E7A4B2DF0304F
SHA1: C3BB51C118EA1BD3FBE9854D295FF346CC6288ED
SHA256: 3735E49B6212CF731B7EB5FA94506C5E1ECF6751F47A12DF970E53695DDD66CC
SSDEEP: 1536:OFWeV4weJXJNa9TCMzdRH6hCqx3LbNiao7tB2kmOf+:OFWeV4weJXJRCqx3LbNUf2wm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ASYNCRAT has been detected (YARA)

      • syshelp.exe (PID: 7428)
  • SUSPICIOUS

    • Connects to unusual port

      • syshelp.exe (PID: 7428)
  • INFO

    • Reads the computer name

      • syshelp.exe (PID: 7428)
    • Reads the machine GUID from the registry

      • syshelp.exe (PID: 7428)
    • Reads the software policy settings

      • syshelp.exe (PID: 7428)
      • slui.exe (PID: 7692)
    • Checks supported languages

      • syshelp.exe (PID: 7428)
    • Disables trace logs

      • syshelp.exe (PID: 7428)
    • Checks proxy server information

      • syshelp.exe (PID: 7428)
      • slui.exe (PID: 7692)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

AsyncRat

(PID) Process: (7428) syshelp.exe
C2 (1): null
Ports (1): null
Version: 0.5.8
Botnet: Default
Options
AutoRun: false
Mutex: llUbmlhn3BKt
InstallFolder: %AppData%
BSoD: false
AntiVM: false
Certificates
Cert1: MIIE4DCCAsigAwIBAgIQAIGchQ7W9DY+u2+mqUfY1zANBgkqhkiG9w0BAQ0FADARMQ8wDQYDVQQDDAZTZXJ2ZXIwIBcNMjQwMjAzMDkyMjU3WhgPOTk5OTEyMzEyMzU5NTlaMBExDzANBgNVBAMMBlNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMDLRMdW/pEm39gRLXp69nGY+5TzYB+wsoWC0sHrCJSSHfETnJs5BqyoWEFx+znBMX99wy8IdsHiy1+1CF9WbPXEy7OOoxm6jfkA...
Server_Signature: lL6lipxcb0zp+wWpAuoiQmTQjMXc7Cn5WpDlpQtiuwldG8vH3OZRmSwdRDphqPtJ40fNUEGmKgc7jJKdvtNwS8lSowxcv9mjzVKJvjuIaUafCWwhBUyJ2PFpQbKgY/ToDgAjWB1DhfClLyF6C8rweOFcWiED9k1i1v+eSrK2M8YOC0Xst8WPS67zgqv6AQVcSqD/R0WDLN3tMD3IUkE6S0ctP8QxZ865D3mzABgDEQRsIhCEMd20k7w4PvGlNd+3GxRl6TfpZOa/GGBAEL+xzy6H2/VEWggqKPXnBOTTsKfS...
Keys
AES: 6c0242f5b05adc34b263f239f0be1c8d1ac06c8d1b3301a4f140dbe25a2f0132
Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Credentials
Protocol: pastebin
URL: https://pastebin.com/raw/ftknPNF7

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:15 20:29:09+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 45568
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0xd01e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: Stub.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Stub.exe
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
All screenshots are available in the full report
Total processes: 120
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, syshelp.exe (#ASYNCRAT), slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
7428 | "C:\Users\admin\Desktop\syshelp.exe" | C:\Users\admin\Desktop\syshelp.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Version: 1.0.0.0
Modules
Images
c:\users\admin\desktop\syshelp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
7692 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 7 114
Read events: 7 100
Write events: 14
Delete events: 0

Modification events

(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASAPI32 | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASAPI32 | Operation: write | Name: EnableAutoFileTracing | Value: 0
(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASAPI32 | Operation: write | Name: EnableConsoleTracing | Value: 0
(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASAPI32 | Operation: write | Name: FileTracingMask | Value:
(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASAPI32 | Operation: write | Name: ConsoleTracingMask | Value:
(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASAPI32 | Operation: write | Name: MaxFileSize | Value: 1048576
(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASAPI32 | Operation: write | Name: FileDirectory | Value: %windir%\tracing
(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASMANCS | Operation: write | Name: EnableFileTracing | Value: 0
(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASMANCS | Operation: write | Name: EnableAutoFileTracing | Value: 0
(PID) Process: (7428) syshelp.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\syshelp_RASMANCS | Operation: write | Name: EnableConsoleTracing | Value: 0
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 49
DNS requests: 6
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 172.67.19.24:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted
- | - | GET | 200 | 104.20.4.235:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted
- | - | GET | 200 | 104.20.3.235:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted
- | - | GET | 200 | 172.67.19.24:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted
- | - | GET | 200 | 104.20.4.235:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted
- | - | GET | 200 | 104.20.3.235:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted
- | - | GET | 200 | 172.67.19.24:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted
- | - | GET | 200 | 104.20.4.235:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted
- | - | GET | 200 | 104.20.3.235:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted
- | - | GET | 200 | 172.67.19.24:443 | https://pastebin.com/raw/ftknPNF7 | US | text | 18 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7428 | syshelp.exe | 172.67.19.24:443 | pastebin.com | CLOUDFLARENET | US | whitelisted
7428 | syshelp.exe | 101.99.76.120:7707 | - | - | MY | malicious
7256 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7692 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146, 20.73.194.208 | whitelisted
google.com | 142.250.184.238 | whitelisted
pastebin.com | 172.67.19.24, 104.20.3.235, 104.20.4.235 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage
No debug info