File name:

63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c

Full analysis: https://app.any.run/tasks/a5dd5e9e-c491-4df3-9bf8-618f9923a073
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: April 19, 2025, 19:37:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
asyncrat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

E18F648682AEFE8A256079FA8DE0F4FC

SHA1:

143819F96ABA2667775F72F113E50E72A3120CF4

SHA256:

63D855658B466365A24661D02F253577D4339F1CE8F7A0AE48341B34603D7E1C

SSDEEP:

1536:WSStO82Vz2GrX9vqy2YUbdh9E93AKQ5GdpqKmY7:WSStOJz2GrXZqy2YUbdwpA4Gz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ASYNCRAT has been detected (YARA)

      • 63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe (PID: 2088)

  • SUSPICIOUS

    • Connects to unusual port

      • 63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe (PID: 2088)

  • INFO

    • Reads the computer name

      • 63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe (PID: 2088)

    • Checks supported languages

      • 63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe (PID: 2088)

    • Reads Environment values

      • 63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe (PID: 2088)

    • Reads the machine GUID from the registry

      • 63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe (PID: 2088)

    • Checks proxy server information

      • slui.exe (PID: 6392)

    • Reads the software policy settings

      • slui.exe (PID: 6392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(2088) 63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe
C2 (3)127.0.0.1
summer-malaysia.gl.at.ply.gg
technical-equally.gl.at.ply.gg
Ports (2)3232
45518
Version
Options
AutoRunfalse
Mutex西eΔwΒתΒaب3sץΔilNofrΗP
InstallFolder%AppData%
Certificates
Cert1MIICKTCCAZKgAwIBAgIVAJ7nqy/NkvDXzIHhy6J2rRfKZhX5MA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjQwNDEzMDgyMzIyWhcNMzUwMTIxMDgyMzIyWjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA...
Server_SignatureaqeRQHiJYd1fVoKfq1iny13ALoD/Vo/k7VREFPb4Xm1KZQ6MeLm3HKc0Ysk/wSnKp5Ftws1bTtn1Vf3w6nHQ0QrtW44MWnch5sQYMqeOV7OCIFfosYmwS6IJrHvYY134S2NKxCpD0LW8RuOO7piK5QlnogkSdFvWliBTeazMHQ8=
Keys
AES538ed579ec9f79c040bcdf5d935b1ca607b7d9f5faacb8c47a7aee0f1bef9ba0
SaltDcRatByqwqdanchun
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:24 17:30:14+00:00
ImageFileCharacteristics: Executable
PEType: PE32
LinkerVersion: 8
CodeSize: 60416
InitializedDataSize: 4096
UninitializedDataSize: -
EntryPoint: 0x10a3e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.6.0.0
ProductVersionNumber: 3.6.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 3.6.0.0
InternalName: Client.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Client.exe
ProductName: -
ProductVersion: 3.6.0.0
AssemblyVersion: 3.6.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ASYNCRAT 63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2088"C:\Users\admin\Desktop\63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe" C:\Users\admin\Desktop\63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
3.6.0.0
Modules
Images
c:\users\admin\desktop\63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
AsyncRat
(PID) Process(2088) 63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe
C2 (3)127.0.0.1
summer-malaysia.gl.at.ply.gg
technical-equally.gl.at.ply.gg
Ports (2)3232
45518
Version
Options
AutoRunfalse
Mutex西eΔwΒתΒaب3sץΔilNofrΗP
InstallFolder%AppData%
Certificates
Cert1MIICKTCCAZKgAwIBAgIVAJ7nqy/NkvDXzIHhy6J2rRfKZhX5MA0GCSqGSIb3DQEBDQUAMF0xDjAMBgNVBAMMBUVCT0xBMRMwEQYDVQQLDApxd3FkYW5jaHVuMRwwGgYDVQQKDBNEY1JhdCBCeSBxd3FkYW5jaHVuMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjQwNDEzMDgyMzIyWhcNMzUwMTIxMDgyMzIyWjAQMQ4wDAYDVQQDDAVEY1JhdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA...
Server_SignatureaqeRQHiJYd1fVoKfq1iny13ALoD/Vo/k7VREFPb4Xm1KZQ6MeLm3HKc0Ysk/wSnKp5Ftws1bTtn1Vf3w6nHQ0QrtW44MWnch5sQYMqeOV7OCIFfosYmwS6IJrHvYY134S2NKxCpD0LW8RuOO7piK5QlnogkSdFvWliBTeazMHQ8=
Keys
AES538ed579ec9f79c040bcdf5d935b1ca607b7d9f5faacb8c47a7aee0f1bef9ba0
SaltDcRatByqwqdanchun
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6392C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 827
Read events
3 827
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
44
DNS requests
17
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
52.149.20.212:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5008
SIHClient.exe
GET
200
23.48.23.159:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5008
SIHClient.exe
GET
200
23.48.23.159:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5008
SIHClient.exe
GET
200
23.48.23.159:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5008
SIHClient.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5008
SIHClient.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5008
SIHClient.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5008
SIHClient.exe
GET
200
23.38.73.129:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
52.165.164.15:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2088
63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe
147.185.221.27:45518
technical-equally.gl.at.ply.gg
PLAYIT-GG
US
malicious
4
System
192.168.100.255:137
whitelisted
5008
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5008
SIHClient.exe
23.48.23.159:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5008
SIHClient.exe
23.38.73.129:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2088
63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c.exe
147.185.221.27:3232
technical-equally.gl.at.ply.gg
PLAYIT-GG
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
technical-equally.gl.at.ply.gg
  • 147.185.221.27
unknown
summer-malaysia.gl.at.ply.gg
  • 147.185.221.27
unknown
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 23.48.23.159
  • 23.48.23.158
  • 23.48.23.162
  • 23.48.23.166
  • 23.48.23.156
  • 23.48.23.150
  • 23.48.23.183
  • 23.48.23.161
  • 23.48.23.169
whitelisted
www.microsoft.com
  • 23.38.73.129
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
2196
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.ply .gg)
2196
svchost.exe
Potentially Bad Traffic
ET INFO playit .gg Tunneling Domain in DNS Lookup
2196
svchost.exe
Misc activity
ET TA_ABUSED_SERVICES Tunneling Service in DNS Lookup (* .ply .gg)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
63d855658b466365a24661d02f253577d4339f1ce8f7a0ae48341b34603d7e1c