File name:	83babee77db36512c0eab8ea6b35e981aa4288a4095985d69b3841f8b684fe11.ps1
Full analysis:	https://app.any.run/tasks/e5d85e3c-a1c9-4d1d-88bb-21f1bda073c9
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	July 16, 2025, 18:21:15
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	psloramyra loader asyncrat rat
Indicators:
MIME:	text/plain
File info:	Unicode text, UTF-8 (with BOM) text, with very long lines (65514), with CRLF line terminators
MD5:	99C23706A4BD973EBDA4BDB88B87C834
SHA1:	672A6A80BD7484229111364C73CA1973E76803F3
SHA256:	83BABEE77DB36512C0EAB8EA6B35E981AA4288A4095985D69B3841F8B684FE11
SSDEEP:	3072:RGLx9EwczhNbwXibYsKk/1g3/cNvTGFJgdqoZ3zKSGd7qfuQTUfWwLC5ImBK5W9N:RGLx9EPzhNbwXQYsKkpGyTUOwqYyfbT

PID	Process	Filename		Type
3656	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MP5Z8REZIG6T7PSWXOV8.temp		binary
		MD5:EB6E44AFD03302A6552B2B20EBCC7472	SHA256:470C355E40398348DCBBCEAAC57FD65D033C1CE70BB252386FEC4968523D750A
3656	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_slwgzoo5.r2s.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3656	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:EB6E44AFD03302A6552B2B20EBCC7472	SHA256:470C355E40398348DCBBCEAAC57FD65D033C1CE70BB252386FEC4968523D750A
3656	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bod3uoth.qzl.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3656	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF18d963.TMP		binary
		MD5:00A03B286E6E0EBFF8D9C492365D5EC2	SHA256:4DBFC417D053BA6867308671F1C61F4DCAFC61F058D4044DB532DA6D3BDE3615
3656	powershell.exe	C:\Users\Public\Conted.ps1		text
		MD5:089315EBEAC43E1A45DA3014F56C5006	SHA256:3A0A477030EABA84883193EDE461D8595C3CA4345811632E295D9C2D136C1593
3656	powershell.exe	C:\Users\Public\Conted.vbs		text
		MD5:110DA9D3474BA64FA1A18C173685C25D	SHA256:A31DBD6F7416F150403C19BE69F02D5E8608F5E7FAE88A29831D40DB15849B60
3656	powershell.exe	C:\Users\Public\Conted.bat		text
		MD5:759278DD3DC3679BF7EFD1EC681C0AA1	SHA256:CBA344447D8228D88C93D64FFDCDA1DE8562EF41ADC4901191548E00BBFC5F19
5348	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dtgbxk51.i22.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3656	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:834D31983D4408203A815BDAB88B230D	SHA256:F8F00F0E47767AE23EA299982B38DCE6EE852B1D3F11D976611A07968C97D2C1

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3768	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
3768	SIHClient.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
3768	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
236	RUXIMICS.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
—	—	GET	200	20.12.23.50:443	https://slscr.update.microsoft.com/sls/ping	unknown	—	—	—
—	—	GET	304	20.12.23.50:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
236	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	69.192.161.161:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
236	RUXIMICS.exe	69.192.161.161:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
6024	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6756	slui.exe	20.83.72.98:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	172.217.18.110	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.17 23.216.77.20 23.216.77.27 23.216.77.19 23.216.77.26 23.216.77.18 23.216.77.21 23.216.77.30 23.216.77.25 23.216.77.7 23.216.77.22 23.216.77.6 23.216.77.13 23.216.77.16	whitelisted
www.microsoft.com	69.192.161.161	whitelisted
self.events.data.microsoft.com	40.79.141.154	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
login.live.com	20.190.159.130 40.126.31.131 20.190.159.128 40.126.31.67 40.126.31.129 40.126.31.3 40.126.31.73 40.126.31.71	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
madmrx.duckdns.org	192.169.69.26	malicious
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2200	svchost.exe	Misc activity	ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2200	svchost.exe	Potentially Bad Traffic	ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2200	svchost.exe	Misc activity	ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain

General Info

83babee77db36512c0eab8ea6b35e981aa4288a4095985d69b3841f8b684fe11.ps1

99C23706A4BD973EBDA4BDB88B87C834

672A6A80BD7484229111364C73CA1973E76803F3

83BABEE77DB36512C0EAB8EA6B35E981AA4288A4095985D69B3841F8B684FE11

3072:RGLx9EwczhNbwXibYsKk/1g3/cNvTGFJgdqoZ3zKSGd7qfuQTUfWwLC5ImBK5W9N:RGLx9EPzhNbwXQYsKkpGyTUOwqYyfbT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

PSLORAMYRA has been detected

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

Run PowerShell with an invisible window

ASYNCRAT has been detected (MUTEX)

SUSPICIOUS

Writes data into a file (POWERSHELL)

Likely accesses (executes) a file from the Public directory

The process executes via Task Scheduler

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Starts POWERSHELL.EXE for commands execution

Runs shell command (SCRIPT)

Uses sleep to delay execution (POWERSHELL)

The process bypasses the loading of PowerShell profile settings

Converts a specified value to an integer (POWERSHELL)

The process executes Powershell scripts

Connects to unusual port

INFO

Reads the software policy settings

Checks proxy server information

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings