File name: NOTEPAD.exe

Full analysis: https://app.any.run/tasks/b2bf07b3-637e-4476-94bd-7d57f450a525
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: April 15, 2025, 19:36:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: dcrat, rat, asyncrat
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 358798D21F56B50374A8D8304783E881
SHA1: 6685C3D0D86966A5552AB1786EC4F289DB98A16C
SHA256: 8912C96A3242C4D17C343100C936F07E51C7E049A53E086500571A91970641AD
SSDEEP: 384:DbTeH18yV/rekegvG9FV5zynS1heVuZZYjlu15ma/9vm9auXC7jZSjnrzheUrphU:DXeVl/reke79FDzynSzrAauCcrJNVeP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executing a file with an untrusted certificate
      • NOTEPAD.exe (PID: 6640)
      • NOTEPAD.exe (PID: 6708)
    • Create files in the Startup directory
      • NOTEPAD.exe (PID: 6640)
    • ASYNCRAT has been detected (YARA)
      • NOTEPAD.exe (PID: 6708)
    • DCRAT mutex has been found
      • NOTEPAD.exe (PID: 6708)
  • SUSPICIOUS
    • The process creates files with name similar to system file names
      • NOTEPAD.exe (PID: 6640)
    • Executable content was dropped or overwritten
      • NOTEPAD.exe (PID: 6640)
    • Connects to the server without a host name
      • NOTEPAD.exe (PID: 6640)
    • Connects to unusual port
      • NOTEPAD.exe (PID: 6708)
  • INFO
    • Disables trace logs
      • NOTEPAD.exe (PID: 6640)
    • Reads the machine GUID from the registry
      • NOTEPAD.exe (PID: 6640)
      • NOTEPAD.exe (PID: 6708)
    • Reads the computer name
      • NOTEPAD.exe (PID: 6640)
      • NOTEPAD.exe (PID: 6708)
    • Checks supported languages
      • NOTEPAD.exe (PID: 6640)
      • NOTEPAD.exe (PID: 6708)
    • Creates files or folders in the user directory
      • NOTEPAD.exe (PID: 6640)
    • Checks proxy server information
      • NOTEPAD.exe (PID: 6640)
      • slui.exe (PID: 3156)
    • Manual execution by a user
      • NOTEPAD.exe (PID: 6708)
    • Reads the software policy settings
      • slui.exe (PID: 5008)
      • slui.exe (PID: 3156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat configuration (extracted from PID 6708, NOTEPAD.exe)

C2 (1): fidodido.ddns.net
Ports (1): 4545
Version: 1.0.7
Options:
  AutoRun: false
  Mutex: DcRatMutex_qwqdanchun
  InstallFolder: %AppData%
Certificates:
  Cert1: MIICJzCCAZCgAwIBAgIVANWkW/DwRfI1qxKTvr4H2UEJm+4nMA0GCSqGSIb3DQEBDQUAMFsxDDAKBgNVBAMMA3BvcDETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTI0MDcwMjEzMjQ1MVoXDTM1MDQxMTEzMjQ1MVowEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJRx...
Server_Signature: LZ9D/J3PrXOEdalU4HOfq4hFMlyM4yzOqt2/5jkVL6I3D3rugMLj7RDXmygM7FdkRP3Z65Uc9e/ooL2rWLmxFw5GsbC1/EIKLUQpPcSByTwU4T4npA+gZgfKhDETiTtWU2mj4m/iHBpOaNIa6H9lGXT/NTFThYmMynL9FOdbKks=
Keys:
  AES: 8fcdf99079b0504d5311fb91ef8d2614ae12c6a58fdd6ce418723014317f993f
  Salt: DcRatByqwqdanchun

The mutex name and the key-derivation salt (DcRatByqwqdanchun) are DcRAT defaults; DcRAT is a derivative of AsyncRAT, which is why the sample carries both the asyncrat and dcrat tags and matches the AsyncRAT YARA rule while showing a DcRAT mutex.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:13 21:45:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 19968
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x6dce
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.6227.727
ProductVersionNumber: 1.0.6227.727
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: Pepxwsbgo
FileVersion: 1.0.6227.727
InternalName: Pepxwsbgo.exe
LegalCopyright: Copyright © 2015
LegalTrademarks: -
OriginalFileName: Pepxwsbgo.exe
ProductName: Pepxwsbgo
ProductVersion: 1.0.6227.727
AssemblyVersion: 1.0.9133.6032
Total processes: 136
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph: notepad.exe (start), sppextcomobj.exe (no specs), slui.exe, notepad.exe (#ASYNCRAT), slui.exe, svchost.exe

Process information

PID: 896
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3156
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5008
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 6640
CMD: "C:\Users\admin\AppData\Local\Temp\NOTEPAD.exe"
Path: C:\Users\admin\AppData\Local\Temp\NOTEPAD.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Pepxwsbgo
Exit code: 4294967295 (0xFFFFFFFF)
Version: 1.0.6227.727
Modules (images):
c:\users\admin\appdata\local\temp\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6708
CMD: "C:\Users\admin\AppData\Local\Temp\NOTEPAD.exe"
Path: C:\Users\admin\AppData\Local\Temp\NOTEPAD.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Pepxwsbgo
Version: 1.0.6227.727
Modules (images):
c:\users\admin\appdata\local\temp\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 2 229
Read events: 2 215
Write events: 14
Delete events: 0

Modification events

PID | Process | Operation | Key | Name = Value
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASAPI32 | EnableFileTracing = 0
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASAPI32 | EnableAutoFileTracing = 0
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASAPI32 | EnableConsoleTracing = 0
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASAPI32 | FileTracingMask = (value not shown)
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASAPI32 | ConsoleTracingMask = (value not shown)
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASAPI32 | MaxFileSize = 1048576
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASAPI32 | FileDirectory = %windir%\tracing
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASMANCS | EnableFileTracing = 0
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASMANCS | EnableAutoFileTracing = 0
6640 | NOTEPAD.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASMANCS | EnableConsoleTracing = 0
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6640 | NOTEPAD.exe | C:\Users\admin\AppData\Roaming\NOTEPAD.exe | executable
  MD5: 358798D21F56B50374A8D8304783E881
  SHA256: 0B5EA3334F8C9D43CA5927F78C74BD0D9595CB97E5E4CAACF507C3D1D80678E2
6640 | NOTEPAD.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NOTEPAD.vbs | text
  MD5: EF4A2CF84719E18C381EE05D23683656
  SHA256: C6F0809CA5D0FB7B3F8448FF27CAB6E3D92B2A2D86BC5DD0462B28561E7ADE3C
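The dropped-file entries above and the Tracing registry writes in the modification events are the host-side artifacts a triage script should key on. The Python below is an added example, not code from ANY.RUN or from AsyncRAT/DcRAT: it classifies constructed file and registry events shaped like the ones in this report, ranks the Tracing\*_RASAPI32 writes behind the "Disables trace logs" signature as low-priority context (assumption: these values are written as a side effect of loading the RAS networking APIs rather than as deliberate log tampering), and checks that the copy written under %AppData% agrees with the submitted sample on every hash the report lists. In this report the two share an MD5 but not a SHA256, so the check flags the copy instead of deduplicating it. FILE_EVENTS, REG_EVENTS and the bytes fed to hashes() are constructed; the hash strings are copied from the report.

```python
"""Triage of host-side sandbox artifacts: dropped files, registry writes, hashes.

Added example, not code from the ANY.RUN report or from AsyncRAT/DcRAT.
FILE_EVENTS and REG_EVENTS are constructed to mirror this report's entries;
SUBMITTED and DROPPED_COPY carry the hash values printed in the report.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Optional

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.I)
RAS_TRACING = re.compile(r"\\Microsoft\\Tracing\\[^\\]+_(RASAPI32|RASMANCS)$", re.I)
SCRIPT_EXT = (".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".lnk")


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    reason: str
    artifact: str


def triage_file_write(process: str, path: str) -> Optional[Finding]:
    """Classify a file-creation event by where the file landed."""
    if STARTUP_DIR.search(path):
        what = "script launcher" if path.lower().endswith(SCRIPT_EXT) else "file"
        return Finding("high", f"{process} planted a {what} in the Startup folder "
                               "(ATT&CK T1547.001)", path)
    if APPDATA_EXE.search(path):
        return Finding("medium", f"{process} wrote an executable directly under "
                                 "%AppData%\\Roaming (typical RAT InstallFolder)", path)
    return None


def triage_registry_write(process: str, key: str, name: str, value) -> Optional[Finding]:
    """Keep RAS tracing writes visible but ranked as context, not as tampering."""
    if RAS_TRACING.search(key):
        # Assumption: Tracing\<exe>_RASAPI32 / _RASMANCS values are created as a
        # side effect of loading the RAS networking APIs, so "disables trace logs"
        # corroborates network activity rather than proving anti-forensics.
        return Finding("info", f"{process} wrote RAS tracing defaults ({name}={value!r})", key)
    return None


def hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of a blob, upper-case hex as the report prints them."""
    return {"md5": hashlib.md5(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper()}


def same_file(a: dict, b: dict) -> bool:
    """True only if every hash algorithm present in both records agrees.

    Deduplicating on MD5 alone is unsafe: a copy that matches on MD5 but not on
    SHA-256 is a different file or a reporting error, and either way it must be
    kept as its own artifact until resolved against the full report.
    """
    shared = a.keys() & b.keys()
    return bool(shared) and all(a[k] == b[k] for k in shared)


SUBMITTED = {"md5": "358798D21F56B50374A8D8304783E881",
             "sha256": "8912C96A3242C4D17C343100C936F07E51C7E049A53E086500571A91970641AD"}
DROPPED_COPY = {"md5": "358798D21F56B50374A8D8304783E881",
                "sha256": "0B5EA3334F8C9D43CA5927F78C74BD0D9595CB97E5E4CAACF507C3D1D80678E2"}

# Constructed events in the shape of the report's "Dropped files" and "Modification events".
FILE_EVENTS = [
    ("NOTEPAD.exe", r"C:\Users\admin\AppData\Roaming\NOTEPAD.exe"),
    ("NOTEPAD.exe", r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu"
                    r"\Programs\Startup\NOTEPAD.vbs"),
]
REG_EVENTS = [
    ("NOTEPAD.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\NOTEPAD_RASAPI32",
     "EnableFileTracing", 0),
]


def triage(file_events=FILE_EVENTS, reg_events=REG_EVENTS,
           submitted=SUBMITTED, dropped=DROPPED_COPY) -> list:
    """Run every check and return the findings, worst first."""
    findings = []
    for process, path in file_events:
        f = triage_file_write(process, path)
        if f:
            findings.append(f)
    for process, key, name, value in reg_events:
        f = triage_registry_write(process, key, name, value)
        if f:
            findings.append(f)
    if not same_file(submitted, dropped):
        findings.append(Finding("medium", "dropped copy disagrees with the submitted sample on at "
                                          "least one hash; verify before deduplicating", dropped["sha256"]))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.severity:6}] {f.reason}\n         {f.artifact}")
```

Running the script prints four findings: the Startup .vbs as high, the %AppData% self-copy and the hash disagreement as medium, and the RAS tracing write as info. Point FILE_EVENTS and REG_EVENTS at your own sandbox export to reuse the checks.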
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 35
DNS requests: 19
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6640 | NOTEPAD.exe | GET | 200 | 147.45.221.109:80 | http://147.45.221.109/Wcjeaqxsil.dat | unknown | -
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1020 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1020 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
5496 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6640 | NOTEPAD.exe | 147.45.221.109:80 | - | OOO FREEnet Group | RU | unknown
6544 | svchost.exe | 20.190.159.73:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
6708 | NOTEPAD.exe | 50.28.107.105:4545 | fidodido.ddns.net | LIQUIDWEB | US | malicious
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
whitelisted
login.live.com
  • 20.190.159.73
  • 20.190.159.71
  • 40.126.31.129
  • 20.190.159.128
  • 20.190.159.68
  • 40.126.31.1
  • 40.126.31.128
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
fidodido.ddns.net
  • 50.28.107.105
malicious
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net (fired 4 times; PID and process not shown in the report)
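The network tables above give three things worth turning into detection logic: the C2 host fidodido.ddns.net on port 4545 (50.28.107.105), the payload fetch from the bare IP 147.45.221.109 that triggered "Connects to the server without a host name", and the dynamic-DNS suffix the ET rule fired on. The Python below is an added example, not part of the ANY.RUN report: it applies those indicators, plus three generic rules (dynamic-DNS lookup, HTTP to a bare IP, outbound TCP/UDP to an uncommon port), to log records in a simple constructed "pid process kind ..." format and rolls the alerts up per process the way the report tags processes. The IOC values are copied from the report; the LOG records, the COMMON_PORTS allowlist and the DYNDNS_SUFFIXES list are assumptions to tune per environment.

```python
"""Network-indicator matching over connection, DNS and HTTP records.

Added example, not part of the ANY.RUN report. IOC_* values are copied from
the report; LOG, COMMON_PORTS and DYNDNS_SUFFIXES are constructed/assumed.
Record format (constructed): "<pid> <process> dns <qname> <answer>",
"<pid> <process> http <method> <url> <ip:port>",
"<pid> <process> tcp|udp <ip:port> <domain|->".
"""
import ipaddress
from urllib.parse import urlparse

IOC_DOMAINS = {"fidodido.ddns.net"}
IOC_ENDPOINTS = {("50.28.107.105", 4545), ("147.45.221.109", 80)}
IOC_URLS = {"http://147.45.221.109/Wcjeaqxsil.dat"}

# Assumptions to tune per environment, not values from the report.
DYNDNS_SUFFIXES = (".ddns.net",)                 # the suffix the ET rule fired on
COMMON_PORTS = {53, 80, 123, 137, 138, 443, 445}  # ports a workstation normally uses

SEVERITY_RANK = {"malicious": 2, "suspicious": 1}


def is_bare_ip(host: str) -> bool:
    """True when a URL authority is an IP literal rather than a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(record: str) -> list:
    """Return (severity, pid, process, message) tuples for one record.

    IOC rules and generic rules are evaluated independently so the generic
    ones still fire when the IOC lists are out of date.
    """
    pid, proc, kind, *rest = record.split()
    alerts = []

    def add(sev, msg):
        alerts.append((sev, pid, proc, msg))

    if kind == "dns":
        qname, answer = rest[0].lower(), rest[1]
        if qname in IOC_DOMAINS:
            add("malicious", f"DNS query for known C2 domain {qname} -> {answer}")
        if qname.endswith(DYNDNS_SUFFIXES):
            add("suspicious", f"dynamic-DNS lookup {qname}")
    elif kind == "http":
        method, url, endpoint = rest
        host = urlparse(url).hostname or ""
        if url in IOC_URLS:
            add("malicious", f"{method} of known payload URL {url} from {endpoint}")
        if is_bare_ip(host):
            add("suspicious", f"HTTP to a server without a host name ({host})")
    elif kind in ("tcp", "udp"):
        ip, port_s = rest[0].rsplit(":", 1)
        port, domain = int(port_s), rest[1].lower()
        if (ip, port) in IOC_ENDPOINTS or domain in IOC_DOMAINS:
            add("malicious", f"{kind} to known C2 endpoint {ip}:{port} ({domain})")
        if port not in COMMON_PORTS and not ipaddress.ip_address(ip).is_private:
            add("suspicious", f"{kind} to unusual port {ip}:{port}")
    return alerts


def scan(log_text: str) -> list:
    """Analyze every non-empty record and flatten the alerts."""
    return [a for line in log_text.splitlines() if line.strip() for a in analyze(line)]


def verdict_by_process(alerts: list) -> dict:
    """Worst severity per (pid, process), like the report's per-process tags."""
    worst = {}
    for sev, pid, proc, _ in alerts:
        key = (pid, proc)
        if SEVERITY_RANK[sev] > SEVERITY_RANK.get(worst.get(key), 0):
            worst[key] = sev
    return worst


# Constructed records mirroring the report's HTTP, DNS and connection tables.
LOG = """\
5496 MoUsoCoreWorker.exe http GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl 2.19.11.120:80
6640 NOTEPAD.exe http GET http://147.45.221.109/Wcjeaqxsil.dat 147.45.221.109:80
6708 NOTEPAD.exe dns fidodido.ddns.net 50.28.107.105
6708 NOTEPAD.exe tcp 50.28.107.105:4545 fidodido.ddns.net
6544 svchost.exe tcp 20.190.159.73:443 login.live.com
4 System udp 192.168.100.255:137 -
"""

if __name__ == "__main__":
    found = scan(LOG)
    for sev, pid, proc, msg in found:
        print(f"[{sev:10}] {proc} (PID {pid}): {msg}")
    print(verdict_by_process(found))
```

On the constructed records the whitelisted CRL, OCSP-style and NetBIOS traffic produces nothing, while both NOTEPAD.exe PIDs come out as malicious: 6640 for the payload URL and bare-IP HTTP, 6708 for the C2 domain, the dynamic-DNS lookup and the 4545 connection. The ET rule in the report fired four times because it matches per query, not per domain, which is why a per-process roll-up like verdict_by_process() is the more useful view.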