Malware analysis CrackSoftware.exe Malicious activity

Add for printing

File name:	CrackSoftware.exe
Full analysis:	https://app.any.run/tasks/3c7c85dd-98f4-4eb1-838e-be986a7c622a
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 12:58:24
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	delphi asyncrat github
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	7D3173723E130D5EF87A234E8B6B525A
SHA1:	B2B16F2954DC1E7EDE3B7C49400FAB6104198CE9
SHA256:	8F53789C4E0E06032BCF0B3DA0643B187AD8F1D60BFA2091E2A2A249BE596154
SSDEEP:	98304:eJDPe5JhSUrIVOOOv+5A+9ZmnlvoRri2VNjGb4YzBTmwTC0e9cusK9NI6iyHp2Ia:DkPQ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- ASYNCRAT has been detected (YARA)
  - CrackSoftware.exe (PID: 7616)
SUSPICIOUS
- Executable content was dropped or overwritten
  - CrackSoftware.exe (PID: 7616)
- Reads security settings of Internet Explorer
  - CrackSoftware.exe (PID: 7616)
  - MyExeFile.exe (PID: 8088)
- Reads the BIOS version
  - MyExeFile.exe (PID: 8088)
- Connects to unusual port
  - CrackSoftware.exe (PID: 7616)
INFO
- Checks supported languages
  - CrackSoftware.exe (PID: 7616)
  - MyExeFile.exe (PID: 8088)
- Reads the computer name
  - CrackSoftware.exe (PID: 7616)
  - MyExeFile.exe (PID: 8088)
- Reads the machine GUID from the registry
  - CrackSoftware.exe (PID: 7616)
  - MyExeFile.exe (PID: 8088)
- Creates files or folders in the user directory
  - CrackSoftware.exe (PID: 7616)
  - MyExeFile.exe (PID: 8088)
- Disables trace logs
  - CrackSoftware.exe (PID: 7616)
- Create files in a temporary directory
  - CrackSoftware.exe (PID: 7616)
- Checks proxy server information
  - CrackSoftware.exe (PID: 7616)
  - MyExeFile.exe (PID: 8088)
- Process checks computer location settings
  - CrackSoftware.exe (PID: 7616)
- Process checks whether UAC notifications are on
  - MyExeFile.exe (PID: 8088)
- Compiled with Borland Delphi (YARA)
  - CrackSoftware.exe (PID: 7616)
- Reads CPU info
  - MyExeFile.exe (PID: 8088)
- Reads the software policy settings
  - MyExeFile.exe (PID: 8088)
- Creates files in the program directory
  - MyExeFile.exe (PID: 8088)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

AsyncRat

(PID) Process(7616) CrackSoftware.exe

C2 (1)206.206.77.63

Ports (3)6606

7707

8808

Version0.5.8

BotnetFree1

Options

AutoRunfalse

MutexKw6rtGd3h9UZ

InstallFolder%AppData%

BSoDtrue

AntiVMtrue

Certificates

Cert1MIIE5jCCAs6gAwIBAgIQAM2HoLVRRIDi1g2hfnnn7TANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlRTCBTZXJ2ZXIwIBcNMjUwNTA0MTczMDE2WhgPOTk5OTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMMCVFMIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKPm9cMAneGWF3gsiX45rXDar/l3mV+vb3fEuUr1hFmPDJUKGOX6fAJhEQH6c+SF7iG8Yx8Twa52NtbBiuKv2TqLPVZV...

Server_SignatureL0WAP2wJ/8pe4YY033iBJWmMW6GuQ6KFU8/IT7001sF5aXj5yLMmxb2KgcWhVgPvBkj0vT+71rSsSnC6WWMvbv3M3lQEjODxQog6rbpY48Hk1zX+augACXLs4uSo19+89Lu8c+ONtLgSKiuSDacjJ1tSrOKu3WjPL0MJzhadThOuB+6M5fRYESjqwVGRCZPBgwzxYXCeq1yapfHSmsKdhvm1oFNSo4OzsC26/Hf6Eu1lO2USjwjdp1+1nEa4S6Dj23eENgnGU7V5Ou0reWOtUwaWY11xln9KjwkOQteU3iAi...

Keys

AES4da4f707cefca472038c47c402c61bd5ef4a12a57b108f09bc75541d9d570c65

Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (64.5)
.dll	\|	Win32 Dynamic Link Library (generic) (13.6)
.exe	\|	Win32 Executable (generic) (9.3)
.exe	\|	Win16/32 Executable Delphi generic (4.2)
.exe	\|	Generic Win/DOS Executable (4.1)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:05:11 03:50:46+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	8
CodeSize:	6691840
InitializedDataSize:	3072
UninitializedDataSize:	-
EntryPoint:	0x663b0e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	6.2.19041.1766
ProductVersionNumber:	6.2.19041.1766
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	Microsoft Corporation
FileDescription:	XblGameSave Standby Task
FileVersion:	6.2.19041.1766
InternalName:	XblGameSave Standby Task
LegalCopyright:	© Microsoft Corporation. All rights reserved.
LegalTrademarks:	-
OriginalFileName:	XblGameSave Standby Task
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	6.2.19041.1766
AssemblyVersion:	6.2.19041.1766

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

132

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

3676

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

7500

"C:\Users\admin\Downloads\CrackSoftware.exe"

C:\Users\admin\Downloads\CrackSoftware.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

XblGameSave Standby Task

Exit code:

3221226540

Version:

6.2.19041.1766

Modules

Images
c:\users\admin\downloads\cracksoftware.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

7616

"C:\Users\admin\Downloads\CrackSoftware.exe"

C:\Users\admin\Downloads\CrackSoftware.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

XblGameSave Standby Task

Version:

6.2.19041.1766

Modules

Images
c:\users\admin\downloads\cracksoftware.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

AsyncRat

(PID) Process(7616) CrackSoftware.exe

C2 (1)206.206.77.63

Ports (3)6606

7707

8808

Version0.5.8

BotnetFree1

Options

AutoRunfalse

MutexKw6rtGd3h9UZ

InstallFolder%AppData%

BSoDtrue

AntiVMtrue

Certificates

Keys

AES4da4f707cefca472038c47c402c61bd5ef4a12a57b108f09bc75541d9d570c65

Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

8088

"C:\Users\admin\AppData\Local\Temp\MyExeFile.exe"

C:\Users\admin\AppData\Local\Temp\MyExeFile.exe

—

CrackSoftware.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\myexefile.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

3 301

Read events

3 281

Write events

Delete events

Modification events


(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASAPI32
Operation:	write	Name:	FileTracingMask
Value:
(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value:
(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASMANCS
Operation:	write	Name:	EnableAutoFileTracing
Value: 0
(PID) Process:	(7616) CrackSoftware.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
7616	CrackSoftware.exe	C:\MU\A2.PNG		image
		MD5:B746074943272FEE5A206E2EC835C424	SHA256:03FCE0F28B91048B7238BE08207660CE54643859E595DEE97AF7F0D6C71B27CB
7616	CrackSoftware.exe	C:\MU\Aida.png		image
		MD5:EC943AFD0B61FA187041D96E4FB1CA76	SHA256:0DAA51199EACC356FAB666BF802DC5A767B6E91935483939FDF1AB72965BF8DE
7616	CrackSoftware.exe	C:\MU\Doppelganger3.png		image
		MD5:DF43AF02EE858EF5FE68A199F092C618	SHA256:D3E5E020542D1E758EE20CB772720609C4AA0326AE643F4FEE5C33091DE623BF
7616	CrackSoftware.exe	C:\MU\Elbeland.png		image
		MD5:2EB4E53B2CBD9AAF88F960C05E8C6CDC	SHA256:0752BA1A1FEBF0E9FC96C6C97989912910696B58A0EC736075256E7C6BD92CA3
7616	CrackSoftware.exe	C:\MU\Dungeon.png		image
		MD5:F541B7C60D9270C44C6386F7787BBACC	SHA256:9FD3DDFAB7BFDC5BB52A8337BBE5CEC3A7760596A953CE8F5CC7EDFC603B503A
7616	CrackSoftware.exe	C:\MU\DuelArena.png		image
		MD5:5F3765A786FC8F01FD7BD2AAB6611109	SHA256:48389941D2EB297C207906C513B45321E7DFA68EBC301F8C881979C9C9D0E58F
7616	CrackSoftware.exe	C:\MU\Crywolf.png		image
		MD5:AC89AB927C61EA4BB993E20ED61B8631	SHA256:1CDADB93BA052A4F5391EE7A6E6DF451C97E3B3F5C9610CE9B2822A70CFAD975
7616	CrackSoftware.exe	C:\MU\Exile.png		image
		MD5:A6AC624A5EF875CCFEA303EAB97E7DEC	SHA256:FAC0F8A018A074D565FD7C9332DBD1AF72D9BD7DA47A1BA723AD8D007997038F
7616	CrackSoftware.exe	C:\MU\ImperialGuardian1.png		image
		MD5:84AD1CFB2082513F8E85EA28EBD85159	SHA256:2656D130204B2439554C0FEA1CE6B1D0DA7E877915176CAB4E0C6511B62CA345
7616	CrackSoftware.exe	C:\MU\Arena.png		image
		MD5:DF9D12151BA55662868FEC38AFD87F4F	SHA256:59CE7F4134C89B95F3F07FF96553FE515FEB95F3AB998928BC5636472577F395

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	2.19.11.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.218.209.163:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.218.209.163:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6544	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7616	CrackSoftware.exe	GET	200	104.18.38.233:80	http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCEQDzZE5rbgBQI34JRr174fUd	unknown	—	—	whitelisted
7616	CrackSoftware.exe	GET	404	14.225.204.125:80	http://bdcam.net/NEW/NEW.php	unknown	—	—	malicious
7616	CrackSoftware.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D	unknown	—	—	whitelisted
7616	CrackSoftware.exe	GET	200	172.64.149.23:80	http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTPlNxcMEqnlIVyH5VuZ4lawhZX3QQU9oUKOxGG4QR9DqoLLNLuzGR7e64CEQCrZoa1YnvoBZaCEzAShkn1	unknown	—	—	whitelisted
7616	CrackSoftware.exe	GET	200	172.64.149.23:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5496	MoUsoCoreWorker.exe	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
—	—	2.19.11.120:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
5496	MoUsoCoreWorker.exe	23.218.209.163:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	23.218.209.163:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2112	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.19.11.120 2.19.11.105	whitelisted
www.microsoft.com	23.218.209.163 95.101.149.131	whitelisted
google.com	216.58.206.46	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
login.live.com	40.126.32.136 40.126.32.76 20.190.160.17 20.190.160.131 40.126.32.134 20.190.160.64 20.190.160.66 20.190.160.2	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
811092dcc98648d790a1730d08245b4b.monitor-eqatec.com	—	unknown
bdcam.net	14.225.204.125	malicious
settings-win.data.microsoft.com	51.124.78.146	whitelisted
github.com	140.82.121.3	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub

Add for printing

No debug info

General Info

CrackSoftware.exe

7D3173723E130D5EF87A234E8B6B525A

B2B16F2954DC1E7EDE3B7C49400FAB6104198CE9

8F53789C4E0E06032BCF0B3DA0643B187AD8F1D60BFA2091E2A2A249BE596154

98304:eJDPe5JhSUrIVOOOv+5A+9ZmnlvoRri2VNjGb4YzBTmwTC0e9cusK9NI6iyHp2Ia:DkPQ9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ASYNCRAT has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the BIOS version

Connects to unusual port

INFO

Checks supported languages

Reads the computer name

Reads the machine GUID from the registry

Creates files or folders in the user directory

Disables trace logs

Create files in a temporary directory

Checks proxy server information

Process checks computer location settings

Process checks whether UAC notifications are on

Compiled with Borland Delphi (YARA)

Reads CPU info

Reads the software policy settings

Creates files in the program directory

Malware configuration

AsyncRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

AsyncRat

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings