File name:

CrackSoftware_unpacked2.exe.exe

Full analysis: https://app.any.run/tasks/b9e746a1-e0c8-45bc-b57d-6ebf2ea6aa8c
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 19:25:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
asyncrat
github
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

65C31D53F794838AFA70FA8D1576DEFD

SHA1:

62D03420B73FAC1C04B175E6DC569135D41C0016

SHA256:

D4057F97F8896BC2D5C3153A1C24CD4A7430E4A895B5F937CC42D857960F80A2

SSDEEP:

98304:wJDPe5JhSUrIVOOOv+5A+9ZmnlvoRri2VNjGb4YzBTmwTC0e9cusK9NI6iyHp2Is:5kPQ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ASYNCRAT has been detected (YARA)

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Starts a Microsoft application from unusual location

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • CrackSoftware_unpacked2.exe.exe (PID: 1056)

    • Executable content was dropped or overwritten

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Reads security settings of Internet Explorer

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Reads the BIOS version

      • MyExeFile.exe (PID: 7036)

  • INFO

    • Reads the machine GUID from the registry

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Reads the computer name

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Creates files or folders in the user directory

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Disables trace logs

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Create files in a temporary directory

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Checks proxy server information

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)
      • slui.exe (PID: 6816)

    • Process checks computer location settings

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Checks supported languages

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Process checks whether UAC notifications are on

      • MyExeFile.exe (PID: 7036)

    • Reads CPU info

      • MyExeFile.exe (PID: 7036)

    • Creates files in the program directory

      • MyExeFile.exe (PID: 7036)

    • Reads the software policy settings

      • MyExeFile.exe (PID: 7036)
      • slui.exe (PID: 6816)

    • Themida protector has been detected

      • MyExeFile.exe (PID: 7036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(2108) CrackSoftware_unpacked2.exe.exe
C2 (1)206.206.77.63
Ports (3)6606
7707
8808
Version0.5.8
BotnetFree1
Options
AutoRunfalse
MutexKw6rtGd3h9UZ
InstallFolder%AppData%
BSoDtrue
AntiVMtrue
Certificates
Cert1MIIE5jCCAs6gAwIBAgIQAM2HoLVRRIDi1g2hfnnn7TANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlRTCBTZXJ2ZXIwIBcNMjUwNTA0MTczMDE2WhgPOTk5OTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMMCVFMIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKPm9cMAneGWF3gsiX45rXDar/l3mV+vb3fEuUr1hFmPDJUKGOX6fAJhEQH6c+SF7iG8Yx8Twa52NtbBiuKv2TqLPVZV...
Server_SignatureL0WAP2wJ/8pe4YY033iBJWmMW6GuQ6KFU8/IT7001sF5aXj5yLMmxb2KgcWhVgPvBkj0vT+71rSsSnC6WWMvbv3M3lQEjODxQog6rbpY48Hk1zX+augACXLs4uSo19+89Lu8c+ONtLgSKiuSDacjJ1tSrOKu3WjPL0MJzhadThOuB+6M5fRYESjqwVGRCZPBgwzxYXCeq1yapfHSmsKdhvm1oFNSo4OzsC26/Hf6Eu1lO2USjwjdp1+1nEa4S6Dj23eENgnGU7V5Ou0reWOtUwaWY11xln9KjwkOQteU3iAi...
Keys
AES4da4f707cefca472038c47c402c61bd5ef4a12a57b108f09bc75541d9d570c65
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:11 03:50:46+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 6686208
InitializedDataSize: 3072
UninitializedDataSize: -
EntryPoint: 0x66255e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.2.19041.1766
ProductVersionNumber: 6.2.19041.1766
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation
FileDescription: XblGameSave Standby Task
FileVersion: 6.2.19041.1766
InternalName: XblGameSave Standby Task
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks: -
OriginalFileName: XblGameSave Standby Task
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.2.19041.1766
AssemblyVersion: 6.2.19041.1766
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
5
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #ASYNCRAT cracksoftware_unpacked2.exe.exe myexefile.exe no specs slui.exe no specs cracksoftware_unpacked2.exe.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1056"C:\Users\admin\Desktop\CrackSoftware_unpacked2.exe.exe" C:\Users\admin\Desktop\CrackSoftware_unpacked2.exe.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
XblGameSave Standby Task
Exit code:
3221226540
Version:
6.2.19041.1766
Modules
Images
c:\users\admin\desktop\cracksoftware_unpacked2.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2108"C:\Users\admin\Desktop\CrackSoftware_unpacked2.exe.exe" C:\Users\admin\Desktop\CrackSoftware_unpacked2.exe.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
XblGameSave Standby Task
Version:
6.2.19041.1766
Modules
Images
c:\users\admin\desktop\cracksoftware_unpacked2.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
AsyncRat
(PID) Process(2108) CrackSoftware_unpacked2.exe.exe
C2 (1)206.206.77.63
Ports (3)6606
7707
8808
Version0.5.8
BotnetFree1
Options
AutoRunfalse
MutexKw6rtGd3h9UZ
InstallFolder%AppData%
BSoDtrue
AntiVMtrue
Certificates
Cert1MIIE5jCCAs6gAwIBAgIQAM2HoLVRRIDi1g2hfnnn7TANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlRTCBTZXJ2ZXIwIBcNMjUwNTA0MTczMDE2WhgPOTk5OTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMMCVFMIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKPm9cMAneGWF3gsiX45rXDar/l3mV+vb3fEuUr1hFmPDJUKGOX6fAJhEQH6c+SF7iG8Yx8Twa52NtbBiuKv2TqLPVZV...
Server_SignatureL0WAP2wJ/8pe4YY033iBJWmMW6GuQ6KFU8/IT7001sF5aXj5yLMmxb2KgcWhVgPvBkj0vT+71rSsSnC6WWMvbv3M3lQEjODxQog6rbpY48Hk1zX+augACXLs4uSo19+89Lu8c+ONtLgSKiuSDacjJ1tSrOKu3WjPL0MJzhadThOuB+6M5fRYESjqwVGRCZPBgwzxYXCeq1yapfHSmsKdhvm1oFNSo4OzsC26/Hf6Eu1lO2USjwjdp1+1nEa4S6Dj23eENgnGU7V5Ou0reWOtUwaWY11xln9KjwkOQteU3iAi...
Keys
AES4da4f707cefca472038c47c402c61bd5ef4a12a57b108f09bc75541d9d570c65
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6816C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7036"C:\Users\admin\AppData\Local\Temp\MyExeFile.exe" C:\Users\admin\AppData\Local\Temp\MyExeFile.exeCrackSoftware_unpacked2.exe.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\myexefile.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
8 880
Read events
8 860
Write events
20
Delete events
0

Modification events

(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
4
Text files
46
Unknown types
0

Dropped files

PID
Process
Filename
Type
2108CrackSoftware_unpacked2.exe.exeC:\MU\Aida.pngimage
MD5:EC943AFD0B61FA187041D96E4FB1CA76
SHA256:0DAA51199EACC356FAB666BF802DC5A767B6E91935483939FDF1AB72965BF8DE
2108CrackSoftware_unpacked2.exe.exeC:\MU\A2.PNGimage
MD5:B746074943272FEE5A206E2EC835C424
SHA256:03FCE0F28B91048B7238BE08207660CE54643859E595DEE97AF7F0D6C71B27CB
2108CrackSoftware_unpacked2.exe.exeC:\MU\BalgassRefuge.pngimage
MD5:0A951863D40B38180BAAF839FAC74DA8
SHA256:CBEBF3D5F1FC34B8B6200E2226D714793FB19E335865FC0DD13A57609C88B4EF
2108CrackSoftware_unpacked2.exe.exeC:\MU\ChaosCastle.pngimage
MD5:0E16CE45CFAD9F1884BDFABF082CCBA2
SHA256:A23D617559CEDE640908EA82BBDF7B3CB22D5B41C5F4F41561EEC2411118906A
2108CrackSoftware_unpacked2.exe.exeC:\MU\Doppelganger3.pngimage
MD5:DF43AF02EE858EF5FE68A199F092C618
SHA256:D3E5E020542D1E758EE20CB772720609C4AA0326AE643F4FEE5C33091DE623BF
2108CrackSoftware_unpacked2.exe.exeC:\MU\Doppelganger1.pngimage
MD5:E902C15743D28E4002F504854BBCB90C
SHA256:CA2349AB75292B1B7B986B67AE4F04E3BADDEA8E3098E3A2059BEF818AEFA965
2108CrackSoftware_unpacked2.exe.exeC:\MU\Devias.pngimage
MD5:FB140E82EB7891B83D8EFCD75E16A72A
SHA256:30A55165F4D4B9AA1882DE29AEE7DB0CA1814A335D1F11C4E2A128FC1C67490E
2108CrackSoftware_unpacked2.exe.exeC:\MU\Crywolf.pngimage
MD5:AC89AB927C61EA4BB993E20ED61B8631
SHA256:1CDADB93BA052A4F5391EE7A6E6DF451C97E3B3F5C9610CE9B2822A70CFAD975
2108CrackSoftware_unpacked2.exe.exeC:\MU\Doppelganger2.pngimage
MD5:15962699ADC3B6B43B14F87D451346E7
SHA256:19C773879939762AB2965005A2E0C2E720140BD0D15E030CEF2D3B31078F0398
2108CrackSoftware_unpacked2.exe.exeC:\MU\Doppelganger4.pngimage
MD5:262EC182C2DD8644ECF9495B3022B738
SHA256:F4487F089CC7B498FFD362B781970F1AFE372BB3D8B7B4C41B4CF4696019F75A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
55
DNS requests
24
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2104
svchost.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
40.126.31.71:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.71:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.23:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
2108
CrackSoftware_unpacked2.exe.exe
GET
404
14.225.204.125:80
http://bdcam.net/NEW/NEW.php
unknown
malicious
GET
302
140.82.121.4:443
https://github.com/nhabado/QuanLy/raw/main/Abc1
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
6544
svchost.exe
40.126.32.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2196
svchost.exe
224.0.0.252:5355
whitelisted
2196
svchost.exe
224.0.0.251:5353
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
811092dcc98648d790a1730d08245b4b.monitor-eqatec.com
unknown
login.live.com
  • 40.126.32.68
  • 20.190.160.128
  • 40.126.32.76
  • 20.190.160.64
  • 20.190.160.65
  • 20.190.160.2
  • 20.190.160.131
  • 20.190.160.4
whitelisted
bdcam.net
  • 14.225.204.125
malicious
github.com
  • 140.82.121.4
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CrackSoftware_unpacked2.exe.exe