File name:

CrackSoftware_unpacked2.exe.exe

Full analysis: https://app.any.run/tasks/b9e746a1-e0c8-45bc-b57d-6ebf2ea6aa8c
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 19:25:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
asyncrat
github
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

65C31D53F794838AFA70FA8D1576DEFD

SHA1:

62D03420B73FAC1C04B175E6DC569135D41C0016

SHA256:

D4057F97F8896BC2D5C3153A1C24CD4A7430E4A895B5F937CC42D857960F80A2

SSDEEP:

98304:wJDPe5JhSUrIVOOOv+5A+9ZmnlvoRri2VNjGb4YzBTmwTC0e9cusK9NI6iyHp2Is:5kPQ9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ASYNCRAT has been detected (YARA)

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Starts a Microsoft application from unusual location

      • CrackSoftware_unpacked2.exe.exe (PID: 1056)
      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Executable content was dropped or overwritten

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Reads security settings of Internet Explorer

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Reads the BIOS version

      • MyExeFile.exe (PID: 7036)

  • INFO

    • Reads the computer name

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Reads the machine GUID from the registry

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Creates files or folders in the user directory

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Disables trace logs

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Checks proxy server information

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)
      • slui.exe (PID: 6816)

    • Create files in a temporary directory

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Process checks computer location settings

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)

    • Checks supported languages

      • CrackSoftware_unpacked2.exe.exe (PID: 2108)
      • MyExeFile.exe (PID: 7036)

    • Process checks whether UAC notifications are on

      • MyExeFile.exe (PID: 7036)

    • Reads CPU info

      • MyExeFile.exe (PID: 7036)

    • Reads the software policy settings

      • MyExeFile.exe (PID: 7036)
      • slui.exe (PID: 6816)

    • Creates files in the program directory

      • MyExeFile.exe (PID: 7036)

    • Themida protector has been detected

      • MyExeFile.exe (PID: 7036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(2108) CrackSoftware_unpacked2.exe.exe
C2 (1)206.206.77.63
Ports (3)6606
7707
8808
Version0.5.8
BotnetFree1
Options
AutoRunfalse
MutexKw6rtGd3h9UZ
InstallFolder%AppData%
BSoDtrue
AntiVMtrue
Certificates
Cert1MIIE5jCCAs6gAwIBAgIQAM2HoLVRRIDi1g2hfnnn7TANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlRTCBTZXJ2ZXIwIBcNMjUwNTA0MTczMDE2WhgPOTk5OTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMMCVFMIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKPm9cMAneGWF3gsiX45rXDar/l3mV+vb3fEuUr1hFmPDJUKGOX6fAJhEQH6c+SF7iG8Yx8Twa52NtbBiuKv2TqLPVZV...
Server_SignatureL0WAP2wJ/8pe4YY033iBJWmMW6GuQ6KFU8/IT7001sF5aXj5yLMmxb2KgcWhVgPvBkj0vT+71rSsSnC6WWMvbv3M3lQEjODxQog6rbpY48Hk1zX+augACXLs4uSo19+89Lu8c+ONtLgSKiuSDacjJ1tSrOKu3WjPL0MJzhadThOuB+6M5fRYESjqwVGRCZPBgwzxYXCeq1yapfHSmsKdhvm1oFNSo4OzsC26/Hf6Eu1lO2USjwjdp1+1nEa4S6Dj23eENgnGU7V5Ou0reWOtUwaWY11xln9KjwkOQteU3iAi...
Keys
AES4da4f707cefca472038c47c402c61bd5ef4a12a57b108f09bc75541d9d570c65
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:11 03:50:46+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 6686208
InitializedDataSize: 3072
UninitializedDataSize: -
EntryPoint: 0x66255e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.2.19041.1766
ProductVersionNumber: 6.2.19041.1766
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation
FileDescription: XblGameSave Standby Task
FileVersion: 6.2.19041.1766
InternalName: XblGameSave Standby Task
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks: -
OriginalFileName: XblGameSave Standby Task
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.2.19041.1766
AssemblyVersion: 6.2.19041.1766
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
128
Monitored processes
5
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #ASYNCRAT cracksoftware_unpacked2.exe.exe myexefile.exe no specs slui.exe no specs cracksoftware_unpacked2.exe.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1056"C:\Users\admin\Desktop\CrackSoftware_unpacked2.exe.exe" C:\Users\admin\Desktop\CrackSoftware_unpacked2.exe.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
XblGameSave Standby Task
Exit code:
3221226540
Version:
6.2.19041.1766
Modules
Images
c:\users\admin\desktop\cracksoftware_unpacked2.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2108"C:\Users\admin\Desktop\CrackSoftware_unpacked2.exe.exe" C:\Users\admin\Desktop\CrackSoftware_unpacked2.exe.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
XblGameSave Standby Task
Version:
6.2.19041.1766
Modules
Images
c:\users\admin\desktop\cracksoftware_unpacked2.exe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
AsyncRat
(PID) Process(2108) CrackSoftware_unpacked2.exe.exe
C2 (1)206.206.77.63
Ports (3)6606
7707
8808
Version0.5.8
BotnetFree1
Options
AutoRunfalse
MutexKw6rtGd3h9UZ
InstallFolder%AppData%
BSoDtrue
AntiVMtrue
Certificates
Cert1MIIE5jCCAs6gAwIBAgIQAM2HoLVRRIDi1g2hfnnn7TANBgkqhkiG9w0BAQ0FADAUMRIwEAYDVQQDDAlRTCBTZXJ2ZXIwIBcNMjUwNTA0MTczMDE2WhgPOTk5OTEyMzEyMzU5NTlaMBQxEjAQBgNVBAMMCVFMIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKPm9cMAneGWF3gsiX45rXDar/l3mV+vb3fEuUr1hFmPDJUKGOX6fAJhEQH6c+SF7iG8Yx8Twa52NtbBiuKv2TqLPVZV...
Server_SignatureL0WAP2wJ/8pe4YY033iBJWmMW6GuQ6KFU8/IT7001sF5aXj5yLMmxb2KgcWhVgPvBkj0vT+71rSsSnC6WWMvbv3M3lQEjODxQog6rbpY48Hk1zX+augACXLs4uSo19+89Lu8c+ONtLgSKiuSDacjJ1tSrOKu3WjPL0MJzhadThOuB+6M5fRYESjqwVGRCZPBgwzxYXCeq1yapfHSmsKdhvm1oFNSo4OzsC26/Hf6Eu1lO2USjwjdp1+1nEa4S6Dj23eENgnGU7V5Ou0reWOtUwaWY11xln9KjwkOQteU3iAi...
Keys
AES4da4f707cefca472038c47c402c61bd5ef4a12a57b108f09bc75541d9d570c65
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6816C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7036"C:\Users\admin\AppData\Local\Temp\MyExeFile.exe" C:\Users\admin\AppData\Local\Temp\MyExeFile.exeCrackSoftware_unpacked2.exe.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\myexefile.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
8 880
Read events
8 860
Write events
20
Delete events
0

Modification events

(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASMANCS
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(2108) CrackSoftware_unpacked2.exe.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\CrackSoftware_unpacked2_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
1
Suspicious files
4
Text files
46
Unknown types
0

Dropped files

PID
Process
Filename
Type
2108CrackSoftware_unpacked2.exe.exeC:\MU\A2.PNGimage
MD5:B746074943272FEE5A206E2EC835C424
SHA256:03FCE0F28B91048B7238BE08207660CE54643859E595DEE97AF7F0D6C71B27CB
2108CrackSoftware_unpacked2.exe.exeC:\MU\Aida.pngimage
MD5:EC943AFD0B61FA187041D96E4FB1CA76
SHA256:0DAA51199EACC356FAB666BF802DC5A767B6E91935483939FDF1AB72965BF8DE
2108CrackSoftware_unpacked2.exe.exeC:\MU\Icarus.pngimage
MD5:17D922D6326EC6AC6D631C4D0B359C38
SHA256:BBD134AF615FB8905B447340D20FEC586C63FB197294F03257DA362538A0A2C1
2108CrackSoftware_unpacked2.exe.exeC:\MU\Elbeland.pngimage
MD5:2EB4E53B2CBD9AAF88F960C05E8C6CDC
SHA256:0752BA1A1FEBF0E9FC96C6C97989912910696B58A0EC736075256E7C6BD92CA3
2108CrackSoftware_unpacked2.exe.exeC:\MU\Doppelganger2.pngimage
MD5:15962699ADC3B6B43B14F87D451346E7
SHA256:19C773879939762AB2965005A2E0C2E720140BD0D15E030CEF2D3B31078F0398
2108CrackSoftware_unpacked2.exe.exeC:\MU\Doppelganger4.pngimage
MD5:262EC182C2DD8644ECF9495B3022B738
SHA256:F4487F089CC7B498FFD362B781970F1AFE372BB3D8B7B4C41B4CF4696019F75A
2108CrackSoftware_unpacked2.exe.exeC:\MU\Dungeon.pngimage
MD5:F541B7C60D9270C44C6386F7787BBACC
SHA256:9FD3DDFAB7BFDC5BB52A8337BBE5CEC3A7760596A953CE8F5CC7EDFC603B503A
2108CrackSoftware_unpacked2.exe.exeC:\MU\Doppelganger1.pngimage
MD5:E902C15743D28E4002F504854BBCB90C
SHA256:CA2349AB75292B1B7B986B67AE4F04E3BADDEA8E3098E3A2059BEF818AEFA965
2108CrackSoftware_unpacked2.exe.exeC:\MU\DuelArena.pngimage
MD5:5F3765A786FC8F01FD7BD2AAB6611109
SHA256:48389941D2EB297C207906C513B45321E7DFA68EBC301F8C881979C9C9D0E58F
2108CrackSoftware_unpacked2.exe.exeC:\MU\Exile.pngimage
MD5:A6AC624A5EF875CCFEA303EAB97E7DEC
SHA256:FAC0F8A018A074D565FD7C9332DBD1AF72D9BD7DA47A1BA723AD8D007997038F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
55
DNS requests
24
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
POST
200
40.126.31.71:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
2104
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
400
40.126.31.129:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.71:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
40.126.31.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
POST
400
20.190.159.23:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
GET
302
140.82.121.4:443
https://github.com/nhabado/QuanLy/raw/main/Abc1
unknown
unknown
GET
200
140.82.121.4:443
https://raw.githubusercontent.com/nhabado/QuanLy/main/Abc1
unknown
binary
55.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
2104
svchost.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
2104
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
6544
svchost.exe
40.126.32.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2196
svchost.exe
224.0.0.252:5355
whitelisted
2196
svchost.exe
224.0.0.251:5353
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 2.23.246.101
  • 95.101.149.131
whitelisted
811092dcc98648d790a1730d08245b4b.monitor-eqatec.com
unknown
login.live.com
  • 40.126.32.68
  • 20.190.160.128
  • 40.126.32.76
  • 20.190.160.64
  • 20.190.160.65
  • 20.190.160.2
  • 20.190.160.131
  • 20.190.160.4
whitelisted
bdcam.net
  • 14.225.204.125
malicious
github.com
  • 140.82.121.4
whitelisted
raw.githubusercontent.com
  • 185.199.109.133
  • 185.199.110.133
  • 185.199.108.133
  • 185.199.111.133
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CrackSoftware_unpacked2.exe.exe