File name: ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c

Full analysis: https://app.any.run/tasks/ae8104a3-4af4-4420-a6a9-7ffabc58099d
Verdict: Malicious activity
Threats: AsyncRAT

AsyncRAT is an open-source .NET remote access trojan that monitors and remotely controls infected systems. It was published on GitHub as a remote administration tool, but its source is widely reused by attackers for the remote control, keylogging, file transfer and server-pushed plugin features it ships with.

Analysis date: March 24, 2025, 19:51:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: pastebin, asyncrat
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 16F73D2DD8E9363E79BE11A6B327220B
SHA1: 650AF6EE70294018D5F21D4EA13D7E05E9E9CA0C
SHA256: EA7CE466CC91E2A979E65E2306F640E9884A22A394550D7B5FE81169779A0F8C
SSDEEP: 1536:KkFUmt/4krQvDambwUgWUzamOsRo3IUuKmVcl:KQUmpMDpbwU9fWR2IvK8Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • ASYNCRAT has been detected (YARA)

      • ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe (PID: 1324)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Checks supported languages

      • ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe (PID: 1324)
    • Reads Environment values

      • ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe (PID: 1324)
    • Reads the software policy settings

      • slui.exe (PID: 3100)
      • ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe (PID: 1324)
    • Disables trace logs

      • ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe (PID: 1324)
    • Reads the machine GUID from the registry

      • ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe (PID: 1324)
    • Checks proxy server information

      • slui.exe (PID: 3100)
      • ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe (PID: 1324)
    • Reads the computer name

      • ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe (PID: 1324)

AsyncRat configuration

(PID) Process: (1324) ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe
C2 (1): null
Ports (1): null
Version: 0.5.4H
Options:
  AutoRun: false
  Mutex: qqorexwfnetsrl
  InstallFolder: %AppData%
Certificates:
  Cert1: MIIE2jCCAsKgAwIBAgIQAMR7qv0Q8pGF0GD++5HkyzANBgkqhkiG9w0BAQ0FADAOMQwwCgYDVQQDDANnZmMwIBcNMTkxMTI1MTkxMTIyWhgPOTk5OTEyMzEyMzU5NTlaMA4xDDAKBgNVBAMMA2dmYzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAP66xI0pTn9gUbdHEAzCuYlfr8Tm9a6riEDJLEvDIg42Qqnb8+eAX7yq9DOwiwxwo5AnazkR89IradIfv7a05sw+R0/l2Q9p0JR+P4coXOr7...
  Server_Signature: 9F53WUfoGXnT5KlKD/A9vp0niWmOTpsadfHq90dvEr8WRalDuDQoZEzXu66UO6jsRwiyjSgTQ7/rthxmfMTQ4hFZnn9wr6MwK1mArbsvLcyjtRQoJlwR1L2HtqLTZCqZuxnNG2PS4WQmCfiMSgvYcSYV8FiKR4C6bdQS65Q9cvjjsGLG+qPf+FBNPCnktTAEW/6YeS5nyP6HzmqZhA/T+jxX0iV+7RUK3iq/95zNzWahk2soOolNq6GXtXi3/WWKipgAt+4JA0wR2NO+FHjGTNDVZ5NTuYi7LjJ5PSe85dRI...
Keys:
  AES: a2c2a23ea710cc8114c29767d6d8ded6eef0c8397b122024644da2954ea6c994
  Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941

Both C2 and Ports hold the literal string "null". In the open-source AsyncRAT client that is what the builder writes into those two fields when the Pastebin option is used: instead of connecting to an embedded host list, the client downloads the raw paste (here https://pastebin.com/raw/Jd8cP7B0, see the HTTP requests below), splits the text on ":" and treats the first element as the C2 host and the remaining elements as candidate ports. The Salt is the client's hard-coded default salt, from which Rfc2898DeriveBytes (PBKDF2-HMAC-SHA1, 50,000 iterations) derives the 32-byte AES-256 key and a 64-byte HMAC-SHA256 key that protect every settings field. Decoding the start of Cert1 gives a self-signed certificate, CN=gfc, RSA-4096, sha512WithRSA, valid from 2019-11-25 to 9999-12-31, which is the shape of the server certificate the AsyncRAT server generates for itself; Server_Signature is that key's RSA signature over the SHA-256 hash of the stub's master key, and the client verifies it (VerifyHash) before doing anything else. AutoRun: false indicates the Install option was off, so this build does not copy itself into the listed InstallFolder or create a startup entry; the mutex name only prevents a second running instance.
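As an added example (not code from the report, from ANY.RUN or from the AsyncRAT project), the following Python reproduces the client's key schedule and the integrity check it applies to each encrypted settings field, using the default salt shown above, and parses a paste in the host:port[:port...] form the Pastebin option expects. The master key, IV, filler "ciphertext" and paste text in demo() are constructed and come from nothing in the analysed sample. AES-256-CBC decryption of a verified ciphertext is deliberately left out because the standard library has no AES; the bytes under the MAC here are just filler.

```python
"""AsyncRAT settings-blob key derivation and integrity check (stdlib only).

Layout the open-source client uses for every encrypted Settings field:
    blob = HMAC-SHA256(iv || ciphertext) || iv || ciphertext
Keys come from PBKDF2-HMAC-SHA1(master_key, SALT, 50000): first 32 bytes are
the AES-256 key, the next 64 bytes the HMAC key.
"""
import base64
import hashlib
import hmac

# Hard-coded default salt of the open-source client; identical to the "Salt"
# value extracted from this sample.
ASYNCRAT_DEFAULT_SALT = bytes.fromhex(
    "bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941"
)
PBKDF2_ITERATIONS = 50_000
AES_KEY_LEN, HMAC_KEY_LEN = 32, 64
TAG_LEN, IV_LEN = 32, 16


def derive_keys(master_key: str) -> tuple[bytes, bytes]:
    """(aes_key, hmac_key) as Rfc2898DeriveBytes.GetBytes(32)/GetBytes(64)
    return them: sequential GetBytes calls hand out contiguous PBKDF2 output,
    so one 96-byte derivation split in two is byte-identical."""
    out = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"),
                              ASYNCRAT_DEFAULT_SALT, PBKDF2_ITERATIONS,
                              AES_KEY_LEN + HMAC_KEY_LEN)
    return out[:AES_KEY_LEN], out[AES_KEY_LEN:]


def split_blob(blob: bytes) -> tuple[bytes, bytes, bytes]:
    """Split tag || iv || ciphertext; ciphertext must be whole AES blocks."""
    body = len(blob) - TAG_LEN - IV_LEN
    if body < 16 or body % 16:
        raise ValueError("not a tag||iv||ciphertext blob with whole AES blocks")
    return blob[:TAG_LEN], blob[TAG_LEN:TAG_LEN + IV_LEN], blob[TAG_LEN + IV_LEN:]


def verify_blob(master_key: str, blob_b64: str) -> bool:
    """The client's pre-decryption check: does HMAC(iv||ct) under the derived
    auth key match the stored tag? For an analyst this answers 'is this the
    right master key for this config?' without running AES at all."""
    _, auth_key = derive_keys(master_key)
    tag, iv, ct = split_blob(base64.b64decode(blob_b64))
    expected = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)  # constant-time comparison


def build_blob(master_key: str, iv: bytes, ciphertext: bytes) -> str:
    """Assemble a blob in the client's layout; used here to make test data."""
    _, auth_key = derive_keys(master_key)
    tag = hmac.new(auth_key, iv + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(tag + iv + ciphertext).decode("ascii")


def parse_paste(text: str) -> tuple[str, list[int]]:
    """Pastebin mode: the client splits the raw paste on ':' into a host
    followed by one or more ports and connects to the host on one of them."""
    parts = text.strip().split(":")
    if len(parts) < 2:
        raise ValueError("paste must be host:port[:port...]")
    return parts[0], [int(p) for p in parts[1:]]


def demo() -> dict:
    # Constructed values: made-up master key, IV and filler 'ciphertext'
    # (not real AES output); nothing here comes from the analysed sample.
    master = "demo-master-key-not-from-sample"
    iv = bytes(range(16))
    ct = bytes([0xAB] * 32)
    blob = build_blob(master, iv, ct)
    tampered = bytearray(base64.b64decode(blob))
    tampered[-1] ^= 0x01  # flip one ciphertext bit
    return {
        "good_key": verify_blob(master, blob),
        "wrong_key": verify_blob("some-other-key", blob),
        "tampered": verify_blob(master, base64.b64encode(bytes(tampered)).decode()),
        "paste": parse_paste("c2.example.invalid:6606:7707:8808"),  # constructed
    }


if __name__ == "__main__":
    print(demo())
```

To check a real stub, base64-decode its Settings.Key to the UTF-8 string the client uses as the master key and pass that to verify_blob() with one encrypted field; a matching tag confirms the key before any decryption is attempted.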

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9%)
.dll | Win32 Dynamic Link Library (generic) (7.4%)
.exe | Win32 Executable (generic) (5.1%)
.exe | Generic Win/DOS Executable (2.2%)
.exe | DOS Executable Generic (2.2%)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2063:04:24 01:42:21+00:00 (a future date is expected for .NET assemblies built deterministically, where the compiler stores a content hash in the PE timestamp field instead of the build time, so on its own it is not evidence of timestomping)
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 45056
InitializedDataSize: 4608
UninitializedDataSize: -
EntryPoint: 0xcece
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: Stub.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: Stub.exe
ProductName: -
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
Total processes: 122
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe (#ASYNCRAT); svchost.exe; slui.exe

Process information

PID 1324
  CMD: "C:\Users\admin\Desktop\ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe"
  Path: C:\Users\admin\Desktop\ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe
  Parent process: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Version: 1.0.0.0
  Modules (images):
    c:\users\admin\desktop\ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\mscoree.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
PID 2196
  CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Host Process for Windows Services
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\kernel.appcore.dll

PID 3100
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll
Total events: 8,024 (read 8,009, write 15, delete 0)

Modification events

(PID 1324) ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe
  HKEY_CURRENT_USER\SOFTWARE\3C54740F7CC0F23B53E5
    write 3C54740F7CC0F23B53E5 = 0
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
    write EnableFileTracing = 0
    write EnableAutoFileTracing = 0
    write EnableConsoleTracing = 0
    write FileTracingMask = (value not shown)
    write ConsoleTracingMask = (value not shown)
    write MaxFileSize = 1048576
    write FileDirectory = %windir%\tracing
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
    write EnableFileTracing = 0
    write EnableAutoFileTracing = 0

The RASAPI32 and RASMANCS tracing values are the default settings that the Windows RAS tracing component writes when a process first loads the RAS/WinINet networking stack, which any program making HTTP requests can trigger; this is why "Disables trace logs" is filed under INFO rather than SUSPICIOUS, and it should be read as context, not as an indicator. The value written under HKEY_CURRENT_USER\SOFTWARE\3C54740F7CC0F23B53E5 is the only registry change specific to this sample.
Dropped files

No data (executable files: 0, suspicious files: 0, text files: 0, unknown types: 0)
Network activity

HTTP(S) requests: 38
TCP/UDP connections: 20
DNS requests: 16
Threats: 12

HTTP requests (10 of the 38 recorded requests are listed)

PID  Process  Method  HTTP code  IP                URL                                CN       Type  Size  Reputation
-    -        GET     200        104.20.3.235:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted
-    -        GET     200        104.20.4.235:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted
-    -        GET     200        104.20.3.235:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted
-    -        GET     200        104.20.4.235:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted
-    -        GET     200        172.67.19.24:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted
-    -        GET     200        172.67.19.24:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted
-    -        GET     200        172.67.19.24:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted
-    -        GET     200        104.20.3.235:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted
-    -        GET     200        104.20.3.235:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted
-    -        GET     200        104.20.3.235:443  https://pastebin.com/raw/Jd8cP7B0  unknown  text  94 b  whitelisted

Every listed request retrieves the same 94-byte raw paste, spread across the site's Cloudflare front ends. Together with the repeated *.ddns.net lookups below this is consistent with the AsyncRAT reconnect loop: the client re-downloads the paste, resolves the host it names and, when no connection results, sleeps and starts over. The "whitelisted" reputation only says that pastebin.com is a popular site; a non-browser process fetching the same raw paste over and over is the signal.

Connections

PID   Process                                                                Domain                           IP                   ASN                          CN  Reputation
-     -                                                                      settings-win.data.microsoft.com  4.231.128.59:443     MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System                                                                 -                                192.168.100.255:137  -                            -   whitelisted
4     System                                                                 -                                192.168.100.255:138  -                            -   whitelisted
-     -                                                                      settings-win.data.microsoft.com  51.124.78.146:443    MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
1324  ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe  pastebin.com                     172.67.19.24:443     CLOUDFLARENET                US  whitelisted
6480  slui.exe                                                               activation-v2.sls.microsoft.com  40.91.76.224:443     MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
3100  slui.exe                                                               activation-v2.sls.microsoft.com  40.91.76.224:443     MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted

DNS requests

Domain                           IP(s)                                     Reputation
settings-win.data.microsoft.com  4.231.128.59, 51.124.78.146               whitelisted
google.com                       142.250.186.142                           whitelisted
pastebin.com                     172.67.19.24, 104.20.4.235, 104.20.3.235  whitelisted
5461458.ddns.net                 -                                         malicious
activation-v2.sls.microsoft.com  40.91.76.224                              whitelisted

Threats (10 of the 12 recorded alerts are listed)

PID   Process      Class                    Message                                             Count
2196  svchost.exe  Not Suspicious Traffic   INFO [ANY.RUN] Online Pastebin Text Storage         1
2196  svchost.exe  Potentially Bad Traffic  ET DYN_DNS DNS Query to DynDNS Domain *.ddns .net   9

All alerts are attributed to svchost.exe (PID 2196, the Dnscache service host) because the sandbox sees the queries as they leave the Windows resolver, not the process that asked for the name. On an endpoint, per-process DNS telemetry such as Sysmon Event ID 22 is needed to tie the *.ddns.net lookups back to the stub (PID 1324), which is the only monitored process that talked to pastebin.com.
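The following Python is an added example, not part of the report, that encodes the two network observations above as detection logic and shows why process attribution matters: with wire-level telemetry, as in this capture, the DNS query belongs to svchost.exe and the chain cannot be tied to the stub, while with per-process DNS telemetry such as Sysmon Event ID 22 it can. The event records are constructed, modelled on the report's PIDs, image names, paste URL and domain; the URL regex, dynamic-DNS suffix list, browser allow list and 120-second window are this example's own assumptions.

```python
"""Paste-site fetch -> dynamic-DNS lookup correlation (stdlib only)."""
import re
from dataclasses import dataclass

# Only pastebin.com appears in the report; other paste sites would be additions.
PASTE_RAW_URL = re.compile(r"^https?://(?:www\.)?pastebin\.com/raw/[A-Za-z0-9]+/?$")
# The report's domain is under ddns.net; the other suffixes are example additions.
DYN_DNS_SUFFIXES = (".ddns.net", ".duckdns.org", ".no-ip.org", ".hopto.org")
# Browsers may legitimately open raw pastes; anything else doing so is unusual.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
WINDOW_SECONDS = 120


@dataclass(frozen=True)
class Event:
    ts: float      # seconds, monotonic within the log
    kind: str      # "http" (proxy/TLS-inspection log) or "dns" (Sysmon ID 22)
    pid: int
    image: str     # process image file name
    target: str    # URL for http, queried name for dns


def is_dyn_dns(name: str) -> bool:
    n = name.lower().rstrip(".")
    return any(n.endswith(s) for s in DYN_DNS_SUFFIXES)


def correlate(events: list[Event]) -> list[tuple]:
    """Rule A: a non-browser process fetched a raw paste.
    Rule B: the same PID then queried a dynamic-DNS name within the window.
    Returns (rule, pid, image, target) tuples in time order."""
    alerts = []
    last_paste = {}  # pid -> time of latest raw paste fetch
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "http" and PASTE_RAW_URL.match(ev.target):
            if ev.image.lower() in BROWSERS:
                continue
            last_paste[ev.pid] = ev.ts
            alerts.append(("A_paste_fetch", ev.pid, ev.image, ev.target))
        elif ev.kind == "dns" and is_dyn_dns(ev.target):
            started = last_paste.get(ev.pid)
            if started is not None and ev.ts - started <= WINDOW_SECONDS:
                alerts.append(("B_paste_then_dyndns", ev.pid, ev.image, ev.target))
    return alerts


STUB = "ea7ce466cc91e2a979e65e2306f640e9884a22a394550d7b5fe81169779a0f8c.exe"
PASTE = "https://pastebin.com/raw/Jd8cP7B0"
C2_NAME = "5461458.ddns.net"


def wire_view() -> list[Event]:
    """Constructed to match the sandbox capture: the DNS query is attributed
    to the Dnscache service host (svchost.exe, PID 2196), not to the stub."""
    return [
        Event(10.0, "http", 1324, STUB, PASTE),
        Event(10.4, "dns", 2196, "svchost.exe", C2_NAME),
        Event(41.0, "http", 1324, STUB, PASTE),  # reconnect loop repeats
        Event(41.3, "dns", 2196, "svchost.exe", C2_NAME),
    ]


def host_view() -> list[Event]:
    """Constructed as Sysmon Event ID 22 would record the same activity, with
    the query attributed to the process that asked the resolver."""
    return [
        Event(10.0, "http", 1324, STUB, PASTE),
        Event(10.4, "dns", 1324, STUB, C2_NAME),
        Event(12.0, "http", 4711, "msedge.exe", PASTE),  # constructed benign noise
    ]


def demo() -> dict:
    return {"wire": correlate(wire_view()), "host": correlate(host_view())}


if __name__ == "__main__":
    for view, alerts in demo().items():
        print(view, *alerts, sep="\n  ")
```

Against the wire view only rule A fires, twice, on the stub; against the host view rule B completes the chain and the browser's paste fetch is ignored, which is the difference between an informational hit and an alert worth paging on.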