File name: Liquidation.Loader.exe

Full analysis: https://app.any.run/tasks/03d6a8d2-d29b-4225-a0c4-e709189ccf4f
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: August 25, 2024, 10:11:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
dcrat
remote
darkcrystal
stealer
netreactor
wmi-base64
api-base64
exfiltration
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 3AAE32F5784F7D899B27C17B5240A814
SHA1: A4EBE15D0AE04238CF8EC5690228D57197168374
SHA256: 76B1E79C01EF9F081CCA3151BA9C0230FF8B478EF42F70F61259797E04CB5023
SSDEEP: 98304:Byi37m6LatpOr5VsJjH1t2zkelBWD45zyu4BtAsc8ioq/j6UWmM5MGVXYMYj78FK:Z5iod

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 6720)
    • Actions look like stealing of personal data

      • dasHost.exe (PID: 4692)
    • DCRAT has been detected (YARA)

      • dasHost.exe (PID: 4692)
    • Connects to the CnC server

      • dasHost.exe (PID: 4692)
    • Steals credentials from Web Browsers

      • dasHost.exe (PID: 4692)
    • DARKCRYSTAL has been detected (SURICATA)

      • dasHost.exe (PID: 4692)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Liquidation.Loader.exe (PID: 6676)
      • MsNet.exe (PID: 6868)
      • dasHost.exe (PID: 4692)
    • Reads security settings of Internet Explorer

      • Liquidation.Loader.exe (PID: 6676)
      • MsNet.exe (PID: 6868)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6720)
      • MsNet.exe (PID: 6868)
    • Executable content was dropped or overwritten

      • Liquidation.Loader.exe (PID: 6676)
      • MsNet.exe (PID: 6868)
      • dasHost.exe (PID: 4692)
    • Reads the date of Windows installation

      • Liquidation.Loader.exe (PID: 6676)
      • MsNet.exe (PID: 6868)
    • Starts CMD.EXE for command execution

      • wscript.exe (PID: 6720)
      • MsNet.exe (PID: 6868)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6720)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6780)
    • The process creates files with name similar to system file names

      • MsNet.exe (PID: 6868)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7096)
    • Probably delays execution using 'w32tm.exe'

      • cmd.exe (PID: 7096)
    • Loads DLL from Mozilla Firefox

      • dasHost.exe (PID: 4692)
    • Connects to the server without a host name

      • dasHost.exe (PID: 4692)
  • INFO

    • Checks supported languages

      • Liquidation.Loader.exe (PID: 6676)
      • MsNet.exe (PID: 6868)
      • chcp.com (PID: 7164)
      • dasHost.exe (PID: 4692)
    • Reads the computer name

      • Liquidation.Loader.exe (PID: 6676)
      • MsNet.exe (PID: 6868)
      • dasHost.exe (PID: 4692)
    • Process checks computer location settings

      • Liquidation.Loader.exe (PID: 6676)
      • MsNet.exe (PID: 6868)
    • Reads the machine GUID from the registry

      • MsNet.exe (PID: 6868)
      • dasHost.exe (PID: 4692)
    • Reads Environment values

      • MsNet.exe (PID: 6868)
      • dasHost.exe (PID: 4692)
    • Creates files in a temporary directory

      • MsNet.exe (PID: 6868)
      • dasHost.exe (PID: 4692)
    • Changes the display of characters in the console

      • chcp.com (PID: 7164)
    • Disables trace logs

      • dasHost.exe (PID: 4692)
    • Checks proxy server information

      • dasHost.exe (PID: 4692)
    • .NET Reactor protector has been detected

      • dasHost.exe (PID: 4692)
    • Potential library load (Base64 Encoded 'LoadLibrary')

      • dasHost.exe (PID: 4692)
    • Found Base64 encoded reference to AntiVirus WMI classes (YARA)

      • dasHost.exe (PID: 4692)
    • Found Base64 encoded reference to WMI classes (YARA)

      • dasHost.exe (PID: 4692)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

DcRat

(PID) Process: (4692) dasHost.exe
C2 (1): http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads
Options
PluginConfigs
0: {SYSTEMDRIVE}/Users/
1: false
2: false
3: true
4: true
5: true
6: true
7: true
8: true
9: true
10: true
11: true
12: false
13: true
14: true
Version: 5.0.4
Plugins (18): [base64-encoded plugin binaries omitted]
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:03 13:15:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.3
CodeSize: 203776
InitializedDataSize: 271872
UninitializedDataSize: -
EntryPoint: 0x1f530
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
145
Monitored processes
13
Malicious processes
6
Suspicious processes
0

Behavior graph

Graph nodes (from start): liquidation.loader.exe; wscript.exe (no specs); cmd.exe (no specs); conhost.exe (no specs); reg.exe (no specs); msnet.exe; cmd.exe (no specs); conhost.exe (no specs); chcp.com (no specs); w32tm.exe (no specs); #DARKCRYSTAL dashost.exe; ucpdmgr.exe (no specs); conhost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 4168 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: UCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4692 | CMD: "C:\bridgeMsbrowserreviewsvc\dasHost.exe" | Path: C:\bridgeMsbrowserreviewsvc\dasHost.exe | Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Version:
16.10.31418.88
Modules
Images
c:\bridgemsbrowserreviewsvc\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6464 | CMD: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | Path: C:\Windows\System32\w32tm.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Time Service Diagnostic Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
PID: 6676 | CMD: "C:\Liquidation.Loader.exe" | Path: C:\Liquidation.Loader.exe | Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\liquidation.loader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6716 | CMD: "C:\WINDOWS\system32\UCPDMgr.exe" | Path: C:\Windows\System32\UCPDMgr.exe | Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6720 | CMD: "C:\WINDOWS\System32\WScript.exe" "C:\bridgeMsbrowserreviewsvc\oiMPcYVAmYYm2IsiHOTq6nA7LWzCegtCBklBjYlm1kjHxH8qUYkvoRpc.vbe" | Path: C:\Windows\SysWOW64\wscript.exe | Parent process: Liquidation.Loader.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6780 | CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\bridgeMsbrowserreviewsvc\Q4HubEmWLBUckvwOq4ahSgaOTgOLYOptHHIAoKXcIB7Nk.bat" " | Path: C:\Windows\SysWOW64\cmd.exe | Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 6796 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6848 | CMD: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f | Path: C:\Windows\SysWOW64\reg.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 6868 | CMD: "C:\bridgeMsbrowserreviewsvc/MsNet.exe" | Path: C:\bridgeMsbrowserreviewsvc\MsNet.exe | Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
16.10.31418.88
Modules
Images
c:\bridgemsbrowserreviewsvc\msnet.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
9 616
Read events
9 574
Write events
42
Delete events
0

Modification events

PID: 6676 | Process: Liquidation.Loader.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts | Operation: write | Name: VBEFile_.vbe | Value: 0
PID: 6676 | Process: Liquidation.Loader.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids | Operation: write | Name: VBEFile | Value:
PID: 6676 | Process: Liquidation.Loader.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID: 6676 | Process: Liquidation.Loader.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID: 6676 | Process: Liquidation.Loader.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID: 6676 | Process: Liquidation.Loader.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID: 6720 | Process: wscript.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID: 6720 | Process: wscript.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID: 6720 | Process: wscript.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID: 6720 | Process: wscript.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
Executable files
48
Suspicious files
25
Text files
9
Unknown types
0

Dropped files

PID | Process | Filename | Type
6676 | Liquidation.Loader.exe | C:\bridgeMsbrowserreviewsvc\MsNet.exe | executable
MD5: DBC6EC888C91FC1C396E556B2A70DE02
SHA256: 4B9294DD75AE6CE3B750DE669EBE9792B95E8B0D8EA96D5BC88EDE97868B1A45
6868 | MsNet.exe | C:\Users\admin\Desktop\qkbaGlCV.log | executable
MD5: D8BF2A0481C0A17A634D066A711C12E9
SHA256: 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
6676 | Liquidation.Loader.exe | C:\bridgeMsbrowserreviewsvc\Q4HubEmWLBUckvwOq4ahSgaOTgOLYOptHHIAoKXcIB7Nk.bat | text
MD5: 0CBD0ED3204CF56D149BE9A0AEDB402F
SHA256: 273375CFB64A5C6EC32051A85926DBC31EFAD281BC8001AA68BCFB79A1F36311
6868 | MsNet.exe | C:\Users\admin\Desktop\gBIKWIxn.log | executable
MD5: E9CE850DB4350471A62CC24ACB83E859
SHA256: 7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
6676 | Liquidation.Loader.exe | C:\bridgeMsbrowserreviewsvc\oiMPcYVAmYYm2IsiHOTq6nA7LWzCegtCBklBjYlm1kjHxH8qUYkvoRpc.vbe | vbe
MD5: 63CD7784D088CE0FCB23F59DC66EAAD6
SHA256: 9F86775ADA37B8F86C40D26D80C04181EE2FC95549024E0510CE6F8452A9A575
6868 | MsNet.exe | C:\Users\admin\Desktop\VfkmBSvI.log | executable
MD5: 996BD447A16F0A20F238A611484AFE86
SHA256: 0CB182B9F8BD0804FC3BBA016926199C536BD7491BA577E089271DC1A63B07BE
6868 | MsNet.exe | C:\Users\admin\Desktop\smOIcUGQ.log | executable
MD5: 5EE7E079F998F80293B3467CE6A5B4AE
SHA256: A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
6868 | MsNet.exe | C:\Users\admin\Desktop\aamDIylB.log | executable
MD5: 3601048DFB8C4A69313A593E74E5A2DE
SHA256: F5F1BA9E344B2F2E9CF90978C6D3518DFB55B316489E360874E3A1144BAC3C05
6868 | MsNet.exe | C:\Users\admin\Desktop\TtFVuFlP.log | executable
MD5: 240E98D38E0B679F055470167D247022
SHA256: C200E1BE39C35F8E57A0E1E241723FDB956089BC8EAD1235042456C7A3C4AD28
6868 | MsNet.exe | C:\Users\admin\Desktop\JtenvGmf.log | executable
MD5: 94DA5073CCC14DCF4766DF6781485937
SHA256: B81B9FA9B7017BE34F62D30CB16BAAB33757F04CC94EF4D6459C9D3BC768FD18
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
168
TCP/UDP connections
40
DNS requests
16
Threats
8

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4692 | dasHost.exe | POST | 200 | 212.109.199.34:80 | http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads.php | unknown | | | unknown
4692 | dasHost.exe | POST | 200 | 212.109.199.34:80 | http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads.php | unknown | | | unknown
4692 | dasHost.exe | POST | 200 | 212.109.199.34:80 | http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads.php | unknown | | | unknown
4692 | dasHost.exe | POST | 200 | 212.109.199.34:80 | http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads.php | unknown | | | unknown
4692 | dasHost.exe | POST | 200 | 212.109.199.34:80 | http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads.php | unknown | | | unknown
4692 | dasHost.exe | POST | 200 | 212.109.199.34:80 | http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads.php | unknown | | | unknown
4692 | dasHost.exe | POST | 200 | 212.109.199.34:80 | http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads.php | unknown | | | unknown
4692 | dasHost.exe | POST | 200 | 212.109.199.34:80 | http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads.php | unknown | | | unknown
4692 | dasHost.exe | POST | 200 | 212.109.199.34:80 | http://212.109.199.34/PollJs/game/Cpu/Linux_/external/provider4Localjavascript/Datalife/43Vm5/central/BaseLongpoll/Multi57/BigloadUniversal1Flower/Track/Sql/3_/_Universaluploads.php | unknown | | | unknown
6300 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2212 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
 | | 192.168.100.255:138 | | | | whitelisted
2008 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2212 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4692 | dasHost.exe | 212.109.199.34:80 | | JSC IOT | RU | unknown
6300 | SIHClient.exe | 40.127.169.103:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 216.58.206.78
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.23
  • 20.190.159.0
  • 20.190.159.68
  • 20.190.159.71
  • 20.190.159.75
  • 20.190.159.2
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.14
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted

Threats

PID | Process | Class | Message
4692 | dasHost.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4692 | dasHost.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4692 | dasHost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
4692 | dasHost.exe | A suspicious string was detected | SUSPICIOUS [ANY.RUN] Sending an HTTP request body with a Base64 encoded ZIP file
4692 | dasHost.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)
4692 | dasHost.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal Rat Exfiltration (POST)
4692 | dasHost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
4692 | dasHost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible DarkCrystal Rat Encrypted Connection
No debug info