File name: | NjRat Lime Edition 0.8.0.exe |
Full analysis: | https://app.any.run/tasks/4614692d-8465-41d6-886d-542dc66f8fa9 |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | May 21, 2022, 08:54:16 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 36E563C6A8405072DE58882A27C315AC |
SHA1: | 18A5EF02A1A2FFF820D060E6E35CD07C7C785B7E |
SHA256: | C78556DC92F624B44BAA17BF39EE503E1C703F3BD3A9C328B79912F493EC2CE7 |
SSDEEP: | 6144:08JsLcpjzTDDmHayakLkrb4NSarQWM4DXB:RzxzTDWikLSb4NS794DXB |
.exe | | | Win64 Executable (generic) (64.6) |
---|---|---|
.dll | | | Win32 Dynamic Link Library (generic) (15.4) |
.exe | | | Win32 Executable (generic) (10.5) |
.exe | | | Generic Win/DOS Executable (4.6) |
.exe | | | DOS Executable Generic (4.6) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1eef0 |
UninitializedDataSize: | - |
InitializedDataSize: | 93184 |
CodeSize: | 201728 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2021:06:11 11:16:47+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 11-Jun-2021 09:16:47 |
Detected languages: |
|
Debug artifacts: |
|
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000110 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 6 |
Time date stamp: | 11-Jun-2021 09:16:47 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000313BA | 0x00031400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70981 |
.rdata | 0x00033000 | 0x0000A622 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.22268 |
.data | 0x0003E000 | 0x00023728 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.70882 |
.didat | 0x00062000 | 0x0000018C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.35543 |
.rsrc | 0x00063000 | 0x00008C08 | 0x00008E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.27269 |
.reloc | 0x0006C000 | 0x0000227C | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.56418 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.26192 | 1875 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
7 | 3.66634 | 508 | Latin 1 / Western European | UNKNOWN | RT_STRING |
8 | 3.71728 | 582 | Latin 1 / Western European | UNKNOWN | RT_STRING |
9 | 3.73856 | 422 | Latin 1 / Western European | UNKNOWN | RT_STRING |
10 | 3.55807 | 220 | Latin 1 / Western European | UNKNOWN | RT_STRING |
11 | 3.89762 | 1124 | Latin 1 / Western European | UNKNOWN | RT_STRING |
12 | 3.68258 | 356 | Latin 1 / Western European | UNKNOWN | RT_STRING |
13 | 3.61824 | 272 | Latin 1 / Western European | UNKNOWN | RT_STRING |
14 | 3.61995 | 344 | Latin 1 / Western European | UNKNOWN | RT_STRING |
15 | 3.4037 | 232 | Latin 1 / Western European | UNKNOWN | RT_STRING |
KERNEL32.dll |
USER32.dll (delay-loaded) |
gdiplus.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2764 | "C:\Users\admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" | C:\Users\admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
3472 | "C:\Users\admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe" | C:\Users\admin\AppData\Local\Temp\NjRat Lime Edition 0.8.0.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
508 | "C:\Users\admin\AppData\Local\Temp\RarSFX0\NjRat Lime Edition 0.8.0.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX0\NjRat Lime Edition 0.8.0.exe | NjRat Lime Edition 0.8.0.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Exit code: 0 Version: 0.0.0.0 Modules
| |||||||||||||||
1008 | "C:\Users\admin\AppData\Local\Temp\njrat_main.exe" | C:\Users\admin\AppData\Local\Temp\njrat_main.exe | NjRat Lime Edition 0.8.0.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
3192 | "C:\Users\admin\AppData\Local\Temp\RarSFX1\NjRat Lime Edition 0.8.0.exe" | C:\Users\admin\AppData\Local\Temp\RarSFX1\NjRat Lime Edition 0.8.0.exe | — | njrat_main.exe | |||||||||||
User: admin Integrity Level: HIGH Description: njRAT Lime Edition Exit code: 3221225547 Version: 0.8.0.0 Modules
| |||||||||||||||
3524 | "C:\Users\admin\AppData\Local\Temp\njrat_hook.exe" | C:\Users\admin\AppData\Local\Temp\njrat_hook.exe | NjRat Lime Edition 0.8.0.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 2019.4.15.16511847 Modules
| |||||||||||||||
2104 | schtasks.exe /create /tn "SearchFilterHost" /sc ONLOGON /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\SearchFilterHost.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
876 | schtasks.exe /create /tn "SearchFilterHost" /sc MINUTE /mo 8 /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\SearchFilterHost.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2876 | schtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\taskeng.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2192 | schtasks.exe /create /tn "taskeng" /sc MINUTE /mo 11 /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\taskeng.exe'" /rl HIGHEST /f | C:\Windows\system32\schtasks.exe | — | wmiprvse.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (3472) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (3472) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (3472) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (3472) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (508) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NjRat Lime Edition 0_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (508) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NjRat Lime Edition 0_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (508) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NjRat Lime Edition 0_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (508) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NjRat Lime Edition 0_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
(PID) Process: | (508) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NjRat Lime Edition 0_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (508) NjRat Lime Edition 0.8.0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\NjRat Lime Edition 0_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing |
PID | Process | Filename | Type | |
---|---|---|---|---|
508 | NjRat Lime Edition 0.8.0.exe | C:\Users\admin\AppData\Local\Temp\njrat_main.exe | executable | |
MD5:3839845E48928DC6B8CC660185C53CA6 | SHA256:928B41B877A3C51A26431C21A478B8C4A9CE75CD02FB22FE2432847A13BEAF1F | |||
3472 | NjRat Lime Edition 0.8.0.exe | C:\Users\admin\AppData\Local\Temp\RarSFX0\NjRat Lime Edition 0.8.0.exe | executable | |
MD5:28B78D31066935CD3C65E733A55C1311 | SHA256:A5EE3DFFC68E53CE285078175729EAF5E186BFF88165DE59F41061071606DF65 | |||
3524 | njrat_hook.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\taskeng.exe | executable | |
MD5:F90C3EEFFB7A6287BD2CF2FDCAB062F2 | SHA256:D3E72086B27FEF2EA7838ADC903EC0EEC2B6E8308F9283C8190B2CB83E447039 | |||
1008 | njrat_main.exe | C:\Users\admin\AppData\Local\Temp\RarSFX1\Plugin\ch.dll | executable | |
MD5:76C5688CD2EDE7B2F71AC5CFF2B61798 | SHA256:AB0D773CCDB036010866C252DEDBEC7ECAC897E2E18147BE95A55342E3ACA165 | |||
3524 | njrat_hook.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\SearchFilterHost.exe | executable | |
MD5:F90C3EEFFB7A6287BD2CF2FDCAB062F2 | SHA256:D3E72086B27FEF2EA7838ADC903EC0EEC2B6E8308F9283C8190B2CB83E447039 | |||
3524 | njrat_hook.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\617403385cfa57 | text | |
MD5:9C1FF7055672119B862BC1AF09A1F48E | SHA256:5156CAC1A74A71151AAC11550F2B2B09AE0B1988763D1961D2067C2D47C18DDD | |||
1008 | njrat_main.exe | C:\Users\admin\AppData\Local\Temp\RarSFX1\NjRat Lime Edition 0.8.0.exe | executable | |
MD5:482C73CA6C64073D877CF9C510B872CA | SHA256:1C617CFB5D8A252E015F9937AF47D84F5557D7EBE25F2B2ACFEB03671BF08ED9 | |||
1008 | njrat_main.exe | C:\Users\admin\AppData\Local\Temp\RarSFX1\Plugin\reactor.exe | executable | |
MD5:7429E30CAA2A8B41D926FFEF1A05B347 | SHA256:1EFC5368BCD9704D7DF85E2E143936D6EE4509AC31A7CA6D3EB4CF3B18C5EF27 | |||
1008 | njrat_main.exe | C:\Users\admin\AppData\Local\Temp\RarSFX1\WinMM.Net.dll | executable | |
MD5:D4B80052C7B4093E10CE1F40CE74F707 | SHA256:59E2AC1B79840274BDFCEF412A10058654E42F4285D732D1487E65E60FFBFB46 | |||
1008 | njrat_main.exe | C:\Users\admin\AppData\Local\Temp\RarSFX1\GeoIP.dat | binary | |
MD5:A0A228C187329AD148F33C81DDB430BB | SHA256:B4BFD1EBC50F0EAAB3D3F4C2152FEAE7AA8EFAD380B85064153A6BFD006C6210 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
508 | NjRat Lime Edition 0.8.0.exe | GET | 200 | 31.31.196.189:80 | http://u1405914.isp.regruhosting.ru/nj/njrat_hook.exe | RU | executable | 1.46 Mb | suspicious |
2744 | csrss.exe | GET | 200 | 62.182.157.170:80 | http://62.182.157.170/PublictempLongpoll6/centralUniversalserver/publicdownloadsWordpressTraffic/linuxSqlgeneratorDownloads/Temporaryprocessor/privatePacket82/longpollPubliccdnMulti/Traffic8Baseexternal/videoJsPacketAsyncTraffic.php?5xHHHcv9umj8=A9fM78kv3x0gBN1yJBTGW80Ek08&5adb305be6b57d114eefcc8ce6719f85=QOwI2MlVWMlV2NwMTZzADMlBDOlFmY2cTY4EjNyEjMyYDN1QGO3EDO0gzM2kDMykzMzQTM4ITM&af2456c33ff92b00ccbdb00daccbf388=gY1UGOxImNmNmMyQ2MjBTNwM2YkZzY5QjM0MDZ4YzYllTN5MGZhdzN&18b1e2605681a7b5474eae64e9281479=d1nI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W&77784164bcd789654b592e0546a81f4f=0VfiIiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYisHL9JSOWp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFRKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVIp0QMl2aslkNJlmYwFzRaJkTYFWa3lWSp9maJhkRFZVa3lWSwwWbRdWS610Z3dVW1lzVhpnTYpVb502YRJUeOdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulEakdVYTlzUadXOtNWMWtWS2k0UaVXOtVGbxcVYwo0QMlWQE10dBRUT3lUaPl2dXlFMONjY3p0QMlWRXFmMShVWNJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJNlT5dXeOFTSp9UaNJjYzp0QMlWWGRVavpWS1oESkVnVzImaKNETplUaPlGNyIGckdlW5p0QMlWSp9UarhEZw5UbJNXSp5UdJRlT1lFVPhHNp5UNFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETpVkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiIjZTYwImM0MmNjlDZ1UmMjZGNzU2Y2ATOjljMiJDM3UjZjVjNyYmN0IiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W | unknown | text | 104 b | malicious |
2744 | csrss.exe | GET | 200 | 62.182.157.170:80 | http://62.182.157.170/PublictempLongpoll6/centralUniversalserver/publicdownloadsWordpressTraffic/linuxSqlgeneratorDownloads/Temporaryprocessor/privatePacket82/longpollPubliccdnMulti/Traffic8Baseexternal/videoJsPacketAsyncTraffic.php?5xHHHcv9umj8=A9fM78kv3x0gBN1yJBTGW80Ek08&5adb305be6b57d114eefcc8ce6719f85=QOwI2MlVWMlV2NwMTZzADMlBDOlFmY2cTY4EjNyEjMyYDN1QGO3EDO0gzM2kDMykzMzQTM4ITM&af2456c33ff92b00ccbdb00daccbf388=gY1UGOxImNmNmMyQ2MjBTNwM2YkZzY5QjM0MDZ4YzYllTN5MGZhdzN&2a3eea263f67cdf1363195b196a26677=QX9JSUmlGNyIGcShVW0p0Mi1WNXN1Z3dkYoJ1MjVHbtJmV4ZEW6Z1RiBnWFlEdG12YulTbjFFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS6ljMaBnSIpFaKNDWzZ1VhlnSXllbKl2TplEWapnVWJGaWdEZUp0QMNHeXRWdwpWSuVzVZ1UMXlFbSNTVpdXaJRnRXpFMONDT6Z1RiBnWHlEdG12YulTbjdXOp9kaKl2Tpd2RkhmQWJGaWdEZUp0QMl2a5JGcSdFZCJUeOVzY5FlQClXYsJFSihmVtV1bBlmYKJ0UaVHbHRVd4x2YjlzVhtmVYF1ZjR1Tu1UVRd2cXpFM4dVWspkRLdWVtJmdod0Y2p0MZBXMrlkNJl3YsVjMi9mQzIWeOdVYOp0QMlWSp9UaNhlYo5UbZxGZsl0cJlmYjpESYh3aWFVTCFTVKJVRYNWNDh1Y4ZEWp9maJpXNXpFbKNTWUp0QMlWSqxUM0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiImN2NjRmY4EmYiFjNzUTYiFWN4MGM2cTY1IzN3QWN2gjYkNmMxMzNyIiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W | unknown | text | 2.00 Kb | malicious |
2744 | csrss.exe | GET | 200 | 62.182.157.170:80 | http://62.182.157.170/PublictempLongpoll6/centralUniversalserver/publicdownloadsWordpressTraffic/linuxSqlgeneratorDownloads/Temporaryprocessor/privatePacket82/longpollPubliccdnMulti/Traffic8Baseexternal/videoJsPacketAsyncTraffic.php?5xHHHcv9umj8=A9fM78kv3x0gBN1yJBTGW80Ek08&5adb305be6b57d114eefcc8ce6719f85=QOwI2MlVWMlV2NwMTZzADMlBDOlFmY2cTY4EjNyEjMyYDN1QGO3EDO0gzM2kDMykzMzQTM4ITM&af2456c33ff92b00ccbdb00daccbf388=gY1UGOxImNmNmMyQ2MjBTNwM2YkZzY5QjM0MDZ4YzYllTN5MGZhdzN&77784164bcd789654b592e0546a81f4f=0VfiIiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiImN2NjRmY4EmYiFjNzUTYiFWN4MGM2cTY1IzN3QWN2gjYkNmMxMzNyIiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W | unknown | text | 2.00 Kb | malicious |
2744 | csrss.exe | GET | 200 | 62.182.157.170:80 | http://62.182.157.170/PublictempLongpoll6/centralUniversalserver/publicdownloadsWordpressTraffic/linuxSqlgeneratorDownloads/Temporaryprocessor/privatePacket82/longpollPubliccdnMulti/Traffic8Baseexternal/videoJsPacketAsyncTraffic.php?5xHHHcv9umj8=A9fM78kv3x0gBN1yJBTGW80Ek08&5adb305be6b57d114eefcc8ce6719f85=QOwI2MlVWMlV2NwMTZzADMlBDOlFmY2cTY4EjNyEjMyYDN1QGO3EDO0gzM2kDMykzMzQTM4ITM&af2456c33ff92b00ccbdb00daccbf388=gY1UGOxImNmNmMyQ2MjBTNwM2YkZzY5QjM0MDZ4YzYllTN5MGZhdzN&18b1e2605681a7b5474eae64e9281479=d1nI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W&77784164bcd789654b592e0546a81f4f=0VfiIiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYisHL9JSOWp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFRKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVIp0QMl2aslkNJlmYwFzRaJkTYFWa3lWSp9maJhkRFZVa3lWSwwWbRdWS610Z3dVW1lzVhpnTYpVb502YRJUeOdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulEakdVYTlzUadXOtNWMWtWS2k0UaVXOtVGbxcVYwo0QMlWQE10dBRUT3lUaPl2dXlFMONjY3p0QMlWRXFmMShVWNJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJNlT5dXeOFTSp9UaNJjYzp0QMlWWGRVavpWS1oESkVnVzImaKNETplUaPlGNyIGckdlW5p0QMlWSp9UarhEZw5UbJNXSp5UdJRlT1lFVPhHNp5UNFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETpVkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiIjZTYwImM0MmNjlDZ1UmMjZGNzU2Y2ATOjljMiJDM3UjZjVjNyYmN0IiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W | unknown | text | 104 b | malicious |
2744 | csrss.exe | GET | 200 | 62.182.157.170:80 | http://62.182.157.170/PublictempLongpoll6/centralUniversalserver/publicdownloadsWordpressTraffic/linuxSqlgeneratorDownloads/Temporaryprocessor/privatePacket82/longpollPubliccdnMulti/Traffic8Baseexternal/videoJsPacketAsyncTraffic.php?5xHHHcv9umj8=A9fM78kv3x0gBN1yJBTGW80Ek08&5adb305be6b57d114eefcc8ce6719f85=QOwI2MlVWMlV2NwMTZzADMlBDOlFmY2cTY4EjNyEjMyYDN1QGO3EDO0gzM2kDMykzMzQTM4ITM&af2456c33ff92b00ccbdb00daccbf388=gY1UGOxImNmNmMyQ2MjBTNwM2YkZzY5QjM0MDZ4YzYllTN5MGZhdzN&18b1e2605681a7b5474eae64e9281479=d1nI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W&77784164bcd789654b592e0546a81f4f=0VfiIiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYisHL9JSOWp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFRKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVIp0QMl2aslkNJlmYwFzRaJkTYFWa3lWSp9maJhkRFZVa3lWSwwWbRdWS610Z3dVW1lzVhpnTYpVb502YRJUeOdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulEakdVYTlzUadXOtNWMWtWS2k0UaVXOtVGbxcVYwo0QMlWQE10dBRUT3lUaPl2dXlFMONjY3p0QMlWRXFmMShVWNJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJNlT5dXeOFTSp9UaNJjYzp0QMlWWGRVavpWS1oESkVnVzImaKNETplUaPlGNyIGckdlW5p0QMlWSp9UarhEZw5UbJNXSp5UdJRlT1lFVPhHNp5UNFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETpVkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiIjZTYwImM0MmNjlDZ1UmMjZGNzU2Y2ATOjljMiJDM3UjZjVjNyYmN0IiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W | unknown | text | 104 b | malicious |
2744 | csrss.exe | GET | 200 | 62.182.157.170:80 | http://62.182.157.170/PublictempLongpoll6/centralUniversalserver/publicdownloadsWordpressTraffic/linuxSqlgeneratorDownloads/Temporaryprocessor/privatePacket82/longpollPubliccdnMulti/Traffic8Baseexternal/videoJsPacketAsyncTraffic.php?5xHHHcv9umj8=A9fM78kv3x0gBN1yJBTGW80Ek08&5adb305be6b57d114eefcc8ce6719f85=QOwI2MlVWMlV2NwMTZzADMlBDOlFmY2cTY4EjNyEjMyYDN1QGO3EDO0gzM2kDMykzMzQTM4ITM&af2456c33ff92b00ccbdb00daccbf388=gY1UGOxImNmNmMyQ2MjBTNwM2YkZzY5QjM0MDZ4YzYllTN5MGZhdzN&18b1e2605681a7b5474eae64e9281479=d1nI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W&77784164bcd789654b592e0546a81f4f=0VfiIiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYisHL9JSOWp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFRKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVIp0QMl2aslkNJlmYwFzRaJkTYFWa3lWSp9maJhkRFZVa3lWSwwWbRdWS610Z3dVW1lzVhpnTYpVb502YRJUeOdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulEakdVYTlzUadXOtNWMWtWS2k0UaVXOtVGbxcVYwo0QMlWQE10dBRUT3lUaPl2dXlFMONjY3p0QMlWRXFmMShVWNJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJNlT5dXeOFTSp9UaNJjYzp0QMlWWGRVavpWS1oESkVnVzImaKNETplUaPlGNyIGckdlW5p0QMlWSp9UarhEZw5UbJNXSp5UdJRlT1lFVPhHNp5UNFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETpVkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiIjZTYwImM0MmNjlDZ1UmMjZGNzU2Y2ATOjljMiJDM3UjZjVjNyYmN0IiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W | unknown | text | 104 b | malicious |
2744 | csrss.exe | GET | 200 | 62.182.157.170:80 | http://62.182.157.170/PublictempLongpoll6/centralUniversalserver/publicdownloadsWordpressTraffic/linuxSqlgeneratorDownloads/Temporaryprocessor/privatePacket82/longpollPubliccdnMulti/Traffic8Baseexternal/videoJsPacketAsyncTraffic.php?DasNF29U8RskkCARlFO4KlkP2d=Ja&HAD80XHT6V1eKtlfw60x=vtmnbzcVm103WKrhmLmKSI3Dpb1oWqE&d2cb1795e5b98ed9565fe1fe0324d6d9=dde7d1b8b532b1d5fa1cdd60ac760a8f&af2456c33ff92b00ccbdb00daccbf388=QM3ADM2MzMzImYkJTZiZDOiVmZilDZkJTN5cTZ0EmMyIDOkhTZxMGZ&DasNF29U8RskkCARlFO4KlkP2d=Ja&HAD80XHT6V1eKtlfw60x=vtmnbzcVm103WKrhmLmKSI3Dpb1oWqE | unknown | text | 2.00 Kb | malicious |
2744 | csrss.exe | GET | 200 | 62.182.157.170:80 | http://62.182.157.170/PublictempLongpoll6/centralUniversalserver/publicdownloadsWordpressTraffic/linuxSqlgeneratorDownloads/Temporaryprocessor/privatePacket82/longpollPubliccdnMulti/Traffic8Baseexternal/videoJsPacketAsyncTraffic.php?5xHHHcv9umj8=A9fM78kv3x0gBN1yJBTGW80Ek08&5adb305be6b57d114eefcc8ce6719f85=QOwI2MlVWMlV2NwMTZzADMlBDOlFmY2cTY4EjNyEjMyYDN1QGO3EDO0gzM2kDMykzMzQTM4ITM&af2456c33ff92b00ccbdb00daccbf388=gY1UGOxImNmNmMyQ2MjBTNwM2YkZzY5QjM0MDZ4YzYllTN5MGZhdzN&18b1e2605681a7b5474eae64e9281479=d1nI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W&77784164bcd789654b592e0546a81f4f=0VfiIiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiI3I2MiVmM1QWNiRzYjFDMhVjZyM2MyQDOxYjY0EmN1kDZmNWNjJGOiJiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYisHL9JSOWp2TpFFWkZnVXJGcSZ0YsZ1RiRlSDxUaV1GZwJ1MZJkSp9UaNhFZwY0RkRFbIRGcahVYw40VRl2dplUeWJjWoVzVZ5kQTJGaKNjW2pESVl2bql0M5ckW1xmMWVlTVFVa3lWSPpUaPlGMXllaKdlWY5EWhl2dplkWKl2TpVVbiZHaHNmdKNTWwFDMjBnSDxUarlmYzkTbiJXNXZ1bBlmYzkTbiJXNXZVavpWSsFzVZ9kVGVFRKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVIp0QMl2aslkNJlmYwFzRaJkTYFWa3lWSp9maJhkRFZVa3lWSwwWbRdWS610Z3dVW1lzVhpnTYpVb502YRJUeOdWTzQmdS1mYwRGbJZTSpNGbaxmYwRGbJNHMulEakdVYTlzUadXOtNWMWtWS2k0UaVXOtVGbxcVYwo0QMlWQE10dBRUT3lUaPl2dXlFMONjY3p0QMlWRXFmMShVWNJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUealXOtl0cJNlT5dXeOFTSp9UaNJjYzp0QMlWWGRVavpWS1oESkVnVzImaKNETplUaPlGNyIGckdlW5p0QMlWSp9UarhEZw5UbJNXSp5UdJRlT1lFVPhHNp5UNFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETpVkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOikzM3gjYwIDO4kzNzQGZ5UDO0ETO2gjY4IjMilTZ0Y2YiwiIjZTYwImM0MmNjlDZ1UmMjZGNzU2Y2ATOjljMiJDM3UjZjVjNyYmN0IiOiETYkRjZmRGNzMTOxYDN3MGM1QzYiZWNhZmYykDO3IDOiwiI5cjY1Y2YiZjY3YWZmV2NyMzYxcTMlBjZjZGMhhzNwYDZ5cTMxEjY5IiOiMzMkBTMiJGO3cjYzQmNwcTZyMWOxAzYlJDNjdjNllzYis3W | unknown | text | 104 b | malicious |
508 | NjRat Lime Edition 0.8.0.exe | GET | 200 | 31.31.196.189:80 | http://u1405914.isp.regruhosting.ru/nj/njrat_main.exe | RU | executable | 9.68 Mb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2352 | chrome.exe | 142.251.36.97:443 | clients2.googleusercontent.com | Google Inc. | US | unknown |
2352 | chrome.exe | 142.250.186.67:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
2352 | chrome.exe | 142.250.185.109:443 | accounts.google.com | Google Inc. | US | suspicious |
2744 | csrss.exe | 62.182.157.170:80 | — | — | — | malicious |
2352 | chrome.exe | 216.58.212.142:443 | apis.google.com | Google Inc. | US | whitelisted |
2352 | chrome.exe | 142.250.74.195:443 | www.gstatic.com | Google Inc. | US | whitelisted |
2352 | chrome.exe | 142.250.185.195:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
2352 | chrome.exe | 142.250.186.46:443 | clients2.google.com | Google Inc. | US | whitelisted |
2352 | chrome.exe | 142.250.185.138:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
508 | NjRat Lime Edition 0.8.0.exe | 31.31.196.189:80 | u1405914.isp.regruhosting.ru | Domain names registrar REG.RU, Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
u1405914.isp.regruhosting.ru |
| suspicious |
clients2.google.com |
| whitelisted |
www.google.com |
| whitelisted |
accounts.google.com |
| shared |
clients2.googleusercontent.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
508 | NjRat Lime Edition 0.8.0.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
508 | NjRat Lime Edition 0.8.0.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
508 | NjRat Lime Edition 0.8.0.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
508 | NjRat Lime Edition 0.8.0.exe | Misc activity | ET INFO Packed Executable Download |
508 | NjRat Lime Edition 0.8.0.exe | Potential Corporate Privacy Violation | AV POLICY HTTP request for .exe file with no User-Agent |
2744 | csrss.exe | A Network Trojan was detected | ET TROJAN DCRAT Activity (GET) |