File name:

DiagPlugin_user.002163.exe

Full analysis: https://app.any.run/tasks/50d51bd8-e6a9-40fe-9a3c-6657aba51984
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 16, 2025, 12:46:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-scr
ftp
ms-smartcard
opendir
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

EF9A5EBA1859738F6403CC663EC3A7A7

SHA1:

D5882B774449F7F25C50193734C224DFA5269380

SHA256:

9A8971779CBE7D1BD2320664B0D1065E420C52552A60F7A25C386FE0BA4A229E

SSDEEP:

98304:xb7WaWD/4p4T2/4WROJAf5LfkpkOiQd1jYNBGNulBX2DBjEtKXW5Vmi/53bUa74i:xb+D8obTDMBf2Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • DiagPlugin_admin.exe (PID: 6544)
      • rtcomlite.exe (PID: 132)
    • Uses Task Scheduler to run other applications

      • kontur.updater.exe (PID: 4120)
      • kontur.updater.admin.exe (PID: 6312)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.exe (PID: 6764)
      • kontur.plugin.exe (PID: 736)
      • kontur.updater.admin.exe (PID: 8084)
    • Actions looks like stealing of personal data

      • kdnchost.exe (PID: 4336)
      • kdnchost.exe (PID: 4384)
      • kdnchost.exe (PID: 7788)
    • Steals credentials from Web Browsers

      • kdnchost.exe (PID: 7788)
    • Executing a file with an untrusted certificate

      • rtcomlite.exe (PID: 132)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • kontur.updater.exe (PID: 4120)
      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • DiagPlugin_admin.exe (PID: 6544)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • kontur.updater.exe (PID: 4120)
      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • RegOids.exe (PID: 6992)
      • kontur.plugin.exe (PID: 736)
      • uninstaller.exe (PID: 1472)
      • kontur.updater.exe (PID: 6764)
      • uninstaller.exe (PID: 6568)
    • Executable content was dropped or overwritten

      • DiagPlugin_user.002163.exe (PID: 2612)
      • kontur.updater.exe (PID: 4120)
      • kdnchost.exe (PID: 4336)
      • DiagPlugin_user.exe (PID: 3464)
      • kdnchost.exe (PID: 4384)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • RegOids.exe (PID: 6992)
      • CSPSetup50R3.exe (PID: 3848)
      • uninstaller.exe (PID: 1472)
      • kontur.updater.exe (PID: 6764)
      • kontur.plugin.exe (PID: 736)
      • drvinst.exe (PID: 7852)
      • kontur.autodiag.k.exe (PID: 7500)
      • rtDrivers.exe (PID: 5340)
      • rtDrivers.exe (PID: 7240)
      • rtcomlite.exe (PID: 132)
      • kdnchost.exe (PID: 7788)
      • RegOids.exe (PID: 4864)
      • uninstaller.exe (PID: 6568)
      • kontur.plugin.admin.exe (PID: 6544)
      • rtDrivers.exe (PID: 1080)
      • drvinst.exe (PID: 364)
      • drvinst.exe (PID: 8332)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 3080)
      • regsvr32.exe (PID: 3920)
      • regsvr32.exe (PID: 5604)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 7288)
    • Creates a software uninstall entry

      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.plugin.exe (PID: 736)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 4864)
      • schtasks.exe (PID: 3824)
      • schtasks.exe (PID: 4640)
      • schtasks.exe (PID: 3220)
      • schtasks.exe (PID: 3936)
      • schtasks.exe (PID: 1472)
      • schtasks.exe (PID: 7876)
      • schtasks.exe (PID: 7948)
      • schtasks.exe (PID: 1868)
    • Potential Corporate Privacy Violation

      • firefox.exe (PID: 6624)
      • kdnchost.exe (PID: 4384)
      • kontur.autodiag.diag_tool.exe (PID: 7664)
      • QtWebEngineProcess.exe (PID: 7464)
      • kdnchost.exe (PID: 7788)
    • Reads security settings of Internet Explorer

      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • kdnchost.exe (PID: 4384)
    • Searches for installed software

      • kdnchost.exe (PID: 4336)
      • kdnchost.exe (PID: 4384)
    • Checks Windows Trust Settings

      • kdnchost.exe (PID: 4384)
      • drvinst.exe (PID: 7852)
    • Smart Card resource manager service initialization

      • CertFix_Host.exe (PID: 3208)
    • Reads the Windows owner or organization settings

      • kdnchost.exe (PID: 4384)
      • Setup.exe (PID: 1192)
    • Connects to unusual port

      • ncftpput.exe (PID: 6988)
      • ncftpget.exe (PID: 2680)
    • Connects to FTP

      • ncftpput.exe (PID: 6988)
      • ncftpget.exe (PID: 2680)
    • Adds/modifies Windows certificates

      • Certificates_Kontur_Admin.exe (PID: 2008)
      • msiexec.exe (PID: 5556)
      • Setup.exe (PID: 1192)
    • Process drops legitimate windows executable

      • CSPSetup50R3.exe (PID: 3848)
      • kontur.autodiag.k.exe (PID: 7500)
    • Drops a system driver (possible attempt to evade defenses)

      • CSPSetup50R3.exe (PID: 3848)
      • msiexec.exe (PID: 5556)
      • drvinst.exe (PID: 7852)
      • msiexec.exe (PID: 7356)
      • drvinst.exe (PID: 364)
      • msiexec.exe (PID: 3824)
      • drvinst.exe (PID: 8332)
    • The process drops C-runtime libraries

      • kontur.autodiag.k.exe (PID: 7500)
    • Executes as Windows Service

      • kontur.autodiag.service.exe (PID: 3996)
      • kontur.autodiag.service.exe (PID: 7316)
      • VSSVC.exe (PID: 6760)
    • Uses ICACLS.EXE to modify access control lists

      • kdnchost.exe (PID: 7788)
    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 8040)
    • Starts itself from another location

      • rtDrivers.exe (PID: 7240)
  • INFO

    • The sample compiled with russian language support

      • DiagPlugin_user.002163.exe (PID: 2612)
      • kdnchost.exe (PID: 4336)
      • DiagPlugin_user.exe (PID: 3464)
      • kontur.updater.exe (PID: 4120)
      • kdnchost.exe (PID: 4384)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • kontur.updater.exe (PID: 6764)
      • CSPSetup50R3.exe (PID: 3848)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 5556)
      • drvinst.exe (PID: 7852)
      • msiexec.exe (PID: 7356)
      • kontur.autodiag.k.exe (PID: 7500)
      • kdnchost.exe (PID: 7788)
      • rtcomlite.exe (PID: 132)
      • kontur.plugin.admin.exe (PID: 6544)
    • Reads the computer name

      • kontur.updater.exe (PID: 4120)
      • DiagPlugin_user.002163.exe (PID: 2612)
      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • CertFix_Host.exe (PID: 3208)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 5556)
      • kontur.autodiag.service.exe (PID: 7852)
    • Creates files or folders in the user directory

      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • kontur.updater.exe (PID: 4120)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 5556)
    • Checks supported languages

      • DiagPlugin_user.002163.exe (PID: 2612)
      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • kontur.updater.exe (PID: 3656)
      • CertFix_Host.exe (PID: 3208)
      • kontur.updater.exe (PID: 4120)
      • kdnchost.exe (PID: 4384)
      • DiagPlugin_admin.exe (PID: 6544)
      • Certificates_Kontur_Admin.exe (PID: 2008)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • cpverify.exe (PID: 4516)
      • kontur.plugin.exe (PID: 736)
      • Setup.exe (PID: 1192)
      • pkcs11check.exe (PID: 5872)
      • pkcs11check.exe (PID: 6488)
      • msiexec.exe (PID: 5556)
      • msiexec.exe (PID: 7288)
      • kontur.plugin.host.exe (PID: 6324)
      • kontur.autodiag.k.exe (PID: 7500)
      • drvinst.exe (PID: 7852)
      • cpverify.exe (PID: 7936)
      • cpverify.exe (PID: 8148)
      • cpverify.exe (PID: 7284)
      • cpverify.exe (PID: 7352)
      • kontur.autodiag.service.exe (PID: 7852)
      • kontur.autodiag.center.exe (PID: 7648)
      • kontur.autodiag.service.exe (PID: 7316)
    • The sample compiled with english language support

      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • kontur.updater.exe (PID: 4120)
      • kdnchost.exe (PID: 4384)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • CSPSetup50R3.exe (PID: 3848)
      • kontur.updater.exe (PID: 6764)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 5556)
      • kontur.autodiag.k.exe (PID: 7500)
      • kdnchost.exe (PID: 7788)
      • rtDrivers.exe (PID: 5340)
      • rtcomlite.exe (PID: 132)
      • kontur.plugin.admin.exe (PID: 6544)
      • uninstaller.exe (PID: 6568)
      • rtDrivers.exe (PID: 1080)
      • msiexec.exe (PID: 3824)
      • drvinst.exe (PID: 364)
      • drvinst.exe (PID: 8332)
      • rtDrivers.exe (PID: 7240)
    • Manual execution by a user

      • firefox.exe (PID: 6604)
    • Application launched itself

      • firefox.exe (PID: 6624)
      • firefox.exe (PID: 6604)
      • msiexec.exe (PID: 5556)
      • msedge.exe (PID: 7148)
    • Reads the machine GUID from the registry

      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4384)
      • CertFix_Host.exe (PID: 3208)
      • msiexec.exe (PID: 7288)
      • drvinst.exe (PID: 7852)
      • kontur.autodiag.service.exe (PID: 7316)
    • Reads the software policy settings

      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • kdnchost.exe (PID: 4384)
      • CertFix_Host.exe (PID: 3208)
      • kddisphost.exe (PID: 1292)
      • msiexec.exe (PID: 5556)
    • Process checks whether UAC notifications are on

      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • kdnchost.exe (PID: 4384)
      • kddisphost.exe (PID: 1292)
    • Create files in a temporary directory

      • DiagPlugin_user.exe (PID: 3464)
      • kdnchost.exe (PID: 4336)
      • kontur.updater.exe (PID: 4120)
      • ncftpget.exe (PID: 2680)
      • kdnchost.exe (PID: 4384)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • kontur.updater.exe (PID: 6764)
      • kontur.plugin.exe (PID: 736)
      • kontur.plugin.host.exe (PID: 6324)
      • uninstaller.exe (PID: 7340)
      • kontur.updater.admin.exe (PID: 8084)
      • Setup.exe (PID: 1192)
      • kdnchost.exe (PID: 7788)
      • uninstaller.exe (PID: 6568)
    • Reads CPU info

      • kdnchost.exe (PID: 4384)
    • Checks proxy server information

      • kdnchost.exe (PID: 4384)
    • The process uses the downloaded file

      • kdnchost.exe (PID: 4384)
      • rtDrivers.exe (PID: 7240)
    • Creates files in the program directory

      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • CSPSetup50R3.exe (PID: 3848)
      • kontur.autodiag.k.exe (PID: 7500)
      • kontur.updater.admin.exe (PID: 8084)
      • kontur.autodiag.service.exe (PID: 7316)
      • kdnchost.exe (PID: 7788)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5556)
      • firefox.exe (PID: 6624)
      • msiexec.exe (PID: 7356)
      • msiexec.exe (PID: 3824)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 5556)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 7852)
    • Manages system restore points

      • SrTasks.exe (PID: 4672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:11:21+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 29184
InitializedDataSize: 195072
UninitializedDataSize: 2048
EntryPoint: 0x39b6
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.0.27.759
ProductVersionNumber: 3.0.27.759
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Windows, Cyrillic
CompanyName: АО «ПФ «СКБ Контур»
CompanyWebsite: https://kontur.ru/
FileDescription: Установка Диаг.Плагин
FileVersion: 3.0.27.759
LegalCopyright: © 2014-2024 АО «ПФ «СКБ Контур»
ProductName: Установка Диаг.Плагин
ProductVersion: 3.0.27.759
No data.
All screenshots are available in the full report
Total processes
362
Monitored processes
217
Malicious processes
19
Suspicious processes
8

Behavior graph

start diagplugin_user.002163.exe regsvr32.exe no specs regsvr32.exe no specs kontur.updater.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs kdnchost.exe no specs conhost.exe no specs firefox.exe no specs kdnchost.exe conhost.exe no specs diagplugin_user.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs kontur.updater.exe no specs kdnchost.exe conhost.exe no specs certfix_host.exe ncftpput.exe conhost.exe no specs ncftpget.exe conhost.exe no specs kddisphost.exe conhost.exe no specs diagplugin_admin.exe regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs regsvr32.exe no specs certificates_kontur_admin.exe no specs regsvr32.exe no specs regsvr32.exe no specs kontur.updater.admin.exe kontur.dostup.abonent.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs regoids.exe kontur.updater.exe no specs cpverify.exe no specs conhost.exe no specs cspsetup50r3.exe kontur.plugin.exe kontur.updater.exe uninstaller.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs setup.exe no specs schtasks.exe no specs conhost.exe no specs msiexec.exe schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs msiexec.exe no specs pkcs11check.exe no specs conhost.exe no specs pkcs11check.exe no specs conhost.exe no specs pkcs11check.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs kontur.plugin.host.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe no specs kontur.autodiag.k.exe msiexec.exe no 
specs msiexec.exe no specs drvinst.exe cpverify.exe no specs conhost.exe no specs cpverify.exe no specs cpverify.exe no specs conhost.exe no specs conhost.exe no specs cpverify.exe no specs conhost.exe no specs cpverify.exe no specs conhost.exe no specs cpverify.exe no specs cpverify.exe no specs conhost.exe no specs cpverify.exe no specs conhost.exe no specs conhost.exe no specs cpverify.exe no specs conhost.exe no specs cpverify.exe no specs conhost.exe no specs cpverify.exe no specs cpverify.exe no specs conhost.exe no specs conhost.exe no specs cpverify.exe no specs cpverify.exe no specs conhost.exe no specs conhost.exe no specs cpverify.exe no specs cpverify.exe no specs conhost.exe no specs conhost.exe no specs kontur.autodiag.service.exe no specs conhost.exe no specs kontur.autodiag.service.exe no specs conhost.exe no specs csptest.exe no specs conhost.exe no specs kontur.updater.admin.exe no specs csptest.exe no specs conhost.exe no specs uninstaller.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs schtasks.exe no specs conhost.exe no specs kontur.autodiag.service.exe no specs conhost.exe no specs kontur.autodiag.service.exe kontur.autodiag.center.exe kontur.autodiag.service.exe kontur.autodiag.diag_tool.exe conhost.exe no specs qtwebengineprocess.exe qtwebengineprocess.exe no specs kdnchost.exe conhost.exe no specs icacls.exe no specs conhost.exe no specs certfix_host.exe conhost.exe no specs query.exe no specs conhost.exe no specs quser.exe no specs rtdrivers.exe rtcomlite.exe rtdrivers.exe regsvr32.exe no specs regoids.exe rtdrivers.exe SPPSurrogate no specs vssvc.exe no specs uninstaller.exe schtasks.exe no specs conhost.exe no specs kontur.plugin.admin.exe pkcs11check.exe no specs conhost.exe no specs pkcs11check.exe no specs conhost.exe no specs pkcs11check.exe no specs conhost.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe 
no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs srtasks.exe no specs conhost.exe no specs msedge.exe no specs msiexec.exe no specs msiexec.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs drvinst.exe drvinst.exe no specs drvinst.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 132
CMD: "C:\Program Files (x86)\SkbKontur\Autodiag K\0.5.0.1248\Temp\HelpKonturAuto\m5zbxcng\rtcomlite.exe" /S
Path: C:\Program Files (x86)\SkbKontur\Autodiag K\0.5.0.1248\Temp\HelpKonturAuto\m5zbxcng\rtcomlite.exe
Parent process: kdnchost.exe
User:
SYSTEM
Company:
Компания "Актив", ЗАО «ПФ «СКБ Контур»
Integrity Level:
SYSTEM
Exit code:
0
Version:
1.0.3.1
PID: 364
CMD: DrvInst.exe "4" "29" "C:\WINDOWS\system32\Aktiv Co\rtIFDH\rtIFDH.inf" "9" "463d9a7f7" "00000000000001E0" "WinSta0\Default" "00000000000001E4" "208" "C:\WINDOWS\system32\Aktiv Co\rtIFDH"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ncftpput.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 520
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2316,i,12612042457555298215,14942217917123189978,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID: 520
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID: 736
CMD: "C:\Users\admin\AppData\Local\Temp\HelpKontur\m5zbunlg\kontur.plugin.exe" /S /F /KT3_ONLY
Path: C:\Users\admin\AppData\Local\Temp\HelpKontur\m5zbunlg\kontur.plugin.exe
Parent process: kdnchost.exe
User:
admin
Company:
АО «ПФ «СКБ Контур»
Integrity Level:
MEDIUM
Description:
Контур.Плагин 4.7.1.1274
Exit code:
0
Version:
4.7.1.1274
PID: 736
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6228 --field-trial-handle=2316,i,12612042457555298215,14942217917123189978,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
PID: 1080
CMD: "C:\WINDOWS\Temp\{99830443-C5A2-4EDD-9355-5D17854027E6}\.be\rtDrivers.exe" -q -burn.elevated BurnPipe.{2E5465A4-2471-445E-8347-6035C7CD5A35} {CE4672FA-5D52-40E4-AE6A-D41B32B85A3E} 7240
Path: C:\Windows\Temp\{99830443-C5A2-4EDD-9355-5D17854027E6}\.be\rtDrivers.exe
Parent process: rtDrivers.exe
User:
SYSTEM
Company:
Aktiv Co.
Integrity Level:
SYSTEM
Description:
Rutoken Drivers
Version:
4.18.5.0
PID: 1192
CMD: "C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.13000\Setup.exe" -filename "CSPSetup50R3.exe" -firstrundlg -root -restartcproctrl -disablerm -skipinstallvalidate -nodlg -silent -noreboot -lang eng -restartcproctrl -args "/quiet /norestart /l*vx C:\Users\admin\AppData\Local\Temp\HelpKontur\m5zbumar\CSPSetup50R3.exe.log KCLEVEL=1 DISABLEEXTENDEDMASTERSECRET=0 NOBIO=\"\" REGBIO=1 NOCRYPTOKI=\"\" REGPNPCRYPTOKI=1 REGPNPCRYPTOKIRUTOKEN=1 REGPNPCRYPTOKIJACARTA=1 REGPNPCRYPTOKIESMART=1 NOFLOPPY=\"\" REGPNPFLOPPY=1 NOREGISTRY=\"\" REGREGISTRY=1 NORUTOKEN=\"\" REGRUTOKEN=1 NOPCSC=\"\" REGPNPPCSC=1 VIPNETFOUND=0 NOETOKENWL=1 NORUTOKENWL=1 LICERRORLEVEL=6 APPCONFLICT=IGNORE MSIRESTARTMANAGERCONTROL=Disable REBOOT=ReallySuppress"
Path: C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.13000\Setup.exe
Parent process: CSPSetup50R3.exe
User:
admin
Company:
Crypto-Pro LLC
Integrity Level:
HIGH
Description:
Crypto-Pro Setup Application
Exit code:
0
Version:
5.0.21456.0
PID: 1292
CMD: "C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.773\kddisphost.exe" 000001946F28E6B5 pipe
Path: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.773\kddisphost.exe
Parent process: kdnchost.exe
User:
admin
Company:
АО "ПФ "СКБ Контур"
Integrity Level:
HIGH
Description:
Диаг.Плагин - хост-приложение диспетчера сообщений
Exit code:
0
Version:
1.773.30.972
Modules
Images
c:\users\admin\appdata\local\skbkontur\diagplugin\3.0.27.773\kddisphost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
Total events
388 632
Read events
382 422
Write events
5 587
Delete events
623

Modification events

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@skbkontur.ru/diagplugin
Operation: write
Name: ProductName
Value: SkbKontur.DiagPlugin

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@skbkontur.ru/diagplugin
Operation: write
Name: Vendor
Value: PF SKB Kontur AO

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@skbkontur.ru/diagplugin
Operation: write
Name: Description
Value: SKB Kontur Diagnostics

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SKBKontur\DiagPlugin
Operation: write
Name: Path
Value: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SKBKontur\DiagPlugin
Operation: write
Name: Version
Value: 3.0.27.759

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SKBKontur\DiagPlugin\PeSecurity
Operation: write
Name: 9d3a0279fc9c330ac9792325c3d36894959112cba9d7407940a10e075de9b9d4
Value: 3.0.27.759

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SKBKontur\DiagPlugin\PeSecurity
Operation: write
Name: 1b9ec53e215ec416be906ce2c8784182a72b4c5b8b3e19f0714810ced1b1d641
Value: 3.0.27.759

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kontur.ru
Operation: write
Name: https
Value: 2

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\kontur.ru
Operation: write
Name: https
Value: 2

(PID) Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BD1BE633-6B1A-4160-AA29-F9B243621BA9}
Operation: write
Name: Flags
Value: 0
Executable files
749
Suspicious files
651
Text files
165
Unknown types
67

Dropped files

PID
Process
Filename
Type
PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsu89D5.tmp\System.dll
Type: executable
MD5: 4ADD245D4BA34B04F213409BFE504C07
SHA256: 9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706

PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsu89D5.tmp\ioSpecial.ini
Type: ini
MD5: E2D5070BC28DB1AC745613689FF86067
SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0

PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\CertFix_Host.exe
Type: executable
MD5: 18AB938AF2099E58291E3881834F54CD
SHA256: 0F2F8E8A3EB87F5902DEFAA463D1C6D54FB1D5B67E905AF33FA0162529965834

PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsu89D5.tmp\InstallOptions.dll
Type: executable
MD5: D095B082B7C5BA4665D40D9C5042AF6D
SHA256: B2091205E225FC07DAF1101218C64CE62A4690CACAC9C3D0644D12E93E4C213C

PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsu89D5.tmp\modern-wizard.bmp
Type: image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2

PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\rtPKCS11.cf.dll
Type: executable
MD5: 07753D3B148AE48739CB01460AA0E272
SHA256: D4576E34A5014A6CA74F58743315CB68A539861B503E2F8702D82BB42F924A23

PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\isbc_pkcs11_main.dll
Type: executable
MD5: 12FC9CFD1A02DE23C0282F81FC1A9FA7
SHA256: F56FA28BADC6D4A6FFDC25380E5AA54C4E701436D4D702BD04FBFBA4A16B3E39

PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\rtPKCS11ECP.cf.dll
Type: executable
MD5: 3D764A3A965494BC6E395834E8C1C7EA
SHA256: 4F7CAD19AD317989BA62C8D6D848920DE27477AE8E83F6847BA1FBB3AE83A146

PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\jcPKCS11-2.cf.dll
Type: executable
MD5: A1C446A81484E933BE0441109DA3CBF8
SHA256: A498882892E9433082110682E97CE7243B3731163F8D2500701D46D984EE01F8

PID: 2612
Process: DiagPlugin_user.002163.exe
Filename: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\kdaxapi-3.0.27.759.dll
Type: executable
MD5: 5916C3E75EACA8EE969EB7F5D6F529FE
SHA256: 72B172FF78BCE51721CAE066DA344479A4599421569C954BF67FDD19AF1B1484
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
187
TCP/UDP connections
399
DNS requests
375
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5864
svchost.exe
GET
200
2.16.164.18:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5864
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6424
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3992
backgroundTaskHost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6424
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6624
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/success.txt?ipv4
unknown
whitelisted
6624
firefox.exe
POST
200
95.101.54.106:80
http://r11.o.lencr.org/
unknown
whitelisted
6624
firefox.exe
GET
200
34.107.221.82:80
http://detectportal.firefox.com/canonical.html
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4500
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.18:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5864
svchost.exe
2.16.164.18:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5864
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.164.18
  • 2.16.164.24
  • 2.16.164.99
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.68
  • 20.190.160.20
  • 40.126.32.74
  • 40.126.32.76
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted

Threats

PID
Process
Class
Message
6988
ncftpput.exe
Misc activity
INFO [ANY.RUN] FTP protocol command for uploading a file
9 ETPRO signatures available at the full report
No debug info