File name: DiagPlugin_user.002163.exe
Full analysis: https://app.any.run/tasks/50d51bd8-e6a9-40fe-9a3c-6657aba51984
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The stealer category includes various programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: January 16, 2025, 12:46:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-scr
ftp
ms-smartcard
opendir
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5: EF9A5EBA1859738F6403CC663EC3A7A7
SHA1: D5882B774449F7F25C50193734C224DFA5269380
SHA256: 9A8971779CBE7D1BD2320664B0D1065E420C52552A60F7A25C386FE0BA4A229E
SSDEEP: 98304:xb7WaWD/4p4T2/4WROJAf5LfkpkOiQd1jYNBGNulBX2DBjEtKXW5Vmi/53bUa74i:xb+D8obTDMBf2Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • DiagPlugin_admin.exe (PID: 6544)
      • rtcomlite.exe (PID: 132)
    • Uses Task Scheduler to run other applications

      • kontur.updater.exe (PID: 4120)
      • kontur.updater.admin.exe (PID: 6312)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.exe (PID: 6764)
      • kontur.plugin.exe (PID: 736)
      • kontur.updater.admin.exe (PID: 8084)
    • Actions look like stealing of personal data

      • kdnchost.exe (PID: 4336)
      • kdnchost.exe (PID: 4384)
      • kdnchost.exe (PID: 7788)
    • Steals credentials from Web Browsers

      • kdnchost.exe (PID: 7788)
    • Executing a file with an untrusted certificate

      • rtcomlite.exe (PID: 132)
  • SUSPICIOUS

    • Malware-specific behavior (creating "System.dll" in Temp)

      • DiagPlugin_user.002163.exe (PID: 2612)
      • kontur.updater.exe (PID: 4120)
      • DiagPlugin_user.exe (PID: 3464)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • RegOids.exe (PID: 6992)
      • kontur.plugin.exe (PID: 736)
      • uninstaller.exe (PID: 1472)
      • kontur.updater.exe (PID: 6764)
      • uninstaller.exe (PID: 6568)
    • The process creates files with name similar to system file names

      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • kontur.updater.exe (PID: 4120)
      • DiagPlugin_admin.exe (PID: 6544)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
    • Executable content was dropped or overwritten

      • DiagPlugin_user.002163.exe (PID: 2612)
      • kontur.updater.exe (PID: 4120)
      • kdnchost.exe (PID: 4336)
      • DiagPlugin_user.exe (PID: 3464)
      • kdnchost.exe (PID: 4384)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • CSPSetup50R3.exe (PID: 3848)
      • RegOids.exe (PID: 6992)
      • uninstaller.exe (PID: 1472)
      • kontur.updater.exe (PID: 6764)
      • kontur.plugin.exe (PID: 736)
      • DiagPlugin_admin.exe (PID: 6544)
      • drvinst.exe (PID: 7852)
      • kontur.autodiag.k.exe (PID: 7500)
      • rtDrivers.exe (PID: 5340)
      • rtcomlite.exe (PID: 132)
      • rtDrivers.exe (PID: 7240)
      • kdnchost.exe (PID: 7788)
      • RegOids.exe (PID: 4864)
      • uninstaller.exe (PID: 6568)
      • kontur.plugin.admin.exe (PID: 6544)
      • rtDrivers.exe (PID: 1080)
      • drvinst.exe (PID: 364)
      • drvinst.exe (PID: 8332)
    • Creates/Modifies COM task schedule object

      • regsvr32.exe (PID: 5604)
      • regsvr32.exe (PID: 3080)
      • regsvr32.exe (PID: 3920)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 7288)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 4864)
      • schtasks.exe (PID: 4640)
      • schtasks.exe (PID: 3824)
      • schtasks.exe (PID: 3936)
      • schtasks.exe (PID: 3220)
      • schtasks.exe (PID: 1472)
      • schtasks.exe (PID: 7876)
      • schtasks.exe (PID: 7948)
      • schtasks.exe (PID: 1868)
    • Potential Corporate Privacy Violation

      • firefox.exe (PID: 6624)
      • kdnchost.exe (PID: 4384)
      • kontur.autodiag.diag_tool.exe (PID: 7664)
      • QtWebEngineProcess.exe (PID: 7464)
      • kdnchost.exe (PID: 7788)
    • Reads security settings of Internet Explorer

      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • kdnchost.exe (PID: 4384)
    • Creates a software uninstall entry

      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.plugin.exe (PID: 736)
    • Searches for installed software

      • kdnchost.exe (PID: 4336)
      • kdnchost.exe (PID: 4384)
    • Checks Windows Trust Settings

      • kdnchost.exe (PID: 4384)
      • drvinst.exe (PID: 7852)
    • Smart Card resource manager service initialization

      • CertFix_Host.exe (PID: 3208)
    • Connects to FTP

      • ncftpput.exe (PID: 6988)
      • ncftpget.exe (PID: 2680)
    • Connects to unusual port

      • ncftpput.exe (PID: 6988)
      • ncftpget.exe (PID: 2680)
    • Adds/modifies Windows certificates

      • Certificates_Kontur_Admin.exe (PID: 2008)
      • msiexec.exe (PID: 5556)
      • Setup.exe (PID: 1192)
    • Reads the Windows owner or organization settings

      • kdnchost.exe (PID: 4384)
      • Setup.exe (PID: 1192)
    • Process drops legitimate windows executable

      • CSPSetup50R3.exe (PID: 3848)
      • kontur.autodiag.k.exe (PID: 7500)
    • Drops a system driver (possible attempt to evade defenses)

      • CSPSetup50R3.exe (PID: 3848)
      • msiexec.exe (PID: 5556)
      • drvinst.exe (PID: 7852)
      • msiexec.exe (PID: 7356)
      • drvinst.exe (PID: 364)
      • msiexec.exe (PID: 3824)
      • drvinst.exe (PID: 8332)
    • The process drops C-runtime libraries

      • kontur.autodiag.k.exe (PID: 7500)
    • Executes as Windows Service

      • kontur.autodiag.service.exe (PID: 3996)
      • kontur.autodiag.service.exe (PID: 7316)
      • VSSVC.exe (PID: 6760)
    • Uses ICACLS.EXE to modify access control lists

      • kdnchost.exe (PID: 7788)
    • Uses QUSER.EXE to read information about current user sessions

      • query.exe (PID: 8040)
    • Starts itself from another location

      • rtDrivers.exe (PID: 7240)
  • INFO

    • The sample is compiled with English language support

      • DiagPlugin_user.002163.exe (PID: 2612)
      • kontur.updater.exe (PID: 4120)
      • DiagPlugin_user.exe (PID: 3464)
      • kdnchost.exe (PID: 4384)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • CSPSetup50R3.exe (PID: 3848)
      • kontur.updater.exe (PID: 6764)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 5556)
      • kdnchost.exe (PID: 7788)
      • rtDrivers.exe (PID: 5340)
      • rtDrivers.exe (PID: 7240)
      • rtcomlite.exe (PID: 132)
      • uninstaller.exe (PID: 6568)
      • kontur.plugin.admin.exe (PID: 6544)
      • rtDrivers.exe (PID: 1080)
      • drvinst.exe (PID: 364)
      • msiexec.exe (PID: 3824)
      • drvinst.exe (PID: 8332)
      • kontur.autodiag.k.exe (PID: 7500)
    • The sample is compiled with Russian language support

      • kontur.updater.exe (PID: 4120)
      • DiagPlugin_user.002163.exe (PID: 2612)
      • kdnchost.exe (PID: 4336)
      • DiagPlugin_user.exe (PID: 3464)
      • kdnchost.exe (PID: 4384)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • kontur.updater.exe (PID: 6764)
      • CSPSetup50R3.exe (PID: 3848)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 5556)
      • drvinst.exe (PID: 7852)
      • msiexec.exe (PID: 7356)
      • kontur.autodiag.k.exe (PID: 7500)
      • rtcomlite.exe (PID: 132)
      • kontur.plugin.admin.exe (PID: 6544)
      • kdnchost.exe (PID: 7788)
    • Checks supported languages

      • DiagPlugin_user.002163.exe (PID: 2612)
      • kontur.updater.exe (PID: 4120)
      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • kontur.updater.exe (PID: 3656)
      • kdnchost.exe (PID: 4384)
      • CertFix_Host.exe (PID: 3208)
      • DiagPlugin_admin.exe (PID: 6544)
      • Certificates_Kontur_Admin.exe (PID: 2008)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • cpverify.exe (PID: 4516)
      • kontur.plugin.exe (PID: 736)
      • Setup.exe (PID: 1192)
      • msiexec.exe (PID: 5556)
      • kontur.plugin.host.exe (PID: 6324)
      • msiexec.exe (PID: 7288)
      • kontur.autodiag.k.exe (PID: 7500)
      • drvinst.exe (PID: 7852)
      • cpverify.exe (PID: 7936)
      • cpverify.exe (PID: 7352)
      • cpverify.exe (PID: 8148)
      • cpverify.exe (PID: 7284)
      • kontur.autodiag.service.exe (PID: 7852)
      • kontur.autodiag.center.exe (PID: 7648)
      • kontur.autodiag.service.exe (PID: 7316)
      • pkcs11check.exe (PID: 5872)
      • pkcs11check.exe (PID: 6488)
    • Creates files or folders in the user directory

      • kontur.updater.exe (PID: 4120)
      • DiagPlugin_user.002163.exe (PID: 2612)
      • DiagPlugin_user.exe (PID: 3464)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 5556)
    • Reads the computer name

      • kontur.updater.exe (PID: 4120)
      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • DiagPlugin_user.002163.exe (PID: 2612)
      • CertFix_Host.exe (PID: 3208)
      • kontur.plugin.exe (PID: 736)
      • msiexec.exe (PID: 5556)
      • kontur.autodiag.service.exe (PID: 7852)
    • Creates files in a temporary directory

      • kontur.updater.exe (PID: 4120)
      • kdnchost.exe (PID: 4336)
      • DiagPlugin_user.exe (PID: 3464)
      • ncftpget.exe (PID: 2680)
      • kdnchost.exe (PID: 4384)
      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • Kontur.Dostup.Abonent.exe (PID: 7108)
      • kontur.updater.exe (PID: 6764)
      • kontur.plugin.exe (PID: 736)
      • kontur.plugin.host.exe (PID: 6324)
      • Setup.exe (PID: 1192)
      • kontur.updater.admin.exe (PID: 8084)
      • uninstaller.exe (PID: 7340)
      • kdnchost.exe (PID: 7788)
      • uninstaller.exe (PID: 6568)
    • Application launched itself

      • firefox.exe (PID: 6604)
      • firefox.exe (PID: 6624)
      • msiexec.exe (PID: 5556)
      • msedge.exe (PID: 7148)
    • Manual execution by a user

      • firefox.exe (PID: 6604)
    • Reads the software policy settings

      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • CertFix_Host.exe (PID: 3208)
      • kddisphost.exe (PID: 1292)
      • kdnchost.exe (PID: 4384)
      • msiexec.exe (PID: 5556)
    • Process checks whether UAC notifications are on

      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4336)
      • kdnchost.exe (PID: 4384)
      • kddisphost.exe (PID: 1292)
    • Reads the machine GUID from the registry

      • kdnchost.exe (PID: 1852)
      • kdnchost.exe (PID: 4384)
      • CertFix_Host.exe (PID: 3208)
      • drvinst.exe (PID: 7852)
      • kontur.autodiag.service.exe (PID: 7316)
      • msiexec.exe (PID: 7288)
    • Checks proxy server information

      • kdnchost.exe (PID: 4384)
    • Reads CPU info

      • kdnchost.exe (PID: 4384)
    • The process uses the downloaded file

      • kdnchost.exe (PID: 4384)
      • rtDrivers.exe (PID: 7240)
    • Creates files in the program directory

      • DiagPlugin_admin.exe (PID: 6544)
      • kontur.updater.admin.exe (PID: 6312)
      • CSPSetup50R3.exe (PID: 3848)
      • kontur.autodiag.k.exe (PID: 7500)
      • kontur.updater.admin.exe (PID: 8084)
      • kontur.autodiag.service.exe (PID: 7316)
      • kdnchost.exe (PID: 7788)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5556)
      • firefox.exe (PID: 6624)
      • msiexec.exe (PID: 7356)
      • msiexec.exe (PID: 3824)
    • Reads Microsoft Office registry keys

      • msiexec.exe (PID: 5556)
    • Adds/modifies Windows certificates

      • drvinst.exe (PID: 7852)
    • Manages system restore points

      • SrTasks.exe (PID: 4672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:07:02 02:11:21+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 29184
InitializedDataSize: 195072
UninitializedDataSize: 2048
EntryPoint: 0x39b6
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.0.27.759
ProductVersionNumber: 3.0.27.759
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Russian
CharacterSet: Windows, Cyrillic
CompanyName: АО «ПФ «СКБ Контур»
CompanyWebsite: https://kontur.ru/
FileDescription: Установка Диаг.Плагин
FileVersion: 3.0.27.759
LegalCopyright: © 2014-2024 АО «ПФ «СКБ Контур»
ProductName: Установка Диаг.Плагин
ProductVersion: 3.0.27.759
No data.
All screenshots are available in the full report
Total processes: 362
Monitored processes: 217
Malicious processes: 19
Suspicious processes: 8

Behavior graph

The behavior graph is an interactive process tree in the full report. Distinct processes that appear in the tree, in order of first appearance:

diagplugin_user.002163.exe, regsvr32.exe, kontur.updater.exe, schtasks.exe, conhost.exe, firefox.exe, kdnchost.exe, diagplugin_user.exe, certfix_host.exe, ncftpput.exe, ncftpget.exe, kddisphost.exe, diagplugin_admin.exe, certificates_kontur_admin.exe, kontur.updater.admin.exe, kontur.dostup.abonent.exe, regoids.exe, cpverify.exe, cspsetup50r3.exe, kontur.plugin.exe, uninstaller.exe, setup.exe, msiexec.exe, pkcs11check.exe, kontur.plugin.host.exe, kontur.autodiag.k.exe, drvinst.exe, kontur.autodiag.service.exe, csptest.exe, kontur.autodiag.center.exe, kontur.autodiag.diag_tool.exe, qtwebengineprocess.exe, icacls.exe, query.exe, quser.exe, rtdrivers.exe, rtcomlite.exe, SPPSurrogate, vssvc.exe, kontur.plugin.admin.exe, msedge.exe, identity_helper.exe, srtasks.exe

Process information

PID: 132
CMD: "C:\Program Files (x86)\SkbKontur\Autodiag K\0.5.0.1248\Temp\HelpKonturAuto\m5zbxcng\rtcomlite.exe" /S
Path: C:\Program Files (x86)\SkbKontur\Autodiag K\0.5.0.1248\Temp\HelpKonturAuto\m5zbxcng\rtcomlite.exe
Parent process: kdnchost.exe
User: SYSTEM
Company: Компания "Актив", ЗАО «ПФ «СКБ Контур»
Integrity Level: SYSTEM
Exit code: 0
Version: 1.0.3.1

PID: 364
CMD: DrvInst.exe "4" "29" "C:\WINDOWS\system32\Aktiv Co\rtIFDH\rtIFDH.inf" "9" "463d9a7f7" "00000000000001E0" "WinSta0\Default" "00000000000001E4" "208" "C:\WINDOWS\system32\Aktiv Co\rtIFDH"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)

PID: 420
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: ncftpput.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 520
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6212 --field-trial-handle=2316,i,12612042457555298215,14942217917123189978,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

PID: 520
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: SrTasks.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)

PID: 736
CMD: "C:\Users\admin\AppData\Local\Temp\HelpKontur\m5zbunlg\kontur.plugin.exe" /S /F /KT3_ONLY
Path: C:\Users\admin\AppData\Local\Temp\HelpKontur\m5zbunlg\kontur.plugin.exe
Parent process: kdnchost.exe
User: admin
Company: АО «ПФ «СКБ Контур»
Integrity Level: MEDIUM
Description: Контур.Плагин 4.7.1.1274
Exit code: 0
Version: 4.7.1.1274

PID: 736
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6228 --field-trial-handle=2316,i,12612042457555298215,14942217917123189978,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59

PID: 1080
CMD: "C:\WINDOWS\Temp\{99830443-C5A2-4EDD-9355-5D17854027E6}\.be\rtDrivers.exe" -q -burn.elevated BurnPipe.{2E5465A4-2471-445E-8347-6035C7CD5A35} {CE4672FA-5D52-40E4-AE6A-D41B32B85A3E} 7240
Path: C:\Windows\Temp\{99830443-C5A2-4EDD-9355-5D17854027E6}\.be\rtDrivers.exe
Parent process: rtDrivers.exe
User: SYSTEM
Company: Aktiv Co.
Integrity Level: SYSTEM
Description: Rutoken Drivers
Version: 4.18.5.0

PID: 1192
CMD: "C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.13000\Setup.exe" -filename "CSPSetup50R3.exe" -firstrundlg -root -restartcproctrl -disablerm -skipinstallvalidate -nodlg -silent -noreboot -lang eng -restartcproctrl -args "/quiet /norestart /l*vx C:\Users\admin\AppData\Local\Temp\HelpKontur\m5zbumar\CSPSetup50R3.exe.log KCLEVEL=1 DISABLEEXTENDEDMASTERSECRET=0 NOBIO=\"\" REGBIO=1 NOCRYPTOKI=\"\" REGPNPCRYPTOKI=1 REGPNPCRYPTOKIRUTOKEN=1 REGPNPCRYPTOKIJACARTA=1 REGPNPCRYPTOKIESMART=1 NOFLOPPY=\"\" REGPNPFLOPPY=1 NOREGISTRY=\"\" REGREGISTRY=1 NORUTOKEN=\"\" REGRUTOKEN=1 NOPCSC=\"\" REGPNPPCSC=1 VIPNETFOUND=0 NOETOKENWL=1 NORUTOKENWL=1 LICERRORLEVEL=6 APPCONFLICT=IGNORE MSIRESTARTMANAGERCONTROL=Disable REBOOT=ReallySuppress"
Path: C:\ProgramData\Crypto Pro\Installer Cache\CryptoPro_CSP_5.0.13000\Setup.exe
Parent process: CSPSetup50R3.exe
User: admin
Company: Crypto-Pro LLC
Integrity Level: HIGH
Description: Crypto-Pro Setup Application
Exit code: 0
Version: 5.0.21456.0

PID: 1292
CMD: "C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.773\kddisphost.exe" 000001946F28E6B5 pipe
Path: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.773\kddisphost.exe
Parent process: kdnchost.exe
User: admin
Company: АО "ПФ "СКБ Контур"
Integrity Level: HIGH
Description: Диаг.Плагин - хост-приложение диспетчера сообщений
Exit code: 0
Version: 1.773.30.972
Modules (Images):
c:\users\admin\appdata\local\skbkontur\diagplugin\3.0.27.773\kddisphost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\crypt32.dll
Total events: 388 632
Read events: 382 422
Write events: 5 587
Delete events: 623

Modification events

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@skbkontur.ru/diagplugin
Operation: write
Name: ProductName
Value: SkbKontur.DiagPlugin

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@skbkontur.ru/diagplugin
Operation: write
Name: Vendor
Value: PF SKB Kontur AO

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\MozillaPlugins\@skbkontur.ru/diagplugin
Operation: write
Name: Description
Value: SKB Kontur Diagnostics

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SKBKontur\DiagPlugin
Operation: write
Name: Path
Value: C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SKBKontur\DiagPlugin
Operation: write
Name: Version
Value: 3.0.27.759

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SKBKontur\DiagPlugin\PeSecurity
Operation: write
Name: 9d3a0279fc9c330ac9792325c3d36894959112cba9d7407940a10e075de9b9d4
Value: 3.0.27.759

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\SKBKontur\DiagPlugin\PeSecurity
Operation: write
Name: 1b9ec53e215ec416be906ce2c8784182a72b4c5b8b3e19f0714810ced1b1d641
Value: 3.0.27.759

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\kontur.ru
Operation: write
Name: https
Value: 2

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\kontur.ru
Operation: write
Name: https
Value: 2

Process: (2612) DiagPlugin_user.002163.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BD1BE633-6B1A-4160-AA29-F9B243621BA9}
Operation: write
Name: Flags
Value: 0
Executable files: 749
Suspicious files: 651
Text files: 165
Unknown types: 67

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\Temp\nsu89D5.tmp\InstallOptions.dll | executable | D095B082B7C5BA4665D40D9C5042AF6D | B2091205E225FC07DAF1101218C64CE62A4690CACAC9C3D0644D12E93E4C213C
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\jcPKCS11-2.cf.dll | executable | A1C446A81484E933BE0441109DA3CBF8 | A498882892E9433082110682E97CE7243B3731163F8D2500701D46D984EE01F8
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\kddi.exe | executable | 1E09E7869CA9E793DF0ACDC6678F32E4 | B89EC680CE604930CA38FCE91B65BA9BB152178F783A042AB9B159B98FCB337D
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\manifest_webkit.json | binary | E5B35FEB0F8D034FBB6E738258497893 | 045C5CF557B1EE8D136D202BDB4662173CAD74C6CA96600FEA0ED4ED23ED9833
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\kddi64.exe | executable | 2BFF30A56698C0D526F00C8CFD1B9295 | C5C09B6FFB33AEA47698CAF6D18CCBB4AA7D15BCD7F4AD9A93513C537DA80F54
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\Temp\nsu89D5.tmp\ioSpecial.ini | ini | E2D5070BC28DB1AC745613689FF86067 | D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\Temp\nsu89D5.tmp\System.dll | executable | 4ADD245D4BA34B04F213409BFE504C07 | 9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\rtPKCS11ECP.cf.dll | executable | 3D764A3A965494BC6E395834E8C1C7EA | 4F7CAD19AD317989BA62C8D6D848920DE27477AE8E83F6847BA1FBB3AE83A146
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\manifest_gecko.json | binary | 0CB398E8498462B3F72C768F90931BCF | 7F68C2B6915DC5A7097B55D85565206C321BD4225F44356B416F44ABAB40F128
2612 | DiagPlugin_user.002163.exe | C:\Users\admin\AppData\Local\SkbKontur\DiagPlugin\3.0.27.759\kdncapi.dll | executable | C70590D5BE820B58C0FBAAEF2B2C8E12 | 944402E533C6A32387348BC1547F30D2DB55A33C129B3AC728C9ABF020E3F746
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 187
TCP/UDP connections: 399
DNS requests: 375
Threats: 10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5864 | svchost.exe | GET | 200 | 2.16.164.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6624 | firefox.exe | POST |  | 142.250.181.227:80 | http://o.pki.goog/wr2 | unknown | whitelisted
6424 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6624 | firefox.exe | POST | 200 | 95.101.54.106:80 | http://r11.o.lencr.org/ | unknown | whitelisted
6624 | firefox.exe | POST | 200 | 142.250.181.227:80 | http://o.pki.goog/wr2 | unknown | whitelisted
3992 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6624 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4500 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
 |  | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 |  | 2.23.227.215:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.18:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5864 | svchost.exe | 2.16.164.18:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5864 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
 |  | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5064 | SearchApp.exe | 2.23.227.208:443 | www.bing.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.164.18
  • 2.16.164.24
  • 2.16.164.99
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
login.live.com
  • 40.126.32.138
  • 40.126.32.68
  • 20.190.160.20
  • 40.126.32.74
  • 40.126.32.76
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.32.134
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted

Threats

PID | Process | Class | Message
6988 | ncftpput.exe | Misc activity | INFO [ANY.RUN] FTP protocol command for uploading a file
9 ETPRO signatures available at the full report
No debug info