Malware analysis https://wdho.ru/fsSp Malicious activity

Add for printing

URL:	https://wdho.ru/fsSp
Full analysis:	https://app.any.run/tasks/ed4beb58-4f31-4010-a700-38b73974b35c
Verdict:	Malicious activity
Threats:	A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 26, 2023, 04:49:42
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	rat backdoor dcrat remote stealer
Indicators:
MD5:	7DD55AA3C48E0ECF099CF978A88A6D1E
SHA1:	37CD7D218686E2F35E90D065E97A5348C6FF61FC
SHA256:	DB158E55C08ED3796788861C2408A86F0510EEAF808BD4AB392B68A45B105128
SSDEEP:	3:N8QNKjCyn:2QNKjf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 1996)
  - wscript.exe (PID: 3100)
  - wscript.exe (PID: 1996)
  - wscript.exe (PID: 1992)
  - wscript.exe (PID: 3860)
  - wscript.exe (PID: 2560)
  - wscript.exe (PID: 3816)
  - wscript.exe (PID: 1904)
  - wscript.exe (PID: 3508)
  - wscript.exe (PID: 3404)
  - wscript.exe (PID: 1572)
- DCRAT has been detected (SURICATA)
  - firefox.exe (PID: 3812)
  - SearchFilterHost.exe (PID: 2240)
SUSPICIOUS
- The process creates files with name similar to system file names
  - WinRAR.exe (PID: 4040)
  - NVIDIA Container.exe (PID: 4000)
  - NVIDIA Container.exe (PID: 3764)
  - NVIDIA Container.exe (PID: 3612)
  - NVIDIA Container.exe (PID: 848)
- Reads the Internet Settings
  - NVIDIA Container.exe (PID: 3824)
  - Police_by_LuckyKazya.exe (PID: 3396)
  - wscript.exe (PID: 1996)
  - wscript.exe (PID: 3100)
  - Police_by_LuckyKazya.exe (PID: 2828)
  - NVIDIA Container.exe (PID: 4000)
  - Idle.exe (PID: 3112)
  - Police_by_LuckyKazya.exe (PID: 584)
  - NVIDIA Container.exe (PID: 3868)
  - wscript.exe (PID: 1996)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2108)
  - NVIDIA Container.exe (PID: 3864)
  - NVIDIA Container.exe (PID: 3764)
  - wscript.exe (PID: 1992)
  - NVIDIA Container.exe (PID: 3584)
  - wscript.exe (PID: 3860)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 3720)
  - NVIDIA Container.exe (PID: 1216)
  - wscript.exe (PID: 2560)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2156)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2644)
  - firefox.exe (PID: 3812)
  - NVIDIA Container.exe (PID: 296)
  - wscript.exe (PID: 3816)
  - Dirochka_by_LuckyKazya.exe (PID: 584)
  - NVIDIA Container.exe (PID: 2816)
  - Dirochka_by_LuckyKazya.exe (PID: 2520)
  - wscript.exe (PID: 1904)
  - Dirochka_by_LuckyKazya.exe (PID: 3228)
  - wscript.exe (PID: 3508)
  - wscript.exe (PID: 3404)
  - NVIDIA Container.exe (PID: 1804)
  - NVIDIA Container.exe (PID: 3612)
  - SearchFilterHost.exe (PID: 2240)
  - NVIDIA Container.exe (PID: 4088)
  - cmd.exe (PID: 1904)
  - Очко несёт смерть.exe (PID: 4036)
  - Очко несёт смерть.exe (PID: 3648)
  - wscript.exe (PID: 1572)
  - NVIDIA Container.exe (PID: 848)
- The process executes VB scripts
  - Police_by_LuckyKazya.exe (PID: 3396)
  - Dirochka_by_LuckyKazya.exe (PID: 2520)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 1996)
  - wscript.exe (PID: 1996)
  - wscript.exe (PID: 1992)
  - wscript.exe (PID: 3860)
  - wscript.exe (PID: 2560)
  - wscript.exe (PID: 3816)
  - wscript.exe (PID: 1904)
  - wscript.exe (PID: 3404)
  - NVIDIA Container.exe (PID: 3612)
  - Очко несёт смерть.exe (PID: 3648)
  - wscript.exe (PID: 1572)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 1996)
  - wscript.exe (PID: 1996)
  - wscript.exe (PID: 1992)
  - wscript.exe (PID: 3860)
  - wscript.exe (PID: 2560)
  - wscript.exe (PID: 3816)
  - wscript.exe (PID: 1904)
  - wscript.exe (PID: 3404)
  - NVIDIA Container.exe (PID: 3612)
  - Очко несёт смерть.exe (PID: 3648)
  - wscript.exe (PID: 1572)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 1996)
  - wscript.exe (PID: 1996)
  - wscript.exe (PID: 3860)
  - wscript.exe (PID: 2560)
  - wscript.exe (PID: 3816)
  - wscript.exe (PID: 1904)
  - wscript.exe (PID: 3404)
  - wscript.exe (PID: 1992)
  - wscript.exe (PID: 1572)
- The process checks if it is being run in the virtual environment
  - WinRAR.exe (PID: 4040)
- Probably delay the execution using 'w32tm.exe'
  - cmd.exe (PID: 2992)
INFO
- Application launched itself
  - firefox.exe (PID: 120)
  - firefox.exe (PID: 128)
  - msedge.exe (PID: 2596)
  - msedge.exe (PID: 3604)
- The process uses the downloaded file
  - WinRAR.exe (PID: 4040)
  - firefox.exe (PID: 128)
- Drops the executable file immediately after the start
  - firefox.exe (PID: 128)
  - WinRAR.exe (PID: 4040)
  - NVIDIA Container.exe (PID: 3824)
  - Police_by_LuckyKazya.exe (PID: 2828)
  - NVIDIA Container.exe (PID: 4000)
  - Police_by_LuckyKazya.exe (PID: 584)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2108)
  - NVIDIA Container.exe (PID: 3764)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 3720)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2156)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2644)
  - Dirochka_by_LuckyKazya.exe (PID: 584)
  - Dirochka_by_LuckyKazya.exe (PID: 3228)
  - NVIDIA Container.exe (PID: 3612)
  - Очко несёт смерть.exe (PID: 4036)
  - NVIDIA Container.exe (PID: 848)
- Manual execution by a user
  - WinRAR.exe (PID: 4040)
  - Police_by_LuckyKazya.exe (PID: 2828)
  - Police_by_LuckyKazya.exe (PID: 584)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2108)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 3720)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2156)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2644)
  - Dirochka_by_LuckyKazya.exe (PID: 584)
  - Dirochka_by_LuckyKazya.exe (PID: 3228)
  - Очко несёт смерть.exe (PID: 4036)
  - msedge.exe (PID: 3604)
- Reads the computer name
  - NVIDIA Container.exe (PID: 3824)
  - Police_by_LuckyKazya.exe (PID: 3396)
  - NVIDIA Container.exe (PID: 4000)
  - Police_by_LuckyKazya.exe (PID: 2828)
  - Idle.exe (PID: 3112)
  - NVIDIA Container.exe (PID: 3868)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2108)
  - Police_by_LuckyKazya.exe (PID: 584)
  - NVIDIA Container.exe (PID: 3764)
  - NVIDIA Container.exe (PID: 3864)
  - firefox.exe (PID: 3812)
  - NVIDIA Container.exe (PID: 3412)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 3720)
  - NVIDIA Container.exe (PID: 3584)
  - NVIDIA Container.exe (PID: 2908)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2156)
  - NVIDIA Container.exe (PID: 1216)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2644)
  - NVIDIA Container.exe (PID: 3996)
  - NVIDIA Container.exe (PID: 296)
  - NVIDIA Container.exe (PID: 2092)
  - Dirochka_by_LuckyKazya.exe (PID: 584)
  - Dirochka_by_LuckyKazya.exe (PID: 2520)
  - NVIDIA Container.exe (PID: 2816)
  - NVIDIA Container.exe (PID: 1032)
  - Dirochka_by_LuckyKazya.exe (PID: 3228)
  - NVIDIA Container.exe (PID: 3612)
  - NVIDIA Container.exe (PID: 1804)
  - Очко несёт смерть.exe (PID: 4036)
  - SearchFilterHost.exe (PID: 2240)
  - NVIDIA Container.exe (PID: 4088)
  - Очко несёт смерть.exe (PID: 3648)
  - NVIDIA Container.exe (PID: 848)
  - firefox.exe (PID: 4468)
- Checks supported languages
  - NVIDIA Container.exe (PID: 3824)
  - NVIDIA Container.exe (PID: 4000)
  - Police_by_LuckyKazya.exe (PID: 2828)
  - Police_by_LuckyKazya.exe (PID: 3396)
  - Idle.exe (PID: 3112)
  - NVIDIA Container.exe (PID: 3868)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2108)
  - NVIDIA Container.exe (PID: 3764)
  - Police_by_LuckyKazya.exe (PID: 584)
  - NVIDIA Container.exe (PID: 3864)
  - firefox.exe (PID: 3812)
  - NVIDIA Container.exe (PID: 3412)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 3720)
  - NVIDIA Container.exe (PID: 3584)
  - NVIDIA Container.exe (PID: 2908)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2156)
  - NVIDIA Container.exe (PID: 1216)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2644)
  - NVIDIA Container.exe (PID: 3996)
  - NVIDIA Container.exe (PID: 296)
  - NVIDIA Container.exe (PID: 2092)
  - Dirochka_by_LuckyKazya.exe (PID: 584)
  - NVIDIA Container.exe (PID: 2816)
  - Dirochka_by_LuckyKazya.exe (PID: 2520)
  - NVIDIA Container.exe (PID: 1032)
  - Dirochka_by_LuckyKazya.exe (PID: 3228)
  - NVIDIA Container.exe (PID: 1804)
  - NVIDIA Container.exe (PID: 3612)
  - Очко несёт смерть.exe (PID: 4036)
  - SearchFilterHost.exe (PID: 2240)
  - Очко несёт смерть.exe (PID: 3648)
  - NVIDIA Container.exe (PID: 4088)
  - NVIDIA Container.exe (PID: 848)
  - firefox.exe (PID: 4468)
- Checks proxy server information
  - wscript.exe (PID: 3100)
  - wscript.exe (PID: 3508)
- Create files in a temporary directory
  - Police_by_LuckyKazya.exe (PID: 3396)
  - Police_by_LuckyKazya.exe (PID: 2828)
  - Police_by_LuckyKazya.exe (PID: 584)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2108)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 3720)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2644)
  - Meatspin_v6_MIN_by_LuckyKazya.exe (PID: 2156)
  - Dirochka_by_LuckyKazya.exe (PID: 584)
  - Dirochka_by_LuckyKazya.exe (PID: 2520)
  - Dirochka_by_LuckyKazya.exe (PID: 3228)
  - NVIDIA Container.exe (PID: 3612)
  - Очко несёт смерть.exe (PID: 4036)
  - Очко несёт смерть.exe (PID: 3648)
- Reads the machine GUID from the registry
  - NVIDIA Container.exe (PID: 4000)
  - Idle.exe (PID: 3112)
  - NVIDIA Container.exe (PID: 3764)
  - NVIDIA Container.exe (PID: 3412)
  - firefox.exe (PID: 3812)
  - NVIDIA Container.exe (PID: 2908)
  - NVIDIA Container.exe (PID: 3996)
  - NVIDIA Container.exe (PID: 2092)
  - NVIDIA Container.exe (PID: 1032)
  - NVIDIA Container.exe (PID: 3612)
  - SearchFilterHost.exe (PID: 2240)
  - NVIDIA Container.exe (PID: 848)
  - firefox.exe (PID: 4468)
- Reads Environment values
  - NVIDIA Container.exe (PID: 4000)
  - Idle.exe (PID: 3112)
  - NVIDIA Container.exe (PID: 3764)
  - firefox.exe (PID: 3812)
  - NVIDIA Container.exe (PID: 3412)
  - NVIDIA Container.exe (PID: 2908)
  - NVIDIA Container.exe (PID: 3996)
  - NVIDIA Container.exe (PID: 2092)
  - NVIDIA Container.exe (PID: 1032)
  - NVIDIA Container.exe (PID: 3612)
  - SearchFilterHost.exe (PID: 2240)
  - NVIDIA Container.exe (PID: 848)
  - firefox.exe (PID: 4468)
- Reads product name
  - NVIDIA Container.exe (PID: 4000)
  - Idle.exe (PID: 3112)
  - NVIDIA Container.exe (PID: 3764)
  - firefox.exe (PID: 3812)
  - NVIDIA Container.exe (PID: 3412)
  - NVIDIA Container.exe (PID: 2908)
  - NVIDIA Container.exe (PID: 2092)
  - NVIDIA Container.exe (PID: 3996)
  - NVIDIA Container.exe (PID: 1032)
  - NVIDIA Container.exe (PID: 3612)
  - SearchFilterHost.exe (PID: 2240)
  - NVIDIA Container.exe (PID: 848)
  - firefox.exe (PID: 4468)
- Executed via WMI
  - schtasks.exe (PID: 3956)
  - schtasks.exe (PID: 3088)
  - schtasks.exe (PID: 3984)
  - schtasks.exe (PID: 2480)
  - schtasks.exe (PID: 296)
  - schtasks.exe (PID: 3772)
  - schtasks.exe (PID: 3388)
  - schtasks.exe (PID: 2676)
  - schtasks.exe (PID: 2124)
  - schtasks.exe (PID: 4056)
  - schtasks.exe (PID: 1976)
  - schtasks.exe (PID: 1904)
  - schtasks.exe (PID: 1812)
  - schtasks.exe (PID: 3212)
  - schtasks.exe (PID: 2324)
  - schtasks.exe (PID: 2176)
  - schtasks.exe (PID: 2948)
  - schtasks.exe (PID: 2860)
  - schtasks.exe (PID: 2952)
  - schtasks.exe (PID: 2364)
  - schtasks.exe (PID: 4048)
  - schtasks.exe (PID: 2492)
  - schtasks.exe (PID: 2260)
  - schtasks.exe (PID: 3864)
  - schtasks.exe (PID: 4056)
  - schtasks.exe (PID: 3384)
  - schtasks.exe (PID: 3908)
  - schtasks.exe (PID: 2656)
  - schtasks.exe (PID: 2176)
  - schtasks.exe (PID: 2620)
  - schtasks.exe (PID: 4048)
  - schtasks.exe (PID: 2616)
  - schtasks.exe (PID: 2816)
  - schtasks.exe (PID: 2364)
  - schtasks.exe (PID: 3508)
  - schtasks.exe (PID: 2544)
  - schtasks.exe (PID: 3344)
  - schtasks.exe (PID: 4044)
  - schtasks.exe (PID: 3408)
  - schtasks.exe (PID: 3908)
  - schtasks.exe (PID: 1556)
  - schtasks.exe (PID: 3792)
  - schtasks.exe (PID: 2364)
  - schtasks.exe (PID: 2644)
  - schtasks.exe (PID: 1848)
  - schtasks.exe (PID: 992)
  - schtasks.exe (PID: 3304)
  - schtasks.exe (PID: 3136)
  - schtasks.exe (PID: 1904)
  - schtasks.exe (PID: 2240)
  - schtasks.exe (PID: 3820)
  - schtasks.exe (PID: 3992)
  - schtasks.exe (PID: 2156)
  - schtasks.exe (PID: 2828)
  - schtasks.exe (PID: 3764)
  - schtasks.exe (PID: 752)
  - schtasks.exe (PID: 3624)
  - schtasks.exe (PID: 1624)
  - schtasks.exe (PID: 2124)
  - schtasks.exe (PID: 332)
  - schtasks.exe (PID: 3228)
  - schtasks.exe (PID: 3600)
  - schtasks.exe (PID: 3468)
  - schtasks.exe (PID: 3448)
  - schtasks.exe (PID: 900)
  - schtasks.exe (PID: 3776)
  - schtasks.exe (PID: 1924)
  - schtasks.exe (PID: 4064)
  - schtasks.exe (PID: 2676)
  - schtasks.exe (PID: 3848)
  - schtasks.exe (PID: 664)
  - schtasks.exe (PID: 568)
  - schtasks.exe (PID: 1216)
  - schtasks.exe (PID: 2860)
  - schtasks.exe (PID: 1976)
  - schtasks.exe (PID: 2952)
  - schtasks.exe (PID: 3752)
  - schtasks.exe (PID: 2004)
  - schtasks.exe (PID: 3964)
  - schtasks.exe (PID: 2828)
  - schtasks.exe (PID: 2368)
  - schtasks.exe (PID: 2728)
  - schtasks.exe (PID: 3860)
  - schtasks.exe (PID: 3908)
  - schtasks.exe (PID: 3224)
  - schtasks.exe (PID: 2324)
  - schtasks.exe (PID: 2332)
  - schtasks.exe (PID: 3888)
  - schtasks.exe (PID: 3772)
  - schtasks.exe (PID: 1572)
  - schtasks.exe (PID: 3812)
  - schtasks.exe (PID: 2520)
  - schtasks.exe (PID: 4008)
  - schtasks.exe (PID: 3888)
  - schtasks.exe (PID: 4064)
  - schtasks.exe (PID: 4112)
  - schtasks.exe (PID: 4132)
  - schtasks.exe (PID: 4200)
  - schtasks.exe (PID: 4236)
  - schtasks.exe (PID: 4344)
  - schtasks.exe (PID: 4312)
  - schtasks.exe (PID: 4356)
  - schtasks.exe (PID: 3128)
  - schtasks.exe (PID: 4152)
  - schtasks.exe (PID: 4368)
  - schtasks.exe (PID: 4412)
  - schtasks.exe (PID: 4432)
  - schtasks.exe (PID: 4396)
- Creates files or folders in the user directory
  - NVIDIA Container.exe (PID: 4000)
  - NVIDIA Container.exe (PID: 3764)
- Starts itself from another location
  - NVIDIA Container.exe (PID: 4000)
  - NVIDIA Container.exe (PID: 3764)
  - NVIDIA Container.exe (PID: 848)
- Creates files in the program directory
  - NVIDIA Container.exe (PID: 3764)
  - NVIDIA Container.exe (PID: 3612)
  - NVIDIA Container.exe (PID: 848)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

252

Monitored processes

194

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

120

"C:\Program Files\Mozilla Firefox\firefox.exe" "https://wdho.ru/fsSp"

C:\Program Files\Mozilla Firefox\firefox.exe

—

explorer.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

128

"C:\Program Files\Mozilla Firefox\firefox.exe" https://wdho.ru/fsSp

C:\Program Files\Mozilla Firefox\firefox.exe

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

115.0.2

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll

296

schtasks.exe /create /tn "taskeng" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\taskeng.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

296

"C:\Users\admin\AppData\Local\Temp\NVIDIA Container.exe"

C:\Users\admin\AppData\Local\Temp\NVIDIA Container.exe

—

Meatspin_v6_MIN_by_LuckyKazya.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221225547

Modules

Images
c:\users\admin\appdata\local\temp\nvidia container.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

332

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\services.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

452

"C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=109.0.5414.149 "--annotation=exe=C:\Program Files\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win32 "--annotation=prod=Microsoft Edge" --annotation=ver=109.0.1518.115 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd8,0x6615f598,0x6615f5a8,0x6615f5b4

C:\Program Files\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft Edge

Exit code:

Version:

109.0.1518.115

Modules

Images
c:\program files\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\microsoft\edge\application\109.0.1518.115\msedge_elf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

568

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\firefox.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

584

"C:\Users\admin\Desktop\Пак Приколов\Pack by LuckyKazya\Police_by_LuckyKazya.exe"

C:\Users\admin\Desktop\Пак Приколов\Pack by LuckyKazya\Police_by_LuckyKazya.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\пак приколов\pack by luckykazya\police_by_luckykazya.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

584

"C:\Users\admin\Desktop\Пак Приколов\Pack by LuckyKazya\Dirochka_by_LuckyKazya.exe"

C:\Users\admin\Desktop\Пак Приколов\Pack by LuckyKazya\Dirochka_by_LuckyKazya.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\пак приколов\pack by luckykazya\dirochka_by_luckykazya.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

664

schtasks.exe /create /tn "firefoxf" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\firefox.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

Add for printing

Total events

37 224

Read events

36 809

Write events

413

Delete events

Modification events


(PID) Process:	(120) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher
Value: 2166C0A101000000
(PID) Process:	(128) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Browser
Value: 044CC1A101000000
(PID) Process:	(128) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry
Value: 0
(PID) Process:	(128) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe
Value: 0
(PID) Process:	(128) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Theme
Value: 1
(PID) Process:	(128) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\PreXULSkeletonUISettings
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\firefox.exe\|Enabled
Value: 1
(PID) Process:	(128) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableTelemetry
Value: 1
(PID) Process:	(128) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|DisableDefaultBrowserAgent
Value: 0
(PID) Process:	(128) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|SetDefaultBrowserUserChoice
Value: 1
(PID) Process:	(128) firefox.exe	Key:	HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent
Operation:	write	Name:	C:\Program Files\Mozilla Firefox\|AppLastRunTime
Value: D14E5F3C23B0D901

Add for printing

Executable files

125

Suspicious files

202

Text files

121

Unknown types

Dropped files

PID	Process	Filename		Type
128	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin		binary
		MD5:B7A3C61D0C144CC5E166B1E769CA8F8C	SHA256:7FADCB77FFACA6B9E9F15C6F1CD3AAD4C20DCD90FA92429A627A3A7110CA2644
128	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
128	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json		binary
		MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A	SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
128	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js		text
		MD5:60E0DE9E05EC76C749D80F0D15A81B21	SHA256:08252FA62CCCCD316474E20CC7317A6B5C932B2C972234318E8CCDA39EC2EF48
128	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
128	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js		text
		MD5:60E0DE9E05EC76C749D80F0D15A81B21	SHA256:08252FA62CCCCD316474E20CC7317A6B5C932B2C972234318E8CCDA39EC2EF48
128	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
128	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite		—
		MD5:—	SHA256:—
128	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
128	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\datareporting\glean\db\data.safe.bin		binary
		MD5:63B1BB87284EFE954E1C3AE390E7EE44	SHA256:B017EE25A7F5C09EB4BF359CA721D67E6E9D9F95F8CE6F741D47F33BDE6EF73A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

115

DNS requests

208

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
128	firefox.exe	POST	200	184.24.77.54:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown
128	firefox.exe	POST	200	142.250.185.131:80	http://ocsp.pki.goog/gts1c3	US	binary	471 b	unknown
128	firefox.exe	POST	200	142.250.185.131:80	http://ocsp.pki.goog/gts1c3	US	binary	471 b	unknown
128	firefox.exe	POST	200	13.32.26.76:80	http://ocsp.r2m02.amazontrust.com/	US	binary	471 b	unknown
128	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	US	text	90 b	unknown
128	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/success.txt?ipv4	US	text	8 b	unknown
128	firefox.exe	POST	200	184.24.77.54:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown
128	firefox.exe	POST	200	184.24.77.54:80	http://r3.o.lencr.org/	DE	binary	503 b	unknown
128	firefox.exe	POST	200	104.18.20.226:80	http://ocsp.globalsign.com/gseccovsslca2018	unknown	binary	937 b	unknown
128	firefox.exe	POST	200	142.250.185.131:80	http://ocsp.pki.goog/gts1c3	US	binary	471 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
128	firefox.exe	91.122.205.219:443	wdho.ru	Rostelecom	RU	unknown
128	firefox.exe	34.107.221.82:80	detectportal.firefox.com	GOOGLE	US	whitelisted
128	firefox.exe	34.117.237.239:443	contile.services.mozilla.com	GOOGLE-CLOUD-PLATFORM	US	unknown
128	firefox.exe	34.224.179.141:443	spocs.getpocket.com	AMAZON-AES	US	unknown
128	firefox.exe	34.149.100.209:443	firefox.settings.services.mozilla.com	GOOGLE	US	unknown
128	firefox.exe	184.24.77.54:80	r3.o.lencr.org	Akamai International B.V.	DE	unknown
128	firefox.exe	184.24.77.48:80	r3.o.lencr.org	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
wdho.ru	91.122.205.219	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	34.117.237.239	whitelisted
example.org	93.184.216.34	whitelisted
ipv4only.arpa	192.0.0.170 192.0.0.171	whitelisted
spocs.getpocket.com	34.224.179.141 18.208.89.118 18.208.238.156 18.235.156.0	shared
proxyserverecs-1736642167.us-east-1.elb.amazonaws.com	34.224.179.141 18.208.89.118 18.208.238.156 18.235.156.0	shared
r3.o.lencr.org	184.24.77.54 184.24.77.48 95.101.54.112 95.101.54.107 95.101.54.137 95.101.54.123 2.16.202.121 95.101.54.122 95.101.54.145 95.101.54.195 95.101.54.114	shared
firefox.settings.services.mozilla.com	34.149.100.209	whitelisted

Threats

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET MALWARE DCRAT Activity (GET)
3812	firefox.exe	A Network Trojan was detected	ET MALWARE DCRAT Activity (GET)
2240	SearchFilterHost.exe	A Network Trojan was detected	ET MALWARE DCRAT Activity (GET)

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

https://wdho.ru/fsSp

7DD55AA3C48E0ECF099CF978A88A6D1E

37CD7D218686E2F35E90D065E97A5348C6FF61FC

DB158E55C08ED3796788861C2408A86F0510EEAF808BD4AB392B68A45B105128

3:N8QNKjCyn:2QNKjf

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Uses sleep, probably for evasion detection (SCRIPT)

DCRAT has been detected (SURICATA)

SUSPICIOUS

The process creates files with name similar to system file names

Reads the Internet Settings

The process executes VB scripts

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Runs shell command (SCRIPT)

The process checks if it is being run in the virtual environment

Probably delay the execution using 'w32tm.exe'

INFO

Application launched itself

The process uses the downloaded file

Drops the executable file immediately after the start

Manual execution by a user

Reads the computer name

Checks supported languages

Checks proxy server information

Create files in a temporary directory

Reads the machine GUID from the registry

Reads Environment values

Reads product name

Executed via WMI

Creates files or folders in the user directory

Starts itself from another location

Creates files in the program directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings