Malware analysis Paranoid Checker 4.1.7.zip Malicious activity

Add for printing

File name:	Paranoid Checker 4.1.7.zip
Full analysis:	https://app.any.run/tasks/b451f34e-d303-4800-93b3-f4ff9e585e1e
Verdict:	Malicious activity
Threats:	DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Malware Trends Tracker >>>
Analysis date:	March 29, 2024, 10:40:36
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	dcrat
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=store
MD5:	604ADFEACE617392A885BAE5BA91DEF9
SHA1:	75F6FB6DD88F2057850D4DBE6038D22BB068223B
SHA256:	FB63A03E752329D09522C7813CB212331AF2D18430B8CD2E9DB937CB555C382D
SSDEEP:	98304:OadcEE9a2ur1GbsJrEjhPT9tQYqKOtPBLRQBdfhRk9f3OwLb4k/N8GDEEIJt0qUr:FrXTmrt86rraVGvJItBhUgX9eXZOYQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.110 (8.110)
Skype version 8.110 (8.110)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - WinRAR.exe (PID: 1696)
  - Paranoid Checker 4.1.7.exe (PID: 1496)
  - msComponentsaves.exe (PID: 3400)
  - System.exe (PID: 3520)
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 2364)
  - wscript.exe (PID: 748)
  - wscript.exe (PID: 3292)
  - wscript.exe (PID: 2616)
  - wscript.exe (PID: 908)
  - wscript.exe (PID: 3480)
  - wscript.exe (PID: 3828)
  - wscript.exe (PID: 3844)
  - wscript.exe (PID: 2208)
  - wscript.exe (PID: 2888)
  - wscript.exe (PID: 2320)
  - wscript.exe (PID: 1408)
  - wscript.exe (PID: 2308)
  - wscript.exe (PID: 1936)
  - wscript.exe (PID: 2768)
- DCRAT has been detected (YARA)
  - System.exe (PID: 3520)
  - System.exe (PID: 1536)
  - System.exe (PID: 3304)
  - System.exe (PID: 3488)
  - System.exe (PID: 1900)
- Deletes a file (SCRIPT)
  - wscript.exe (PID: 2616)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 3844)
  - wscript.exe (PID: 2320)
SUSPICIOUS
- Process drops legitimate windows executable
  - WinRAR.exe (PID: 1696)
- Reads security settings of Internet Explorer
  - Paranoid Checker 4.1.7.exe (PID: 1496)
  - Paranoid Checker 4.1.7.exe (PID: 3684)
  - msComponentsaves.exe (PID: 3400)
  - System.exe (PID: 3520)
  - System.exe (PID: 1536)
  - Paranoid Checker 4.1.7.exe (PID: 3568)
  - System.exe (PID: 3304)
  - Paranoid Checker 4.1.7.exe (PID: 2648)
  - System.exe (PID: 3488)
  - Paranoid Checker 4.1.7.exe (PID: 3820)
  - System.exe (PID: 1900)
- Reads the Internet Settings
  - Paranoid Checker 4.1.7.exe (PID: 1496)
  - Paranoid Checker 4.1.7.exe (PID: 3684)
  - wscript.exe (PID: 2364)
  - msComponentsaves.exe (PID: 3400)
  - System.exe (PID: 3520)
  - wscript.exe (PID: 748)
  - System.exe (PID: 1536)
  - Paranoid Checker 4.1.7.exe (PID: 3568)
  - wscript.exe (PID: 3480)
  - System.exe (PID: 3304)
  - Paranoid Checker 4.1.7.exe (PID: 2648)
  - wscript.exe (PID: 2208)
  - System.exe (PID: 3488)
  - Paranoid Checker 4.1.7.exe (PID: 3820)
  - wscript.exe (PID: 1408)
  - System.exe (PID: 1900)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 2364)
  - wscript.exe (PID: 2616)
  - wscript.exe (PID: 748)
  - wscript.exe (PID: 3480)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 2208)
  - wscript.exe (PID: 3844)
  - wscript.exe (PID: 2320)
  - wscript.exe (PID: 1408)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 2364)
  - wscript.exe (PID: 748)
  - wscript.exe (PID: 3480)
  - wscript.exe (PID: 2208)
  - wscript.exe (PID: 1408)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 2364)
  - wscript.exe (PID: 748)
  - wscript.exe (PID: 3480)
  - wscript.exe (PID: 2208)
  - wscript.exe (PID: 1408)
- The process creates files with name similar to system file names
  - msComponentsaves.exe (PID: 3400)
- Executed via WMI
  - schtasks.exe (PID: 2888)
  - schtasks.exe (PID: 2484)
  - schtasks.exe (PID: 2384)
  - schtasks.exe (PID: 880)
  - schtasks.exe (PID: 680)
  - schtasks.exe (PID: 1772)
  - schtasks.exe (PID: 1848)
  - schtasks.exe (PID: 2972)
  - schtasks.exe (PID: 3028)
  - schtasks.exe (PID: 1780)
  - schtasks.exe (PID: 1404)
  - schtasks.exe (PID: 3088)
  - schtasks.exe (PID: 2040)
  - schtasks.exe (PID: 3616)
  - schtasks.exe (PID: 1540)
  - schtasks.exe (PID: 2772)
  - schtasks.exe (PID: 2172)
  - schtasks.exe (PID: 1596)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 3912)
  - cmd.exe (PID: 3760)
  - cmd.exe (PID: 2924)
  - cmd.exe (PID: 2044)
  - cmd.exe (PID: 2384)
- Starts itself from another location
  - msComponentsaves.exe (PID: 3400)
- Creates FileSystem object to access computer's file system (SCRIPT)
  - wscript.exe (PID: 2616)
  - wscript.exe (PID: 3292)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 908)
  - wscript.exe (PID: 3844)
  - wscript.exe (PID: 3828)
  - wscript.exe (PID: 2320)
  - wscript.exe (PID: 2888)
  - wscript.exe (PID: 1936)
  - wscript.exe (PID: 2308)
- Uses WMI to retrieve WMI-managed resources (SCRIPT)
  - wscript.exe (PID: 2616)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 3844)
  - wscript.exe (PID: 2320)
  - wscript.exe (PID: 1936)
- Reads settings of System Certificates
  - System.exe (PID: 3520)
  - System.exe (PID: 1536)
  - System.exe (PID: 3304)
  - System.exe (PID: 3488)
  - System.exe (PID: 1900)
- The process executes VB scripts
  - System.exe (PID: 3520)
  - System.exe (PID: 1536)
  - System.exe (PID: 3304)
  - System.exe (PID: 3488)
  - System.exe (PID: 1900)
- Executes WMI query (SCRIPT)
  - wscript.exe (PID: 2616)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 3844)
  - wscript.exe (PID: 2320)
  - wscript.exe (PID: 1936)
- Checks whether a specific file exists (SCRIPT)
  - wscript.exe (PID: 3292)
  - wscript.exe (PID: 908)
  - wscript.exe (PID: 3828)
  - wscript.exe (PID: 2888)
  - wscript.exe (PID: 2308)
- Gets full path of the running script (SCRIPT)
  - wscript.exe (PID: 2616)
  - wscript.exe (PID: 2768)
  - wscript.exe (PID: 3844)
  - wscript.exe (PID: 2320)
INFO
- Checks supported languages
  - Paranoid Checker 4.1.7.exe (PID: 1496)
  - Paranoid Checker 4.1.7.exe (PID: 3684)
  - msComponentsaves.exe (PID: 3400)
  - System.exe (PID: 3520)
  - System.exe (PID: 1536)
  - msComponentsaves.exe (PID: 1264)
  - Paranoid Checker 4.1.7.exe (PID: 3568)
  - msComponentsaves.exe (PID: 4028)
  - System.exe (PID: 3304)
  - Paranoid Checker 4.1.7.exe (PID: 2648)
  - msComponentsaves.exe (PID: 3772)
  - Paranoid Checker 4.1.7.exe (PID: 3820)
  - System.exe (PID: 3488)
  - msComponentsaves.exe (PID: 2668)
  - System.exe (PID: 1900)
- Manual execution by a user
  - Paranoid Checker 4.1.7.exe (PID: 1496)
  - Paranoid Checker 4.1.7.exe (PID: 3684)
  - Paranoid Checker 4.1.7.exe (PID: 3568)
  - Paranoid Checker 4.1.7.exe (PID: 2648)
  - Paranoid Checker 4.1.7.exe (PID: 3820)
- Reads the computer name
  - Paranoid Checker 4.1.7.exe (PID: 1496)
  - Paranoid Checker 4.1.7.exe (PID: 3684)
  - msComponentsaves.exe (PID: 3400)
  - System.exe (PID: 3520)
  - System.exe (PID: 1536)
  - msComponentsaves.exe (PID: 1264)
  - Paranoid Checker 4.1.7.exe (PID: 3568)
  - msComponentsaves.exe (PID: 4028)
  - System.exe (PID: 3304)
  - Paranoid Checker 4.1.7.exe (PID: 2648)
  - msComponentsaves.exe (PID: 3772)
  - System.exe (PID: 3488)
  - Paranoid Checker 4.1.7.exe (PID: 3820)
  - System.exe (PID: 1900)
  - msComponentsaves.exe (PID: 2668)
- Reads Environment values
  - msComponentsaves.exe (PID: 3400)
  - System.exe (PID: 3520)
  - msComponentsaves.exe (PID: 1264)
  - System.exe (PID: 1536)
  - msComponentsaves.exe (PID: 4028)
  - System.exe (PID: 3304)
  - msComponentsaves.exe (PID: 3772)
  - System.exe (PID: 3488)
  - msComponentsaves.exe (PID: 2668)
  - System.exe (PID: 1900)
- Reads the machine GUID from the registry
  - msComponentsaves.exe (PID: 3400)
  - System.exe (PID: 3520)
  - msComponentsaves.exe (PID: 1264)
  - System.exe (PID: 1536)
  - System.exe (PID: 3304)
  - msComponentsaves.exe (PID: 4028)
  - msComponentsaves.exe (PID: 3772)
  - System.exe (PID: 3488)
  - msComponentsaves.exe (PID: 2668)
  - System.exe (PID: 1900)
- Reads product name
  - msComponentsaves.exe (PID: 3400)
  - System.exe (PID: 3520)
  - msComponentsaves.exe (PID: 1264)
  - System.exe (PID: 1536)
  - System.exe (PID: 3304)
  - msComponentsaves.exe (PID: 4028)
  - System.exe (PID: 3488)
  - msComponentsaves.exe (PID: 3772)
  - msComponentsaves.exe (PID: 2668)
  - System.exe (PID: 1900)
- Reads the software policy settings
  - System.exe (PID: 3520)
  - System.exe (PID: 1536)
  - System.exe (PID: 3304)
  - System.exe (PID: 3488)
  - System.exe (PID: 1900)
- Create files in a temporary directory
  - System.exe (PID: 3520)
  - System.exe (PID: 1536)
  - System.exe (PID: 3304)
  - System.exe (PID: 3488)
  - System.exe (PID: 1900)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

DcRat

(PID) Process(3520) System.exe

C2 (1)https://pastebin.com/raw/Gbnj27pi

Options

MutexDCR_MUTEX-P1ZqoYzVZVLOM11zKbBJ

savebrowsersdatatosinglefilefalse

ignorepartiallyemptydatafalse

cookiestrue

passwordstrue

formstrue

cctrue

historyfalse

telegramtrue

steamtrue

discordtrue

filezillatrue

screenshottrue

clipboardtrue

sysinfotrue

searchpath%UsersFolder% - Fast

Targetru

(PID) Process(1536) System.exe

C2 (1)https://pastebin.com/raw/Gbnj27pi

Options

MutexDCR_MUTEX-P1ZqoYzVZVLOM11zKbBJ

savebrowsersdatatosinglefilefalse

ignorepartiallyemptydatafalse

cookiestrue

passwordstrue

formstrue

cctrue

historyfalse

telegramtrue

steamtrue

discordtrue

filezillatrue

screenshottrue

clipboardtrue

sysinfotrue

searchpath%UsersFolder% - Fast

Targetru

(PID) Process(3304) System.exe

C2 (1)https://pastebin.com/raw/Gbnj27pi

Options

MutexDCR_MUTEX-P1ZqoYzVZVLOM11zKbBJ

savebrowsersdatatosinglefilefalse

ignorepartiallyemptydatafalse

cookiestrue

passwordstrue

formstrue

cctrue

historyfalse

telegramtrue

steamtrue

discordtrue

filezillatrue

screenshottrue

clipboardtrue

sysinfotrue

searchpath%UsersFolder% - Fast

Targetru

(PID) Process(3488) System.exe

C2 (1)https://pastebin.com/raw/Gbnj27pi

Options

MutexDCR_MUTEX-P1ZqoYzVZVLOM11zKbBJ

savebrowsersdatatosinglefilefalse

ignorepartiallyemptydatafalse

cookiestrue

passwordstrue

formstrue

cctrue

historyfalse

telegramtrue

steamtrue

discordtrue

filezillatrue

screenshottrue

clipboardtrue

sysinfotrue

searchpath%UsersFolder% - Fast

Targetru

(PID) Process(1900) System.exe

C2 (1)https://pastebin.com/raw/Gbnj27pi

Options

MutexDCR_MUTEX-P1ZqoYzVZVLOM11zKbBJ

savebrowsersdatatosinglefilefalse

ignorepartiallyemptydatafalse

cookiestrue

passwordstrue

formstrue

cctrue

historyfalse

telegramtrue

steamtrue

discordtrue

filezillatrue

screenshottrue

clipboardtrue

sysinfotrue

searchpath%UsersFolder% - Fast

Targetru

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	None
ZipModifyDate:	2023:09:22 03:22:54
ZipCRC:	0x00000000
ZipCompressedSize:	-
ZipUncompressedSize:	-
ZipFileName:	Paranoid Checker 4.1.7/

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

102

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

680

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\ServerwebRefmonitorDhcp\lsm.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

748

"C:\Windows\System32\WScript.exe" "C:\ServerwebRefmonitorDhcp\Oj1Ch.vbe"

C:\Windows\System32\wscript.exe

—

Paranoid Checker 4.1.7.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

880

schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0017-0412-0000-0000000FF1CE}-C\ctfmon.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

908

"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\3b6aeb52-5329-4b63-beb0-a465a3e0dcfd.vbs"

C:\Windows\System32\wscript.exe

—

System.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1264

"C:\ServerwebRefmonitorDhcp\msComponentsaves.exe"

C:\ServerwebRefmonitorDhcp\msComponentsaves.exe

—

cmd.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Version:

5.15.2.0

Modules

Images
c:\serverwebrefmonitordhcp\mscomponentsaves.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

1404

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\admin\Pictures\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

1408

"C:\Windows\System32\WScript.exe" "C:\ServerwebRefmonitorDhcp\Oj1Ch.vbe"

C:\Windows\System32\wscript.exe

—

Paranoid Checker 4.1.7.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Exit code:

Version:

5.8.7600.16385

Modules

Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

1496

"C:\Users\admin\Desktop\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe"

C:\Users\admin\Desktop\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\desktop\paranoid checker 4.1.7\paranoid checker 4.1.7.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.24542_none_5c0717c7a00ddc6d\gdiplus.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1536

"C:\MSOCache\All Users\{90140000-0019-0C0A-0000-0000000FF1CE}-C\System.exe"

C:\MSOCache\All Users\{90140000-0019-0C0A-0000-0000000FF1CE}-C\System.exe

wscript.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Version:

5.15.2.0

Modules

Images
c:\msocache\all users\{90140000-0019-0c0a-0000-0000000ff1ce}-c\system.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

DcRat

(PID) Process(1536) System.exe

C2 (1)https://pastebin.com/raw/Gbnj27pi

Options

MutexDCR_MUTEX-P1ZqoYzVZVLOM11zKbBJ

savebrowsersdatatosinglefilefalse

ignorepartiallyemptydatafalse

cookiestrue

passwordstrue

formstrue

cctrue

historyfalse

telegramtrue

steamtrue

discordtrue

filezillatrue

screenshottrue

clipboardtrue

sysinfotrue

searchpath%UsersFolder% - Fast

Targetru

1540

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

Add for printing

Total events

54 947

Read events

54 532

Write events

342

Delete events

Modification events


(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\phacker.zip
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\Paranoid Checker 4.1.7.zip
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(1696) WinRAR.exe	Key:	HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\AlphaFS.dll		executable
		MD5:—	SHA256:—
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\Extreme.Net.dll		executable
		MD5:—	SHA256:—
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\libGLESv2.dll		—
		MD5:—	SHA256:—
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\License.dll		text
		MD5:—	SHA256:—
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\Newtonsoft.Json.dll		executable
		MD5:—	SHA256:—
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\Ookii.Dialogs.Wpf.dll		executable
		MD5:—	SHA256:—
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\Paranoid Checker 4.1.7.exe		executable
		MD5:—	SHA256:—
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\Pastel.dll		executable
		MD5:—	SHA256:—
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\SMDiagnostics.dll		executable
		MD5:—	SHA256:—
1696	WinRAR.exe	C:\Users\admin\Desktop\Paranoid Checker 4.1.7\System.ServiceModel.Internals.dll		executable
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	224.0.0.252:5355	—	—	—	unknown
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
3520	System.exe	104.20.68.143:443	pastebin.com	CLOUDFLARENET	—	unknown
3520	System.exe	49.13.77.253:80	cw08653.tw1.ru	Hetzner Online GmbH	DE	unknown
1536	System.exe	104.20.68.143:443	pastebin.com	CLOUDFLARENET	—	unknown
1536	System.exe	49.13.77.253:80	cw08653.tw1.ru	Hetzner Online GmbH	DE	unknown
3304	System.exe	104.20.68.143:443	pastebin.com	CLOUDFLARENET	—	unknown
3304	System.exe	49.13.77.253:80	cw08653.tw1.ru	Hetzner Online GmbH	DE	unknown

DNS requests

Domain	IP	Reputation
pastebin.com	104.20.68.143 104.20.67.143 172.67.34.170	shared
cw08653.tw1.ru	49.13.77.253	unknown
dns.msftncsi.com	131.107.255.255	shared

Threats

No threats detected

Add for printing

No debug info

General Info

Paranoid Checker 4.1.7.zip

604ADFEACE617392A885BAE5BA91DEF9

75F6FB6DD88F2057850D4DBE6038D22BB068223B

FB63A03E752329D09522C7813CB212331AF2D18430B8CD2E9DB937CB555C382D

98304:OadcEE9a2ur1GbsJrEjhPT9tQYqKOtPBLRQBdfhRk9f3OwLb4k/N8GDEEIJt0qUr:FrXTmrt86rraVGvJItBhUgX9eXZOYQ

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Uses sleep, probably for evasion detection (SCRIPT)

DCRAT has been detected (YARA)

Deletes a file (SCRIPT)

SUSPICIOUS

Process drops legitimate windows executable

Reads security settings of Internet Explorer

Reads the Internet Settings

Runs shell command (SCRIPT)

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

The process creates files with name similar to system file names

Executed via WMI

Uses REG/REGEDIT.EXE to modify registry

Starts itself from another location

Creates FileSystem object to access computer's file system (SCRIPT)

Uses WMI to retrieve WMI-managed resources (SCRIPT)

Reads settings of System Certificates

The process executes VB scripts

Executes WMI query (SCRIPT)

Checks whether a specific file exists (SCRIPT)

Gets full path of the running script (SCRIPT)

INFO

Checks supported languages

Manual execution by a user

Reads the computer name

Reads Environment values

Reads the machine GUID from the registry

Reads product name

Reads the software policy settings

Create files in a temporary directory

Malware configuration

DcRat

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

DcRat

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity