| File name: | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe |
| Full analysis: | https://app.any.run/tasks/578618bf-b83c-4ac7-bfc7-1b61b36ef1ba |
| Verdict: | Malicious activity |
| Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
| Analysis date: | June 13, 2024, 14:38:59 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 0CE36B19FD7D0DC505076D90B54AFD5C |
| SHA1: | 91CA6268E0676C2D985B96F1D431A52DB6165CBC |
| SHA256: | FE97C8C1E0A639E51FE0FA1D9AA863067B19B37D10D78D5BCF7D2B1D69550708 |
| SSDEEP: | 49152:bKIBBGwWx+Pf9p2VAWY/FPOPrDJfu4MxNVX2DYH2DYH2DYH2DYH2DY:bPGnx+PFp2E9Pcmfxbs6s6s6s6s |
MALICIOUS
Drops the executable file immediately after the start
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 6352)
- autohotkey.exe (PID: 6412)
- chaindllNet.exe (PID: 7092)
Uses sleep, probably for evasion detection (SCRIPT)
- wscript.exe (PID: 6460)
DARKCRYSTAL has been detected (SURICATA)
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
Actions looks like stealing of personal data
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
Connects to the CnC server
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
DCRAT has been detected (YARA)
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
SUSPICIOUS
Reads security settings of Internet Explorer
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 6352)
- autohotkey.exe (PID: 6412)
- chaindllNet.exe (PID: 7092)
Executable content was dropped or overwritten
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 6352)
- autohotkey.exe (PID: 6412)
- chaindllNet.exe (PID: 7092)
Reads the date of Windows installation
- autohotkey.exe (PID: 6412)
- chaindllNet.exe (PID: 7092)
Potential Corporate Privacy Violation
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 6352)
Runs shell command (SCRIPT)
- wscript.exe (PID: 6460)
Executing commands from a ".bat" file
- wscript.exe (PID: 6460)
Starts CMD.EXE for commands execution
- wscript.exe (PID: 6460)
Executed via WMI
- schtasks.exe (PID: 4536)
- schtasks.exe (PID: 3700)
- schtasks.exe (PID: 1280)
- schtasks.exe (PID: 6284)
- schtasks.exe (PID: 4988)
- schtasks.exe (PID: 6176)
- schtasks.exe (PID: 3500)
- schtasks.exe (PID: 5064)
- schtasks.exe (PID: 4724)
- schtasks.exe (PID: 2084)
- schtasks.exe (PID: 2684)
- schtasks.exe (PID: 896)
- schtasks.exe (PID: 4360)
- schtasks.exe (PID: 2620)
- schtasks.exe (PID: 1512)
- schtasks.exe (PID: 3956)
- schtasks.exe (PID: 5108)
- schtasks.exe (PID: 4852)
- schtasks.exe (PID: 5996)
- schtasks.exe (PID: 5920)
- schtasks.exe (PID: 6148)
- schtasks.exe (PID: 4548)
- schtasks.exe (PID: 2680)
- schtasks.exe (PID: 6308)
- schtasks.exe (PID: 4936)
- schtasks.exe (PID: 5840)
- schtasks.exe (PID: 1864)
- schtasks.exe (PID: 6212)
- schtasks.exe (PID: 6240)
- schtasks.exe (PID: 3728)
- schtasks.exe (PID: 5852)
- schtasks.exe (PID: 6252)
- schtasks.exe (PID: 6688)
- schtasks.exe (PID: 6436)
- schtasks.exe (PID: 6988)
- schtasks.exe (PID: 6420)
- schtasks.exe (PID: 6416)
- schtasks.exe (PID: 6472)
- schtasks.exe (PID: 5404)
- schtasks.exe (PID: 5932)
- schtasks.exe (PID: 6480)
- schtasks.exe (PID: 7044)
- schtasks.exe (PID: 5964)
- schtasks.exe (PID: 6152)
- schtasks.exe (PID: 6324)
- schtasks.exe (PID: 2508)
- schtasks.exe (PID: 1204)
- schtasks.exe (PID: 5064)
- schtasks.exe (PID: 2084)
- schtasks.exe (PID: 3500)
- schtasks.exe (PID: 4620)
- schtasks.exe (PID: 4148)
- schtasks.exe (PID: 5100)
- schtasks.exe (PID: 1108)
- schtasks.exe (PID: 712)
- schtasks.exe (PID: 5552)
- schtasks.exe (PID: 1112)
The process creates files with name similar to system file names
- chaindllNet.exe (PID: 7092)
Likely accesses (executes) a file from the Public directory
- schtasks.exe (PID: 1864)
- schtasks.exe (PID: 896)
- schtasks.exe (PID: 2684)
Starts itself from another location
- chaindllNet.exe (PID: 7092)
Contacting a server suspected of hosting an CnC
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
INFO
Checks proxy server information
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 6352)
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
Reads the computer name
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 6352)
- autohotkey.exe (PID: 6412)
- chaindllNet.exe (PID: 7092)
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
Checks supported languages
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 6352)
- autohotkey.exe (PID: 6412)
- chaindllNet.exe (PID: 7092)
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
Creates files in the program directory
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 6352)
- chaindllNet.exe (PID: 7092)
Process checks computer location settings
- autohotkey.exe (PID: 6412)
- chaindllNet.exe (PID: 7092)
Reads Environment values
- chaindllNet.exe (PID: 7092)
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
Reads the machine GUID from the registry
- chaindllNet.exe (PID: 7092)
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
Reads the software policy settings
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
Disables trace logs
- fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe (PID: 5620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
DcRat
(PID) Process(5620) fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe
C2 (1)https://pastebin.com/raw/gPWQezp5
Options
MutexDCR_MUTEX-Klwp32wcGXMv50RNxN4v
searchpath%UsersFolder% - Fast
Targetals
C2 (1)http://a0992844.xsph.ru/L1nc0In
Options
MutexDCR_MUTEX-Klwp32wcGXMv50RNxN4v
Debugfalse
ServerConfigReplacementTable
0;
1%
6@
L,
b_
i`
D<
N>
m-
X!
c.
B~
U)
w|
I
J$
y^
W(
o*
l#
E&
PluginConfigReplacementTable
0@
6-
=`
I*
x$
i<
e,
j)
w&
y_
S#
M;
c^
Q%
X|
b.
p>
f!
D(
l~
GetWebcamsfalse
SleepTimeout5
InactivityTimeout2
CacheStorageRegistry
AutoRunSmart
StealerConfig
searchpath%UsersFolder% - Fast
StealerEnabledfalse
StealerOptionsfalse
SelfDeletefalse
Version4.5.32
ServerTypeC#
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (35.8) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (31.7) |
| .scr | | | Windows screen saver (15) |
| .dll | | | Win32 Dynamic Link Library (generic) (7.5) |
| .exe | | | Win32 Executable (generic) (5.1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:07:08 05:25:30+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 704512 |
| InitializedDataSize: | 444928 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9d2f0 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.1.37.1 |
| ProductVersionNumber: | 1.1.37.1 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| FileVersion: | 1.1.37.01 |
| ProductVersion: | 1.1.37.01 |
Total processes
187
Monitored processes
64
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 712 | schtasks.exe /create /tn "fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708" /sc ONLOGON /tr "'C:\componentsvc\fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 896 | schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 11 /tr "'C:\Users\Public\AccountPictures\WaaSMedicAgent.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1108 | schtasks.exe /create /tn "fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708f" /sc MINUTE /mo 7 /tr "'C:\componentsvc\fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1112 | schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\Recent\MoUsoCoreWorker.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1204 | schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\componentsvc\MoUsoCoreWorker.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1280 | schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\componentsvc\dasHost.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1512 | schtasks.exe /create /tn "fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708f" /sc MINUTE /mo 7 /tr "'C:\componentsvc\fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe'" /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1864 | schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\WaaSMedicAgent.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2084 | schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\componentsvc\dasHost.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2084 | schtasks.exe /create /tn "SystemSettings" /sc ONLOGON /tr "'C:\componentsvc\SystemSettings.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
9 619
Read events
9 569
Write events
50
Delete events
0
Modification events
| (PID) Process: | (6352) fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6352) fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6352) fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (6352) fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (6412) autohotkey.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts |
| Operation: | write | Name: | VBEFile_.vbe |
Value: 0 | |||
| (PID) Process: | (6412) autohotkey.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids |
| Operation: | write | Name: | VBEFile |
Value: | |||
| (PID) Process: | (6412) autohotkey.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6412) autohotkey.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6412) autohotkey.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (6412) autohotkey.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
18
Suspicious files
1
Text files
17
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7092 | chaindllNet.exe | C:\componentsvc\dasHost.exe | executable | |
MD5:858CDA722C93131A66F356DC0EB69BFF | SHA256:F1B46592E22829A3313996673869726465277D4AEF5B619DBC52A194C8BBE91B | |||
| 6412 | autohotkey.exe | C:\componentsvc\chaindllNet.exe | executable | |
MD5:858CDA722C93131A66F356DC0EB69BFF | SHA256:F1B46592E22829A3313996673869726465277D4AEF5B619DBC52A194C8BBE91B | |||
| 7092 | chaindllNet.exe | C:\ProgramData\Comms\backgroundTaskHost.exe | executable | |
MD5:858CDA722C93131A66F356DC0EB69BFF | SHA256:F1B46592E22829A3313996673869726465277D4AEF5B619DBC52A194C8BBE91B | |||
| 6352 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | C:\ProgramData\autohotkey.exe | executable | |
MD5:70F256537F96AAA18B20837A4E90144B | SHA256:42AEBCEB7C6B4CE838877CF2D0B4D2305EAD1E0CC34BB9A87D743D98BD908666 | |||
| 6412 | autohotkey.exe | C:\componentsvc\uV2QaNs0DJabkDJnku.bat | text | |
MD5:5D27D53EFE63A68146DA8DB9DFB31275 | SHA256:55A9573A14B03D74DE941BCC2C6105F88291EE35C403ECB18E2F1C0D25336002 | |||
| 7092 | chaindllNet.exe | C:\Windows\Tasks\9e60a5f7a3bd80 | text | |
MD5:C30CD4EC2D8DAF650652A6FECB3B70B5 | SHA256:958123FE45E65D8ACE160526125639E9E7FD48C53717F7AB0CC1E2AF0CF021CB | |||
| 7092 | chaindllNet.exe | C:\componentsvc\fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | executable | |
MD5:858CDA722C93131A66F356DC0EB69BFF | SHA256:F1B46592E22829A3313996673869726465277D4AEF5B619DBC52A194C8BBE91B | |||
| 7092 | chaindllNet.exe | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Memory Compression.exe | executable | |
MD5:858CDA722C93131A66F356DC0EB69BFF | SHA256:F1B46592E22829A3313996673869726465277D4AEF5B619DBC52A194C8BBE91B | |||
| 7092 | chaindllNet.exe | C:\Users\admin\Music\ea9f0e6c9e2dcd | text | |
MD5:C9250B2116018592B09AD708674F2FB0 | SHA256:D5E0E84BC9343BC7BE5BDD7F005BEDBB604C617F295E023C93EBB4C332159EE9 | |||
| 7092 | chaindllNet.exe | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\1a5d5b8dcee3d8 | text | |
MD5:25B0E4E74150637EB82E1B943FFC250B | SHA256:7E2DA678D678C9EBB476AC1B75DC66352FFA90962DE5892DB0D622B780F5F19A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
66
DNS requests
22
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5548 | svchost.exe | GET | 200 | 2.16.2.82:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
6352 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | GET | 200 | 141.8.192.103:80 | http://a0992844.xsph.ru/autohotkey/autohotkey.exe | unknown | — | — | unknown |
5548 | svchost.exe | GET | 200 | 23.61.152.46:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5056 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
4680 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | — | — | unknown |
5620 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | GET | 200 | 141.8.192.103:80 | http://a0992844.xsph.ru/L1nc0In.php?NBRv8ttAuqVD4L=VycFn691uEXJ5XlkN&jKMMpJJGXiaLiTzIDZSpMcNKhrkjy=JGIJVATJIT5giabjfEUx&MRhrG6Cp7ik=uZUDZ7yy4Q9&c481e0d242f048f9b86cea4601756d81=aed46008058fad7a8fb61656ef827ca9&85f4c5a30df1adc7f9a53a07f235a274=QZxEzMlVTNxcTMhJ2YmZmMzYDO0QzMwEGNlZWN0MWOhJWZhJzYlVmM&NBRv8ttAuqVD4L=VycFn691uEXJ5XlkN&jKMMpJJGXiaLiTzIDZSpMcNKhrkjy=JGIJVATJIT5giabjfEUx&MRhrG6Cp7ik=uZUDZ7yy4Q9 | unknown | — | — | unknown |
5620 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | GET | 200 | 141.8.192.103:80 | http://a0992844.xsph.ru/L1nc0In.php?8dUS8RqlKjwyW8v8XOe=H30YTHgmOAoYNvu&23e63400e973094661d00abb91ee383c=gY0IGZ1EDNxkDN0YmNilDOyUWO1M2MhdTM1IWY4ETNxYWMmdjM1QWN0YTO4YDNyMDMyQjMwETM&85f4c5a30df1adc7f9a53a07f235a274=wN2kDNmBTN2czY5cTO1ETOkBTZlNzM5IzM3ATYxgTMhFjY3kDNyQDZ&20621311360bf783adb08c3b64c5c7c0=0VfiIiOiAzY0QGZ0EWY2ETMmZ2Y5UjY3QmMxYmMhRzM1EDNhljYiwiI4IWY0YWNhhzMyY2YjJzYzYDOlVzM0MGZyIWZlJmYhFTZzMTNiZWYkJiOiUzMyUzNjVjN2IjZ2gDM5MGMzIGMkZGOwczNxYzMzAzNiwiI2gjYmVWNwMzNzcjZiRDOkJGM5ATZkNjN3YjMmRzY2kTY4E2NxkTNiJiOiImYjJTO2UTZ4MmYyUjYmFjYiJGN3AjZjVWMjhTN1MjZis3W | unknown | — | — | unknown |
5620 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | GET | 200 | 141.8.192.103:80 | http://a0992844.xsph.ru/L1nc0In.php?8dUS8RqlKjwyW8v8XOe=H30YTHgmOAoYNvu&23e63400e973094661d00abb91ee383c=gY0IGZ1EDNxkDN0YmNilDOyUWO1M2MhdTM1IWY4ETNxYWMmdjM1QWN0YTO4YDNyMDMyQjMwETM&85f4c5a30df1adc7f9a53a07f235a274=wN2kDNmBTN2czY5cTO1ETOkBTZlNzM5IzM3ATYxgTMhFjY3kDNyQDZ&96fd5cbb193cb580254189392e4c39c1=d1nIzMzNwcjYmdTMkVGMiNTN4UDN1MGZ2UDN2EGMwMmM3gzM3EmMlFWNxIiOiUzMyUzNjVjN2IjZ2gDM5MGMzIGMkZGOwczNxYzMzAzNiwiI2gjYmVWNwMzNzcjZiRDOkJGM5ATZkNjN3YjMmRzY2kTY4E2NxkTNiJiOiImYjJTO2UTZ4MmYyUjYmFjYiJGN3AjZjVWMjhTN1MjZis3W&20621311360bf783adb08c3b64c5c7c0=d1nIiojIwMGNkRGNhFmNxEjZmNWO1I2NkJTMmJTY0MTNxQTY5ImIsIyMzcDM3ImZ3EDZlBjYzUDO1QTNjRmN1QjNhBDMjJzN4MzNhJTZhVTMiojI1MjM1czY1YjNyYmN4ATOjBzMiBDZmhDM3cTM2MzMwcjIsIiN4ImZlVDMzczM3YmY0gDZiBTOwUGZzYzN2IjZ0MmN5EGOhdTM5UjYiojIiJ2YykjN1UGOjJmM1ImZxImYiRzNwY2YlFzY4UTNzYmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSspFWhBjTXFVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlWS2kUekZnUtJGckZkVEZ0aJNXSpRVavpWS0ZkMZlmVyYles1WSzl0UXl2bqlEb1IjYvJ0MilnTXFmTOhVYpdXaJBHNyQmd1ITY1ZlRLdGNyQmd1ITY1ZFbJZTSTpFdG1GVWJUMRl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxIVa3lWSPpUaPlGNXFGdSdVU6xWbJNXSplkNJlnUCJFbJNXSDRGcKVUSwkFRJxmTYFWeC52YsJlbiZkQD1EeBl3YzkzRaVHbyYVavpWS5ZVbWVHbyYVa3NlZpRzVhNnSYp1Q5MlW3lTbjFjVrlkNJNlW1lTblxWMXFGMKNETpFERNdXQE10dJl2Tpd3VZBjTzI2dKNETptmbihWMtNGbkVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNZRUTwQTeNh3dp5UNFRlT1lEVOl2bqlka5ckYpdXaJZkUrlkNJNVZ5JlbiFTOykVa3lWS1x2RilnVtF1ZR1mYoh3aJZTSpJmdsJjWspkbJNXSpJGc412Ysp0aJZTSTVGMsJTWpdXaJFTQU1UdNpnT4RzQOhXSqxEenRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiAzY0QGZ0EWY2ETMmZ2Y5UjY3QmMxYmMhRzM1EDNhljYiwiIkJGMidDN3ITYkNzN0ATNxIWZxUjMjhDZlRGMjdjMzcTZjFGNxMGZlJiOiUzMyUzNjVjN2IjZ2gDM5MGMzIGMkZGOwczNxYzMzAzNiwiI2gjYmVWNwMzNzcjZiRDOkJGM5ATZkNjN3YjMmRzY2kTY4E2NxkTNiJiOiImYjJTO2UTZ4MmYyUjYmFjYiJGN3AjZjVWMjhTN1MjZis3W | unknown | — | — | unknown |
5620 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | GET | 200 | 141.8.192.103:80 | http://a0992844.xsph.ru/L1nc0In.php?8dUS8RqlKjwyW8v8XOe=H30YTHgmOAoYNvu&23e63400e973094661d00abb91ee383c=gY0IGZ1EDNxkDN0YmNilDOyUWO1M2MhdTM1IWY4ETNxYWMmdjM1QWN0YTO4YDNyMDMyQjMwETM&85f4c5a30df1adc7f9a53a07f235a274=wN2kDNmBTN2czY5cTO1ETOkBTZlNzM5IzM3ATYxgTMhFjY3kDNyQDZ&6e1f636c3ddb7b1f8e6f68e21584be2a=0VfiElZp1UbkpnUuJGb1IjY3FjMipGeGhlNNtWS2k0QhBjRHVVa3lWS1R2MiVHdtJmVKl2Tpd2RkhmQGpVe5ITW6x2RSl2dplUavpWSvJFWZFVMXlVekdlWzZ1RWl2dplUavpWS6JESjJUMXlFbSNTVpdXaJVHZzIWd01mYWpUaPlWUVNVeWJzYWFzVZxmUzUVa3lWS1R2MiVHdtJmVKl2TplEWapnVWJGaWdEZUp0QMlGNyQmd1ITY1ZFbJZTS5pVdGdEV0Z0VaBjTsl0cJlmYzkTbiJXNXZVavpWSvJFWZFVMXlFbSNTVpdXaJZHbHpVMGVUSzsmeKRkRFlkcWdEZzZ0VaNlQTxUenNUS1xWRJxWNXFWT1cEW5hnVkJkQ55UNjlXUCJUehxmUIJGaW1WVnBTaN9WQTpVd5cUY3lTbjpGbXRVavpWS6ZVbiZHaHNmdKNTWwFzaJNXSplkNJl3Y0ZkMZlmVyYVa3lWS1hHbjNmRUdlQ4VUVUxWRSNGesx0Y4ZEWjpUaPlWTuJGbW12Yq5EbJNXS5tEN0MkTp9maJVXOXFmeKhlWXRXbjZHZYpFdG12YHpUelJiOiAzY0QGZ0EWY2ETMmZ2Y5UjY3QmMxYmMhRzM1EDNhljYiwiI4IWY0YWNhhzMyY2YjJzYzYDOlVzM0MGZyIWZlJmYhFTZzMTNiZWYkJiOiUzMyUzNjVjN2IjZ2gDM5MGMzIGMkZGOwczNxYzMzAzNiwiI2gjYmVWNwMzNzcjZiRDOkJGM5ATZkNjN3YjMmRzY2kTY4E2NxkTNiJiOiImYjJTO2UTZ4MmYyUjYmFjYiJGN3AjZjVWMjhTN1MjZis3W | unknown | — | — | unknown |
5620 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | GET | 200 | 141.8.192.103:80 | http://a0992844.xsph.ru/L1nc0In.php?8dUS8RqlKjwyW8v8XOe=H30YTHgmOAoYNvu&23e63400e973094661d00abb91ee383c=gY0IGZ1EDNxkDN0YmNilDOyUWO1M2MhdTM1IWY4ETNxYWMmdjM1QWN0YTO4YDNyMDMyQjMwETM&85f4c5a30df1adc7f9a53a07f235a274=wN2kDNmBTN2czY5cTO1ETOkBTZlNzM5IzM3ATYxgTMhFjY3kDNyQDZ&96fd5cbb193cb580254189392e4c39c1=d1nIzMzNwcjYmdTMkVGMiNTN4UDN1MGZ2UDN2EGMwMmM3gzM3EmMlFWNxIiOiUzMyUzNjVjN2IjZ2gDM5MGMzIGMkZGOwczNxYzMzAzNiwiI2gjYmVWNwMzNzcjZiRDOkJGM5ATZkNjN3YjMmRzY2kTY4E2NxkTNiJiOiImYjJTO2UTZ4MmYyUjYmFjYiJGN3AjZjVWMjhTN1MjZis3W&20621311360bf783adb08c3b64c5c7c0=d1nIiojIwMGNkRGNhFmNxEjZmNWO1I2NkJTMmJTY0MTNxQTY5ImIsIyMzcDM3ImZ3EDZlBjYzUDO1QTNjRmN1QjNhBDMjJzN4MzNhJTZhVTMiojI1MjM1czY1YjNyYmN4ATOjBzMiBDZmhDM3cTM2MzMwcjIsIiN4ImZlVDMzczM3YmY0gDZiBTOwUGZzYzN2IjZ0MmN5EGOhdTM5UjYiojIiJ2YykjN1UGOjJmM1ImZxImYiRzNwY2YlFzY4UTNzYmI7xSfiElZx8maJBjVzIGbxcVYVJEWaxGeyUVa3lWSspFWhBjTXFVavpWS6ZFSkhmUzUVNShVYyw2RkpmRrl0cJlWS2kUekZnUtJGckZkVEZ0aJNXSpRVavpWS0ZkMZlmVyYles1WSzl0UXl2bqlEb1IjYvJ0MilnTXFmTOhVYpdXaJBHNyQmd1ITY1ZlRLdGNyQmd1ITY1ZFbJZTSTpFdG1GVWJUMRl2dplEc0IDZ2VjMhVnVGt0Z0IDZ2VjMhVnVslkNJNlW0ZUbUZlQxIVa3lWSPpUaPlGNXFGdSdVU6xWbJNXSplkNJlnUCJFbJNXSDRGcKVUSwkFRJxmTYFWeC52YsJlbiZkQD1EeBl3YzkzRaVHbyYVavpWS5ZVbWVHbyYVa3NlZpRzVhNnSYp1Q5MlW3lTbjFjVrlkNJNlW1lTblxWMXFGMKNETpFERNdXQE10dJl2Tpd3VZBjTzI2dKNETptmbihWMtNGbkVUS0F0QaxGbtpFcOdlW35ESJBTOtRVavpWSup0Mil2dplUNZRUTwQTeNh3dp5UNFRlT1lEVOl2bqlka5ckYpdXaJZkUrlkNJNVZ5JlbiFTOykVa3lWS1x2RilnVtF1ZR1mYoh3aJZTSpJmdsJjWspkbJNXSpJGc412Ysp0aJZTSTVGMsJTWpdXaJFTQU1UdNpnT4RzQOhXSqxEenRVTp9maJdHbtl0NwpWS2pVbipkQYNVa3lWS1x2VitmRtlkNJNlW0ZUbUlnVyMmVKNETpFVRUtEeFRFSwVFTRlTRWxkTWJVRKl2TpV1VihWNwEVUKNETplkeNVXVqxEMJl2TplEWadlSYplMKhlWUp0QMlWT5FVavpWSsJEWlVlSYplMKhlWUpUelJiOiAzY0QGZ0EWY2ETMmZ2Y5UjY3QmMxYmMhRzM1EDNhljYiwiIkJGMidDN3ITYkNzN0ATNxIWZxUjMjhDZlRGMjdjMzcTZjFGNxMGZlJiOiUzMyUzNjVjN2IjZ2gDM5MGMzIGMkZGOwczNxYzMzAzNiwiI2gjYmVWNwMzNzcjZiRDOkJGM5ATZkNjN3YjMmRzY2kTY4E2NxkTNiJiOiImYjJTO2UTZ4MmYyUjYmFjYiJGN3AjZjVWMjhTN1MjZis3W | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2384 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4364 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
6352 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | 141.8.192.103:80 | a0992844.xsph.ru | Sprinthost.ru LLC | RU | unknown |
5548 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5548 | svchost.exe | 2.16.2.82:80 | crl.microsoft.com | Akamai International B.V. | CZ | whitelisted |
5548 | svchost.exe | 23.61.152.46:80 | www.microsoft.com | AKAMAI-AS | BR | unknown |
4680 | SearchApp.exe | 23.212.110.161:443 | www.bing.com | Akamai International B.V. | CZ | unknown |
4680 | SearchApp.exe | 23.212.110.162:443 | www.bing.com | Akamai International B.V. | CZ | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
a0992844.xsph.ru |
| unknown |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
r.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
pastebin.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2184 | svchost.exe | Misc activity | ET INFO Observed DNS Query to xsph .ru Domain |
6352 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
6352 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User-Agent (AutoHotkey) |
5620 | fe97c8c1e0a639e51fe0fa1d9aa863067b19b37d10d78d5bcf7d2b1d69550708.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET) |
3 ETPRO signatures available at the full report