File name: 0bc68db77e687fa52b2f367994c5bc6f.exe

Full analysis: https://app.any.run/tasks/05d69c9d-2523-40d2-9b83-281eabd14f43
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: December 14, 2024, 02:54:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: rat, dcrat, remote, darkcrystal, netreactor, susp-powershell, wmi-base64
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 0BC68DB77E687FA52B2F367994C5BC6F
SHA1: ECF69C28AA53920F6279AD29D5BC9BB02542E841
SHA256: 3055D261F05A0656B1B92D9FA8ED3A72111A3A5C6D036D13D3D3A304CA99B987
SSDEEP: 98304:ZFrKdQD56mtoFgfhJiJ5zPHY+Pewr+XMg27aQ4Y27ieBxu++LAYj6gNIKe3y7kls:ZudcpA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • UAC/LUA settings modification

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Changes the login/logoff helper path in the registry

      • SavesintoHost.exe (PID: 936)
    • Changes the autorun value in the registry

      • SavesintoHost.exe (PID: 936)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 4548)
      • wscript.exe (PID: 6780)
      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 7056)
      • wscript.exe (PID: 6284)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 2076)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 3620)
      • wscript.exe (PID: 6912)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 1400)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 5992)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 6388)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
      • wscript.exe (PID: 3928)
    • DARKCRYSTAL has been detected (SURICATA)

      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
    • DCRAT has been detected (YARA)

      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 6340)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • SavesintoHost.exe (PID: 936)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 4548)
      • SavesintoHost.exe (PID: 936)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 4548)
      • SavesintoHost.exe (PID: 936)
    • Executable content was dropped or overwritten

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
    • Reads security settings of Internet Explorer

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • ShellExperienceHost.exe (PID: 6016)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Executed via WMI

      • schtasks.exe (PID: 5040)
      • schtasks.exe (PID: 2792)
      • schtasks.exe (PID: 3736)
      • schtasks.exe (PID: 5604)
      • schtasks.exe (PID: 836)
      • schtasks.exe (PID: 3808)
      • schtasks.exe (PID: 5788)
      • schtasks.exe (PID: 5488)
      • schtasks.exe (PID: 5604)
      • schtasks.exe (PID: 2144)
      • schtasks.exe (PID: 4132)
      • schtasks.exe (PID: 1520)
      • schtasks.exe (PID: 3736)
      • schtasks.exe (PID: 1328)
      • schtasks.exe (PID: 1576)
      • schtasks.exe (PID: 5432)
      • schtasks.exe (PID: 3620)
      • schtasks.exe (PID: 5788)
      • schtasks.exe (PID: 3680)
      • schtasks.exe (PID: 1612)
      • schtasks.exe (PID: 5432)
      • schtasks.exe (PID: 5096)
      • schtasks.exe (PID: 6204)
      • schtasks.exe (PID: 6172)
      • schtasks.exe (PID: 5000)
      • schtasks.exe (PID: 6224)
      • schtasks.exe (PID: 2008)
      • schtasks.exe (PID: 5000)
      • schtasks.exe (PID: 4188)
      • schtasks.exe (PID: 6288)
      • schtasks.exe (PID: 6268)
      • schtasks.exe (PID: 6388)
      • schtasks.exe (PID: 6304)
      • schtasks.exe (PID: 6332)
      • schtasks.exe (PID: 6368)
      • schtasks.exe (PID: 6352)
      • schtasks.exe (PID: 6416)
      • schtasks.exe (PID: 6432)
      • schtasks.exe (PID: 6240)
    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 6480)
    • The process executes VB scripts

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Reads the date of Windows installation

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 6780)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 7056)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 6284)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 2076)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 3620)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 6912)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 1400)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 5992)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 6388)
      • wscript.exe (PID: 5592)
      • wscript.exe (PID: 3928)
      • wscript.exe (PID: 6680)
      • wscript.exe (PID: 6776)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4548)
      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
      • wscript.exe (PID: 6776)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
  • INFO

    • Checks supported languages

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • ShellExperienceHost.exe (PID: 6016)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Reads the machine GUID from the registry

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Reads Environment values

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Reads the computer name

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • ShellExperienceHost.exe (PID: 6016)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • The sample compiled with english language support

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • wscript.exe (PID: 4548)
    • The process uses the downloaded file

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • wscript.exe (PID: 4548)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Process checks whether UAC notifications are on

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Creates files in the program directory

      • SavesintoHost.exe (PID: 936)
    • Process checks computer location settings

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Create files in a temporary directory

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Reads Microsoft Office registry keys

      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Disables trace logs

      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
    • Checks proxy server information

      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
    • .NET Reactor protector has been detected

      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 6340)
    • Found Base64 encoded reference to WMI classes (YARA)

      • csrss.exe (PID: 6864)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • csrss.exe (PID: 6864)
    • Found Base64 encoded reference to AntiVirus WMI classes (YARA)

      • csrss.exe (PID: 6864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 114176
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 203
Monitored processes: 84
Malicious processes: 27
Suspicious processes: 11

Behavior graph

(Interactive graph; only the node labels survive on the page.) 0bc68db77e687fa52b2f367994c5bc6f.exe → wscript.exe, wscript.exe, cmd.exe, conhost.exe, savesintohost.exe, shellexperiencehost.exe, a long run of schtasks.exe nodes, cmd.exe, conhost.exe, w32tm.exe; then csrss.exe nodes tagged #DARKCRYSTAL, each followed by two wscript.exe nodes; then csrss.exe, wscript.exe, wscript.exe, svchost.exe, 0bc68db77e687fa52b2f367994c5bc6f.exe. Nodes labelled "no specs" carry no indicators.

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process, followed by process details and loaded modules (images).
PID: 628
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 836
CMD: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 936
CMD: "C:\comSurrogatecontainercomponentRef\SavesintoHost.exe"
Path: C:\comSurrogatecontainercomponentRef\SavesintoHost.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 5.15.2.0
Modules (Images):
c:\comsurrogatecontainercomponentref\savesintohost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1328
CMD: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 5 /tr "'C:\comSurrogatecontainercomponentRef\Memory Compression.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1400
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\af9efa2c-f635-409a-a1a8-0a9371ff83d7.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: csrss.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Version: 5.812.10240.16384
Modules (Images):
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1520
CMD: schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\comSurrogatecontainercomponentRef\dwm.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1576
CMD: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1612
CMD: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Multimedia Platform\sihost.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2008
CMD: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\en-US\TextInputHost.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2040
CMD: "C:\Program Files\CCleaner\Setup\csrss.exe"
Path: C:\Program Files\CCleaner\Setup\csrss.exe
Parent process: wscript.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 5.15.2.0
Modules (Images):
c:\program files\ccleaner\setup\csrss.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 40 549
Read events: 40 418
Write events: 131
Delete events: 0

Modification events

(PID) Process: (6132) 0bc68db77e687fa52b2f367994c5bc6f.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (6132) 0bc68db77e687fa52b2f367994c5bc6f.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation: write
Name: VBSFile
Value:

(PID) Process: (936) SavesintoHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (936) SavesintoHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

(PID) Process: (936) SavesintoHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: PromptOnSecureDesktop
Value: 0

(PID) Process: (936) SavesintoHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000

(PID) Process: (936) SavesintoHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Memory Compression
Value: "C:\comSurrogatecontainercomponentRef\Memory Compression.exe"

(PID) Process: (936) SavesintoHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Memory Compression
Value: "C:\comSurrogatecontainercomponentRef\Memory Compression.exe"

(PID) Process: (936) SavesintoHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value: explorer.exe, "C:\comSurrogatecontainercomponentRef\Memory Compression.exe"

(PID) Process: (936) SavesintoHost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: OfficeClickToRun
Value: "C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe"
Executable files: 15
Suspicious files: 1
Text files: 39
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6132 | 0bc68db77e687fa52b2f367994c5bc6f.exe | C:\comSurrogatecontainercomponentRef\4Vp3r4P.vbe | binary
  MD5: 5D646684DEBBC53C0C7EC5FA65F23216
  SHA256: CDDD4A030F867ACB39A0E7697732CBD57BB2E5E9F0D81FC1E7D752D57C1EE195
6132 | 0bc68db77e687fa52b2f367994c5bc6f.exe | C:\comSurrogatecontainercomponentRef\QZY1IZ9a6YLs5.bat | text
  MD5: CBBA91293FED3DFB5A3A0CD0EC53B505
  SHA256: 062CFF19B7BE8C7D9C9941F75B9225982EB3799A766EE73659251F7D0C0B299D
936 | SavesintoHost.exe | C:\comSurrogatecontainercomponentRef\1a5d5b8dcee3d8 | text
  MD5: 8A77E148AD5523E1B52351C2B34B2F27
  SHA256: 372EABE926B4184F12FB88310F38CCBA5EE12AD6CF977B4590B5A02C77863356
936 | SavesintoHost.exe | C:\comSurrogatecontainercomponentRef\dwm.exe | executable
  MD5: 3AA1BBD17D68B0B67B7423F1FE09B05B
  SHA256: 7362F82084BCDF47B0927674AD678F66214E8D4F2783A0B9338EE4EB773C3474
936 | SavesintoHost.exe | C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe | executable
  MD5: 3AA1BBD17D68B0B67B7423F1FE09B05B
  SHA256: 7362F82084BCDF47B0927674AD678F66214E8D4F2783A0B9338EE4EB773C3474
936 | SavesintoHost.exe | C:\Program Files\Windows Portable Devices\e6c9b481da804f | text
  MD5: C3CE177066BD717D8C6DCA8136E6C4B3
  SHA256: 28E31DFB6BCC9DCF3EE8479E8AFC9E0A4C4F0FBB49AA54F91C1CBCDE9C1F52E4
936 | SavesintoHost.exe | C:\Recovery\Logs\TextInputHost.exe | executable
  MD5: 3AA1BBD17D68B0B67B7423F1FE09B05B
  SHA256: 7362F82084BCDF47B0927674AD678F66214E8D4F2783A0B9338EE4EB773C3474
936 | SavesintoHost.exe | C:\comSurrogatecontainercomponentRef\6cb0b6c459d5d3 | text
  MD5: FE69D4F39FDD2E403B2397A82B5EA344
  SHA256: 0BAEC4DD3DD24D3E963E05141A45A222CCEC562E37FA4030AEB0587938B6F6EC
936 | SavesintoHost.exe | C:\Users\Default\Music\SearchApp.exe | executable
  MD5: 3AA1BBD17D68B0B67B7423F1FE09B05B
  SHA256: 7362F82084BCDF47B0927674AD678F66214E8D4F2783A0B9338EE4EB773C3474
936 | SavesintoHost.exe | C:\Program Files (x86)\Windows Defender\en-US\22eafd247d37c3 | text
  MD5: 749E6DC8DB1DC677765D2B323575145C
  SHA256: FD4E91DB004EBCC4FC03C913F5D54F275BA9573449D0711C37D1E909DA3C2905
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 29
DNS requests: 7
Threats: 11

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
(The Type and Size columns are empty for every row.)

4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2736 | svchost.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2736 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6572 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?Gq4j=XBcV5RGJb5b5ANjMXMC&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&Gq4j=XBcV5RGJb5b5ANjMXMC | unknown | malicious
6572 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?Gq4j=XBcV5RGJb5b5ANjMXMC&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&Gq4j=XBcV5RGJb5b5ANjMXMC | unknown | whitelisted
6864 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?YVfVOmyJyI=7wr5G0btj0q4fECwzy9m&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&YVfVOmyJyI=7wr5G0btj0q4fECwzy9m | unknown | whitelisted
6864 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?YVfVOmyJyI=7wr5G0btj0q4fECwzy9m&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&YVfVOmyJyI=7wr5G0btj0q4fECwzy9m | unknown | malicious
6340 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?6fF3AjFmOccPCKrveL=DQRG&iWjIU=JWLG5FUju09JftfpmN&Zqx2xRpY9UnA6SpSGD5Pmb5b=EGwXl2uWZ&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&6fF3AjFmOccPCKrveL=DQRG&iWjIU=JWLG5FUju09JftfpmN&Zqx2xRpY9UnA6SpSGD5Pmb5b=EGwXl2uWZ | unknown | whitelisted
7132 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?BEG4M0RUNFJgGRYCC3FZIvWwrAVH=B14T6iuMi&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&BEG4M0RUNFJgGRYCC3FZIvWwrAVH=B14T6iuMi | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(Empty cells are fields the report left blank.)

4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 |  | 192.168.100.255:137 |  |  |  | whitelisted
2736 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 |  | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2736 | svchost.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2736 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2736 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158 | whitelisted
google.com | 216.58.206.46 | whitelisted
crl.microsoft.com | 2.16.164.106, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
a1063683.xsph.ru | 141.8.192.138 | malicious
self.events.data.microsoft.com | 20.52.64.200 | whitelisted

Threats

PID | Process | Class | Message

2192 | svchost.exe | Misc activity | ET INFO Observed DNS Query to xsph .ru Domain
6572 | csrss.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
6864 | csrss.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
7132 | csrss.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
6340 | csrss.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
6548 | csrss.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
6616 | csrss.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
2084 | csrss.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
6152 | csrss.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
2040 | csrss.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
No debug info