File name: 0bc68db77e687fa52b2f367994c5bc6f.exe

Full analysis: https://app.any.run/tasks/05d69c9d-2523-40d2-9b83-281eabd14f43
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: December 14, 2024, 02:54:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
dcrat
remote
darkcrystal
netreactor
susp-powershell
wmi-base64
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 0BC68DB77E687FA52B2F367994C5BC6F
SHA1: ECF69C28AA53920F6279AD29D5BC9BB02542E841
SHA256: 3055D261F05A0656B1B92D9FA8ED3A72111A3A5C6D036D13D3D3A304CA99B987
SSDEEP: 98304:ZFrKdQD56mtoFgfhJiJ5zPHY+Pewr+XMg27aQ4Y27ieBxu++LAYj6gNIKe3y7kls:ZudcpA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 4548)
      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 6780)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 7056)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 6284)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 2076)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 3620)
      • wscript.exe (PID: 6912)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 1400)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 5992)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 6388)
      • wscript.exe (PID: 5592)
      • wscript.exe (PID: 3928)
    • UAC/LUA settings modification

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Changes the autorun value in the registry

      • SavesintoHost.exe (PID: 936)
    • Changes the login/logoff helper path in the registry

      • SavesintoHost.exe (PID: 936)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
    • DARKCRYSTAL has been detected (SURICATA)

      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
    • DCRAT has been detected (YARA)

      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 6340)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • SavesintoHost.exe (PID: 936)
    • Executable content was dropped or overwritten

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
    • Reads security settings of Internet Explorer

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • ShellExperienceHost.exe (PID: 6016)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • The process executes VB scripts

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 4548)
      • SavesintoHost.exe (PID: 936)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4548)
      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 4548)
      • SavesintoHost.exe (PID: 936)
    • Executed via WMI

      • schtasks.exe (PID: 5040)
      • schtasks.exe (PID: 1328)
      • schtasks.exe (PID: 3736)
      • schtasks.exe (PID: 2792)
      • schtasks.exe (PID: 836)
      • schtasks.exe (PID: 1576)
      • schtasks.exe (PID: 5604)
      • schtasks.exe (PID: 3808)
      • schtasks.exe (PID: 4132)
      • schtasks.exe (PID: 5788)
      • schtasks.exe (PID: 5488)
      • schtasks.exe (PID: 2008)
      • schtasks.exe (PID: 2144)
      • schtasks.exe (PID: 3736)
      • schtasks.exe (PID: 5604)
      • schtasks.exe (PID: 5432)
      • schtasks.exe (PID: 1520)
      • schtasks.exe (PID: 5788)
      • schtasks.exe (PID: 5000)
      • schtasks.exe (PID: 5432)
      • schtasks.exe (PID: 5096)
      • schtasks.exe (PID: 1612)
      • schtasks.exe (PID: 3620)
      • schtasks.exe (PID: 5000)
      • schtasks.exe (PID: 6172)
      • schtasks.exe (PID: 4188)
      • schtasks.exe (PID: 3680)
      • schtasks.exe (PID: 6204)
      • schtasks.exe (PID: 6240)
      • schtasks.exe (PID: 6224)
      • schtasks.exe (PID: 6332)
      • schtasks.exe (PID: 6268)
      • schtasks.exe (PID: 6352)
      • schtasks.exe (PID: 6388)
      • schtasks.exe (PID: 6304)
      • schtasks.exe (PID: 6416)
      • schtasks.exe (PID: 6288)
      • schtasks.exe (PID: 6368)
      • schtasks.exe (PID: 6432)
    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 6480)
    • Reads the date of Windows installation

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 6780)
      • wscript.exe (PID: 7056)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 6284)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 2076)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 3620)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 6912)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 1400)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 5992)
      • wscript.exe (PID: 6388)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
      • wscript.exe (PID: 3928)
      • wscript.exe (PID: 6776)
      • wscript.exe (PID: 6680)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
      • wscript.exe (PID: 6776)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 6748)
      • wscript.exe (PID: 7024)
      • wscript.exe (PID: 6252)
      • wscript.exe (PID: 2972)
      • wscript.exe (PID: 5560)
      • wscript.exe (PID: 6952)
      • wscript.exe (PID: 7012)
      • wscript.exe (PID: 7164)
      • wscript.exe (PID: 3840)
      • wscript.exe (PID: 5592)
  • INFO

    • Checks supported languages

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • ShellExperienceHost.exe (PID: 6016)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • The sample compiled with english language support

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
    • Reads the computer name

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • SavesintoHost.exe (PID: 936)
      • ShellExperienceHost.exe (PID: 6016)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • wscript.exe (PID: 4548)
    • Process checks computer location settings

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • The process uses the downloaded file

      • 0bc68db77e687fa52b2f367994c5bc6f.exe (PID: 6132)
      • wscript.exe (PID: 4548)
      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Reads Environment values

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Reads the machine GUID from the registry

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Process checks whether UAC notifications are on

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Creates files in the program directory

      • SavesintoHost.exe (PID: 936)
    • Create files in a temporary directory

      • SavesintoHost.exe (PID: 936)
      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Reads Microsoft Office registry keys

      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
      • csrss.exe (PID: 3296)
    • Disables trace logs

      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
    • Checks proxy server information

      • csrss.exe (PID: 6572)
      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 7132)
      • csrss.exe (PID: 6340)
      • csrss.exe (PID: 6548)
      • csrss.exe (PID: 6616)
      • csrss.exe (PID: 2084)
      • csrss.exe (PID: 6152)
      • csrss.exe (PID: 2040)
      • csrss.exe (PID: 2612)
    • .NET Reactor protector has been detected

      • csrss.exe (PID: 6864)
      • csrss.exe (PID: 6340)
    • Found Base64 encoded reference to AntiVirus WMI classes (YARA)

      • csrss.exe (PID: 6864)
    • Found Base64 encoded reference to WMI classes (YARA)

      • csrss.exe (PID: 6864)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • csrss.exe (PID: 6864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1ec40
UninitializedDataSize: -
InitializedDataSize: 114176
CodeSize: 201216
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2020:12:01 18:00:55+00:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 203
Monitored processes: 84
Malicious processes: 27
Suspicious processes: 11

Behavior graph

Process nodes shown in the graph, in order ("no specs" marks a node with no signature hits; "#DARKCRYSTAL" marks a node tagged by the DarkCrystal detection):
  • start → svchost.exe
  • 0bc68db77e687fa52b2f367994c5bc6f.exe (no specs), then a second 0bc68db77e687fa52b2f367994c5bc6f.exe
  • wscript.exe (no specs) ×2
  • cmd.exe (no specs), conhost.exe (no specs)
  • savesintohost.exe
  • shellexperiencehost.exe (no specs)
  • schtasks.exe (no specs), a long run of nodes, one per task-creation call (see "Executed via WMI" above)
  • cmd.exe (no specs), conhost.exe (no specs), w32tm.exe (no specs)
  • #DARKCRYSTAL csrss.exe followed by wscript.exe (no specs) ×2; this group appears 10 times
  • csrss.exe (no specs), wscript.exe (no specs) ×2

Process information

PID 2192 | CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | Path: C:\Windows\System32\svchost.exe | Parent: services.exe
  User: NETWORK SERVICE | Company: Microsoft Corporation | Integrity level: SYSTEM | Description: Host Process for Windows Services | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\svchost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\kernel.appcore.dll

PID 5432 | CMD: "C:\Users\admin\Desktop\0bc68db77e687fa52b2f367994c5bc6f.exe" | Path: C:\Users\admin\Desktop\0bc68db77e687fa52b2f367994c5bc6f.exe | Parent: explorer.exe
  User: admin | Integrity level: MEDIUM | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch requested elevation)
  Modules (images): c:\users\admin\desktop\0bc68db77e687fa52b2f367994c5bc6f.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll

PID 6132 | CMD: "C:\Users\admin\Desktop\0bc68db77e687fa52b2f367994c5bc6f.exe" | Path: C:\Users\admin\Desktop\0bc68db77e687fa52b2f367994c5bc6f.exe | Parent: explorer.exe
  User: admin | Integrity level: HIGH | Exit code: 0
  Modules (images): c:\users\admin\desktop\0bc68db77e687fa52b2f367994c5bc6f.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll

PID 4548 | CMD: "C:\WINDOWS\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\4Vp3r4P.vbe" | Path: C:\Windows\SysWOW64\wscript.exe | Parent: 0bc68db77e687fa52b2f367994c5bc6f.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.812.10240.16384
  Modules (images): c:\windows\syswow64\wscript.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 5828 | CMD: "C:\WINDOWS\System32\WScript.exe" "C:\comSurrogatecontainercomponentRef\file.vbs" | Path: C:\Windows\SysWOW64\wscript.exe | Parent: 0bc68db77e687fa52b2f367994c5bc6f.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Microsoft ® Windows Based Script Host | Exit code: 0 | Version: 5.812.10240.16384
  Modules (images): c:\windows\syswow64\wscript.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\msvcrt.dll

PID 4308 | CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\comSurrogatecontainercomponentRef\QZY1IZ9a6YLs5.bat" " | Path: C:\Windows\SysWOW64\cmd.exe | Parent: wscript.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Windows Command Processor | Exit code: 0 | Version: 10.0.19041.3636 (WinBuild.160101.0800)
  Modules (images): c:\windows\syswow64\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll

PID 628 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Console Window Host | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll

PID 936 | CMD: "C:\comSurrogatecontainercomponentRef\SavesintoHost.exe" | Path: C:\comSurrogatecontainercomponentRef\SavesintoHost.exe | Parent: cmd.exe
  User: admin | Integrity level: HIGH | Exit code: 0 | Version: 5.15.2.0
  Modules (images): c:\comsurrogatecontainercomponentref\savesintohost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\mscoree.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll

PID 6016 | CMD: "C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca | Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe | Parent: svchost.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Windows Shell Experience Host | Version: 10.0.19041.3758 (WinBuild.160101.0800)
  Modules (images): c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\wincorlib.dll

PID 5040 | CMD: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 7 /tr "'C:\comSurrogatecontainercomponentRef\Memory Compression.exe'" /f | Path: C:\Windows\System32\schtasks.exe | Parent: WmiPrvSE.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Task Scheduler Configuration Tool | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images): c:\windows\system32\schtasks.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll, c:\windows\system32\rpcrt4.dll
Total events: 40 549
Read events: 40 418
Write events: 131
Delete events: 0

Modification events

(PID) Process | Key | Operation | Name | Value
(6132) 0bc68db77e687fa52b2f367994c5bc6f.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids | write | VBEFile | (empty)
(6132) 0bc68db77e687fa52b2f367994c5bc6f.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids | write | VBSFile | (empty)
(936) SavesintoHost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | EnableLUA | 0
(936) SavesintoHost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | ConsentPromptBehaviorAdmin | 0
(936) SavesintoHost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | PromptOnSecureDesktop | 0
(936) SavesintoHost.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | write | CheckSetting | 23004100430042006C006F00620000000000000000000000010000000000000000000000
(936) SavesintoHost.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Memory Compression | "C:\comSurrogatecontainercomponentRef\Memory Compression.exe"
(936) SavesintoHost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Memory Compression | "C:\comSurrogatecontainercomponentRef\Memory Compression.exe"
(936) SavesintoHost.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | write | Shell | explorer.exe, "C:\comSurrogatecontainercomponentRef\Memory Compression.exe"
(936) SavesintoHost.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | OfficeClickToRun | "C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe"
Executable files: 15
Suspicious files: 1
Text files: 39
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6132 | 0bc68db77e687fa52b2f367994c5bc6f.exe | C:\comSurrogatecontainercomponentRef\SavesintoHost.exe | executable
  MD5: 3AA1BBD17D68B0B67B7423F1FE09B05B
  SHA256: 7362F82084BCDF47B0927674AD678F66214E8D4F2783A0B9338EE4EB773C3474
936 | SavesintoHost.exe | C:\Users\Default\Music\38384e6a620884 | text
  MD5: 25C50C8A7A62B2B3F42222E373B5FA7C
  SHA256: 44C822ACC942B19B1515CFD0443CB85276067C4183BD4E4E70A7EC128C6E2C7D
936 | SavesintoHost.exe | C:\Program Files\Windows Portable Devices\OfficeClickToRun.exe | executable
  MD5: 3AA1BBD17D68B0B67B7423F1FE09B05B
  SHA256: 7362F82084BCDF47B0927674AD678F66214E8D4F2783A0B9338EE4EB773C3474 (same hashes as SavesintoHost.exe above: a copy of the same binary)
936 | SavesintoHost.exe | C:\Program Files\Windows Portable Devices\e6c9b481da804f | text
  MD5: C3CE177066BD717D8C6DCA8136E6C4B3
  SHA256: 28E31DFB6BCC9DCF3EE8479E8AFC9E0A4C4F0FBB49AA54F91C1CBCDE9C1F52E4
6132 | 0bc68db77e687fa52b2f367994c5bc6f.exe | C:\comSurrogatecontainercomponentRef\file.vbs | text
  MD5: 677CC4360477C72CB0CE00406A949C61
  SHA256: F1CCCB5AE4AA51D293BD3C7D2A1A04CB7847D22C5DB8E05AC64E9A6D7455AA0B
936 | SavesintoHost.exe | C:\Recovery\Logs\22eafd247d37c3 | text
  MD5: 5BA35E044B7B3F88C9A25B779DB0B940
  SHA256: 701DC60537FB8D0A3DBB038B8F4A680867A776AE372190517D6DBDE5F6E31F60
936 | SavesintoHost.exe | C:\comSurrogatecontainercomponentRef\Memory Compression.exe | executable
  MD5: 3AA1BBD17D68B0B67B7423F1FE09B05B
  SHA256: 7362F82084BCDF47B0927674AD678F66214E8D4F2783A0B9338EE4EB773C3474 (same hashes as SavesintoHost.exe above: a copy of the same binary)
6132 | 0bc68db77e687fa52b2f367994c5bc6f.exe | C:\comSurrogatecontainercomponentRef\QZY1IZ9a6YLs5.bat | text
  MD5: CBBA91293FED3DFB5A3A0CD0EC53B505
  SHA256: 062CFF19B7BE8C7D9C9941F75B9225982EB3799A766EE73659251F7D0C0B299D
936 | SavesintoHost.exe | C:\Users\Default\Music\SearchApp.exe | executable
  MD5: 3AA1BBD17D68B0B67B7423F1FE09B05B
  SHA256: 7362F82084BCDF47B0927674AD678F66214E8D4F2783A0B9338EE4EB773C3474 (same hashes as SavesintoHost.exe above: a copy of the same binary)
936 | SavesintoHost.exe | C:\ProgramData\PLUG\Logs\6dd19aba3e2428 | text
  MD5: 59E16918A6EE92D876553BFE5EC6AE9D
  SHA256: 7CBBA43AAEF2A272C2E8729F412CE54F8755DC62EB36A95E6BC2300988C4A31F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 24
TCP/UDP connections: 29
DNS requests: 7
Threats: 11

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation (the Type and Size columns are empty for every row)
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2736 | svchost.exe | GET | 200 | 2.16.164.106:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6864 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?YVfVOmyJyI=7wr5G0btj0q4fECwzy9m&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&YVfVOmyJyI=7wr5G0btj0q4fECwzy9m | unknown | whitelisted
7132 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?BEG4M0RUNFJgGRYCC3FZIvWwrAVH=B14T6iuMi&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&BEG4M0RUNFJgGRYCC3FZIvWwrAVH=B14T6iuMi | unknown | whitelisted
7132 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?BEG4M0RUNFJgGRYCC3FZIvWwrAVH=B14T6iuMi&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&BEG4M0RUNFJgGRYCC3FZIvWwrAVH=B14T6iuMi | unknown | whitelisted
2736 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6572 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?Gq4j=XBcV5RGJb5b5ANjMXMC&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&Gq4j=XBcV5RGJb5b5ANjMXMC | unknown | whitelisted
6864 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?YVfVOmyJyI=7wr5G0btj0q4fECwzy9m&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&YVfVOmyJyI=7wr5G0btj0q4fECwzy9m | unknown | malicious
6572 | csrss.exe | GET | 403 | 141.8.192.138:80 | http://a1063683.xsph.ru/2172ee40.php?Gq4j=XBcV5RGJb5b5ANjMXMC&c890477b200ba1ffc8ef461f54aaad3b=c3ccc9b0173ab12b589ddb5b569d75e1&61cb0d9d4a37c6ca1c8fa3a413f36a41=gYxEWNxQmZxcDOjJmNihTZzImNkRzNiFzMldjMzQWYhhTNmhzYjNWO&Gq4j=XBcV5RGJb5b5ANjMXMC | unknown | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
n/a | n/a | 192.168.100.255:137 | n/a | n/a | n/a | whitelisted
2736 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2736 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | n/a | n/a | n/a | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2736 | svchost.exe | 2.16.164.106:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2736 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2736 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 2.16.164.106
  • 2.16.164.49
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
a1063683.xsph.ru
  • 141.8.192.138
malicious
self.events.data.microsoft.com
  • 20.52.64.200
whitelisted

Threats

Class | Message (the PID and Process columns are empty for every row)
Misc activity | ET INFO Observed DNS Query to xsph .ru Domain
A Network Trojan was detected | ET MALWARE DCRAT Activity (GET) (9 alerts)
No debug info