Malware analysis 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe Malicious activity

Add for printing

File name:	581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe
Full analysis:	https://app.any.run/tasks/6b3a1529-39f4-441b-a50c-a0227c44a4bb
Verdict:	Malicious activity
Threats:	DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	June 16, 2024, 23:57:52
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rat dcrat remote darkcrystal
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	2F555468F2B76F26648AE61C418EAD8A
SHA1:	94B1A5F05715682D6BD747C4A8029006490D88D2
SHA256:	581A31B1DDAA6EEA7B78A57B4615D8DEF8C688AEB0DD38DA8A0EF3D248E88892
SSDEEP:	98304:eFrKdVVtRGMYiOxJ8lb76qUewzE+WexFr/I5oGkfitcXDPrhXEm8Zd2EjOp9eZsd:ezmQBvwhM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe (PID: 4360)
  - Everything-1.4.1.1024.x64-Setup.exe (PID: 3712)
  - DCRatBuild.exe (PID: 2332)
  - Everything.exe (PID: 5940)
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 712)
- Changes the autorun value in the registry
  - Everything.exe (PID: 5704)
- Actions looks like stealing of personal data
  - Everything.exe (PID: 5940)
SUSPICIOUS
- Reads the date of Windows installation
  - 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe (PID: 4360)
  - DCRatBuild.exe (PID: 2332)
  - Everything.exe (PID: 2288)
  - Everything.exe (PID: 5940)
- Reads security settings of Internet Explorer
  - 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe (PID: 4360)
  - DCRatBuild.exe (PID: 2332)
  - Everything.exe (PID: 2288)
  - Everything.exe (PID: 5940)
- Executable content was dropped or overwritten
  - 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe (PID: 4360)
  - Everything-1.4.1.1024.x64-Setup.exe (PID: 3712)
  - DCRatBuild.exe (PID: 2332)
  - Everything.exe (PID: 5940)
- Malware-specific behavior (creating "System.dll" in Temp)
  - Everything-1.4.1.1024.x64-Setup.exe (PID: 3712)
- The process creates files with name similar to system file names
  - Everything-1.4.1.1024.x64-Setup.exe (PID: 3712)
- Executed via WMI
  - schtasks.exe (PID: 5064)
  - schtasks.exe (PID: 3608)
  - schtasks.exe (PID: 3376)
  - schtasks.exe (PID: 5940)
  - schtasks.exe (PID: 5944)
  - schtasks.exe (PID: 4932)
  - schtasks.exe (PID: 4216)
  - schtasks.exe (PID: 2332)
  - schtasks.exe (PID: 3808)
  - schtasks.exe (PID: 1204)
  - schtasks.exe (PID: 5612)
  - schtasks.exe (PID: 5528)
  - schtasks.exe (PID: 928)
  - schtasks.exe (PID: 5504)
  - schtasks.exe (PID: 4380)
  - schtasks.exe (PID: 428)
  - schtasks.exe (PID: 4544)
  - schtasks.exe (PID: 3688)
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 712)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 712)
- Probably delay the execution using 'w32tm.exe'
  - cmd.exe (PID: 1012)
- The executable file from the user directory is run by the CMD process
  - UsoClient.exe (PID: 3376)
- Application launched itself
  - Everything.exe (PID: 2288)
- Creates a software uninstall entry
  - Everything.exe (PID: 5940)
- Starts itself from another location
  - Everything.exe (PID: 5940)
- Executes as Windows Service
  - Everything.exe (PID: 2280)
INFO
- Checks supported languages
  - 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe (PID: 4360)
  - DCRatBuild.exe (PID: 2332)
  - Everything-1.4.1.1024.x64-Setup.exe (PID: 3712)
  - UsoClient.exe (PID: 3376)
  - Everything.exe (PID: 2288)
  - Everything.exe (PID: 5940)
  - Everything.exe (PID: 5704)
  - Everything.exe (PID: 2280)
  - Everything.exe (PID: 2332)
  - Everything.exe (PID: 5940)
- Reads the computer name
  - 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe (PID: 4360)
  - DCRatBuild.exe (PID: 2332)
  - Everything-1.4.1.1024.x64-Setup.exe (PID: 3712)
  - UsoClient.exe (PID: 3376)
  - Everything.exe (PID: 2288)
  - Everything.exe (PID: 2280)
  - Everything.exe (PID: 2332)
  - Everything.exe (PID: 5704)
  - Everything.exe (PID: 5940)
  - Everything.exe (PID: 5940)
- Process checks computer location settings
  - 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe (PID: 4360)
  - DCRatBuild.exe (PID: 2332)
  - Everything.exe (PID: 2288)
  - Everything.exe (PID: 5940)
- Create files in a temporary directory
  - 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe (PID: 4360)
  - Everything-1.4.1.1024.x64-Setup.exe (PID: 3712)
- Reads Environment values
  - UsoClient.exe (PID: 3376)
- Reads the machine GUID from the registry
  - UsoClient.exe (PID: 3376)
- Creates files or folders in the user directory
  - Everything.exe (PID: 2332)
- Creates files in the program directory
  - Everything.exe (PID: 5704)
  - Everything.exe (PID: 5940)
- Disables trace logs
  - UsoClient.exe (PID: 3376)
- Checks proxy server information
  - UsoClient.exe (PID: 3376)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (53.2)
.exe	\|	Win32 Executable Delphi generic (17.5)
.scr	\|	Windows screen saver (16.1)
.exe	\|	Win32 Executable (generic) (5.5)
.exe	\|	Win16/32 Executable Delphi generic (2.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	5120
InitializedDataSize:	3182592
UninitializedDataSize:	-
EntryPoint:	0x20cc
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

157

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

208

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\w32tm.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Time Service Diagnostic Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll

428

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\fontdrvhost.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

628

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

712

"C:\WINDOWS\System32\WScript.exe" "C:\comsurrogatecommon\h6khYLQAm3C9Gvan2yaD6Idxz.vbe"

C:\Windows\SysWOW64\wscript.exe

—

DCRatBuild.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft ® Windows Based Script Host

Version:

5.812.10240.16384

Modules

Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

712

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

928

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Pictures\sppsvc.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1012

C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\pr9LagrNX6.bat" "

C:\Windows\System32\cmd.exe

—

containerbrokerSvc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll

1204

schtasks.exe /create /tn "UsoClientU" /sc MINUTE /mo 10 /tr "'C:\Users\admin\Saved Games\UsoClient.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2280

C:\WINDOWS\system32\cmd.exe /c ""C:\comsurrogatecommon\ndyJqdcK3gAQnUI3h5cTrzbsXo5.bat" "

C:\Windows\SysWOW64\cmd.exe

—

wscript.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

2280

"C:\Program Files\Everything\Everything.exe" -svc

C:\Program Files\Everything\Everything.exe

—

services.exe

User:

SYSTEM

Company:

voidtools

Integrity Level:

SYSTEM

Description:

Everything

Version:

1.4.1.1024

Modules

Images
c:\program files\everything\everything.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll

Add for printing

Total events

21 930

Read events

21 836

Write events

Delete events

Modification events


(PID) Process:	(4360) 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(4360) 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(4360) 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(4360) 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(4360) 581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2332) DCRatBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts
Operation:	write	Name:	VBEFile_.vbe
Value: 0
(PID) Process:	(2332) DCRatBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation:	write	Name:	VBEFile
Value:
(PID) Process:	(2332) DCRatBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2332) DCRatBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2332) DCRatBuild.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3712	Everything-1.4.1.1024.x64-Setup.exe	C:\Users\admin\AppData\Local\Temp\nsn49D9.tmp\InstallOptions.dll		executable
		MD5:ECE25721125D55AA26CDFE019C871476	SHA256:C7FEF6457989D97FECC0616A69947927DA9D8C493F7905DC8475C748F044F3CF
4360	581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe	C:\Users\admin\AppData\Local\Temp\DCRatBuild.exe		executable
		MD5:1B0D74D91E3556B4296FDFA8E2026027	SHA256:8ED1D39FA5617F5F79C94BE770549A88452829B56C7A878AF030BAA1AE060F9B
3712	Everything-1.4.1.1024.x64-Setup.exe	C:\Users\admin\AppData\Local\Temp\nsn49D9.tmp\System.dll		executable
		MD5:CFF85C549D536F651D4FB8387F1976F2	SHA256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
2332	DCRatBuild.exe	C:\comsurrogatecommon\containerbrokerSvc.exe		executable
		MD5:30F9E0FF5A6F1343D0828E74F8D4D442	SHA256:88A7DB7AE820D84729CA9D9376848544BDE2788F300D4303FD1B19C50C4C348D
2332	DCRatBuild.exe	C:\comsurrogatecommon\h6khYLQAm3C9Gvan2yaD6Idxz.vbe		vbe
		MD5:C2CEBB18805A35AA4F1DC912DC6FF0D2	SHA256:D178FAB8FA489F9F67902F5B777145C321B6F614641C573EDEB2DA8F22127351
4360	581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe	C:\Users\admin\AppData\Local\Temp\Everything-1.4.1.1024.x64-Setup.exe		executable
		MD5:5036E609163E98F3AC06D5E82B677DF8	SHA256:B2AFE799584C913532C673F99ADE45113BF5A5B605A964CE9FA837F563B6FC21
5940	Everything.exe	C:\Program Files\Everything\Everything.exe		executable
		MD5:0170601E27117E9639851A969240B959	SHA256:35CEFE4BC4A98AD73DDA4444C700AAC9F749EFDE8F9DE6A643A57A5B605BD4E7
3712	Everything-1.4.1.1024.x64-Setup.exe	C:\Users\admin\AppData\Local\Temp\nsn49D9.tmp\Everything\License.txt		text
		MD5:2D8C6B891BEA32E7FA64B381CF3064C2	SHA256:2E017A9C091CF5293E978E796C81025DAB6973AF96CB8ACD56A04EF29703550B
3712	Everything-1.4.1.1024.x64-Setup.exe	C:\Users\admin\AppData\Local\Temp\nsn49D9.tmp\Everything\Everything.lng		binary
		MD5:BA118BDF7118802BEEA188727B155D5F	SHA256:270C2DBD55642543479C7E7E62F99EC11BBC65496010B1354A2BE9482269D471
5940	Everything.exe	C:\Program Files\Everything\License.txt		text
		MD5:2D8C6B891BEA32E7FA64B381CF3064C2	SHA256:2E017A9C091CF5293E978E796C81025DAB6973AF96CB8ACD56A04EF29703550B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.16.164.72:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	unknown
—	—	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	unknown
4680	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	—	—	unknown
1104	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	unknown
3376	UsoClient.exe	GET	400	141.8.197.42:80	http://a0986288.xsph.ru/a32875a6.php?A7ZUpyl1cxRcUhTS=wXjtE1IyZBYxYPCkh4iMX9I&057293214dd1e1c8ca29d6306d5eecdb=3fef7bfc090daea77e647b5c9726d235&7966bddc4cb0c27e99e46630873ba211=gMxQjY2YTO3YGNhVGNiZWOycDO1UDOzUTYlFjNkFGN0UTMycjNldTO&A7ZUpyl1cxRcUhTS=wXjtE1IyZBYxYPCkh4iMX9I	unknown	—	—	unknown
3376	UsoClient.exe	GET	400	141.8.197.42:80	http://a0986288.xsph.ru/a32875a6.php?A7ZUpyl1cxRcUhTS=wXjtE1IyZBYxYPCkh4iMX9I&057293214dd1e1c8ca29d6306d5eecdb=3fef7bfc090daea77e647b5c9726d235&7966bddc4cb0c27e99e46630873ba211=gMxQjY2YTO3YGNhVGNiZWOycDO1UDOzUTYlFjNkFGN0UTMycjNldTO&A7ZUpyl1cxRcUhTS=wXjtE1IyZBYxYPCkh4iMX9I	unknown	—	—	unknown
6012	SIHClient.exe	GET	200	104.119.109.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	unknown
6012	SIHClient.exe	GET	200	104.119.109.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	unknown
2908	OfficeClickToRun.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown
2764	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	239.255.255.250:1900	—	—	—	unknown
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
1440	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5140	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4312	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.16.164.72:80	crl.microsoft.com	Akamai International B.V.	NL	unknown
—	—	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4680	SearchApp.exe	2.16.100.131:443	www.bing.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
crl.microsoft.com	2.16.164.72 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131 104.119.109.218	whitelisted
www.bing.com	2.16.100.131 2.16.101.107 2.16.101.114	whitelisted
r.bing.com	2.16.100.131 2.16.101.114 2.16.101.107	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.32.140 20.190.160.17 40.126.32.133 40.126.32.68 20.190.160.22 40.126.32.74 40.126.32.76 40.126.32.134	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
a0986288.xsph.ru	141.8.197.42	unknown
slscr.update.microsoft.com	52.165.165.26	whitelisted

Threats

PID	Process	Class	Message
2184	svchost.exe	Misc activity	ET INFO Observed DNS Query to xsph .ru Domain
3376	UsoClient.exe	A Network Trojan was detected	ET MALWARE DCRAT Activity (GET)

Add for printing

No debug info

General Info

581a31b1ddaa6eea7b78a57b4615d8def8c688aeb0dd38da8a0ef3d248e88892.exe

2F555468F2B76F26648AE61C418EAD8A

94B1A5F05715682D6BD747C4A8029006490D88D2

581A31B1DDAA6EEA7B78A57B4615D8DEF8C688AEB0DD38DA8A0EF3D248E88892

98304:eFrKdVVtRGMYiOxJ8lb76qUewzE+WexFr/I5oGkfitcXDPrhXEm8Zd2EjOp9eZsd:ezmQBvwhM

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Uses sleep, probably for evasion detection (SCRIPT)

Changes the autorun value in the registry

Actions looks like stealing of personal data

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Executed via WMI

Starts CMD.EXE for commands execution

Executing commands from a ".bat" file

Probably delay the execution using 'w32tm.exe'

The executable file from the user directory is run by the CMD process

Application launched itself

Creates a software uninstall entry

Starts itself from another location

Executes as Windows Service

INFO

Checks supported languages

Reads the computer name

Process checks computer location settings

Create files in a temporary directory

Reads Environment values

Reads the machine GUID from the registry

Creates files or folders in the user directory

Creates files in the program directory

Disables trace logs

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings