File name: dControl.zip
Full analysis: https://app.any.run/tasks/e3f8aaa5-47fa-4346-bf18-fadf0b700df3
Verdict: Malicious activity
Analysis date: October 08, 2021, 03:14:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: D185E09570314D645275E4C3D29108AC
SHA1: DD1D9B61CBDFB9179DA7899E1A66000F6D8CE8DD
SHA256: 947998E52A0F9CECA6F40B25C69E67A765E42B5A462A61485A388F284F75B162
SSDEEP: 12288:WzZX7u/zAPiNOfviWyNJuB08RfQFbHmynmyNMMn9aM5zY/M:+ZX7MAqNLWBQFbHCKNj5zEM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dfControl.exe (PID: 2448)
      • dfControl.exe (PID: 396)
      • dfControl.exe (PID: 2064)
      • dfControl.exe (PID: 3068)
      • dfControl.exe (PID: 3852)
    • Disables Windows Defender

      • dfControl.exe (PID: 3068)
    • Modifies Windows Defender service settings

      • dfControl.exe (PID: 3068)
  • SUSPICIOUS

    • Application launched itself

      • dfControl.exe (PID: 2448)
      • dfControl.exe (PID: 2064)
      • dfControl.exe (PID: 3068)
    • Checks supported languages

      • dfControl.exe (PID: 2448)
      • WinRAR.exe (PID: 1388)
      • dfControl.exe (PID: 2064)
      • dfControl.exe (PID: 3068)
      • dfControl.exe (PID: 3852)
      • MSASCui.exe (PID: 2244)
      • MSASCui.exe (PID: 1868)
      • MSASCui.exe (PID: 2372)
    • Reads mouse settings

      • dfControl.exe (PID: 2448)
      • dfControl.exe (PID: 2064)
      • dfControl.exe (PID: 3068)
      • dfControl.exe (PID: 3852)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 1388)
    • Reads the computer name

      • WinRAR.exe (PID: 1388)
      • dfControl.exe (PID: 2448)
      • dfControl.exe (PID: 2064)
      • dfControl.exe (PID: 3852)
      • dfControl.exe (PID: 3068)
      • MSASCui.exe (PID: 2372)
    • Creates files in the Windows directory

      • dfControl.exe (PID: 2064)
      • dfControl.exe (PID: 3068)
      • dfControl.exe (PID: 3852)
    • Removes files from Windows directory

      • dfControl.exe (PID: 2064)
      • dfControl.exe (PID: 3068)
      • dfControl.exe (PID: 3852)
    • Executed via COM

      • explorer.exe (PID: 2484)
  • INFO

    • Manual execution by user

      • dfControl.exe (PID: 396)
      • dfControl.exe (PID: 2448)
      • MSASCui.exe (PID: 2372)
      • MSASCui.exe (PID: 1868)
    • Checks supported languages

      • Explorer.exe (PID: 3472)
      • explorer.exe (PID: 2484)
    • Reads the computer name

      • Explorer.exe (PID: 3472)
      • explorer.exe (PID: 2484)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2021:09:15 15:16:00
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: dControl/
No data.
Total processes: 53
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Interactive graph not reproduced here; its nodes are: start, winrar.exe, dfcontrol.exe (5 instances, 3 marked "no specs"), explorer.exe (2 instances, no specs), msascui.exe (3 instances, no specs).

Process information (one record per process; the Indicators column of the original table is not present in this extract)

PID: 396
CMD: "C:\Users\admin\Desktop\dControl\dfControl.exe"
Path: C:\Users\admin\Desktop\dControl\dfControl.exe
Parent process: Explorer.EXE
User: admin
Company: www.sordum.org
Integrity Level: MEDIUM
Description: dfControl v2.0
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 2.0.0.0
Modules (images):
c:\users\admin\desktop\dcontrol\dfcontrol.exe
c:\windows\system32\ntdll.dll

PID: 1388
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\dControl.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 1868
CMD: "C:\Program Files\Windows Defender\MSASCui.exe"
Path: C:\Program Files\Windows Defender\MSASCui.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Defender User Interface
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows defender\msascui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\program files\windows defender\mpclient.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID: 2064
CMD: C:\Users\admin\Desktop\dControl\dfControl.exe
Path: C:\Users\admin\Desktop\dControl\dfControl.exe
Parent process: dfControl.exe
User: SYSTEM
Company: www.sordum.org
Integrity Level: SYSTEM
Description: dfControl v2.0
Exit code: 0
Version: 2.0.0.0
Modules (images):
c:\users\admin\desktop\dcontrol\dfcontrol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

PID: 2244
CMD: "C:\Program Files\Windows Defender\MSASCui.exe"
Path: C:\Program Files\Windows Defender\MSASCui.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Defender User Interface
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows defender\msascui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\program files\windows defender\mpclient.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID: 2372
CMD: "C:\Program Files\Windows Defender\MSASCui.exe"
Path: C:\Program Files\Windows Defender\MSASCui.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Defender User Interface
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows defender\msascui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\program files\windows defender\mpclient.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll

PID: 2448
CMD: "C:\Users\admin\Desktop\dControl\dfControl.exe"
Path: C:\Users\admin\Desktop\dControl\dfControl.exe
Parent process: Explorer.EXE
User: admin
Company: www.sordum.org
Integrity Level: HIGH
Description: dfControl v2.0
Exit code: 0
Version: 2.0.0.0
Modules (images):
c:\users\admin\desktop\dcontrol\dfcontrol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll

PID: 2484
CMD: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll

PID: 3068
CMD: "C:\Users\admin\Desktop\dControl\dfControl.exe" /TI
Path: C:\Users\admin\Desktop\dControl\dfControl.exe
Parent process: dfControl.exe
User: SYSTEM
Company: www.sordum.org
Integrity Level: SYSTEM
Description: dfControl v2.0
Exit code: 0
Version: 2.0.0.0
Modules (images):
c:\users\admin\desktop\dcontrol\dfcontrol.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID: 3472
CMD: "C:\Windows\Explorer.exe" C:\Program Files\Windows Defender\MSASCui.exe
Path: C:\Windows\Explorer.exe
Parent process: dfControl.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 555
Read events: 1 479
Write events: 64
Delete events: 12

Modification events

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value: (empty)

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value: (empty)

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\dControl.zip

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (1388) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 0
Executable files: 1
Suspicious files: 13
Text files: 6
Unknown types: 0

Dropped files

PID 2064, dfControl.exe: C:\Windows\TEMP\aut7593.tmp (binary)
MD5: A0AB548853AAFD090DB3C6AAE10F6B5E
SHA256: 8FAF739B926D56FB5125041C8BEE45289C86127A10DFB68FB9DF8D58360C3542

PID 3068, dfControl.exe: C:\Windows\TEMP\aut768D.tmp (binary)
MD5: A0AB548853AAFD090DB3C6AAE10F6B5E
SHA256: 8FAF739B926D56FB5125041C8BEE45289C86127A10DFB68FB9DF8D58360C3542

PID 2448, dfControl.exe: C:\Users\admin\AppData\Local\Temp\aut746B.tmp (binary)
MD5: A0AB548853AAFD090DB3C6AAE10F6B5E
SHA256: 8FAF739B926D56FB5125041C8BEE45289C86127A10DFB68FB9DF8D58360C3542

PID 2448, dfControl.exe: C:\Users\admin\AppData\Local\Temp\eytujxvu.tmp (text)
MD5: D18F74579C2DD589DAC1711DF140341F
SHA256: 1DAA4306AC4B7C7265CA3A2A12CABC400F4884D3AFE71F8264B62EC3DA2DC924

PID 2448, dfControl.exe: C:\Users\admin\AppData\Local\Temp\aut7449.tmp (binary)
MD5: 93E42DAECB6275F7FC49A8F5B12A7EDF
SHA256: 3DCC465363E157B36198A5F8649F57B0F5FA950287EA4959903E637A0CD8A79A

PID 2064, dfControl.exe: C:\Windows\TEMP\aut7572.tmp (binary)
MD5: 93E42DAECB6275F7FC49A8F5B12A7EDF
SHA256: 3DCC465363E157B36198A5F8649F57B0F5FA950287EA4959903E637A0CD8A79A

PID 2448, dfControl.exe: C:\Users\admin\AppData\Local\Temp\aut745A.tmp (binary)
MD5: 7A8207B501B20A0EF6B7F631B40E3BDF
SHA256: EAC3CEAFE46B52057B7F370E7290DD0905C50C2CE772B76E3FAB3886FC6B3DD1

PID 3068, dfControl.exe: C:\Windows\TEMP\aut75FF.tmp (binary)
MD5: 93E42DAECB6275F7FC49A8F5B12A7EDF
SHA256: 3DCC465363E157B36198A5F8649F57B0F5FA950287EA4959903E637A0CD8A79A

PID 2064, dfControl.exe: C:\Windows\TEMP\eytujxvu.tmp (text)
MD5: D18F74579C2DD589DAC1711DF140341F
SHA256: 1DAA4306AC4B7C7265CA3A2A12CABC400F4884D3AFE71F8264B62EC3DA2DC924

PID 1388, WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb1388.2316\dControl\dfControl.ini (text)
MD5: 68B8D43DDFD7502386FB1510E35096F6
SHA256: 69A0DC793736C5D75F0149EEC0547B4A992A7D1F10413697481527B884AC01EB
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: -
Process: -
IP: 51.124.78.146:443
Domain: -
ASN: Microsoft Corporation
CN: GB
Reputation: whitelisted

DNS requests

No data

Threats

No threats detected
No debug info