File name: 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer

Full analysis: https://app.any.run/tasks/5ddaa5c1-1d9b-410a-9241-5e8885bb3c87
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: May 27, 2025, 19:43:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: dcrat, rat, evasion, auto-reg, telegram, exfiltration, stealer, auto-sch, remote, darkcrystal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: E99C064A23270272D1F8CC12FA9F19F8
SHA1: 3FE01F7324837E3EBE90FFD56CFF22925810F7DD
SHA256: B3F008DC3EC56D6E7D991CC97E5E3241B6D71A7D0D5BA64A35498E7B9F6128A2
SSDEEP: 98304:5yi3h8kdMUYVrZuvI1Qsjx8uf7xhh/LLSTEtcOSMnKrBoOkcvofXGkkVxFZ7Nofx:zhQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 7300)
    • DCRAT mutex has been found

      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • sihost.exe (PID: 976)
      • RuntimeBroker.exe (PID: 8400)
      • comrefBrokermonitor.exe (PID: 7200)
      • comrefBrokermonitor.exe (PID: 8528)
      • sihost.exe (PID: 8628)
      • audiodg.exe (PID: 8704)
      • RuntimeBroker.exe (PID: 8664)
      • comrefBrokermonitor.exe (PID: 8788)
      • audiodg.exe (PID: 9008)
      • RuntimeBroker.exe (PID: 8740)
    • Changes the login/logoff helper path in the registry

      • comrefBrokermonitor.exe (PID: 7648)
    • Changes the autorun value in the registry

      • comrefBrokermonitor.exe (PID: 7648)
    • Adds path to the Windows Defender exclusion list

      • comrefBrokermonitor.exe (PID: 7648)
    • Changes Windows Defender settings

      • comrefBrokermonitor.exe (PID: 7648)
    • DARKCRYSTAL has been detected (SURICATA)

      • audiodg.exe (PID: 7360)
    • Connects to the CnC server

      • audiodg.exe (PID: 7360)
  • SUSPICIOUS

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7300)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7300)
      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
    • Reads security settings of Internet Explorer

      • comrefBrokermonitor.exe (PID: 7460)
      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7648)
    • Executable content was dropped or overwritten

      • comrefBrokermonitor.exe (PID: 7460)
      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7648)
      • csc.exe (PID: 7856)
      • csc.exe (PID: 7948)
      • csc.exe (PID: 8028)
      • csc.exe (PID: 8116)
      • audiodg.exe (PID: 7360)
    • Reads the date of Windows installation

      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7300)
      • comrefBrokermonitor.exe (PID: 7648)
    • Executed via WMI

      • schtasks.exe (PID: 7804)
      • schtasks.exe (PID: 7772)
      • schtasks.exe (PID: 7828)
      • schtasks.exe (PID: 1276)
      • schtasks.exe (PID: 6108)
      • schtasks.exe (PID: 6372)
      • schtasks.exe (PID: 4620)
      • schtasks.exe (PID: 1072)
      • schtasks.exe (PID: 5608)
      • schtasks.exe (PID: 1812)
      • schtasks.exe (PID: 1188)
      • schtasks.exe (PID: 4696)
      • schtasks.exe (PID: 5528)
      • schtasks.exe (PID: 1184)
      • schtasks.exe (PID: 2656)
      • schtasks.exe (PID: 6156)
      • schtasks.exe (PID: 672)
      • schtasks.exe (PID: 7208)
    • The process creates files with name similar to system file names

      • comrefBrokermonitor.exe (PID: 7648)
    • Process drops legitimate windows executable

      • comrefBrokermonitor.exe (PID: 7648)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • comrefBrokermonitor.exe (PID: 7648)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • comrefBrokermonitor.exe (PID: 7648)
    • Script adds exclusion path to Windows Defender

      • comrefBrokermonitor.exe (PID: 7648)
    • The process connected to a server suspected of theft

      • comrefBrokermonitor.exe (PID: 7648)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2600)
    • Starts POWERSHELL.EXE for commands execution

      • comrefBrokermonitor.exe (PID: 7648)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2600)
  • INFO

    • Checks supported languages

      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • csc.exe (PID: 7856)
      • cvtres.exe (PID: 7916)
      • csc.exe (PID: 7948)
      • cvtres.exe (PID: 7996)
      • csc.exe (PID: 8028)
      • cvtres.exe (PID: 8084)
      • csc.exe (PID: 8116)
      • cvtres.exe (PID: 8176)
      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • comrefBrokermonitor.exe (PID: 8528)
      • RuntimeBroker.exe (PID: 8400)
      • sihost.exe (PID: 8628)
      • chcp.com (PID: 8692)
      • RuntimeBroker.exe (PID: 8664)
      • audiodg.exe (PID: 8704)
      • comrefBrokermonitor.exe (PID: 8788)
      • RuntimeBroker.exe (PID: 8740)
      • audiodg.exe (PID: 9008)
    • Reads the computer name

      • comrefBrokermonitor.exe (PID: 7460)
      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7648)
      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • RuntimeBroker.exe (PID: 8400)
      • comrefBrokermonitor.exe (PID: 8528)
      • sihost.exe (PID: 8628)
      • RuntimeBroker.exe (PID: 8664)
      • audiodg.exe (PID: 8704)
      • comrefBrokermonitor.exe (PID: 8788)
      • RuntimeBroker.exe (PID: 8740)
      • audiodg.exe (PID: 9008)
    • Reads Environment values

      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • RuntimeBroker.exe (PID: 8400)
      • comrefBrokermonitor.exe (PID: 8528)
      • sihost.exe (PID: 8628)
      • RuntimeBroker.exe (PID: 8664)
      • audiodg.exe (PID: 8704)
      • RuntimeBroker.exe (PID: 8740)
      • audiodg.exe (PID: 9008)
      • comrefBrokermonitor.exe (PID: 8788)
    • Reads the machine GUID from the registry

      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • csc.exe (PID: 7856)
      • csc.exe (PID: 7948)
      • csc.exe (PID: 8028)
      • csc.exe (PID: 8116)
      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • RuntimeBroker.exe (PID: 8400)
      • comrefBrokermonitor.exe (PID: 8528)
      • RuntimeBroker.exe (PID: 8664)
      • sihost.exe (PID: 8628)
      • audiodg.exe (PID: 8704)
      • comrefBrokermonitor.exe (PID: 8788)
      • RuntimeBroker.exe (PID: 8740)
      • audiodg.exe (PID: 9008)
    • Process checks computer location settings

      • comrefBrokermonitor.exe (PID: 7460)
      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7648)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
    • The sample compiled with english language support

      • comrefBrokermonitor.exe (PID: 7648)
    • Create files in a temporary directory

      • comrefBrokermonitor.exe (PID: 7648)
      • cvtres.exe (PID: 7916)
      • cvtres.exe (PID: 7996)
      • cvtres.exe (PID: 8084)
      • cvtres.exe (PID: 8176)
    • Creates files or folders in the user directory

      • csc.exe (PID: 7856)
    • Creates files in the program directory

      • csc.exe (PID: 7948)
      • csc.exe (PID: 8028)
      • csc.exe (PID: 8116)
    • Launch of the file from Registry key

      • comrefBrokermonitor.exe (PID: 7648)
    • Disables trace logs

      • comrefBrokermonitor.exe (PID: 7648)
    • Reads the software policy settings

      • comrefBrokermonitor.exe (PID: 7648)
    • Manual execution by a user

      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • RuntimeBroker.exe (PID: 8400)
      • comrefBrokermonitor.exe (PID: 8528)
      • sihost.exe (PID: 8628)
      • audiodg.exe (PID: 8704)
      • RuntimeBroker.exe (PID: 8740)
      • RuntimeBroker.exe (PID: 8664)
      • comrefBrokermonitor.exe (PID: 8788)
      • audiodg.exe (PID: 9008)
    • Changes the display of characters in the console

      • cmd.exe (PID: 2600)
    • Checks proxy server information

      • comrefBrokermonitor.exe (PID: 7648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:03 13:15:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.3
CodeSize: 203776
InitializedDataSize: 343040
UninitializedDataSize: -
EntryPoint: 0x1f530
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 219
Monitored processes: 95
Malicious processes: 18
Suspicious processes: 0

Behavior graph

(Interactive process graph; see the full report. Nodes tagged #DCRAT in the graph: comrefbrokermonitor.exe, sihost.exe, runtimebroker.exe and audiodg.exe; the final audiodg.exe node is tagged #DARKCRYSTAL.)

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 672
CMD: schtasks.exe /create /tn "comrefBrokermonitorc" /sc MINUTE /mo 6 /tr "'C:\AgentfontSaves\comrefBrokermonitor.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 976
CMD: C:\found.000\dir0000.chk\sihost.exe
Path: C:\found.000\dir0000.chk\sihost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.2.7.1277
Modules (images):
c:\found.000\dir0000.chk\sihost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1012
CMD: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: comrefBrokermonitor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1040
CMD: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: comrefBrokermonitor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1072
CMD: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Administrator\TextInputHost.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1128
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1184
CMD: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\apppatch\AppPatch64\audiodg.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1188
CMD: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\apppatch\AppPatch64\audiodg.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1276
CMD: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\Logs\csrss.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1568
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 122 393
Read events: 122 342
Write events: 51
Delete events: 0

Modification events

(PID) Process: (7256) 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_CURRENT_USER\SOFTWARE\99e3c7dec2e52a9ac861aa911579793346b73d86
Operation: write
Name: 1054436a23bf955cdbcd039e4fa60ae6c204cd8e
Value: H4sIAAAAAAAEAGWOvQ7CMAyEXwV1RlUHxMBWYACJAfEjBswQNW4blcaR45Ty9qRlKWKyfff5dPdkswIoKVidZlkGoA3HmaVF3QB4U5OXFHtM5iN4woI65DfAgSoPUHj2fuJfPXKUc90aa7ywEmKAC/ayty7I7jftZqymV+SVc05JUcdP547DtlxENWhDuvqP32KpwlNmwxk7BSumxTVTgzyB8wqtlGTlrDoculLLWH6xlqyJ1Ub68QHe1t6DBAEAAA==

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sihost
Value: "C:\found.000\dir0000.chk\sihost.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sihost
Value: "C:\found.000\dir0000.chk\sihost.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value: explorer.exe, "C:\found.000\dir0000.chk\sihost.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: csrss
Value: "C:\Recovery\Logs\csrss.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: csrss
Value: "C:\Recovery\Logs\csrss.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value: explorer.exe, "C:\found.000\dir0000.chk\sihost.exe", "C:\Recovery\Logs\csrss.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: TextInputHost
Value: "C:\Users\Administrator\TextInputHost.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: TextInputHost
Value: "C:\Users\Administrator\TextInputHost.exe"
Executable files: 89
Suspicious files: 1
Text files: 61
Unknown types: 9

Dropped files

PID | Process | Filename | Type

7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\yFqeoYfe.log | executable
  MD5: 16B480082780CC1D8C23FB05468F64E7
  SHA256: 7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
7256 | 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe | C:\AgentfontSaves\6wj3NtTapL2Gw4rjKpNX8twQCaI1y6Q71yJPi7J6UKnaZQ.vbe | vbe
  MD5: BE0C2187D938BF123121F69F1E2FBE94
  SHA256: F000F41E1F3541AAC0715A2FE924B669B921DC51AEDD7B6C73F32F10FEA265DD
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\yWxxCuZh.log | executable
  MD5: 87765D141228784AE91334BAE25AD743
  SHA256: 9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\IFQNmWeO.log | executable
  MD5: 9E910782CA3E88B3F87826609A21A54E
  SHA256: 3B311986251EE5A303671108AFBAF43E0255C4CAE1C26CC9600BB0C7D22D3864
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\niSGSiez.log | executable
  MD5: 9B25959D6CD6097C0EF36D2496876249
  SHA256: 4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
7256 | 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe | C:\AgentfontSaves\y9fctaWMk.bat | text
  MD5: 03B2BDCA1DF40683BDCEE17D77459588
  SHA256: A198A54436A10A0423CAEC37775246E2F854384C037A715BCBC0BE646C0C07F8
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\VWrBzMJk.log | executable
  MD5: A4F19ADB89F8D88DBDF103878CF31608
  SHA256: D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\QjZCWQuw.log | executable
  MD5: F4B38D0F95B7E844DD288B441EBC9AAF
  SHA256: AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
7256 | 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe | C:\AgentfontSaves\comrefBrokermonitor.exe | executable
  MD5: 2A577C19629CFF4F915A5E14F51ADE29
  SHA256: 6E1AFD912CBDE74D8E254E679BD9D054B17045F8AD0374F2C89F8F5183CA42F1
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\kAMiqVFL.log | executable
  MD5: D8BF2A0481C0A17A634D066A711C12E9
  SHA256: 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 81
TCP/UDP connections: 54
DNS requests: 20
Threats: 15

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

- | - | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
- | - | GET | 200 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted
9032 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
9032 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
9032 | SIHClient.exe | GET | 200 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
9032 | SIHClient.exe | GET | 200 | 23.48.23.162:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.32.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
6544 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7648 | comrefBrokermonitor.exe | 34.117.59.81:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
login.live.com
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID | Process | Class | Message

7648 | comrefBrokermonitor.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
7648 | comrefBrokermonitor.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
- | - | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
2196 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
7648 | comrefBrokermonitor.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7648 | comrefBrokermonitor.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
No debug info