File name:

2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer

Full analysis: https://app.any.run/tasks/5ddaa5c1-1d9b-410a-9241-5e8885bb3c87
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: May 27, 2025, 19:43:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
dcrat
rat
evasion
auto-reg
telegram
exfiltration
stealer
auto-sch
remote
darkcrystal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

E99C064A23270272D1F8CC12FA9F19F8

SHA1:

3FE01F7324837E3EBE90FFD56CFF22925810F7DD

SHA256:

B3F008DC3EC56D6E7D991CC97E5E3241B6D71A7D0D5BA64A35498E7B9F6128A2

SSDEEP:

98304:5yi3h8kdMUYVrZuvI1Qsjx8uf7xhh/LLSTEtcOSMnKrBoOkcvofXGkkVxFZ7Nofx:zhQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 7300)
    • DCRAT mutex has been found

      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • RuntimeBroker.exe (PID: 8400)
      • comrefBrokermonitor.exe (PID: 8528)
      • RuntimeBroker.exe (PID: 8664)
      • sihost.exe (PID: 8628)
      • audiodg.exe (PID: 8704)
      • comrefBrokermonitor.exe (PID: 8788)
      • RuntimeBroker.exe (PID: 8740)
      • audiodg.exe (PID: 9008)
    • Changes the login/logoff helper path in the registry

      • comrefBrokermonitor.exe (PID: 7648)
    • Changes the autorun value in the registry

      • comrefBrokermonitor.exe (PID: 7648)
    • Adds path to the Windows Defender exclusion list

      • comrefBrokermonitor.exe (PID: 7648)
    • Changes Windows Defender settings

      • comrefBrokermonitor.exe (PID: 7648)
    • DARKCRYSTAL has been detected (SURICATA)

      • audiodg.exe (PID: 7360)
    • Connects to the CnC server

      • audiodg.exe (PID: 7360)
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7300)
      • comrefBrokermonitor.exe (PID: 7648)
    • Reads security settings of Internet Explorer

      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
    • Executable content was dropped or overwritten

      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • csc.exe (PID: 7856)
      • csc.exe (PID: 7948)
      • csc.exe (PID: 8028)
      • csc.exe (PID: 8116)
      • audiodg.exe (PID: 7360)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7300)
      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7300)
    • Reads the date of Windows installation

      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
    • Executed via WMI

      • schtasks.exe (PID: 7828)
      • schtasks.exe (PID: 7772)
      • schtasks.exe (PID: 7804)
      • schtasks.exe (PID: 1276)
      • schtasks.exe (PID: 6108)
      • schtasks.exe (PID: 1184)
      • schtasks.exe (PID: 6372)
      • schtasks.exe (PID: 5608)
      • schtasks.exe (PID: 1072)
      • schtasks.exe (PID: 4620)
      • schtasks.exe (PID: 5528)
      • schtasks.exe (PID: 1812)
      • schtasks.exe (PID: 1188)
      • schtasks.exe (PID: 672)
      • schtasks.exe (PID: 4696)
      • schtasks.exe (PID: 6156)
      • schtasks.exe (PID: 7208)
      • schtasks.exe (PID: 2656)
    • The process creates files with name similar to system file names

      • comrefBrokermonitor.exe (PID: 7648)
    • Process drops legitimate windows executable

      • comrefBrokermonitor.exe (PID: 7648)
    • Checks for external IP

      • comrefBrokermonitor.exe (PID: 7648)
      • svchost.exe (PID: 2196)
    • The process connected to a server suspected of theft

      • comrefBrokermonitor.exe (PID: 7648)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • comrefBrokermonitor.exe (PID: 7648)
    • Script adds exclusion path to Windows Defender

      • comrefBrokermonitor.exe (PID: 7648)
    • Starts POWERSHELL.EXE for commands execution

      • comrefBrokermonitor.exe (PID: 7648)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2600)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2600)
  • INFO

    • Process checks computer location settings

      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
    • Reads the computer name

      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • comrefBrokermonitor.exe (PID: 8528)
      • RuntimeBroker.exe (PID: 8400)
      • sihost.exe (PID: 8628)
      • audiodg.exe (PID: 8704)
      • RuntimeBroker.exe (PID: 8740)
      • comrefBrokermonitor.exe (PID: 8788)
      • RuntimeBroker.exe (PID: 8664)
      • audiodg.exe (PID: 9008)
    • Checks supported languages

      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • csc.exe (PID: 7856)
      • cvtres.exe (PID: 7916)
      • csc.exe (PID: 7948)
      • csc.exe (PID: 8116)
      • cvtres.exe (PID: 7996)
      • csc.exe (PID: 8028)
      • cvtres.exe (PID: 8084)
      • cvtres.exe (PID: 8176)
      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • comrefBrokermonitor.exe (PID: 8528)
      • RuntimeBroker.exe (PID: 8400)
      • sihost.exe (PID: 8628)
      • RuntimeBroker.exe (PID: 8664)
      • audiodg.exe (PID: 8704)
      • chcp.com (PID: 8692)
      • RuntimeBroker.exe (PID: 8740)
      • comrefBrokermonitor.exe (PID: 8788)
      • audiodg.exe (PID: 9008)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe (PID: 7256)
    • Reads Environment values

      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • RuntimeBroker.exe (PID: 8400)
      • comrefBrokermonitor.exe (PID: 8528)
      • sihost.exe (PID: 8628)
      • RuntimeBroker.exe (PID: 8664)
      • RuntimeBroker.exe (PID: 8740)
      • comrefBrokermonitor.exe (PID: 8788)
      • audiodg.exe (PID: 9008)
      • audiodg.exe (PID: 8704)
    • Reads the machine GUID from the registry

      • comrefBrokermonitor.exe (PID: 7460)
      • comrefBrokermonitor.exe (PID: 7648)
      • csc.exe (PID: 7856)
      • csc.exe (PID: 7948)
      • csc.exe (PID: 8028)
      • csc.exe (PID: 8116)
      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • RuntimeBroker.exe (PID: 8400)
      • comrefBrokermonitor.exe (PID: 8528)
      • sihost.exe (PID: 8628)
      • RuntimeBroker.exe (PID: 8664)
      • RuntimeBroker.exe (PID: 8740)
      • comrefBrokermonitor.exe (PID: 8788)
      • audiodg.exe (PID: 9008)
      • audiodg.exe (PID: 8704)
    • Creates files or folders in the user directory

      • csc.exe (PID: 7856)
    • The sample compiled with english language support

      • comrefBrokermonitor.exe (PID: 7648)
    • Create files in a temporary directory

      • comrefBrokermonitor.exe (PID: 7648)
      • cvtres.exe (PID: 7916)
      • cvtres.exe (PID: 7996)
      • cvtres.exe (PID: 8084)
      • cvtres.exe (PID: 8176)
    • Creates files in the program directory

      • csc.exe (PID: 7948)
      • csc.exe (PID: 8028)
      • csc.exe (PID: 8116)
    • Launch of the file from Registry key

      • comrefBrokermonitor.exe (PID: 7648)
    • Checks proxy server information

      • comrefBrokermonitor.exe (PID: 7648)
    • Disables trace logs

      • comrefBrokermonitor.exe (PID: 7648)
    • Reads the software policy settings

      • comrefBrokermonitor.exe (PID: 7648)
    • Manual execution by a user

      • sihost.exe (PID: 976)
      • comrefBrokermonitor.exe (PID: 7200)
      • RuntimeBroker.exe (PID: 8400)
      • comrefBrokermonitor.exe (PID: 8528)
      • sihost.exe (PID: 8628)
      • RuntimeBroker.exe (PID: 8664)
      • audiodg.exe (PID: 8704)
      • RuntimeBroker.exe (PID: 8740)
      • comrefBrokermonitor.exe (PID: 8788)
      • audiodg.exe (PID: 9008)
    • Changes the display of characters in the console

      • cmd.exe (PID: 2600)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:03 13:15:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.3
CodeSize: 203776
InitializedDataSize: 343040
UninitializedDataSize: -
EntryPoint: 0x1f530
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
219
Monitored processes
95
Malicious processes
18
Suspicious processes
0

Behavior graph

[Interactive process graph not reproduced. Nodes shown in the graph: the sample executable (2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe), wscript.exe, cmd.exe, conhost.exe, comrefbrokermonitor.exe, schtasks.exe, csc.exe, cvtres.exe, svchost.exe, sihost.exe, powershell.exe, runtimebroker.exe, chcp.com, audiodg.exe, ping.exe, slui.exe. Nodes flagged #DCRAT: comrefbrokermonitor.exe, sihost.exe, runtimebroker.exe, audiodg.exe. Node flagged #DARKCRYSTAL: audiodg.exe.]

Process information

PID: 672
CMD: schtasks.exe /create /tn "comrefBrokermonitorc" /sc MINUTE /mo 6 /tr "'C:\AgentfontSaves\comrefBrokermonitor.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 976
CMD: C:\found.000\dir0000.chk\sihost.exe
Path: C:\found.000\dir0000.chk\sihost.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\found.000\dir0000.chk\sihost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1012
CMD: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: comrefBrokermonitor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1040
CMD: "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: comrefBrokermonitor.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1072
CMD: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Administrator\TextInputHost.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1128
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1184
CMD: schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\apppatch\AppPatch64\audiodg.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1188
CMD: schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\apppatch\AppPatch64\audiodg.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1276
CMD: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\Logs\csrss.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1568
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
122 393
Read events
122 342
Write events
51
Delete events
0

Modification events

(PID) Process: (7256) 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_CURRENT_USER\SOFTWARE\99e3c7dec2e52a9ac861aa911579793346b73d86
Operation: write
Name: 1054436a23bf955cdbcd039e4fa60ae6c204cd8e
Value:
H4sIAAAAAAAEAGWOvQ7CMAyEXwV1RlUHxMBWYACJAfEjBswQNW4blcaR45Ty9qRlKWKyfff5dPdkswIoKVidZlkGoA3HmaVF3QB4U5OXFHtM5iN4woI65DfAgSoPUHj2fuJfPXKUc90aa7ywEmKAC/ayty7I7jftZqymV+SVc05JUcdP547DtlxENWhDuvqP32KpwlNmwxk7BSumxTVTgzyB8wqtlGTlrDoculLLWH6xlqyJ1Ub68QHe1t6DBAEAAA==

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sihost
Value:
"C:\found.000\dir0000.chk\sihost.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: sihost
Value:
"C:\found.000\dir0000.chk\sihost.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value:
explorer.exe, "C:\found.000\dir0000.chk\sihost.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: csrss
Value:
"C:\Recovery\Logs\csrss.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: csrss
Value:
"C:\Recovery\Logs\csrss.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation: write
Name: Shell
Value:
explorer.exe, "C:\found.000\dir0000.chk\sihost.exe", "C:\Recovery\Logs\csrss.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: TextInputHost
Value:
"C:\Users\Administrator\TextInputHost.exe"

(PID) Process: (7648) comrefBrokermonitor.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: TextInputHost
Value:
"C:\Users\Administrator\TextInputHost.exe"
Executable files
89
Suspicious files
1
Text files
61
Unknown types
9

Dropped files

PID | Process | Filename | Type
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\yFqeoYfe.log | executable
MD5: 16B480082780CC1D8C23FB05468F64E7
SHA256: 7A080D8BD178EC02C7F39F7F941479074C450C4FDD8E963C993D2FB5537C7708
7256 | 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe | C:\AgentfontSaves\comrefBrokermonitor.exe | executable
MD5: 2A577C19629CFF4F915A5E14F51ADE29
SHA256: 6E1AFD912CBDE74D8E254E679BD9D054B17045F8AD0374F2C89F8F5183CA42F1
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\niSGSiez.log | executable
MD5: 9B25959D6CD6097C0EF36D2496876249
SHA256: 4DBA0293B2BA9478EC0738BAD92F0E56CB7CF800B0CA4FDA8261EE2C0C91E217
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\DKPvfrpV.log | executable
MD5: BBDE7073BAAC996447F749992D65FFBA
SHA256: 1FAE639DF1C497A54C9F42A8366EDAE3C0A6FEB4EB917ECAD9323EF8D87393E8
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\WbCbzwzk.log | executable
MD5: 8AE2B8FA17C9C4D99F76693A627307D9
SHA256: 0B093D4935BD51AC404C2CD2BB59E2C4525B97A4D925807606B04C2D3338A9BE
7256 | 2025-05-27_e99c064a23270272d1f8cc12fa9f19f8_amadey_black-basta_cova_cryptbot_dcrat_elex_luca-stealer.exe | C:\AgentfontSaves\y9fctaWMk.bat | text
MD5: 03B2BDCA1DF40683BDCEE17D77459588
SHA256: A198A54436A10A0423CAEC37775246E2F854384C037A715BCBC0BE646C0C07F8
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\yWxxCuZh.log | executable
MD5: 87765D141228784AE91334BAE25AD743
SHA256: 9A121719F71383CF66FC36453679B36C8D24CC61EB335D0C304536E5D72AAAEB
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\sWkFvfun.log | executable
MD5: 5EE7E079F998F80293B3467CE6A5B4AE
SHA256: A3AE7E97703E694C479E3B460F89C16B4A511626E351145532D1A2F3BA051779
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\NsiLPTuC.log | executable
MD5: 2E116FC64103D0F0CF47890FD571561E
SHA256: 25EEEA99DCA05BF7651264FA0C07E0E91D89E0DA401C387284E9BE9AFDF79625
7460 | comrefBrokermonitor.exe | C:\Users\admin\Desktop\VWrBzMJk.log | executable
MD5: A4F19ADB89F8D88DBDF103878CF31608
SHA256: D0613773A711634434DB30F2E35C6892FF54EBEADF49CD254377CAECB204EAA4
HTTP(S) requests
81
TCP/UDP connections
54
DNS requests
20
Threats
15

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.48.23.158:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.32.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.32.133:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.3:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 400 | 20.190.160.22:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | GET | 200 | 34.117.59.81:443 | https://ipinfo.io/ip | unknown | text | 13 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.48.23.158:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
6544 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7648 | comrefBrokermonitor.exe | 34.117.59.81:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.48.23.158
  • 23.48.23.156
  • 23.48.23.147
  • 23.48.23.155
  • 23.48.23.145
  • 23.48.23.161
  • 23.48.23.143
  • 23.48.23.149
  • 23.48.23.146
  • 23.48.23.162
  • 23.48.23.160
  • 23.48.23.150
  • 23.48.23.169
  • 23.48.23.168
  • 23.48.23.166
  • 23.48.23.171
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
login.live.com
  • 40.126.32.68
  • 40.126.32.138
  • 20.190.160.65
  • 20.190.160.66
  • 20.190.160.22
  • 20.190.160.4
  • 20.190.160.128
  • 20.190.160.3
whitelisted
ipinfo.io
  • 34.117.59.81
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID | Process | Class | Message
7648 | comrefBrokermonitor.exe | Device Retrieving External IP Address Detected | ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
7648 | comrefBrokermonitor.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
2196 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
- | - | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
- | - | Device Retrieving External IP Address Detected | ET INFO External IP Lookup ipinfo.io
2196 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram
2196 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
7648 | comrefBrokermonitor.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7648 | comrefBrokermonitor.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
No debug info