File name: bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6

Full analysis: https://app.any.run/tasks/da8650e8-32f8-4e1e-9283-b9bfb626ba47
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware that can be customized to perform different tasks: for instance, stealing passwords and crypto wallet information, hijacking Telegram and Steam accounts, and more. Attackers distribute DCrat in a variety of ways, but phishing email campaigns are the most common.

Analysis date: May 24, 2024, 22:06:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
rat
dcrat
remote
darkcrystal
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: D1BFFB7DFD0CCFE6AA48313B65C2EB11
SHA1: 5D2EA43954CA796AB1B9C8852E89AA34188C045B
SHA256: BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6
SSDEEP: 98304:PdBQLtVbRMwj60PNahlEzEJ8pyd8phwDx5Z6xaLlJEQf:n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
    • UAC/LUA settings modification

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 8012)
      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 3640)
      • wscript.exe (PID: 7456)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 8172)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 7292)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 6448)
      • wscript.exe (PID: 7460)
      • wscript.exe (PID: 8068)
      • wscript.exe (PID: 7748)
      • wscript.exe (PID: 6660)
    • Deletes a file (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
    • Adds path to the Windows Defender exclusion list

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • DARKCRYSTAL has been detected (SURICATA)

      • dasHost.exe (PID: 7260)
    • DCRAT has been detected (YARA)

      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
  • SUSPICIOUS

    • Reads the date of Windows installation

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Starts CMD.EXE for commands execution

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
    • Reads security settings of Internet Explorer

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • ShellExperienceHost.exe (PID: 6684)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • The process creates files with name similar to system file names

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • Executed via WMI

      • schtasks.exe (PID: 6876)
      • schtasks.exe (PID: 6944)
      • schtasks.exe (PID: 6980)
      • schtasks.exe (PID: 7004)
      • schtasks.exe (PID: 3608)
      • schtasks.exe (PID: 4936)
      • schtasks.exe (PID: 3624)
      • schtasks.exe (PID: 4952)
      • schtasks.exe (PID: 6112)
      • schtasks.exe (PID: 4996)
      • schtasks.exe (PID: 6916)
      • schtasks.exe (PID: 4416)
      • schtasks.exe (PID: 2736)
      • schtasks.exe (PID: 4140)
      • schtasks.exe (PID: 72)
      • schtasks.exe (PID: 2592)
      • schtasks.exe (PID: 5536)
      • schtasks.exe (PID: 5932)
      • schtasks.exe (PID: 6156)
      • schtasks.exe (PID: 2332)
      • schtasks.exe (PID: 636)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 4936)
    • Executable content was dropped or overwritten

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
    • Script adds exclusion path to Windows Defender

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • Starts POWERSHELL.EXE for commands execution

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • Creates file in the systems drive root

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
    • The process executes VB scripts

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 8012)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 3640)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7456)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 8172)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 7292)
      • wscript.exe (PID: 6448)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
      • wscript.exe (PID: 8068)
      • wscript.exe (PID: 6660)
      • wscript.exe (PID: 7748)
    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
      • wscript.exe (PID: 6660)
    • Gets full path of the running script (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7988)
      • wscript.exe (PID: 7348)
      • wscript.exe (PID: 6932)
      • wscript.exe (PID: 7512)
      • wscript.exe (PID: 6420)
      • wscript.exe (PID: 3732)
      • wscript.exe (PID: 7460)
  • INFO

    • Reads Environment values

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Reads the machine GUID from the registry

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Process checks computer location settings

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Reads the computer name

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • ShellExperienceHost.exe (PID: 6684)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Process checks whether UAC notifications are on

      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Checks supported languages

      • ShellExperienceHost.exe (PID: 6684)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6308)
      • bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (PID: 6520)
      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Reads Microsoft Office registry keys

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Create files in a temporary directory

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Disables trace logs

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Checks proxy server information

      • dasHost.exe (PID: 7260)
      • dasHost.exe (PID: 7724)
      • dasHost.exe (PID: 5656)
      • dasHost.exe (PID: 7196)
      • dasHost.exe (PID: 2304)
      • dasHost.exe (PID: 308)
      • dasHost.exe (PID: 324)
      • dasHost.exe (PID: 7908)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7072)
      • powershell.exe (PID: 7060)
      • powershell.exe (PID: 6880)
      • powershell.exe (PID: 6944)
      • powershell.exe (PID: 6620)
      • powershell.exe (PID: 7048)
      • powershell.exe (PID: 6980)
      • powershell.exe (PID: 6592)
      • powershell.exe (PID: 6584)
      • powershell.exe (PID: 6920)
      • powershell.exe (PID: 6876)
      • powershell.exe (PID: 7028)
      • powershell.exe (PID: 7004)

DcRat

(PID) Process(308) dasHost.exe
C2 (1): http://a0949311.xsph.ru/_Defaultwindows
Options
Tag: F
Mutex: adw-Kfpdv2jonhNaGxe7D96L
searchpath: %UsersFolder% - Fast
Target: als
Debug: false
ServerConfigReplacementTable
0 → -
2 → (replacement character not captured)
6 → ^
E → !
k → ;
a → #
j → %
c → $
O → >
w → .
F → (
i → &
y → `
R → ,
H → ~
I → <
M → *
L → @
p → |
A → )
V → _
PluginConfigReplacementTable
1 → _
2 → |
U → )
V → @
b → !
G → %
r → -
Q → (
T → ~
S → ;
J → *
q → (replacement character not captured)
B → ,
W → #
c → <
Z → ^
i → `
d → >
h → &
N → $
F → .
GetWebcams: false
SleepTimeout: 5
InactivityTimeout: 2
CacheStorage: Registry
AutoRun: Smart
StealerConfig
searchpath: %UsersFolder% - Fast
StealerEnabled: false
StealerOptions: false
SelfDelete: false

(PID) Process(324) dasHost.exe
Extracted configuration is identical to that of PID 308 above: same C2 (http://a0949311.xsph.ru/_Defaultwindows), Tag F, Mutex adw-Kfpdv2jonhNaGxe7D96L, Target als, both replacement tables, and the same Options and StealerConfig values.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (45.1)
.exe | Win32 Executable MS Visual C++ (generic) (19.2)
.exe | Win64 Executable (generic) (17)
.scr | Windows screen saver (8)
.dll | Win32 Dynamic Link Library (generic) (4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:04 16:03:35+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 1951744
InitializedDataSize: 13824
UninitializedDataSize: -
EntryPoint: 0x1de6de
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 774.479.801.351
ProductVersionNumber: 166.535.459.901
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: L3Wl9txpfPeE7pTZeDBnEJd0ARder
CompanyName: 9fEIdVaVzhSWJ4KUn4r6
InternalName: rwF4CQulk1SF7PmAm68mH.exe
LegalCopyright: VulAlhhrl8i
Comments: uM8OaEDfBn9QLgVU97yGaIFpMBo1
OriginalFileName: OIT.exe
ProductVersion: 166.535.459.901
FileVersion: 774.479.801.351
Total processes: 195
Monitored processes: 76
Malicious processes: 19
Suspicious processes: 8

Behavior graph

Interactive process graph (available in the full report). Nodes shown: bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe (two instances), cmd.exe, conhost.exe, shellexperiencehost.exe, 21 schtasks.exe instances, 13 powershell.exe instances each paired with conhost.exe, 8 dashost.exe instances (graph tags #DARKCRYSTAL and #DCRAT), and 16 wscript.exe instances launched in pairs from the dashost.exe instances.

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 72
CMD: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\admin\wininit.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 308
CMD: C:\found.000\dir_00000002.chk\dasHost.exe
Path: C:\found.000\dir_00000002.chk\dasHost.exe
Parent process: wscript.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\found.000\dir_00000002.chk\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 324
CMD: C:\found.000\dir_00000002.chk\dasHost.exe
Path: C:\found.000\dir_00000002.chk\dasHost.exe
Parent process: wscript.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\found.000\dir_00000002.chk\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 608
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 636
CMD: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\found.000\dir0001.chk\csrss.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1116
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2304
CMD: C:\found.000\dir_00000002.chk\dasHost.exe
Path: C:\found.000\dir_00000002.chk\dasHost.exe
Parent process: wscript.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\found.000\dir_00000002.chk\dashost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2332
CMD: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\found.000\dir0001.chk\csrss.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2592
CMD: schtasks.exe /create /tn "RUXIMICSR" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\RUXIMICS.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2736
CMD: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\admin\RuntimeBroker.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 135 769
Read events: 135 614
Write events: 155
Delete events: 0

Modification events

(PID) Process: (6308) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6308) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6308) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6308) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6520) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (6520) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

(PID) Process: (6520) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: PromptOnSecureDesktop
Value: 0

(PID) Process: (6520) bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000

(PID) Process: (6684) ShellExperienceHost.exe
Key: \REGISTRY\A\{70cc3777-706b-aa22-e810-b2bbcfafda65}\LocalState
Operation: write
Name: PeekBadges
Value: 5B005D00000085E275AA26AEDA01

(PID) Process: (6684) ShellExperienceHost.exe
Key: \REGISTRY\A\{70cc3777-706b-aa22-e810-b2bbcfafda65}\LocalState
Operation: write
Name: PeekBadges
Value: 5B005D0000004C3378AA26AEDA01
Executable files: 32
Suspicious files: 1
Text files: 52
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | C:\found.000\dir_00000002.chk\dasHost.exe | executable
MD5: D1BFFB7DFD0CCFE6AA48313B65C2EB11
SHA256: BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | C:\Users\admin\56085415360792 | text
MD5: B6A32F4FF5D5ECE42A442022A58812B0
SHA256: 277247FAAD7C67DADAB203956A36BFF6FA293F155BD0F8F816E37C3701802609

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | (filename not captured) | (type not captured)
MD5:
SHA256:

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | C:\found.000\dir0001.chk\886983d96e3d3e | text
MD5: 33D01515C5A8968CFCD7765571FE847E
SHA256: 6C2EAA2349ECDE377CB08B887423B3FDEC93DCC11F4138A258AF56F83C788372

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | C:\found.000\dir0000.chk\System.exe | executable
MD5: D1BFFB7DFD0CCFE6AA48313B65C2EB11
SHA256: BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | C:\Users\Public\Pictures\886983d96e3d3e | text
MD5: 30D021F1052A6FB16DF182717C1FBF58
SHA256: 0CDCE18C2A24BBB91A7CCFA579A1CB400437A198F8FF3F11557F93D9D282AFB8

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | C:\Users\admin\RuntimeBroker.exe | executable
MD5: D1BFFB7DFD0CCFE6AA48313B65C2EB11
SHA256: BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | C:\Users\Public\Pictures\csrss.exe | executable
MD5: D1BFFB7DFD0CCFE6AA48313B65C2EB11
SHA256: BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | C:\found.000\dir0000.chk\27d1bcfc3c54e0 | text
MD5: 215E403362744B7A9C11721A1E243837
SHA256: 5EC08DD077D3403B5B05AD7AC9DE65CCD6E52EED0A1901EE696974E5AB2CF1F8

6520 | bc65e00e7cfb6f9de5c996b3d60dff8012db0217a5afd288dc1f29c53eb76da6.exe | C:\Users\Public\Videos\taskhostw.exe | executable
MD5: D1BFFB7DFD0CCFE6AA48313B65C2EB11
SHA256: BC65E00E7CFB6F9DE5C996B3D60DFF8012DB0217A5AFD288DC1F29C53EB76DA6
HTTP(S) requests: 22
TCP/UDP connections: 29
DNS requests: 5
Threats: 11

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(Only the first six columns and two trailing fields, both extracted as "unknown", survived for each row; they are shown as captured.)

2392 | svchost.exe | GET | 200 | 2.16.164.82:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
7260 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?SlepH9=sZPFLCP846P58k8xPFk13h&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&SlepH9=sZPFLCP846P58k8xPFk13h | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.82:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
5140 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
7260 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?SlepH9=sZPFLCP846P58k8xPFk13h&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&SlepH9=sZPFLCP846P58k8xPFk13h | unknown | unknown
2392 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
7724 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&k1z6lifha3Idda=zJqsGbE9fMU9rrosWdn6UVtijiQ1Xya&Tl=2I0f9g1TuQiyzvKvA0eneaIJiLM | unknown | unknown
5656 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?n7pWWum=Meg9Acz1o2jnHp7Lu3fyJoFSUWuGmwR&93LfN1zANPZI89E8Aemd=xzhYOonrs&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&n7pWWum=Meg9Acz1o2jnHp7Lu3fyJoFSUWuGmwR&93LfN1zANPZI89E8Aemd=xzhYOonrs | unknown | unknown
7196 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?hsUTkWeMunIKFod=fTsIy&SRaOxN4ld5K0OmuZz5=LXlmG6&j7kEu1n8ZD2ViQ=JJNAOa0VGe&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&hsUTkWeMunIKFod=fTsIy&SRaOxN4ld5K0OmuZz5=LXlmG6&j7kEu1n8ZD2ViQ=JJNAOa0VGe | unknown | unknown
2304 | dasHost.exe | GET | 403 | 141.8.192.82:80 | http://a0949311.xsph.ru/_Defaultwindows.php?9gOcAJBzR0suqq=3OWG0lVxc0VgSI3QWn&PbU1Vz9EVgH64UAug40Hyotwl=msqXjWH2aGiWBQ0h9RV4b&RYXWff9l=iPqNQX86uzB34LJ2jQQocbr&d25768f30c698c24efd3caf1c2a93bcb=7f778e433ec7c51341864efceb684f99&d10d153e77fe36211bd0a60ff3c00895=AOxETZxMWN1YDO2YjYiVGN1YzM2UWZiFjZwIWYxIDZlZDO0cTYjRGZ&9gOcAJBzR0suqq=3OWG0lVxc0VgSI3QWn&PbU1Vz9EVgH64UAug40Hyotwl=msqXjWH2aGiWBQ0h9RV4b&RYXWff9l=iPqNQX86uzB34LJ2jQQocbr | unknown | unknown

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
(Fields not captured for a row are shown as "-".)

- | - | 239.255.255.250:1900 | - | - | - | unknown
2392 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2916 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2392 | svchost.exe | 2.16.164.82:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 2.16.164.82:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
2916 | RUXIMICS.exe | 2.16.164.82:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
5140 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
2392 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 2.16.164.82
  • 2.16.164.96
  • 2.16.164.81
  • 2.16.164.48
  • 2.16.164.97
  • 2.16.164.67
  • 2.16.164.83
  • 2.16.164.88
  • 2.16.164.43
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
a0949311.xsph.ru
  • 141.8.192.82
unknown
self.events.data.microsoft.com
  • 20.189.173.26
whitelisted

Threats

Columns: PID | Process | Class | Message
(Fields not captured for a row are shown as "-".)

2184 | svchost.exe | Misc activity | ET INFO Observed DNS Query to xsph .ru Domain
7260 | dasHost.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
7260 | dasHost.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal HTTP GET Request
7260 | dasHost.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal HTTP GET Request
7724 | dasHost.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
5656 | dasHost.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
- | - | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
- | - | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
- | - | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)
- | - | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET)