File name: MinecraftFpsMod.exe

Full analysis: https://app.any.run/tasks/b3fc1edf-c062-4125-b76c-93a963f4711f
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: September 12, 2024, 13:36:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dyndns
dcrat
rat
remote
darkcrystal
netreactor
wmi-base64
susp-powershell
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 73D7E637CD16F1F807930FA6442436DF
SHA1: 26C13B2C29065485CE1858D85D9DC792C06ED052
SHA256: CD0F7FB1020A931C98C7C258241F06292CB9B7CAB8E9ACDB4010F4D56F076EF6
SSDEEP: 98304:ar7ayGJ6kHOScyi35C6FCsVe+u3HzdT3RV4nGPU1lnlakMbayrnk+WEMaI8aInoS:tJXHL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • MinecraftFpsMod.exe (PID: 5712)
      • Bridgesurrogate.exe (PID: 2384)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 5544)
    • DcRAT is detected

      • Bridgesurrogate.exe (PID: 2384)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
      • dasHost.exe (PID: 6780)
    • Connects to the CnC server

      • Synaptics.exe (PID: 7096)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
      • dasHost.exe (PID: 6780)
    • DARKCRYSTAL has been detected (SURICATA)

      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
      • dasHost.exe (PID: 6780)
    • DCRAT has been detected (YARA)

      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 6780)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • MinecraftFpsMod.exe (PID: 5712)
      • ._cache_MinecraftFpsMod.exe (PID: 4252)
      • Synaptics.exe (PID: 7096)
      • Bridgesurrogate.exe (PID: 2384)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
    • Executable content was dropped or overwritten

      • MinecraftFpsMod.exe (PID: 5712)
      • ._cache_MinecraftFpsMod.exe (PID: 4252)
      • Bridgesurrogate.exe (PID: 2384)
      • csc.exe (PID: 6288)
      • csc.exe (PID: 6192)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
      • dasHost.exe (PID: 6780)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 5544)
      • Bridgesurrogate.exe (PID: 2384)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
    • Starts CMD.EXE for command execution

      • wscript.exe (PID: 5544)
      • Bridgesurrogate.exe (PID: 2384)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 5544)
    • Executed via WMI

      • schtasks.exe (PID: 4284)
      • schtasks.exe (PID: 488)
      • schtasks.exe (PID: 6808)
      • schtasks.exe (PID: 7024)
      • schtasks.exe (PID: 4060)
      • schtasks.exe (PID: 6368)
      • schtasks.exe (PID: 1044)
      • schtasks.exe (PID: 6980)
      • schtasks.exe (PID: 5464)
      • schtasks.exe (PID: 2460)
      • schtasks.exe (PID: 4668)
      • schtasks.exe (PID: 4092)
      • schtasks.exe (PID: 5044)
      • schtasks.exe (PID: 6544)
      • schtasks.exe (PID: 1292)
      • schtasks.exe (PID: 6480)
      • schtasks.exe (PID: 2724)
      • schtasks.exe (PID: 6768)
    • The process creates files with name similar to system file names

      • Bridgesurrogate.exe (PID: 2384)
    • Process drops a legitimate Windows executable

      • Bridgesurrogate.exe (PID: 2384)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 1044)
      • schtasks.exe (PID: 6980)
      • schtasks.exe (PID: 2724)
    • Reads the date of Windows installation

      • Bridgesurrogate.exe (PID: 2384)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
    • Starts application with an unusual extension

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 3160)
      • cmd.exe (PID: 4252)
      • cmd.exe (PID: 6260)
    • Probably delays execution using 'w32tm.exe'

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 4252)
      • cmd.exe (PID: 6260)
    • There is functionality for communication over UDP network (YARA)

      • Synaptics.exe (PID: 7096)
    • There is functionality for taking screenshot (YARA)

      • Synaptics.exe (PID: 7096)
    • There is functionality for communication with a DynDNS network (YARA)

      • Synaptics.exe (PID: 7096)
    • Contacting a server suspected of hosting a CnC

      • Synaptics.exe (PID: 7096)
    • Runs PING.EXE to delay execution

      • cmd.exe (PID: 3160)
    • Checks Windows Trust Settings

      • Synaptics.exe (PID: 7096)
  • INFO

    • Reads the computer name

      • MinecraftFpsMod.exe (PID: 5712)
      • ._cache_MinecraftFpsMod.exe (PID: 4252)
      • Synaptics.exe (PID: 7096)
      • Bridgesurrogate.exe (PID: 2384)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
      • dasHost.exe (PID: 6780)
    • Checks supported languages

      • MinecraftFpsMod.exe (PID: 5712)
      • ._cache_MinecraftFpsMod.exe (PID: 4252)
      • Synaptics.exe (PID: 7096)
      • Bridgesurrogate.exe (PID: 2384)
      • cvtres.exe (PID: 5484)
      • cvtres.exe (PID: 4824)
      • csc.exe (PID: 6288)
      • csc.exe (PID: 6192)
      • dasHost.exe (PID: 6696)
      • chcp.com (PID: 5264)
      • chcp.com (PID: 3332)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
      • chcp.com (PID: 7000)
      • dasHost.exe (PID: 6780)
      • chcp.com (PID: 5980)
    • Creates files in a temporary directory

      • MinecraftFpsMod.exe (PID: 5712)
      • cvtres.exe (PID: 4824)
      • Bridgesurrogate.exe (PID: 2384)
      • cvtres.exe (PID: 5484)
      • dasHost.exe (PID: 6696)
      • Synaptics.exe (PID: 7096)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
    • The process uses the downloaded file

      • MinecraftFpsMod.exe (PID: 5712)
      • ._cache_MinecraftFpsMod.exe (PID: 4252)
      • wscript.exe (PID: 5544)
      • Bridgesurrogate.exe (PID: 2384)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
    • Process checks computer location settings

      • MinecraftFpsMod.exe (PID: 5712)
      • ._cache_MinecraftFpsMod.exe (PID: 4252)
      • Bridgesurrogate.exe (PID: 2384)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
    • Creates files in the program directory

      • MinecraftFpsMod.exe (PID: 5712)
      • Synaptics.exe (PID: 7096)
      • csc.exe (PID: 6288)
    • Checks proxy server information

      • Synaptics.exe (PID: 7096)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
      • dasHost.exe (PID: 6780)
    • Reads the machine GUID from the registry

      • Bridgesurrogate.exe (PID: 2384)
      • csc.exe (PID: 6192)
      • csc.exe (PID: 6288)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • Synaptics.exe (PID: 7096)
      • dasHost.exe (PID: 4540)
      • dasHost.exe (PID: 6780)
    • Reads Environment values

      • Bridgesurrogate.exe (PID: 2384)
      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
      • dasHost.exe (PID: 6780)
    • Creates files or folders in the user directory

      • csc.exe (PID: 6192)
      • Synaptics.exe (PID: 7096)
    • Changes the display of characters in the console

      • cmd.exe (PID: 4540)
      • cmd.exe (PID: 3160)
      • cmd.exe (PID: 4252)
      • cmd.exe (PID: 6260)
    • Disables trace logs

      • dasHost.exe (PID: 6696)
      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 4540)
      • dasHost.exe (PID: 6780)
    • .NET Reactor protector has been detected

      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 6780)
    • Found Base64 encoded reference to WMI classes (YARA)

      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 6780)
    • Found Base64 encoded access to Windows Defender via PowerShell (YARA)

      • dasHost.exe (PID: 4680)
      • dasHost.exe (PID: 6780)
    • Reads the software policy settings

      • Synaptics.exe (PID: 7096)
      • slui.exe (PID: 1076)

DcRat

Process: (4680) dasHost.exe
C2 (1): http://noburo.top/phpJavascriptSecurecpuupdateFlowerAsyncUniversaltrack
Options
Plugins (2): two base64-encoded PE payloads (omitted here)
Process: (6780) dasHost.exe
C2 (1): http://noburo.top/phpJavascriptSecurecpuupdateFlowerAsyncUniversaltrack
Options
Plugins (2): two base64-encoded PE payloads (omitted here)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (90.7)
.exe | InstallShield setup (5.8)
.exe | Win32 Executable Delphi generic (1.9)
.exe | Win32 Executable (generic) (0.6)
.exe | Win16/32 Executable Delphi generic (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 629760
InitializedDataSize: 6340096
UninitializedDataSize: -
EntryPoint: 0x9ab80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: 易语言程序
ProductName: 易语言程序
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
No data.
All screenshots are available in the full report
Total processes: 179
Monitored processes: 55
Malicious processes: 12
Suspicious processes: 1

Behavior graph

start minecraftfpsmod.exe ._cache_minecraftfpsmod.exe wscript.exe no specs THREAT synaptics.exe cmd.exe no specs conhost.exe no specs #DCRAT bridgesurrogate.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs csc.exe conhost.exe no specs cvtres.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs w32tm.exe no specs #DCRAT dashost.exe svchost.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs sppextcomobj.exe no specs slui.exe #DCRAT dashost.exe cmd.exe no specs conhost.exe no specs chcp.com no specs w32tm.exe no specs #DCRAT dashost.exe cmd.exe no specs conhost.exe no specs chcp.com no specs w32tm.exe no specs #DCRAT dashost.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 488
CMD: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\dllhost.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1044
CMD: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1076
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1292
CMD: schtasks.exe /create /tn "BridgesurrogateB" /sc MINUTE /mo 9 /tr "'C:\MsAgentBrowserdhcp\Bridgesurrogate.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1776
CMD: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Path: C:\Windows\System32\w32tm.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Time Service Diagnostic Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\advapi32.dll
PID: 2228
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2256
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2384
CMD: "C:\MsAgentBrowserdhcp/Bridgesurrogate.exe"
Path: C:\MsAgentBrowserdhcp\Bridgesurrogate.exe
Parent process: cmd.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.2.7.1277
Modules (Images):
c:\msagentbrowserdhcp\bridgesurrogate.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2460
CMD: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MsAgentBrowserdhcp\spoolsv.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2580
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 12 571
Read events: 12 540
Write events: 31
Delete events: 0

Modification events

Process: (5712) MinecraftFpsMod.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

Process: (5712) MinecraftFpsMod.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: ?????
Value: C:\ProgramData\Synaptics\Synaptics.exe

Process: (5712) MinecraftFpsMod.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A7803901000010901EF8A46ECE11A7FF00AA003CA9F6AC000000

Process: (5712) MinecraftFpsMod.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 72EEE26600000000

Process: (4252) ._cache_MinecraftFpsMod.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

Process: (2384) Bridgesurrogate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\b0655bbd0c4c61bc2ceb54a836ca6af98732ab8c
Operation: write
Name: 6c301ebcb941da1736bd7aea0f488b660b21fbce
Value: H4sIAAAAAAAEAIXOsQ7CMAwE0H/pjPgANtqlA0gsnTBD2lipJYMrX1r4/EZMLCjr3dPp7k13IrrinPiVW7c32OM8LURRdTbkI3+4OfxVA6xTKemPG0oLots6qkxEFxk9uHCJ8AQqg1jMFFtFxYC+fq51iYmxulsKmb/6sQP2lNZU8gAAAA==

Process: (2384) Bridgesurrogate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: dllhost
Value: "C:\MsAgentBrowserdhcp\dllhost.exe"

Process: (2384) Bridgesurrogate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: UsoClient
Value: "C:\MsAgentBrowserdhcp\UsoClient.exe"

Process: (2384) Bridgesurrogate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: smss
Value: "C:\Users\Public\Libraries\smss.exe"

Process: (2384) Bridgesurrogate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: spoolsv
Value: "C:\MsAgentBrowserdhcp\spoolsv.exe"
Executable files: 34
Suspicious files: 8
Text files: 22
Unknown types: 5

Dropped files

PID | Process | Filename | Type
5712 | MinecraftFpsMod.exe | C:\ProgramData\Synaptics\RCXBBC6.tmp | executable
MD5: 72582E1152710DD8FD17C22FC6117094
SHA256: 7FC7A9EF9FFFF42C18143F3C8F02BB3C7980708E08439B1ED5269B1125BDD8A0
4252 | ._cache_MinecraftFpsMod.exe | C:\MsAgentBrowserdhcp\6tdiKxJ4vs339LB2ENkEUF6gwXbV.bat | text
MD5: F0817915454C14A131A03BB1E970A3D9
SHA256: 9983F72CA78BEE90D64610D7BD9BCE46C075674F22307494AD40982FF760978D
5712 | MinecraftFpsMod.exe | C:\ProgramData\Synaptics\Synaptics.exe | executable
MD5: 73D7E637CD16F1F807930FA6442436DF
SHA256: CD0F7FB1020A931C98C7C258241F06292CB9B7CAB8E9ACDB4010F4D56F076EF6
4252 | ._cache_MinecraftFpsMod.exe | C:\MsAgentBrowserdhcp\Bridgesurrogate.exe | executable
MD5: D5EB73597ED0A278E1A993EE15C5CDB1
SHA256: B6B9517B7429AFEA6D33AE62A1CFF9CE8290B160F9F5544B1D9DD3AB0F620404
4252 | ._cache_MinecraftFpsMod.exe | C:\MsAgentBrowserdhcp\RJohyDXhI3BukXB8LZtFph4xzxsRiCFy2OHMYmU5wvokqlpzCh.vbe | vbe
MD5: E6AA5A9A61E5A14929496CC623751FCB
SHA256: 4518EAB1E079194970BEE0B64F0DC5151E2208A48A94672E9A98FBE046E6A7D9
2384 | Bridgesurrogate.exe | C:\MsAgentBrowserdhcp\spoolsv.exe | executable
MD5: D5EB73597ED0A278E1A993EE15C5CDB1
SHA256: B6B9517B7429AFEA6D33AE62A1CFF9CE8290B160F9F5544B1D9DD3AB0F620404
2384 | Bridgesurrogate.exe | C:\Users\admin\Desktop\ClozIQZe.log | executable
MD5: D8BF2A0481C0A17A634D066A711C12E9
SHA256: 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
2384 | Bridgesurrogate.exe | C:\Users\admin\Desktop\FsmIeiTa.log | executable
MD5: 0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA256: DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
2384 | Bridgesurrogate.exe | C:\MsAgentBrowserdhcp\dbfa0bd15ad253 | text
MD5: 7D414EB7413A2281011F49FFCE51CBA1
SHA256: A1798561378B53BD88DF19823A93B1980F62E9A2C3037C7F8AA98EA6C82B20D2
2384 | Bridgesurrogate.exe | C:\Users\Public\Libraries\smss.exe | executable
MD5: D5EB73597ED0A278E1A993EE15C5CDB1
SHA256: B6B9517B7429AFEA6D33AE62A1CFF9CE8290B160F9F5544B1D9DD3AB0F620404
HTTP(S) requests: 13
TCP/UDP connections: 40
DNS requests: 24
Threats: 15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6780
dasHost.exe
POST
404
80.211.144.156:80
http://noburo.top/phpJavascriptSecurecpuupdateFlowerAsyncUniversaltrack.php
unknown
unknown
7096
Synaptics.exe
GET
200
69.42.215.252:80
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
unknown
whitelisted
1356
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2024
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2476
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6696
dasHost.exe
POST
404
80.211.144.156:80
http://noburo.top/phpJavascriptSecurecpuupdateFlowerAsyncUniversaltrack.php
unknown
unknown
2476
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4680
dasHost.exe
POST
404
80.211.144.156:80
http://noburo.top/phpJavascriptSecurecpuupdateFlowerAsyncUniversaltrack.php
unknown
unknown
7096
Synaptics.exe
GET
200
172.217.16.131:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
7096
Synaptics.exe
GET
200
142.250.186.67:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1356
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1084
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1356
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7096
Synaptics.exe
69.42.215.252:80
freedns.afraid.org
AWKNET
US
whitelisted
1356
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2256
svchost.exe
224.0.0.251:5353
unknown
4
System
192.168.100.255:137
whitelisted
2256
svchost.exe
224.0.0.252:5355
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.142
whitelisted
xred.mooo.com
whitelisted
freedns.afraid.org
  • 69.42.215.252
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 184.30.21.171
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
login.live.com
  • 40.126.32.138
  • 20.190.160.14
  • 40.126.32.76
  • 20.190.160.17
  • 40.126.32.136
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.72
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
noburo.top
  • 80.211.144.156
unknown
slscr.update.microsoft.com
  • 52.165.165.26
whitelisted

Threats

PID | Process | Class | Message
2256 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
6696 | dasHost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
6696 | dasHost.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
6696 | dasHost.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4680 | dasHost.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4680 | dasHost.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4540 | dasHost.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
4540 | dasHost.exe | A Network Trojan was detected | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4540 | dasHost.exe | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
3 ETPRO signatures available at the full report
No debug info