File name:

gamingservices.exe

Full analysis: https://app.any.run/tasks/f62fc867-f7c4-4e86-8ec6-6aa01e55f311
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: December 16, 2024, 10:28:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dcrat
rat
netreactor
wmi-base64
remote
darkcrystal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

7E1CBD229AE163375FC55065690E27B4

SHA1:

F1CECAFDE4F843B03F3DEFFFCAC7FD6950B582A6

SHA256:

4A3E0402F692A391300BB5DD374086E2AE642725918FCE5A703D686899024559

SSDEEP:

49152:0nhHVIIsZdPaELCWQdurwOYAfj7QfDGIrvtnSUJq/qCpfrZgdMQHjRX2Jn7hDh71:+hcLCWQduYAffQasS+BotgeQHjt25phR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DcRAT is detected

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)
      • SystemSettings.exe (PID: 4188)

    • DCRAT has been detected (YARA)

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)

    • Connects to the CnC server

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4188)
      • SystemSettings.exe (PID: 4420)

    • DARKCRYSTAL has been detected (SURICATA)

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)
      • SystemSettings.exe (PID: 4188)

  • SUSPICIOUS

    • Executed via WMI

      • schtasks.exe (PID: 3988)
      • schtasks.exe (PID: 5788)
      • schtasks.exe (PID: 4052)
      • schtasks.exe (PID: 4144)
      • schtasks.exe (PID: 2672)
      • schtasks.exe (PID: 4520)
      • schtasks.exe (PID: 3820)
      • schtasks.exe (PID: 1344)
      • schtasks.exe (PID: 5920)
      • schtasks.exe (PID: 4652)
      • schtasks.exe (PID: 2216)
      • schtasks.exe (PID: 2164)
      • schtasks.exe (PID: 4592)
      • schtasks.exe (PID: 3700)
      • schtasks.exe (PID: 5888)
      • schtasks.exe (PID: 1620)
      • schtasks.exe (PID: 2380)
      • schtasks.exe (PID: 4980)

    • Executable content was dropped or overwritten

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)
      • SystemSettings.exe (PID: 4188)

    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 4652)
      • schtasks.exe (PID: 4592)
      • schtasks.exe (PID: 2164)

    • Executing commands from a ".bat" file

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)

    • Reads security settings of Internet Explorer

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)

    • Reads the date of Windows installation

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)

    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 2672)
      • cmd.exe (PID: 3928)
      • cmd.exe (PID: 5080)

    • Starts application with an unusual extension

      • cmd.exe (PID: 2672)
      • cmd.exe (PID: 936)
      • cmd.exe (PID: 3928)
      • cmd.exe (PID: 5080)
      • cmd.exe (PID: 1064)

    • Starts CMD.EXE for commands execution

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 936)
      • cmd.exe (PID: 1064)

  • INFO

    • Creates files or folders in the user directory

      • gamingservices.exe (PID: 5880)

    • Creates files in the program directory

      • gamingservices.exe (PID: 5880)

    • Reads the computer name

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 4420)
      • SystemSettings.exe (PID: 1856)

    • Checks supported languages

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 836)
      • chcp.com (PID: 2496)
      • chcp.com (PID: 5208)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • chcp.com (PID: 2744)
      • SystemSettings.exe (PID: 4420)
      • chcp.com (PID: 5236)
      • SystemSettings.exe (PID: 4188)

    • Reads Environment values

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)

    • Reads the machine GUID from the registry

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)
      • SystemSettings.exe (PID: 4188)

    • Create files in a temporary directory

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)

    • Checks proxy server information

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4420)

    • .NET Reactor protector has been detected

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)

    • Found Base64 encoded reference to WMI classes (YARA)

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)

    • Changes the display of characters in the console

      • cmd.exe (PID: 2672)
      • cmd.exe (PID: 936)
      • cmd.exe (PID: 3928)
      • cmd.exe (PID: 5080)
      • cmd.exe (PID: 1064)

    • The process uses the downloaded file

      • gamingservices.exe (PID: 5880)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)

    • Disables trace logs

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
      • SystemSettings.exe (PID: 4420)

    • Process checks computer location settings

      • SystemSettings.exe (PID: 836)
      • SystemSettings.exe (PID: 4952)
      • SystemSettings.exe (PID: 1856)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe | Win64 Executable (generic) (21.3)
.scr | Windows screen saver (10.1)
.dll | Win32 Dynamic Link Library (generic) (5)
.exe | Win32 Executable (generic) (3.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:12 20:39:29+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 1880064
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x1ccece
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.7.1277
ProductVersionNumber: 1.2.7.1277
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: -
FileDescription: -
FileVersion: 1.2.7.1277
InternalName: SpotifyStartupTask
LegalCopyright: Copyright (c) 2023, Spotify Ltd
OriginalFileName: SpotifyStartupTask.exe
ProductName: -
ProductVersion: 1.2.7.1277
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
161
Monitored processes
45
Malicious processes
10
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #DCRAT gamingservices.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs w32tm.exe no specs #DCRAT systemsettings.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs #DCRAT systemsettings.exe cmd.exe no specs conhost.exe no specs chcp.com no specs w32tm.exe no specs #DCRAT systemsettings.exe cmd.exe no specs conhost.exe no specs chcp.com no specs w32tm.exe no specs #DCRAT systemsettings.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs #DCRAT systemsettings.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
308\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
768w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 C:\Windows\System32\w32tm.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Time Service Diagnostic Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
836"C:\Users\All Users\SystemSettings.exe" C:\ProgramData\SystemSettings.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\programdata\systemsettings.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
936C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\QtbRvp1Luy.bat" "C:\Windows\System32\cmd.exeSystemSettings.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
1064C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\rxsaiZFWJV.bat" "C:\Windows\System32\cmd.exeSystemSettings.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
1344schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Documents\dwm.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1596w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 C:\Windows\System32\w32tm.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Time Service Diagnostic Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\w32tm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
1620schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\ApplicationFrameHost.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1856"C:\Users\All Users\SystemSettings.exe" C:\ProgramData\SystemSettings.exe
cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\programdata\systemsettings.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2164schtasks.exe /create /tn "SystemSettingsS" /sc MINUTE /mo 11 /tr "'C:\Users\Public\SystemSettings.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
9 928
Read events
9 927
Write events
1
Delete events
0

Modification events

(PID) Process:(5880) gamingservices.exeKey:HKEY_CURRENT_USER\SOFTWARE\666d515c947e33fc2a0cd2f5d3765fadfd5063e9
Operation:writeName:eb9647df1c0248051947eebe2bc18e2a4e9612b4
Value:
H4sIAAAAAAAEAIWPzQoCMQyEX2XZs/gA3sQiXhRh8WQ81G5cik1bmtSft7fiHgqreBvCzHyTY7taABwYEwMsnWtG2T1ZkDoUsX7gOT6wndVW3ZP1JRGjs0aLDb5RWjTANvMuiL2M12mygqhgMqGXIvs7Ta37fC7t/8d8r6y2rZMm3ASWn48o5KuECDBoekMw3azBD+v0Anvl+1UlAQAA
Executable files
23
Suspicious files
0
Text files
16
Unknown types
0

Dropped files

PID
Process
Filename
Type
5880gamingservices.exeC:\Users\Public\Documents\6dd19aba3e2428text
MD5:7607BE81A89BF4C54E6C5526C88014FB
SHA256:562D9F387867D500BA86264A7A39EAD4B6D63A46BF251F5EE129C93DF3833D08
5880gamingservices.exeC:\Users\admin\Desktop\ZtWfVdqw.logexecutable
MD5:E9CE850DB4350471A62CC24ACB83E859
SHA256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
836SystemSettings.exeC:\Users\admin\AppData\Local\Temp\fvCdeMEktztext
MD5:B5A780A14ACC42B2F6CDA95615CA5386
SHA256:9BFCEC1941B3B4DF48669C5788F33F3F620BB034181F4E832446D3B109301D95
5880gamingservices.exeC:\Users\Public\Documents\6cb0b6c459d5d3text
MD5:45354687340387F99A9D5474ECEA6F21
SHA256:86ED293BEB3970DE1ADDB34DF58ED290859B25A49A277196C0B5C001FD4E49F6
5880gamingservices.exeC:\Users\admin\Desktop\QPOpljaP.logexecutable
MD5:F4B38D0F95B7E844DD288B441EBC9AAF
SHA256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
5880gamingservices.exeC:\Users\Public\SystemSettings.exeexecutable
MD5:7E1CBD229AE163375FC55065690E27B4
SHA256:4A3E0402F692A391300BB5DD374086E2AE642725918FCE5A703D686899024559
5880gamingservices.exeC:\Users\admin\Desktop\46700999cfac38text
MD5:0ABCA04F3C28D2D3D49D70A5CF3F5824
SHA256:EA0DFB133D2F89A61271E4159347A4DBBBF58886B7653BEF9DCDCE79154B66F4
5880gamingservices.exeC:\Users\Public\Documents\ApplicationFrameHost.exeexecutable
MD5:7E1CBD229AE163375FC55065690E27B4
SHA256:4A3E0402F692A391300BB5DD374086E2AE642725918FCE5A703D686899024559
5880gamingservices.exeC:\Users\Public\9e60a5f7a3bd80text
MD5:051943A760F9E8D3A0FF3DCE7B7D5EC3
SHA256:4B04C15B3FF5AF2A970A86EB66068115C1DB2A859A5E7DE8382864968AFE339D
5880gamingservices.exeC:\Users\admin\AppData\Local\Temp\Y1jXhEzCKE.battext
MD5:86309533A4A6F2122F55101E9993E3B8
SHA256:3EF382F6D3F788676A37B7E0AC2ED36ED6E4A9C19D0D7A25F625D3F2DADA6579
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
27
DNS requests
8
Threats
10

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5004
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
836
SystemSettings.exe
POST
37.44.238.250:80
http://bobaprog.ru/cpuserversqlTrafficUniversalUploads.php
unknown
malicious
4952
SystemSettings.exe
POST
37.44.238.250:80
http://bobaprog.ru/cpuserversqlTrafficUniversalUploads.php
unknown
malicious
1856
SystemSettings.exe
POST
37.44.238.250:80
http://bobaprog.ru/cpuserversqlTrafficUniversalUploads.php
unknown
malicious
4420
SystemSettings.exe
POST
37.44.238.250:80
http://bobaprog.ru/cpuserversqlTrafficUniversalUploads.php
unknown
malicious
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5004
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.186:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
5004
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5004
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5004
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.186
  • 104.126.37.179
  • 104.126.37.128
  • 104.126.37.123
  • 104.126.37.130
  • 104.126.37.178
  • 104.126.37.185
  • 104.126.37.136
  • 104.126.37.184
whitelisted
google.com
  • 216.58.212.174
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
bobaprog.ru
  • 37.44.238.250
malicious
self.events.data.microsoft.com
  • 13.89.178.26
whitelisted

Threats

PID
Process
Class
Message
836
SystemSettings.exe
A Network Trojan was detected
REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
836
SystemSettings.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4952
SystemSettings.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4952
SystemSettings.exe
A Network Trojan was detected
REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
1856
SystemSettings.exe
A Network Trojan was detected
REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
1856
SystemSettings.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4420
SystemSettings.exe
A Network Trojan was detected
REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4420
SystemSettings.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4188
SystemSettings.exe
A Network Trojan was detected
REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
4188
SystemSettings.exe
A Network Trojan was detected
ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
gamingservices.exe