| File name: | 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573 |
| Full analysis: | https://app.any.run/tasks/4ce2a37f-54cc-41f5-9dd4-a6f97818c94e |
| Verdict: | Malicious activity |
| Threats: | DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. |
| Analysis date: | March 24, 2025, 14:18:52 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | C4C3DDA932F1F288A7091EB1B6BFCC8F |
| SHA1: | 63216A8FC66477860834A280B812B170863AF11A |
| SHA256: | 59435C6B2D1BD3DFD8DAF2FEAE93CDCBA6F1E3BBEBE2A6012FE9E82671279573 |
| SSDEEP: | 49152:grQWHnXFjHOXEw41C774M0rF1elS5IyVgZug9gmQB2P9nTNeL9ebM6iFKiHRB/Qt:qHIUw4CL0rLeKVUrYB2P9nRqebfiFFBM |
MALICIOUS
Uses sleep, probably for evasion detection (SCRIPT)
- wscript.exe (PID: 7652)
DCRAT mutex has been found
- WebRuntimeDll.exe (PID: 7940)
- WebRuntimeDll.exe (PID: 5332)
- spoolsv.exe (PID: 7452)
DCRAT has been detected (YARA)
- WebRuntimeDll.exe (PID: 7940)
- spoolsv.exe (PID: 7452)
DARKCRYSTAL has been detected (SURICATA)
- spoolsv.exe (PID: 7452)
Actions looks like stealing of personal data
- spoolsv.exe (PID: 7452)
SUSPICIOUS
Executable content was dropped or overwritten
- 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe (PID: 7508)
- Snace.exe (PID: 7564)
- WebRuntimeDll.exe (PID: 7940)
- WebRuntimeDll.exe (PID: 5332)
Reads the date of Windows installation
- 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe (PID: 7508)
- WebRuntimeDll.exe (PID: 5332)
Reads security settings of Internet Explorer
- 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe (PID: 7508)
- Snace.exe (PID: 7564)
Runs shell command (SCRIPT)
- wscript.exe (PID: 7652)
Starts CMD.EXE for commands execution
- wscript.exe (PID: 7652)
- WebRuntimeDll.exe (PID: 5332)
Executed via WMI
- schtasks.exe (PID: 8136)
- schtasks.exe (PID: 8108)
- schtasks.exe (PID: 8164)
- schtasks.exe (PID: 8184)
- schtasks.exe (PID: 7188)
- schtasks.exe (PID: 8084)
- schtasks.exe (PID: 7452)
- schtasks.exe (PID: 7292)
- schtasks.exe (PID: 7304)
- schtasks.exe (PID: 5048)
- schtasks.exe (PID: 7180)
- schtasks.exe (PID: 7184)
- schtasks.exe (PID: 7564)
- schtasks.exe (PID: 3884)
- schtasks.exe (PID: 7496)
- schtasks.exe (PID: 7540)
- schtasks.exe (PID: 1128)
- schtasks.exe (PID: 2772)
- schtasks.exe (PID: 3008)
- schtasks.exe (PID: 7780)
- schtasks.exe (PID: 6824)
- schtasks.exe (PID: 7788)
- schtasks.exe (PID: 7820)
- schtasks.exe (PID: 8008)
- schtasks.exe (PID: 7656)
- schtasks.exe (PID: 8096)
- schtasks.exe (PID: 8112)
- schtasks.exe (PID: 7208)
- schtasks.exe (PID: 8136)
- schtasks.exe (PID: 8168)
- schtasks.exe (PID: 7172)
- schtasks.exe (PID: 1012)
- schtasks.exe (PID: 2984)
- schtasks.exe (PID: 7752)
- schtasks.exe (PID: 5680)
- schtasks.exe (PID: 1168)
The process creates files with name similar to system file names
- WebRuntimeDll.exe (PID: 7940)
- WebRuntimeDll.exe (PID: 5332)
There is functionality for taking screenshot (YARA)
- WebRuntimeDll.exe (PID: 7940)
- spoolsv.exe (PID: 7452)
Executing commands from a ".bat" file
- wscript.exe (PID: 7652)
- WebRuntimeDll.exe (PID: 5332)
Application launched itself
- WebRuntimeDll.exe (PID: 7940)
Likely accesses (executes) a file from the Public directory
- schtasks.exe (PID: 7172)
- schtasks.exe (PID: 1168)
- schtasks.exe (PID: 5680)
- OpenWith.exe (PID: 5528)
- OpenWith.exe (PID: 660)
- spoolsv.exe (PID: 7452)
Probably delay the execution using 'w32tm.exe'
- cmd.exe (PID: 3268)
INFO
Reads the computer name
- 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe (PID: 7508)
- Snace.exe (PID: 7564)
- Змейка by ДК and AS.exe (PID: 7576)
- WebRuntimeDll.exe (PID: 7940)
Reads the machine GUID from the registry
- 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe (PID: 7508)
Creates files or folders in the user directory
- 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe (PID: 7508)
Process checks computer location settings
- 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe (PID: 7508)
- Snace.exe (PID: 7564)
- WebRuntimeDll.exe (PID: 5332)
Checks supported languages
- 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe (PID: 7508)
- Змейка by ДК and AS.exe (PID: 7576)
- Snace.exe (PID: 7564)
- WebRuntimeDll.exe (PID: 7940)
- WebRuntimeDll.exe (PID: 5332)
Create files in a temporary directory
- Змейка by ДК and AS.exe (PID: 7576)
Drops encrypted VBS script (Microsoft Script Encoder)
- Snace.exe (PID: 7564)
Failed to create an executable file in Windows directory
- WebRuntimeDll.exe (PID: 7940)
- WebRuntimeDll.exe (PID: 5332)
Reads Environment values
- WebRuntimeDll.exe (PID: 7940)
Manual execution by a user
- OpenWith.exe (PID: 6028)
- OpenWith.exe (PID: 728)
- OpenWith.exe (PID: 1388)
- OpenWith.exe (PID: 7876)
- OpenWith.exe (PID: 7828)
- OpenWith.exe (PID: 5528)
- OpenWith.exe (PID: 2908)
- OpenWith.exe (PID: 7148)
- OpenWith.exe (PID: 1052)
- OpenWith.exe (PID: 1532)
- OpenWith.exe (PID: 7384)
- OpenWith.exe (PID: 660)
Reads Microsoft Office registry keys
- OpenWith.exe (PID: 728)
- OpenWith.exe (PID: 1388)
- OpenWith.exe (PID: 5528)
- OpenWith.exe (PID: 1052)
.NET Reactor protector has been detected
- WebRuntimeDll.exe (PID: 7940)
- spoolsv.exe (PID: 7452)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
DcRat
(PID) Process(7940) WebRuntimeDll.exe
C2 (1)http://cr32765.tw1.ru/L1nc0In
Options
MutexDCR_MUTEX-q9yj4DVsde0H033B3hFm
searchpath%UsersFolder% - Fast
Targetals
(PID) Process(7452) spoolsv.exe
C2 (1)http://cr32765.tw1.ru/L1nc0In
Options
MutexDCR_MUTEX-q9yj4DVsde0H033B3hFm
searchpath%UsersFolder% - Fast
Targetals
C2 (1)http://cr32765.tw1.ru/L1nc0In
Options
MutexDCR_MUTEX-q9yj4DVsde0H033B3hFm
Debugfalse
ServerConfigReplacementTable
0`
1@
6%
9,
I(
i<
R>
M;
d&
n$
z)
e^
C.
S|
E*
u_
c!
s#
h-
L~
k
PluginConfigReplacementTable
0|
6!
i%
c-
b.
M
D,
S`
I&
Q*
x$
X)
j>
w(
y@
l~
e<
=;
p^
f_
GetWebcamsfalse
SleepTimeout5
InactivityTimeout2
CacheStorageRegistry
AutoRunSmart
StealerConfig
searchpath%UsersFolder% - Fast
StealerEnabledfalse
StealerOptionsfalse
SelfDeletefalse
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (63.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:03:24 11:56:46+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 11 |
| CodeSize: | 1387520 |
| InitializedDataSize: | 10240 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1549fe |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| FileDescription: | |
| FileVersion: | 1.0.0.0 |
| InternalName: | Змейка by ДК and AS.exe |
| LegalCopyright: | |
| OriginalFileName: | Змейка by ДК and AS.exe |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
189
Monitored processes
62
Malicious processes
8
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 660 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\Public\Downloads\spoolsv.exe' | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 720 | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 | C:\Windows\System32\w32tm.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Time Service Diagnostic Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 728 | "C:\WINDOWS\System32\OpenWith.exe" C:\reviewWinrefperfsvc\dllhost.exe' | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1012 | schtasks.exe /create /tn "uhssvc" /sc ONLOGON /tr "'C:\Users\admin\Searches\uhssvc.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1052 | "C:\WINDOWS\System32\OpenWith.exe" C:\Windows\tracing\WebRuntimeDll.exe' | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1128 | schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\reviewWinrefperfsvc\sppsvc.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1168 | schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Downloads\spoolsv.exe'" /rl HIGHEST /f | C:\Windows\System32\schtasks.exe | — | WmiPrvSE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1188 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1388 | "C:\WINDOWS\System32\OpenWith.exe" C:\Users\admin\Desktop\Idle.exe' | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1532 | "C:\WINDOWS\System32\OpenWith.exe" "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\StartMenuExperienceHost.exe'" | C:\Windows\System32\OpenWith.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Pick an app Exit code: 2147943623 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
14 915
Read events
14 897
Write events
18
Delete events
0
Modification events
| (PID) Process: | (7564) Snace.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids |
| Operation: | write | Name: | VBEFile |
Value: | |||
| (PID) Process: | (7940) WebRuntimeDll.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\5ca7693a118a386b6973b9ae6005c9f96cd27b75 |
| Operation: | write | Name: | 31b8ceb16151eb745902675e6a1b0f7d643699e4 |
Value: WyJDOlxccmV2aWV3V2lucmVmcGVyZnN2Y1xcV2ViUnVudGltZURsbC5leGUiLCJDOlxccmV2aWV3V2lucmVmcGVyZnN2Y1xcc3Bwc3ZjLmV4ZSIsIkM6XFxyZXZpZXdXaW5yZWZwZXJmc3ZjXFxkbGxob3N0LmV4ZSIsIkM6XFxVc2Vyc1xcYWRtaW5cXERlc2t0b3BcXElkbGUuZXhlIiwiQzpcXHJldmlld1dpbnJlZnBlcmZzdmNcXFNwcEV4dENvbU9iai5leGUiLCJDOlxccmV2aWV3V2lucmVmcGVyZnN2Y1xcY29uaG9zdC5leGUiXQ== | |||
| (PID) Process: | (5332) WebRuntimeDll.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\5ca7693a118a386b6973b9ae6005c9f96cd27b75 |
| Operation: | write | Name: | 31b8ceb16151eb745902675e6a1b0f7d643699e4 |
Value: WyJDOlxccmV2aWV3V2lucmVmcGVyZnN2Y1xcV2ViUnVudGltZURsbC5leGUiLCJDOlxccmV2aWV3V2lucmVmcGVyZnN2Y1xcc3Bwc3ZjLmV4ZSIsIkM6XFxVc2Vyc1xcYWRtaW5cXFNlYXJjaGVzXFx1aHNzdmMuZXhlIiwiQzpcXHJldmlld1dpbnJlZnBlcmZzdmNcXHNlcnZpY2VzLmV4ZSIsIkM6XFxVc2Vyc1xcQWxsIFVzZXJzXFxNb3ppbGxhLTFkZTRlZWM4LTEyNDEtNDE3Ny1hODY0LWU1OTRlOGQxZmIzOFxcdXBkYXRlc1xcMzA4MDQ2QjBBRjRBMzlDQlxcU3RhcnRNZW51RXhwZXJpZW5jZUhvc3QuZXhlIiwiQzpcXFdpbmRvd3NcXHRyYWNpbmdcXFdlYlJ1bnRpbWVEbGwuZXhlIiwiQzpcXHJldmlld1dpbnJlZnBlcmZzdmNcXHNwcHN2Yy5leGUiLCJDOlxcVXNlcnNcXFB1YmxpY1xcRG93bmxvYWRzXFxzcG9vbHN2LmV4ZSJd | |||
| (PID) Process: | (7452) spoolsv.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spoolsv_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7452) spoolsv.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spoolsv_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7452) spoolsv.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spoolsv_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (7452) spoolsv.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spoolsv_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (7452) spoolsv.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spoolsv_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (7452) spoolsv.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spoolsv_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (7452) spoolsv.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\spoolsv_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
Executable files
13
Suspicious files
1
Text files
13
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7508 | 59435c6b2d1bd3dfd8daf2feae93cdcba6f1e3bbebe2a6012fe9e82671279573.exe | C:\Users\admin\AppData\Roaming\Snace.exe | executable | |
MD5:886EC8F57236B11553CBB8DE98CF1B69 | SHA256:958A4807D4C38B89256F1094B72703E7BDEC8CA424443E9DB71CC271EC75200E | |||
| 7940 | WebRuntimeDll.exe | C:\reviewWinrefperfsvc\0a1fd5f707cd16 | text | |
MD5:B4352DE7600A5102D11220CA083726FA | SHA256:3138991039ACDD3944022FDDF0188B7EFA9266C418A045ADA41B967EE37FAA5D | |||
| 7940 | WebRuntimeDll.exe | C:\reviewWinrefperfsvc\dllhost.exe | executable | |
MD5:6307EA5399FDC7482C17C3AC5E287D13 | SHA256:28F505924FD457B5499B2CB41D203C4A540C532C5A7563C393A508244D47DC5F | |||
| 7940 | WebRuntimeDll.exe | C:\reviewWinrefperfsvc\sppsvc.exe | executable | |
MD5:6307EA5399FDC7482C17C3AC5E287D13 | SHA256:28F505924FD457B5499B2CB41D203C4A540C532C5A7563C393A508244D47DC5F | |||
| 7940 | WebRuntimeDll.exe | C:\reviewWinrefperfsvc\SppExtComObj.exe | executable | |
MD5:6307EA5399FDC7482C17C3AC5E287D13 | SHA256:28F505924FD457B5499B2CB41D203C4A540C532C5A7563C393A508244D47DC5F | |||
| 7564 | Snace.exe | C:\reviewWinrefperfsvc\JyFFgHmHFgHO7gB8l.bat | text | |
MD5:3F6E29BBBF283829BB2DC00AEB600BFB | SHA256:775DC60B73FA023BA0A7D4B394A4D911C74AF2951E0F6379D337EE566A81CD2B | |||
| 7564 | Snace.exe | C:\reviewWinrefperfsvc\NHaFmwJEQMsxRcKOggYq.vbe | binary | |
MD5:60BB10E1B4C6BE7987AF6CDB164A2EA7 | SHA256:139FCB96F7B9FCE0DDE74056A75940D5CD131571A1CE3005476EFEC24824DF39 | |||
| 7940 | WebRuntimeDll.exe | C:\reviewWinrefperfsvc\5940a34987c991 | text | |
MD5:61693BAC1334D26D01FDD303F9C5E171 | SHA256:5F787AFCB99346BCC3BA527BE7F262BF607E2665B3BEEED31CD90BD24DCF5C3D | |||
| 7940 | WebRuntimeDll.exe | C:\reviewWinrefperfsvc\conhost.exe | executable | |
MD5:6307EA5399FDC7482C17C3AC5E287D13 | SHA256:28F505924FD457B5499B2CB41D203C4A540C532C5A7563C393A508244D47DC5F | |||
| 5332 | WebRuntimeDll.exe | C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\StartMenuExperienceHost.exe | executable | |
MD5:6307EA5399FDC7482C17C3AC5E287D13 | SHA256:28F505924FD457B5499B2CB41D203C4A540C532C5A7563C393A508244D47DC5F | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
129
TCP/UDP connections
58
DNS requests
15
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
4040 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
4040 | SIHClient.exe | GET | 200 | 23.48.23.159:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 20.223.35.26:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T141915Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=b99cfdd5188f451db46b0e5b44c994b7&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967578&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358108&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 2.97 Kb | whitelisted |
— | — | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | — | — | whitelisted |
— | — | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted |
— | — | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | unknown | xml | 1.35 Kb | whitelisted |
— | — | GET | 200 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted |
— | — | GET | 200 | 20.223.35.26:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T141916Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=a2713201cd244846830d53bb294097ca&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967578&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1358108&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 2.97 Kb | whitelisted |
— | — | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6544 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5512 | backgroundTaskHost.exe | 20.31.169.57:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3216 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
google.com |
| whitelisted |
arc.msn.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
cr32765.tw1.ru |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2196 | svchost.exe | A Network Trojan was detected | MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.tw1 .ru) |
7452 | spoolsv.exe | A Network Trojan was detected | ET MALWARE DCRAT Activity (GET) |