File name:

8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample

Full analysis: https://app.any.run/tasks/7a8f902f-256c-4fbd-8c1c-0326bcd0e36a
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: January 10, 2025, 18:18:02
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
auto
dcrat
rat
remote
darkcrystal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5: C8228B107DFAD48C1A7DE8147FA1F6E4
SHA1: 7F6D1D3C48D891CCCC4B0DD57504DB216AC681A8
SHA256: 8D0C8954ABEAA3C75C922544E9798171DE09868A3A1F9300E07465672ADA3DA4
SSDEEP: 98304:wejdruhJbuBaFJ5w8aKq6fXVivHUb7ooytsbjK9L6WB0vaC02KvEzhKdZ4/bVufk:EAy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • RAT has been found (auto)

      • 8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe (PID: 6060)
    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 2996)
    • DCRAT mutex has been found

      • agentFont.exe (PID: 3812)
      • agentFont.exe (PID: 6336)
      • csrss.exe (PID: 1412)
    • Adds path to the Windows Defender exclusion list

      • agentFont.exe (PID: 6336)
    • DARKCRYSTAL has been detected (SURICATA)

      • csrss.exe (PID: 1412)
    • Connects to the CnC server

      • csrss.exe (PID: 1412)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • f5Mb10zb.exe (PID: 5916)
      • 8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe (PID: 6060)
      • agentFont.exe (PID: 3812)
      • agentFont.exe (PID: 6336)
      • csrss.exe (PID: 1412)
    • The process drops C-runtime libraries

      • 8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe (PID: 6060)
    • Process drops a legitimate Windows executable

      • 8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe (PID: 6060)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 2996)
      • agentFont.exe (PID: 6336)
    • Starts CMD.EXE for command execution

      • wscript.exe (PID: 2996)
      • agentFont.exe (PID: 3812)
      • agentFont.exe (PID: 6336)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 2996)
    • Reads the date of Windows installation

      • agentFont.exe (PID: 3812)
    • Reads security settings of Internet Explorer

      • agentFont.exe (PID: 3812)
      • agentFont.exe (PID: 6336)
    • Executed via WMI

      • schtasks.exe (PID: 6648)
      • schtasks.exe (PID: 6680)
      • schtasks.exe (PID: 6588)
      • schtasks.exe (PID: 6620)
      • schtasks.exe (PID: 6708)
      • schtasks.exe (PID: 6736)
      • schtasks.exe (PID: 6880)
      • schtasks.exe (PID: 6828)
      • schtasks.exe (PID: 6764)
      • schtasks.exe (PID: 6796)
      • schtasks.exe (PID: 6852)
      • schtasks.exe (PID: 7068)
      • schtasks.exe (PID: 6948)
      • schtasks.exe (PID: 7096)
      • schtasks.exe (PID: 6980)
      • schtasks.exe (PID: 7032)
      • schtasks.exe (PID: 7004)
      • schtasks.exe (PID: 6916)
    • The process creates files with name similar to system file names

      • agentFont.exe (PID: 6336)
    • Script adds exclusion path to Windows Defender

      • agentFont.exe (PID: 6336)
    • Starts POWERSHELL.EXE for command execution

      • agentFont.exe (PID: 6336)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6468)
    • Probably delays execution using 'w32tm.exe'

      • cmd.exe (PID: 6468)
  • INFO

    • Checks supported languages

      • f5Mb10zb.exe (PID: 5916)
      • 8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe (PID: 6060)
      • agentFont.exe (PID: 3812)
      • agentFont.exe (PID: 6336)
      • csrss.exe (PID: 1412)
    • The sample was compiled with English language support

      • 8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe (PID: 6060)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • wscript.exe (PID: 2996)
    • Reads the computer name

      • f5Mb10zb.exe (PID: 5916)
      • 8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe (PID: 6060)
      • agentFont.exe (PID: 3812)
      • agentFont.exe (PID: 6336)
    • Reads Environment values

      • agentFont.exe (PID: 3812)
      • agentFont.exe (PID: 6336)
    • The process uses the downloaded file

      • agentFont.exe (PID: 3812)
    • Reads the machine GUID from the registry

      • agentFont.exe (PID: 3812)
      • agentFont.exe (PID: 6336)
      • csrss.exe (PID: 1412)
    • Process checks computer location settings

      • agentFont.exe (PID: 3812)
    • Creates files in the program directory

      • agentFont.exe (PID: 6336)
    • Changes the display of characters in the console

      • cmd.exe (PID: 6468)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6172)
      • powershell.exe (PID: 7164)
      • powershell.exe (PID: 7120)
      • powershell.exe (PID: 1856)
      • powershell.exe (PID: 7148)
      • powershell.exe (PID: 7128)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 1856)
      • powershell.exe (PID: 7164)
      • powershell.exe (PID: 7120)
      • powershell.exe (PID: 7128)
      • powershell.exe (PID: 6172)
      • powershell.exe (PID: 7148)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:12:24 09:42:13+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.41
CodeSize: 287744
InitializedDataSize: 171520
UninitializedDataSize: -
EntryPoint: 0x327e0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
Total processes: 167
Monitored processes: 45
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Process nodes in the order the graph lists them ("no specs" and "#DCRAT" are the report's own node labels):
  • 8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe
  • f5mb10zb.exe
  • wscript.exe (no specs)
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • agentfont.exe (#DCRAT)
  • cmd.exe
  • conhost.exe (no specs)
  • agentfont.exe (#DCRAT)
  • schtasks.exe (no specs), 18 instances
  • powershell.exe (no specs), 6 instances, and conhost.exe (no specs), 6 instances
  • cmd.exe (no specs)
  • conhost.exe (no specs)
  • chcp.com (no specs)
  • w32tm.exe (no specs)
  • csrss.exe (#DCRAT)
  • svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 6060
CMD: "C:\Users\admin\AppData\Local\Temp\8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe"
Path: C:\Users\admin\AppData\Local\Temp\8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5916
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\cNeeds\cData\o4e4cli\f5Mb10zb.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\cNeeds\cData\o4e4cli\f5Mb10zb.exe
Parent process: 8d0c8954abeaa3c75c922544e9798171de09868a3a1f9300e07465672ada3da4.exe.sample.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rarsfx0\cneeds\cdata\o4e4cli\f5mb10zb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 2996
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\mshypercomponentSavesdll\kNSe5xQ3wI9ft6pWJZ9EeFYPDfgbdbVMsQk13JHxpBJ7xdPC40.vbe"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: f5Mb10zb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 2280
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\mshypercomponentSavesdll\1fgSUpJ8Uk5BF.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 4548
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3812
CMD: "C:\mshypercomponentSavesdll/agentFont.exe"
Path: C:\mshypercomponentSavesdll\agentFont.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\mshypercomponentsavesdll\agentfont.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6212
CMD: "C:\Windows\System32\cmd.exe" /c "C:\mshypercomponentSavesdll\agentFont.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: agentFont.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 6220
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 6336
CMD: C:\mshypercomponentSavesdll\agentFont.exe
Path: C:\mshypercomponentSavesdll\agentFont.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.2.7.1277
Modules
Images
c:\mshypercomponentsavesdll\agentfont.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6588
CMD: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\Provisioning\wininit.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 37 525
Read events: 37 506
Write events: 19
Delete events: 0

Modification events

(PID) Process: (5916) f5Mb10zb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:
(PID) Process: (6336) agentFont.exe
Key: HKEY_CURRENT_USER\SOFTWARE\000e8114dab6badcc03fe652fd99762cd2a8cffa
Operation: write
Name: fd3d709e264a2408002fc055ad4465fa3c0a85b0
Value:
H4sIAAAAAAAEAI2PTQvCMAyG/0rxpCBjXkS8iaCXCYMhHoyHssYt2DbSdFP/vcUvdvT0voE85MlxtF4CHMgbvglAGbgnIfbkG4AbpaSY4R1H09fimTtvsjzPAQyFlLOsbi8A1UMiugpjTKAMACft44qhZndljz5Wukcx1n6RwepeMCSFlbXqU8tivwUouEk9MS3L0CW5NkE7tSGLosb3xXzy+0TtOhvJoSGtSqvjmYMDqCXIf3K6SeOG/fve6QnLXvwUJgEAAA==
(PID) Process: (6336) agentFont.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process: (6336) agentFont.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process: (1412) csrss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\csrss_RASAPI32
Operation: write
Name: EnableFileTracing
Value:
0
(PID) Process: (1412) csrss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\csrss_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value:
0
(PID) Process: (1412) csrss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\csrss_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value:
0
(PID) Process: (1412) csrss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\csrss_RASAPI32
Operation: write
Name: FileTracingMask
Value:
(PID) Process: (1412) csrss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\csrss_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:
(PID) Process: (1412) csrss.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\csrss_RASAPI32
Operation: write
Name: MaxFileSize
Value:
1048576
Executable files: 17
Suspicious files: 2
Text files: 21
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6336 | agentFont.exe | C:\mshypercomponentSavesdll\27d1bcfc3c54e0 | text
MD5: 197CE29E8EC98AA712883E8E62A48B1A
SHA256: 45B3DD5904372D006DFD20A30EE9C3FDD5A9A5DA4FEB0652E0CE51FD1B7E8F83
6336 | agentFont.exe | C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e | text
MD5: 15654E93F9801EDE51E4C8F643A21AF7
SHA256: 9E69A76DD65C53E22016151AADAA44127BACE53589CE4697450900CCAE980599
6336 | agentFont.exe | C:\ProgramData\PLUG\Logs\5940a34987c991 | text
MD5: 906BDD37D63666EEFC0B41D9A3D915C9
SHA256: 010E92395AF76B28EC0864DDE4671DC22D606CEC7781081183D13A3E3A31B613
3812 | agentFont.exe | C:\Users\admin\Desktop\FzVjqPOJ.log | executable
MD5: D8BF2A0481C0A17A634D066A711C12E9
SHA256: 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
6336 | agentFont.exe | C:\Users\admin\Desktop\gUvWtVBF.log | executable
MD5: D8BF2A0481C0A17A634D066A711C12E9
SHA256: 2B93377EA087225820A9F8E4F331005A0C600D557242366F06E0C1EAE003D669
6336 | agentFont.exe | C:\mshypercomponentSavesdll\e6dd04281f4893 | text
MD5: 3AA8DF7BD1BF125FAF9C41F7812A3C23
SHA256: D6BFA336DD1E7D412C1A9F51BFC361FC8409C046116F3764866ED7BC26097BE3
6336 | agentFont.exe | C:\Users\admin\Desktop\XdsoeKVS.log | executable
MD5: 0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA256: DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
5916 | f5Mb10zb.exe | C:\mshypercomponentSavesdll\kNSe5xQ3wI9ft6pWJZ9EeFYPDfgbdbVMsQk13JHxpBJ7xdPC40.vbe | binary
MD5: 06FA0952379DC4DB1439AF29A13D89BE
SHA256: CFE1D4E4F8C609281567BCBA5CC5117FA957D53721B817F979092DEC7FC44852
5916 | f5Mb10zb.exe | C:\mshypercomponentSavesdll\agentFont.exe | executable
MD5: 0D30B2D3FD8DB7AE5EDC0455DA8DC8E9
SHA256: 23DFBD08FCA53DCB25B0F76B6D24ABF02EB2349BC43C975BACD3776B52241FAF
3812 | agentFont.exe | C:\Users\admin\Desktop\XcEHZHdb.log | executable
MD5: 0B2AFABFAF0DD55AD21AC76FBF03B8A0
SHA256: DD4560987BD87EF3E6E8FAE220BA22AA08812E9743352523C846553BD99E4254
HTTP(S) requests: 48
TCP/UDP connections: 34
DNS requests: 15
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
(One request per line, values in the order exported; empty cells were dropped in the export, and "-" marks a missing PID/Process.)
- | - | GET | 200 | 23.48.23.169:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.169:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 23.48.23.169:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1412 | csrss.exe | POST | 200 | 37.44.238.250:80 | http://487997cm.renyash.top/VideoFlowergeneratorTestpublic.php | unknown | malicious
1412 | csrss.exe | POST | 200 | 37.44.238.250:80 | http://487997cm.renyash.top/VideoFlowergeneratorTestpublic.php | unknown | malicious
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1412 | csrss.exe | POST | 200 | 37.44.238.250:80 | http://487997cm.renyash.top/VideoFlowergeneratorTestpublic.php | unknown | malicious
6968 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
("-" marks a cell that is empty in the export.)
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.169:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.48.23.169:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1176 | svchost.exe | 20.190.159.4:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1076 | svchost.exe | 23.213.166.81:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.48.23.169
  • 23.48.23.193
  • 23.48.23.194
  • 23.48.23.159
  • 23.48.23.139
  • 23.48.23.167
  • 23.48.23.158
  • 23.48.23.143
  • 23.48.23.173
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 20.190.159.4
  • 40.126.31.69
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.73
  • 20.190.159.68
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.213.166.81
whitelisted
487997cm.renyash.top
  • 37.44.238.250
malicious
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID | Process | Class | Message
("-" marks a cell that is empty in the export.)
- | - | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
- | - | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
- | - | A Network Trojan was detected | ET MALWARE [ANY.RUN] DarkCrystal Rat Check-in (POST)
- | - | A Network Trojan was detected | REMOTE [ANY.RUN] DarkCrystal Rat Check-in (POST)
- | - | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
No debug info