File name:

CHATGPTVSTUNGTUNG.exe

Full analysis: https://app.any.run/tasks/c3566610-a6fb-4394-aafe-32306ac73be3
Verdict: Malicious activity
Threats:

DarkComet RAT is a malicious program designed to remotely control or administer a victim's computer, steal private data and spy on the victim.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 14:47:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
darkcomet
rat
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 9 sections
MD5:

34960F869AA933675A70C0C7C17ADDFE

SHA1:

B01EC370B3571D70A2D111F35D5514CC7A18D422

SHA256:

9343339FADFE0F62D6FD46C6131ED9FDF01978D817192984E69A8BBECFB406D2

SSDEEP:

12288:G9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hy:iZ1xuVVjfFoynPaVBUR8f+kN10EB4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DARKCOMET mutex has been found

      • CHATGPTVSTUNGTUNG.exe (PID: 6124)

    • DARKCOMET has been detected (YARA)

      • CHATGPTVSTUNGTUNG.exe (PID: 6124)

  • SUSPICIOUS

    • There is functionality for communication over UDP network (YARA)

      • CHATGPTVSTUNGTUNG.exe (PID: 6124)

    • There is functionality for taking screenshot (YARA)

      • CHATGPTVSTUNGTUNG.exe (PID: 6124)

  • INFO

    • Reads the computer name

      • CHATGPTVSTUNGTUNG.exe (PID: 6124)

    • The sample compiled with english language support

      • CHATGPTVSTUNGTUNG.exe (PID: 6124)

    • Compiled with Borland Delphi (YARA)

      • CHATGPTVSTUNGTUNG.exe (PID: 6124)

    • Checks supported languages

      • CHATGPTVSTUNGTUNG.exe (PID: 6124)

    • Reads the software policy settings

      • slui.exe (PID: 6892)

    • Checks proxy server information

      • slui.exe (PID: 6892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (31.9)
.scr | Windows screen saver (29.4)
.dll | Win32 Dynamic Link Library (generic) (14.8)
.exe | Win32 Executable (generic) (10.1)
.exe | Win16/32 Executable Delphi generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:06:07 15:59:53+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 586752
InitializedDataSize: 85504
UninitializedDataSize: -
EntryPoint: 0x8f888
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Remote Service Application
CompanyName: Microsoft Corp.
FileDescription: Remote Service Application
FileVersion: 1, 0, 0, 1
InternalName: MSRSAAPP
LegalCopyright: Copyright (C) 1999
OriginalFileName: MSRSAAP.EXE
ProductName: Remote Service Application
ProductVersion: 4, 0, 0, 0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #DARKCOMET chatgptvstungtung.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
6124"C:\Users\admin\Desktop\CHATGPTVSTUNGTUNG.exe" C:\Users\admin\Desktop\CHATGPTVSTUNGTUNG.exe
explorer.exe
User:
admin
Company:
Microsoft Corp.
Integrity Level:
MEDIUM
Description:
Remote Service Application
Version:
1, 0, 0, 1
Modules
Images
c:\users\admin\desktop\chatgptvstungtung.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
6892C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 735
Read events
3 735
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
19
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.16:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4760
RUXIMICS.exe
GET
200
184.24.77.16:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.24.77.16:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4760
RUXIMICS.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
2.23.181.156:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
20.83.72.98:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4760
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.16:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4760
RUXIMICS.exe
184.24.77.16:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
184.24.77.16:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4760
RUXIMICS.exe
2.23.181.156:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 184.24.77.16
  • 184.24.77.10
  • 184.24.77.6
  • 184.24.77.35
  • 184.24.77.34
  • 184.24.77.22
  • 184.24.77.13
  • 184.24.77.37
  • 184.24.77.40
whitelisted
www.microsoft.com
  • 2.23.181.156
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.28
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CHATGPTVSTUNGTUNG.exe