File name:

xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe

Full analysis: https://app.any.run/tasks/e74ddadd-ccb9-4e3f-96f1-ddff4f707c52
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: February 21, 2026, 09:38:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
dcrat
rat
auto-sch
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

E0E35C950F1DC4FDC71D6D2A0E8E71BC

SHA1:

6D0D3DAB3E760D81E23E5E1D76AE7260EA37BDA1

SHA256:

B9F435B0359CE36215907E0B78199771BC541DB43E6FECEB4F55063564ACB3BB

SSDEEP:

98304:hAfpO5iGuEfKpLDNX5LcBNO/M2AEqm6CnKdVdQbzQg+CrsqGXHDaNQcEBakTt5J7:hn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT mutex has been found

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 8352)
      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • UAC/LUA settings modification

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 8352)
    • Changes the autorun value in the registry

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Changes Windows Defender settings

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Adds path to the Windows Defender exclusion list

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
  • SUSPICIOUS

    • Executed via WMI

      • schtasks.exe (PID: 3440)
      • schtasks.exe (PID: 3192)
      • schtasks.exe (PID: 8328)
      • schtasks.exe (PID: 8544)
      • schtasks.exe (PID: 936)
      • schtasks.exe (PID: 1040)
      • schtasks.exe (PID: 752)
      • schtasks.exe (PID: 8448)
      • schtasks.exe (PID: 552)
      • schtasks.exe (PID: 4120)
      • schtasks.exe (PID: 5220)
      • schtasks.exe (PID: 1340)
    • Modifies hosts file to alter network resolution

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Creates scheduled task with highest privileges

      • schtasks.exe (PID: 3192)
      • schtasks.exe (PID: 8328)
      • schtasks.exe (PID: 936)
      • schtasks.exe (PID: 1040)
      • schtasks.exe (PID: 8448)
      • schtasks.exe (PID: 552)
      • schtasks.exe (PID: 5220)
      • schtasks.exe (PID: 1340)
    • The process creates files with name similar to system file names

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Executable content was dropped or overwritten

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Script adds exclusion path to Windows Defender

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Starts POWERSHELL.EXE for commands execution

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Starts itself from another location

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Creates file in the systems drive root

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
  • INFO

    • Checks supported languages

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 8352)
      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
      • fontdrvhost.exe (PID: 6936)
      • conhost.exe (PID: 2036)
      • MusNotifyIcon.exe (PID: 6172)
      • fontdrvhost.exe (PID: 8312)
      • slui.exe (PID: 6952)
      • conhost.exe (PID: 4876)
      • MusNotifyIcon.exe (PID: 9064)
      • fontdrvhost.exe (PID: 7832)
      • slui.exe (PID: 4660)
    • Reads the machine GUID from the registry

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 8352)
      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
      • fontdrvhost.exe (PID: 6936)
      • fontdrvhost.exe (PID: 8312)
      • conhost.exe (PID: 2036)
      • MusNotifyIcon.exe (PID: 6172)
      • slui.exe (PID: 6952)
      • conhost.exe (PID: 4876)
      • slui.exe (PID: 4660)
      • MusNotifyIcon.exe (PID: 9064)
      • fontdrvhost.exe (PID: 7832)
    • Reads security settings of Internet Explorer

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 8352)
      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Process checks computer location settings

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 8352)
      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Reads the computer name

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 8352)
      • fontdrvhost.exe (PID: 6936)
      • fontdrvhost.exe (PID: 8312)
      • conhost.exe (PID: 2036)
      • MusNotifyIcon.exe (PID: 6172)
      • slui.exe (PID: 6952)
      • conhost.exe (PID: 4876)
      • MusNotifyIcon.exe (PID: 9064)
      • slui.exe (PID: 4660)
      • fontdrvhost.exe (PID: 7832)
    • Process checks whether UAC notifications are on

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 8352)
    • Launching a file from a Registry key

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • The sample compiled with english language support

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 8352)
    • Creates files in the program directory

      • xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe (PID: 2376)
    • Manual execution by a user

      • fontdrvhost.exe (PID: 6936)
      • MusNotifyIcon.exe (PID: 6172)
      • fontdrvhost.exe (PID: 8312)
      • slui.exe (PID: 6952)
      • conhost.exe (PID: 2036)
      • conhost.exe (PID: 4876)
      • MusNotifyIcon.exe (PID: 9064)
      • slui.exe (PID: 4660)
    • Drops script file

      • powershell.exe (PID: 8320)
      • powershell.exe (PID: 1944)
      • powershell.exe (PID: 2052)
      • powershell.exe (PID: 3636)
      • powershell.exe (PID: 4596)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3636)
      • powershell.exe (PID: 1944)
      • powershell.exe (PID: 4596)
      • powershell.exe (PID: 8320)
      • powershell.exe (PID: 2052)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 8320)
      • powershell.exe (PID: 3636)
      • powershell.exe (PID: 4596)
      • powershell.exe (PID: 2052)
      • powershell.exe (PID: 1944)
    • Checks proxy server information

      • slui.exe (PID: 3436)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:07:13 22:47:16+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 104448
InitializedDataSize: 1973248
UninitializedDataSize: -
EntryPoint: 0xcd2f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 5.15.2.0
ProductVersionNumber: 5.15.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 5.15.2.0
OriginalFileName: libGLESv2.dll
ProductName: libGLESv2
ProductVersion: 5.15.2.0
All screenshots are available in the full report
Total processes
182
Monitored processes
36
Malicious processes
3
Suspicious processes
8

Behavior graph

start #DCRAT xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe no specs cmd.exe conhost.exe no specs #DCRAT xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs fontdrvhost.exe no specs conhost.exe no specs musnotifyicon.exe no specs fontdrvhost.exe no specs slui.exe no specs conhost.exe no specs musnotifyicon.exe no specs slui.exe no specs powershell.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs conhost.exe no specs fontdrvhost.exe no specs slui.exe

Process information

PID:
552
CMD:
schtasks.exe /create /tn "MusNotifyIconM" /sc MINUTE /mo 8 /tr "'C:\found.000\dir0001.chk\MusNotifyIcon.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
752
CMD:
schtasks.exe /create /tn "MusNotifyIconM" /sc MINUTE /mo 7 /tr "'C:\found.000\dir0001.chk\MusNotifyIcon.exe'" /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
936
CMD:
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\found.000\dir0000.chk\fontdrvhost.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1040
CMD:
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\found.000\dir0000.chk\fontdrvhost.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1340
CMD:
schtasks.exe /create /tn "sluis" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\slui.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1944
CMD:
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\admin\Desktop\xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe'
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2036
CMD:
"C:\Users\Default User\conhost.exe"
Path:
C:\Users\Default\conhost.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\default\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
2052
CMD:
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\found.000\dir0000.chk\fontdrvhost.exe'
Path:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process:
xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
2376
CMD:
C:\Users\admin\Desktop\xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Path:
C:\Users\admin\Desktop\xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Parent process:
cmd.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\admin\desktop\xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID:
2856
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
32 935
Read events
32 919
Write events
16
Delete events
0

Modification events

(PID) Process: (8352) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (2376) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (2376) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

(PID) Process: (2376) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: PromptOnSecureDesktop
Value: 0

(PID) Process: (2376) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000

(PID) Process: (2376) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\9b90c88d90d65a05eea12d70abda15b8
Operation: write
Name: 9b90c88d90d65a05eea12d70abda15b8
Value: 9b90c88d90d65a05eea12d70abda15b8

(PID) Process: (2376) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: fontdrvhost
Value: "C:\found.000\dir0000.chk\fontdrvhost.exe"

(PID) Process: (2376) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: fontdrvhost
Value: "C:\found.000\dir0000.chk\fontdrvhost.exe"

(PID) Process: (2376) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: conhost
Value: "C:\Users\Default User\conhost.exe"

(PID) Process: (2376) xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: conhost
Value: "C:\Users\Default User\conhost.exe"
Executable files
15
Suspicious files
1
Text files
25
Unknown types
0

Dropped files

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
MD5:
SHA256:

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Filename: C:\found.000\dir0000.chk\5b884080fd4f94
Type: text
MD5: 6C1CC0C65B13AC3B1034FAEC463DBE0A
SHA256: 92571A9A2CB886C087FF2294AF271350197315FB86B62CB1F5C42DDD519F1E8F

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Filename: C:\found.000\dir0001.chk\MusNotifyIcon.exe
Type: executable
MD5: E0E35C950F1DC4FDC71D6D2A0E8E71BC
SHA256: B9F435B0359CE36215907E0B78199771BC541DB43E6FECEB4F55063564ACB3BB

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Filename: C:\found.000\dir0001.chk\bb88a2b99e529f
Type: text
MD5: 821F3A7E046662FB0CDDCFFE412FD182
SHA256: 76ACE8F179F1FBE6AEA4CC572B4CB4D9C50EA750211024E520839F25AD450E9A

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Filename: C:\Program Files\Windows NT\Accessories\en-US\slui.exe
Type: executable
MD5: E0E35C950F1DC4FDC71D6D2A0E8E71BC
SHA256: B9F435B0359CE36215907E0B78199771BC541DB43E6FECEB4F55063564ACB3BB

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Filename: C:\Program Files\Windows NT\Accessories\en-US\a29f4157103644
Type: text
MD5: D3CB2FA2FF0A7B85D71DCA1981C14215
SHA256: 067392BC7D80E8CD2EA081841D67B6C250C623DA3F6C060ED396F5F7FDC6C778

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Filename: C:\Users\admin\Desktop\RCX7136.tmp
Type: executable
MD5: 11750198B4B1C72D1F08469019C4FBF8
SHA256: 2CE5968E1CBF35D147F205FC9D493D43AA0DAECA608117384633A347089D3364

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Filename: C:\found.000\dir0000.chk\RCX767B.tmp
Type: executable
MD5: E0E35C950F1DC4FDC71D6D2A0E8E71BC
SHA256: B9F435B0359CE36215907E0B78199771BC541DB43E6FECEB4F55063564ACB3BB

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Filename: C:\Users\admin\Desktop\RCX7156.tmp
Type: executable
MD5: E4AD18A0D4F1F0C326B09867A4637398
SHA256: 626FB34180082A7B94CFA3AF830B04E5D25CB3A49ECB4B7C829753B08B99E657

PID: 2376
Process: xb9f435b0359ce36215907e0b78199771bc541db43e6feceb4f55063564acb3bb.exe
Filename: C:\Users\Default\RCX73E9.tmp
Type: executable
MD5: 45793DC862A002682FA8684954B3D63E
SHA256: 7B28C8516C3BE1A0B14E95FD97F7D183B7B3B721FD2EA761D9BE985C05B9FDAF
HTTP(S) requests
51
TCP/UDP connections
51
DNS requests
21
Threats
0

HTTP requests

PID: 5548
Process: SIHClient.exe
Method: GET
HTTP Code: 304
IP: 74.178.76.128:443
URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
CN: unknown
Reputation: whitelisted

Method: POST
HTTP Code: 200
IP: 20.190.160.65:443
URL: https://login.live.com/RST2.srf
CN: unknown
Type: text
Size: 11.1 Kb
Reputation: whitelisted

PID: 5548
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 135.232.92.97:443
URL: https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
CN: unknown
Reputation: whitelisted

PID: 3004
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 23.59.18.102:80
URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
CN: unknown
Reputation: whitelisted

Method: POST
HTTP Code: 200
IP: 20.190.160.14:443
URL: https://login.live.com/RST2.srf
CN: unknown
Type: binary
Size: 10.3 Kb
Reputation: whitelisted

PID: 356
Process: svchost.exe
Method: POST
HTTP Code: 200
IP: 20.190.160.3:443
URL: https://login.live.com/RST2.srf
CN: unknown
Type: text
Size: 11.1 Kb
Reputation: whitelisted

PID: 356
Process: svchost.exe
Method: POST
HTTP Code: 200
IP: 20.190.160.3:443
URL: https://login.live.com/RST2.srf
CN: unknown
Type: binary
Size: 10.3 Kb
Reputation: whitelisted

Method: GET
HTTP Code: 304
IP: 74.178.76.128:443
URL: https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
CN: unknown

Method: POST
HTTP Code: 200
IP: 40.126.32.140:443
URL: https://login.live.com/RST2.srf
CN: unknown
Type: text
Size: 10.3 Kb
Reputation: whitelisted

PID: 5548
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 74.178.76.128:443
URL: https://slscr.update.microsoft.com/sls/ping
CN: unknown
Reputation: whitelisted

Connections

IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Not routed
Reputation: whitelisted

PID: 5180
Process: RUXIMICS.exe
IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 6768
Process: MoUsoCoreWorker.exe
IP: 40.127.240.158:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

IP: 184.86.251.30:443
Domain: www.bing.com
ASN: AKAMAI-ASN1
CN: NL
Reputation: whitelisted

IP: 172.211.123.249:443
Domain: client.wns.windows.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Not routed
Reputation: whitelisted

PID: 3004
Process: svchost.exe
IP: 2.16.164.120:80
Domain: crl.microsoft.com
ASN: AKAMAI-ASN1
CN: NL
Reputation: whitelisted

PID: 6768
Process: MoUsoCoreWorker.exe
IP: 2.16.164.120:80
Domain: crl.microsoft.com
ASN: AKAMAI-ASN1
CN: NL
Reputation: whitelisted

PID: 5180
Process: RUXIMICS.exe
IP: 2.16.164.120:80
Domain: crl.microsoft.com
ASN: AKAMAI-ASN1
CN: NL
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 184.86.251.30
  • 184.86.251.10
  • 184.86.251.15
  • 184.86.251.14
  • 184.86.251.13
  • 184.86.251.4
  • 184.86.251.27
  • 184.86.251.28
  • 184.86.251.12
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
google.com
  • 142.250.201.78
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
  • 23.216.77.30
  • 23.216.77.6
  • 23.216.77.19
  • 23.216.77.8
whitelisted
www.microsoft.com
  • 23.59.18.102
  • 23.52.181.212
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.128
  • 40.126.32.76
  • 40.126.32.136
  • 20.190.160.17
  • 20.190.160.5
  • 20.190.160.66
  • 20.190.160.67
  • 40.126.32.140
  • 20.190.160.14
  • 20.190.160.65
  • 40.126.32.134
  • 20.190.160.132
  • 20.190.160.20
  • 40.126.32.72
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 135.232.92.97
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted

Threats

No threats detected
No debug info