File name: Luno.exe
Full analysis: https://app.any.run/tasks/abeecd66-6378-4005-b1f1-622afa22bb50
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common.

Analysis date: March 11, 2025, 16:19:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
dcrat
rat
remote
darkcrystal
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 305DB5A255E9847FFD31AEDAE51F035C
SHA1: EBB636355B511E4C3456FF0D4E82A767701C2877
SHA256: F55813C3AF40669E49A77CEA37D1D303F578EF26A101417CDACF8AC4FC65DA5E
SSDEEP: 49152:HFrKj5G0lvhhneLyiN/aw3R8iUan8/EWLeZXNCJV1x+e7mEgsjN:HFrKdVvpiUan8sv9G9H7DN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT mutex has been found

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 7892)
    • DARKCRYSTAL has been detected (SURICATA)

      • services.exe (PID: 2772)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Reads security settings of Internet Explorer

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Executable content was dropped or overwritten

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 7892)
    • Executed via WMI

      • schtasks.exe (PID: 4688)
      • schtasks.exe (PID: 8164)
      • schtasks.exe (PID: 5868)
      • schtasks.exe (PID: 4208)
      • schtasks.exe (PID: 1072)
      • schtasks.exe (PID: 7380)
      • schtasks.exe (PID: 7420)
      • schtasks.exe (PID: 5972)
      • schtasks.exe (PID: 7364)
      • schtasks.exe (PID: 5064)
      • schtasks.exe (PID: 7012)
      • schtasks.exe (PID: 7448)
      • schtasks.exe (PID: 7460)
      • schtasks.exe (PID: 728)
      • schtasks.exe (PID: 7708)
      • schtasks.exe (PID: 7728)
      • schtasks.exe (PID: 7516)
      • schtasks.exe (PID: 7488)
      • schtasks.exe (PID: 7332)
      • schtasks.exe (PID: 6032)
      • schtasks.exe (PID: 1132)
      • schtasks.exe (PID: 5892)
      • schtasks.exe (PID: 1180)
      • schtasks.exe (PID: 5404)
      • schtasks.exe (PID: 6744)
      • schtasks.exe (PID: 5504)
      • schtasks.exe (PID: 6112)
      • schtasks.exe (PID: 3768)
      • schtasks.exe (PID: 7216)
      • schtasks.exe (PID: 7228)
      • schtasks.exe (PID: 5720)
      • schtasks.exe (PID: 7084)
      • schtasks.exe (PID: 1760)
      • schtasks.exe (PID: 5280)
      • schtasks.exe (PID: 7280)
      • schtasks.exe (PID: 7300)
      • schtasks.exe (PID: 4652)
      • schtasks.exe (PID: 4428)
      • schtasks.exe (PID: 7720)
      • schtasks.exe (PID: 976)
      • schtasks.exe (PID: 7184)
      • schtasks.exe (PID: 7672)
      • schtasks.exe (PID: 7696)
      • schtasks.exe (PID: 6436)
      • schtasks.exe (PID: 7676)
      • schtasks.exe (PID: 7560)
      • schtasks.exe (PID: 7844)
      • schtasks.exe (PID: 7556)
      • schtasks.exe (PID: 7880)
      • schtasks.exe (PID: 5936)
      • schtasks.exe (PID: 920)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 7728)
      • schtasks.exe (PID: 7516)
      • schtasks.exe (PID: 7488)
      • schtasks.exe (PID: 5504)
      • schtasks.exe (PID: 3768)
      • schtasks.exe (PID: 6112)
      • schtasks.exe (PID: 7084)
      • schtasks.exe (PID: 7216)
      • schtasks.exe (PID: 4428)
      • schtasks.exe (PID: 976)
      • schtasks.exe (PID: 7184)
      • schtasks.exe (PID: 7720)
    • Reads the date of Windows installation

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Application launched itself

      • Porthost.exe (PID: 8032)
    • Executing commands from a ".bat" file

      • wscript.exe (PID: 7892)
    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 7892)
    • Starts itself from another location

      • Porthost.exe (PID: 4008)
  • INFO

    • Reads the computer name

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • Process checks computer location settings

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • The sample compiled with english language support

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Drops encrypted VBS script (Microsoft Script Encoder)

      • Luno.exe (PID: 7848)
    • Checks supported languages

      • Luno.exe (PID: 7848)
      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • Reads the machine GUID from the registry

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • Reads Environment values

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
      • services.exe (PID: 2772)
    • Failed to create an executable file in Windows directory

      • Porthost.exe (PID: 8032)
      • Porthost.exe (PID: 4008)
    • Creates files in the program directory

      • Porthost.exe (PID: 4008)
    • Checks proxy server information

      • services.exe (PID: 2772)
      • slui.exe (PID: 7904)
    • Disables trace logs

      • services.exe (PID: 2772)
    • Reads the software policy settings

      • slui.exe (PID: 7904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 255488
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
178
Monitored processes
60
Malicious processes
6
Suspicious processes
0

Behavior graph

start luno.exe wscript.exe no specs cmd.exe no specs conhost.exe no specs #DCRAT porthost.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs #DCRAT porthost.exe schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs #DARKCRYSTAL services.exe svchost.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 728
CMD: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\Idle.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 920
CMD: schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\bridgecontainerCrtnet\csrss.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 976
CMD: schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Documents\My Videos\SearchApp.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1072
CMD: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\admin\Favorites\Links\fontdrvhost.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1132
CMD: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\bridgecontainerCrtnet\spoolsv.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1180
CMD: schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\bridgecontainerCrtnet\csrss.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1760
CMD: schtasks.exe /create /tn "dasHostd" /sc MINUTE /mo 11 /tr "'C:\bridgecontainerCrtnet\dasHost.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2772
CMD: "C:\bridgecontainerCrtnet\services.exe"
Path: C:\bridgecontainerCrtnet\services.exe
Parent process: Porthost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\bridgecontainercrtnet\services.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3768
CMD: schtasks.exe /create /tn "dasHost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dasHost.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
8 017
Read events
7 999
Write events
18
Delete events
0

Modification events

Process: (7848) Luno.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

Process: (8032) Porthost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\26afce736a6de91186362b839ee521211f876bbb
Operation: write
Name: 2cbc6209724f0e5408f5674defca0a42dd9863d4
Value:
WyJDOlxcYnJpZGdlY29udGFpbmVyQ3J0bmV0XFxQb3J0aG9zdC5leGUiLCJDOlxcYnJpZGdlY29udGFpbmVyQ3J0bmV0XFxSdW50aW1lQnJva2VyLmV4ZSIsIkM6XFxVc2Vyc1xcYWRtaW5cXHNsdWkuZXhlIiwiQzpcXFVzZXJzXFxhZG1pblxcRmF2b3JpdGVzXFxMaW5rc1xcZm9udGRydmhvc3QuZXhlIiwiQzpcXGJyaWRnZWNvbnRhaW5lckNydG5ldFxcc2lob3N0LmV4ZSIsIkM6XFxVc2Vyc1xcRGVmYXVsdFxcRGVza3RvcFxcSWRsZS5leGUiLCJDOlxcVXNlcnNcXFB1YmxpY1xcVmlkZW9zXFxTeXN0ZW0uZXhlIiwiQzpcXGJyaWRnZWNvbnRhaW5lckNydG5ldFxcc3Bvb2xzdi5leGUiXQ==
(The value is base64 and decodes to a JSON array of executable paths: ["C:\\bridgecontainerCrtnet\\Porthost.exe","C:\\bridgecontainerCrtnet\\RuntimeBroker.exe","C:\\Users\\admin\\slui.exe","C:\\Users\\admin\\Favorites\\Links\\fontdrvhost.exe","C:\\bridgecontainerCrtnet\\sihost.exe","C:\\Users\\Default\\Desktop\\Idle.exe","C:\\Users\\Public\\Videos\\System.exe","C:\\bridgecontainerCrtnet\\spoolsv.exe"]. Several of these paths also appear in the dropped-files list and in the scheduled tasks created above.)

Process: (4008) Porthost.exe
Key: HKEY_CURRENT_USER\SOFTWARE\26afce736a6de91186362b839ee521211f876bbb
Operation: write
Name: 2cbc6209724f0e5408f5674defca0a42dd9863d4
Value:
(exact duplicate of the value written by PID 8032 above; omitted)

Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: EnableFileTracing
Value:
0

Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value:
0

Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value:
0

Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: FileTracingMask
Value:

Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: MaxFileSize
Value:
1048576

Process: (2772) services.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\services_RASAPI32
Operation: write
Name: FileDirectory
Value:
%windir%\tracing
Executable files
18
Suspicious files
1
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 8032
Process: Porthost.exe
Filename: C:\Users\admin\slui.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E

PID: 7848
Process: Luno.exe
Filename: C:\bridgecontainerCrtnet\15DZJy1sJWzJp6BTZUbI23XZpA0v.vbe
Type: binary
MD5: 321AF5B2765FF534A7F88382F26D94E0
SHA256: 132E69761A2757F68056DD494AC49A071FFFA218BA6F18D3FCCFD93B29816FAF

PID: 8032
Process: Porthost.exe
Filename: C:\bridgecontainerCrtnet\66fc9ff0ee96c2
Type: text
MD5: 125D3570262B72A4ADA05C68E3C169F9
SHA256: 7CB8AFB5D944B2399FD512F07ECA3F4617FD8CE86A0967A5C2635FFA5C0D7383

PID: 7848
Process: Luno.exe
Filename: C:\bridgecontainerCrtnet\WCNIplCwNKysWTR2.bat
Type: text
MD5: A2998419FDE44E4B1BC0706FE928B402
SHA256: 8BB05846EDDEDC9AB3A76AC11C414EACD48C491632D810138D38908C335B055F

PID: 8032
Process: Porthost.exe
Filename: C:\Users\admin\a29f4157103644
Type: text
MD5: C0E6B6D49FD1AFF7422AC1E8BBEC8D17
SHA256: 67BBBCF4EBD9E379C1F52E4CD93239AAD4C29CB32FA14BEBD098C3EC8924A144

PID: 8032
Process: Porthost.exe
Filename: C:\Users\Default\Desktop\6ccacd8608530f
Type: text
MD5: F0BE5DF0A362B1CD9A96BA65F5E0D859
SHA256: 8C0387AA97BE132E588318E120873B662BDBB8ACC9C9410B496675CF59510450

PID: 8032
Process: Porthost.exe
Filename: C:\Users\admin\Favorites\Links\fontdrvhost.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E

PID: 8032
Process: Porthost.exe
Filename: C:\Users\Default\Desktop\Idle.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E

PID: 8032
Process: Porthost.exe
Filename: C:\bridgecontainerCrtnet\RuntimeBroker.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E

PID: 8032
Process: Porthost.exe
Filename: C:\bridgecontainerCrtnet\sihost.exe
Type: executable
MD5: 81F6BD03EB55DB5C9F3B8E32F52AC261
SHA256: 538600C37369CE1ABC62491E757C070765FAAFA26A013DCE5061D89E5655350E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
6
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2772
services.exe
GET
400
141.8.197.42:80
http://a1097913.xsph.ru/a1c6de26.php?3xELc3DtIyQuahx8Soxr1=Djl7QPa&2aqkfsWRTj3Wrh5sE=vZTK2QwsufkfmxSn6zEzCEmAUNy&dfn22ZeBLrhZyw81=y7FEElFoOxqxTzpcRPO1rm&f1742bb50f5b79f28188f3faa38122c0=77fff1d46fd67ec38f7a4edef8f7d53b&375de9cdf10c3d58680d477424411d8f=wY2gTO1IzMwQDM3QzY2Y2NhJmZygTNxIWY1ETZiNjMmdjNxUDN4YmN&3xELc3DtIyQuahx8Soxr1=Djl7QPa&2aqkfsWRTj3Wrh5sE=vZTK2QwsufkfmxSn6zEzCEmAUNy&dfn22ZeBLrhZyw81=y7FEElFoOxqxTzpcRPO1rm
unknown
whitelisted
2772
services.exe
GET
400
141.8.197.42:80
http://a1097913.xsph.ru/a1c6de26.php?3xELc3DtIyQuahx8Soxr1=Djl7QPa&2aqkfsWRTj3Wrh5sE=vZTK2QwsufkfmxSn6zEzCEmAUNy&dfn22ZeBLrhZyw81=y7FEElFoOxqxTzpcRPO1rm&f1742bb50f5b79f28188f3faa38122c0=77fff1d46fd67ec38f7a4edef8f7d53b&375de9cdf10c3d58680d477424411d8f=wY2gTO1IzMwQDM3QzY2Y2NhJmZygTNxIWY1ETZiNjMmdjNxUDN4YmN&3xELc3DtIyQuahx8Soxr1=Djl7QPa&2aqkfsWRTj3Wrh5sE=vZTK2QwsufkfmxSn6zEzCEmAUNy&dfn22ZeBLrhZyw81=y7FEElFoOxqxTzpcRPO1rm
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2772
services.exe
141.8.197.42:80
a1097913.xsph.ru
Sprinthost.ru LLC
RU
whitelisted
7612
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7904
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
a1097913.xsph.ru
  • 141.8.197.42
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (xsph .ru)
2196
svchost.exe
Misc activity
ET INFO Observed DNS Query to xsph .ru Domain
2772
services.exe
A Network Trojan was detected
ET MALWARE DCRAT Activity (GET)
No debug info