File name: 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe

Full analysis: https://app.any.run/tasks/47c1b6e1-d790-4bf7-b8ad-37767b6f475e
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware that can be customized for different tasks: for instance, it can steal passwords and crypto-wallet information, hijack Telegram and Steam accounts, and more. Attackers distribute DCrat by a variety of methods, but phishing email campaigns are the most common.

Analysis date: September 06, 2025, 22:05:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: dcrat, rat, auto-sch, auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 580217C0A23EFCE2426F01203151A403
SHA1: 6C15408C6479EB2120516B5EC43862B2C0A42C1B
SHA256: 16B7BBA7B790720C05017317338C2730D903CAD6BDA63D0B869CEA4D807AF0E2
SSDEEP: 98304:5AfNsY3g+hna1iRRJx2gMSqqhV4btbwM+CQxxWhF7aq13xMT7aet1tE1l0i9P3w9:l+t

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT mutex has been found

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • UAC/LUA settings modification

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Changes the autorun value in the registry

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Changes Windows Defender settings

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Adds path to the Windows Defender exclusion list

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
      • ShellExperienceHost.exe (PID: 4380)
      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Reads the date of Windows installation

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
    • Starts CMD.EXE for commands execution

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
    • Executable content was dropped or overwritten

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Executed via WMI

      • schtasks.exe (PID: 3624)
      • schtasks.exe (PID: 6412)
      • schtasks.exe (PID: 5552)
      • schtasks.exe (PID: 2804)
      • schtasks.exe (PID: 1976)
      • schtasks.exe (PID: 7080)
      • schtasks.exe (PID: 3576)
      • schtasks.exe (PID: 2168)
      • schtasks.exe (PID: 5644)
      • schtasks.exe (PID: 3556)
      • schtasks.exe (PID: 5968)
      • schtasks.exe (PID: 2320)
      • schtasks.exe (PID: 6172)
      • schtasks.exe (PID: 6768)
      • schtasks.exe (PID: 2508)
      • schtasks.exe (PID: 4072)
      • schtasks.exe (PID: 5436)
      • schtasks.exe (PID: 2148)
      • schtasks.exe (PID: 3576)
      • schtasks.exe (PID: 5564)
      • schtasks.exe (PID: 3740)
      • schtasks.exe (PID: 5644)
      • schtasks.exe (PID: 4708)
      • schtasks.exe (PID: 5236)
      • schtasks.exe (PID: 3960)
      • schtasks.exe (PID: 4748)
      • schtasks.exe (PID: 1632)
      • schtasks.exe (PID: 1872)
      • schtasks.exe (PID: 5564)
      • schtasks.exe (PID: 6720)
      • schtasks.exe (PID: 3620)
      • schtasks.exe (PID: 4552)
      • schtasks.exe (PID: 5928)
      • schtasks.exe (PID: 3740)
      • schtasks.exe (PID: 6832)
      • schtasks.exe (PID: 6012)
    • The process creates files with names similar to system file names

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Script adds exclusion path to Windows Defender

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Starts itself from another location

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Creates file in the system drive root

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Starts POWERSHELL.EXE for commands execution

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
  • INFO

    • Reads Environment values

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
    • The sample compiled with English language support

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Checks supported languages

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
      • ShellExperienceHost.exe (PID: 4380)
      • RUXIMICS.exe (PID: 4708)
      • firefox.exe (PID: 5644)
      • smss.exe (PID: 7044)
      • Memory Compression.exe (PID: 6768)
      • RuntimeBroker.exe (PID: 2716)
      • winlogon.exe (PID: 4012)
      • lsass.exe (PID: 4844)
      • sihost.exe (PID: 436)
      • RuntimeBroker.exe (PID: 1128)
      • RUXIMICS.exe (PID: 7172)
      • smss.exe (PID: 7324)
      • sihost.exe (PID: 7492)
      • firefox.exe (PID: 7236)
      • lsass.exe (PID: 7368)
      • Memory Compression.exe (PID: 7428)
      • winlogon.exe (PID: 7588)
      • Memory Compression.exe (PID: 7848)
    • Reads the machine GUID from the registry

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
      • RUXIMICS.exe (PID: 4708)
      • Memory Compression.exe (PID: 6768)
      • firefox.exe (PID: 5644)
      • RuntimeBroker.exe (PID: 2716)
      • winlogon.exe (PID: 4012)
      • lsass.exe (PID: 4844)
      • sihost.exe (PID: 436)
      • smss.exe (PID: 7044)
      • RuntimeBroker.exe (PID: 1128)
      • firefox.exe (PID: 7236)
      • Memory Compression.exe (PID: 7428)
      • RUXIMICS.exe (PID: 7172)
      • smss.exe (PID: 7324)
      • lsass.exe (PID: 7368)
      • sihost.exe (PID: 7492)
      • winlogon.exe (PID: 7588)
      • Memory Compression.exe (PID: 7848)
    • Reads the computer name

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
      • ShellExperienceHost.exe (PID: 4380)
      • smss.exe (PID: 7044)
      • Memory Compression.exe (PID: 6768)
      • RUXIMICS.exe (PID: 4708)
      • firefox.exe (PID: 5644)
      • RuntimeBroker.exe (PID: 2716)
      • lsass.exe (PID: 4844)
      • sihost.exe (PID: 436)
      • winlogon.exe (PID: 4012)
      • RuntimeBroker.exe (PID: 1128)
      • Memory Compression.exe (PID: 7428)
      • RUXIMICS.exe (PID: 7172)
      • firefox.exe (PID: 7236)
      • smss.exe (PID: 7324)
      • lsass.exe (PID: 7368)
      • sihost.exe (PID: 7492)
      • winlogon.exe (PID: 7588)
      • Memory Compression.exe (PID: 7848)
    • Process checks whether UAC notifications are on

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Process checks computer location settings

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 3656)
      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Creates files in the program directory

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Launching a file from a Registry key

      • 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (PID: 5288)
    • Manual execution by a user

      • RUXIMICS.exe (PID: 4708)
      • firefox.exe (PID: 5644)
      • smss.exe (PID: 7044)
      • Memory Compression.exe (PID: 6768)
      • RuntimeBroker.exe (PID: 2716)
      • winlogon.exe (PID: 4012)
      • lsass.exe (PID: 4844)
      • sihost.exe (PID: 436)
      • RuntimeBroker.exe (PID: 1128)
      • RUXIMICS.exe (PID: 7172)
      • smss.exe (PID: 7324)
      • firefox.exe (PID: 7236)
      • sihost.exe (PID: 7492)
      • lsass.exe (PID: 7368)
      • Memory Compression.exe (PID: 7428)
      • winlogon.exe (PID: 7588)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7696)
      • powershell.exe (PID: 7732)
      • powershell.exe (PID: 7680)
      • powershell.exe (PID: 7788)
      • powershell.exe (PID: 7852)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 7716)
      • powershell.exe (PID: 7824)
      • powershell.exe (PID: 7768)
      • powershell.exe (PID: 7664)
      • powershell.exe (PID: 7656)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 7864)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7864)
      • powershell.exe (PID: 7656)
      • powershell.exe (PID: 7752)
      • powershell.exe (PID: 7716)
      • powershell.exe (PID: 7852)
      • powershell.exe (PID: 7664)
      • powershell.exe (PID: 7768)
      • powershell.exe (PID: 7788)
      • powershell.exe (PID: 7880)
      • powershell.exe (PID: 7680)
      • powershell.exe (PID: 7696)
      • powershell.exe (PID: 7824)
      • powershell.exe (PID: 7732)
    • Checks proxy server information

      • slui.exe (PID: 8628)
    • Reads the software policy settings

      • slui.exe (PID: 8628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:07:13 22:47:16+00:00
ImageFileCharacteristics: No relocs, Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 104448
InitializedDataSize: 1668096
UninitializedDataSize: -
EntryPoint: 0xcd2f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 5.15.2.0
ProductVersionNumber: 5.15.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 5.15.2.0
OriginalFileName: libGLESv2.dll
ProductName: libGLESv2
ProductVersion: 5.15.2.0
No data.
All screenshots are available in the full report
Total processes: 219
Monitored processes: 85
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the interactive graph (flattened here, in graph order): 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe (#DCRAT); cmd.exe; conhost.exe; a second 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe instance (#DCRAT); shellexperiencehost.exe; the schtasks.exe instances listed under "Executed via WMI"; ruximics.exe, firefox.exe, smss.exe, memory compression.exe, runtimebroker.exe, winlogon.exe, lsass.exe, sihost.exe, runtimebroker.exe, ruximics.exe, firefox.exe, smss.exe, lsass.exe, memory compression.exe, sihost.exe, winlogon.exe; the powershell.exe instances with their conhost.exe hosts; memory compression.exe; slui.exe.

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 436
CMD: C:\found.000\dir0000.chk\sihost.exe
Path: C:\found.000\dir0000.chk\sihost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 5.15.2.0
Modules / Images:
c:\found.000\dir0000.chk\sihost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll
PID: 592
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1128
CMD: "C:\found.000\dir0001.chk\RuntimeBroker.exe"
Path: C:\found.000\dir0001.chk\RuntimeBroker.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 5.15.2.0
Modules / Images:
c:\found.000\dir0001.chk\runtimebroker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
PID: 1632
CMD: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\winlogon.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1872
CMD: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\Logs\RuntimeBroker.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1976
CMD: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\found.000\dir0001.chk\RuntimeBroker.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2148
CMD: schtasks.exe /create /tn "RUXIMICSR" /sc MINUTE /mo 9 /tr "'C:\found.000\dir0001.chk\RUXIMICS.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2168
CMD: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\found.000\dir0001.chk\RuntimeBroker.exe'" /rl HIGHEST /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2320
CMD: schtasks.exe /create /tn "Memory CompressionM" /sc MINUTE /mo 11 /tr "'C:\Windows\appcompat\Backup\Memory Compression.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2508
CMD: schtasks.exe /create /tn "RUXIMICSR" /sc MINUTE /mo 10 /tr "'C:\found.000\dir0001.chk\RUXIMICS.exe'" /f
Path: C:\Windows\System32\schtasks.exe
Parent process: WmiPrvSE.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules / Images:
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 75 799
Read events: 75 754
Write events: 45
Delete events: 0

Modification events

Process: (PID 3656) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: (PID 3656) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: (PID 3656) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: (PID 3656) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: (PID 3656) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

Process: (PID 5288) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

Process: (PID 5288) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: ConsentPromptBehaviorAdmin
Value: 0

Process: (PID 5288) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: PromptOnSecureDesktop
Value: 0

Process: (PID 5288) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000

Process: (PID 5288) 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: smss
Value: "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe"
Executable files: 44
Suspicious files: 1
Text files: 64
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\smss.exe | executable
  MD5: 580217C0A23EFCE2426F01203151A403
  SHA256: 16B7BBA7B790720C05017317338C2730D903CAD6BDA63D0B869CEA4D807AF0E2
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\69ddcba757bf72 | text
  MD5: 94B42545BAD79C87B272FA00A1010BA9
  SHA256: D354FE5CBFBC5C0DD4AD728859A4D5AD813018043671334298E2E1E76BF2DAB6
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | C:\Recovery\OEM\0fc223bdacedc3 | text
  MD5: A3E8F1E7E6DBACE4A34CE18B52380D14
  SHA256: 2BE5D1B64AD41EBFF758BF0A4A2DF32AFF78D0A4B05995CC6DA35C57DD2B74B2
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | C:\found.000\dir0001.chk\9e8d7a4ca61bd9 | text
  MD5: 61654BCF3B36B60A8E4EC9D9697285FB
  SHA256: 711DD82D0670207F7A4CC5870E220D568E0A95B459E390F9E398D98DB22DD189
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | C:\Recovery\OEM\firefox.exe | executable
  MD5: 580217C0A23EFCE2426F01203151A403
  SHA256: 16B7BBA7B790720C05017317338C2730D903CAD6BDA63D0B869CEA4D807AF0E2
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | C:\found.000\dir0000.chk\Memory Compression.exe | executable
  MD5: 580217C0A23EFCE2426F01203151A403
  SHA256: 16B7BBA7B790720C05017317338C2730D903CAD6BDA63D0B869CEA4D807AF0E2
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | |
  MD5:
  SHA256:
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | C:\found.000\dir0001.chk\RUXIMICS.exe | executable
  MD5: 580217C0A23EFCE2426F01203151A403
  SHA256: 16B7BBA7B790720C05017317338C2730D903CAD6BDA63D0B869CEA4D807AF0E2
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | C:\Windows\tracing\RuntimeBroker.exe | executable
  MD5: 580217C0A23EFCE2426F01203151A403
  SHA256: 16B7BBA7B790720C05017317338C2730D903CAD6BDA63D0B869CEA4D807AF0E2
5288 | 16b7bba7b790720c05017317338c2730d903cad6bda63d0b869cea4d807af0e2.exe | C:\found.000\dir0001.chk\257bc9927e0626 | text
  MD5: 6ECC8FAACD3F205CD47925CE32363A57
  SHA256: 32FE0DCB3A14532C2743435D6DBAD59043E658937F491B0DAB9A37267B06A1D8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 7
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5968 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5968 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b |
 | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5968 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5968 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.72
  • 2.16.164.43
  • 2.16.164.49
  • 2.16.164.114
  • 2.16.164.9
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 40.79.150.122
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message
 | | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info