File name:

5bc0b77237c0d189a12e0b4906835e68.exe

Full analysis: https://app.any.run/tasks/c297a4d3-53f9-46db-84e4-84df9d8c48c2
Verdict: Malicious activity
Threats:

DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT) first seen in 2018. It is modular malware that can be customized for different tasks: stealing passwords and crypto-wallet data, hijacking Telegram and Steam accounts, and more. Attackers distribute DCrat in a variety of ways, but phishing email campaigns are the most common.

Analysis date: August 21, 2025, 00:27:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto-sch
auto-reg
dcrat
rat
netreactor
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 4 sections
MD5:

5BC0B77237C0D189A12E0B4906835E68

SHA1:

F54198AEE8F0510CBDD51C7C0A894464226BD5D7

SHA256:

DA55810C4E31AFAB9BC804090AD52CBF82B9E9577D24CBBDD42158CC7CD7E140

SSDEEP:

12288:pDmnxwATW0E5CuS1fIEdp4qwccTVtPzzTqjn1NvXJa:pD/WuS1fIEdp4qwccTVtPzqj1NvX4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DCRAT mutex has been found

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
      • RuntimeBroker.exe (PID: 6236)
    • Changes the autorun value in the registry

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • DCRAT has been detected (YARA)

      • RuntimeBroker.exe (PID: 6236)
  • SUSPICIOUS

    • Executed via WMI

      • schtasks.exe (PID: 4060)
      • schtasks.exe (PID: 3948)
      • schtasks.exe (PID: 3640)
      • schtasks.exe (PID: 2632)
      • schtasks.exe (PID: 3028)
      • schtasks.exe (PID: 4036)
      • schtasks.exe (PID: 4552)
      • schtasks.exe (PID: 2228)
      • schtasks.exe (PID: 236)
      • schtasks.exe (PID: 2728)
      • schtasks.exe (PID: 3108)
      • schtasks.exe (PID: 6572)
      • schtasks.exe (PID: 1036)
      • schtasks.exe (PID: 2628)
      • schtasks.exe (PID: 4264)
      • schtasks.exe (PID: 5236)
      • schtasks.exe (PID: 5780)
      • schtasks.exe (PID: 3932)
      • schtasks.exe (PID: 2312)
      • schtasks.exe (PID: 1660)
      • schtasks.exe (PID: 640)
      • schtasks.exe (PID: 6504)
      • schtasks.exe (PID: 5744)
      • schtasks.exe (PID: 6664)
      • schtasks.exe (PID: 6292)
      • schtasks.exe (PID: 3948)
      • schtasks.exe (PID: 4156)
      • schtasks.exe (PID: 1216)
      • schtasks.exe (PID: 1944)
      • schtasks.exe (PID: 768)
      • schtasks.exe (PID: 2464)
      • schtasks.exe (PID: 5032)
      • schtasks.exe (PID: 684)
      • schtasks.exe (PID: 236)
      • schtasks.exe (PID: 4400)
      • schtasks.exe (PID: 4832)
      • schtasks.exe (PID: 1592)
      • schtasks.exe (PID: 4540)
      • schtasks.exe (PID: 5372)
    • Likely accesses (executes) a file from the Public directory

      • schtasks.exe (PID: 4060)
      • schtasks.exe (PID: 3948)
      • schtasks.exe (PID: 3640)
      • schtasks.exe (PID: 4036)
      • schtasks.exe (PID: 3028)
      • schtasks.exe (PID: 2632)
      • schtasks.exe (PID: 236)
      • schtasks.exe (PID: 4540)
      • schtasks.exe (PID: 5372)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 7060)
      • wininit.exe (PID: 7304)
      • wininit.exe (PID: 7884)
      • StartMenuExperienceHost.exe (PID: 7472)
      • StartMenuExperienceHost.exe (PID: 7828)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 8000)
    • The process creates files with name similar to system file names

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • Reads security settings of Internet Explorer

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • Reads the date of Windows installation

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • Starts itself from another location

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • There is functionality for taking screenshot (YARA)

      • RuntimeBroker.exe (PID: 6236)
  • INFO

    • Reads Environment values

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
      • RuntimeBroker.exe (PID: 6236)
      • dllhost.exe (PID: 4664)
      • wininit.exe (PID: 2628)
      • uhssvc.exe (PID: 3148)
      • lsass.exe (PID: 6508)
      • wininit.exe (PID: 4060)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 7060)
      • RuntimeBroker.exe (PID: 6656)
      • firefox.exe (PID: 1740)
      • SystemSettings.exe (PID: 684)
      • slui.exe (PID: 236)
      • firefox.exe (PID: 6292)
      • SystemSettings.exe (PID: 7192)
      • slui.exe (PID: 7248)
      • uhssvc.exe (PID: 4888)
      • wininit.exe (PID: 7304)
      • wininit.exe (PID: 7360)
      • dllhost.exe (PID: 7416)
      • StartMenuExperienceHost.exe (PID: 7472)
      • StartMenuExperienceHost.exe (PID: 7828)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 8000)
      • RuntimeBroker.exe (PID: 8056)
      • wininit.exe (PID: 7884)
      • lsass.exe (PID: 7944)
      • wininit.exe (PID: 8112)
    • Reads the machine GUID from the registry

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
      • RuntimeBroker.exe (PID: 6236)
      • wininit.exe (PID: 2628)
      • uhssvc.exe (PID: 3148)
      • lsass.exe (PID: 6508)
      • dllhost.exe (PID: 4664)
      • wininit.exe (PID: 4060)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 7060)
      • RuntimeBroker.exe (PID: 6656)
      • firefox.exe (PID: 1740)
      • SystemSettings.exe (PID: 684)
      • slui.exe (PID: 236)
      • uhssvc.exe (PID: 4888)
      • firefox.exe (PID: 6292)
      • SystemSettings.exe (PID: 7192)
      • slui.exe (PID: 7248)
      • wininit.exe (PID: 7360)
      • dllhost.exe (PID: 7416)
      • wininit.exe (PID: 7304)
      • StartMenuExperienceHost.exe (PID: 7472)
      • StartMenuExperienceHost.exe (PID: 7828)
      • lsass.exe (PID: 7944)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 8000)
      • RuntimeBroker.exe (PID: 8056)
      • wininit.exe (PID: 7884)
      • wininit.exe (PID: 8112)
    • Checks supported languages

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
      • dllhost.exe (PID: 4664)
      • RuntimeBroker.exe (PID: 6236)
      • uhssvc.exe (PID: 3148)
      • lsass.exe (PID: 6508)
      • wininit.exe (PID: 2628)
      • wininit.exe (PID: 4060)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 7060)
      • RuntimeBroker.exe (PID: 6656)
      • firefox.exe (PID: 1740)
      • SystemSettings.exe (PID: 684)
      • slui.exe (PID: 236)
      • uhssvc.exe (PID: 4888)
      • firefox.exe (PID: 6292)
      • SystemSettings.exe (PID: 7192)
      • slui.exe (PID: 7248)
      • wininit.exe (PID: 7304)
      • wininit.exe (PID: 7360)
      • dllhost.exe (PID: 7416)
      • wininit.exe (PID: 7884)
      • StartMenuExperienceHost.exe (PID: 7828)
      • StartMenuExperienceHost.exe (PID: 7472)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 8000)
      • RuntimeBroker.exe (PID: 8056)
      • lsass.exe (PID: 7944)
      • wininit.exe (PID: 8112)
    • Reads the computer name

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
      • RuntimeBroker.exe (PID: 6236)
      • dllhost.exe (PID: 4664)
      • uhssvc.exe (PID: 3148)
      • lsass.exe (PID: 6508)
      • wininit.exe (PID: 2628)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 7060)
      • wininit.exe (PID: 4060)
      • RuntimeBroker.exe (PID: 6656)
      • firefox.exe (PID: 1740)
      • SystemSettings.exe (PID: 684)
      • slui.exe (PID: 236)
      • uhssvc.exe (PID: 4888)
      • firefox.exe (PID: 6292)
      • SystemSettings.exe (PID: 7192)
      • slui.exe (PID: 7248)
      • wininit.exe (PID: 7304)
      • wininit.exe (PID: 7360)
      • dllhost.exe (PID: 7416)
      • StartMenuExperienceHost.exe (PID: 7472)
      • StartMenuExperienceHost.exe (PID: 7828)
      • lsass.exe (PID: 7944)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 8000)
      • RuntimeBroker.exe (PID: 8056)
      • wininit.exe (PID: 7884)
      • wininit.exe (PID: 8112)
    • The sample was compiled with English language support

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • Launching a file from a Registry key

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • Creates files in the program directory

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • Failed to create an executable file in Windows directory

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • Creates files or folders in the user directory

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • Process checks computer location settings

      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 1392)
    • Manual execution by a user

      • dllhost.exe (PID: 4664)
      • uhssvc.exe (PID: 3148)
      • lsass.exe (PID: 6508)
      • wininit.exe (PID: 2628)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 7060)
      • RuntimeBroker.exe (PID: 6656)
      • wininit.exe (PID: 4060)
      • firefox.exe (PID: 1740)
      • SystemSettings.exe (PID: 684)
      • slui.exe (PID: 236)
      • firefox.exe (PID: 6292)
      • SystemSettings.exe (PID: 7192)
      • slui.exe (PID: 7248)
      • uhssvc.exe (PID: 4888)
      • wininit.exe (PID: 7360)
      • dllhost.exe (PID: 7416)
      • StartMenuExperienceHost.exe (PID: 7472)
      • wininit.exe (PID: 7304)
      • StartMenuExperienceHost.exe (PID: 7828)
      • wininit.exe (PID: 7884)
      • 5bc0b77237c0d189a12e0b4906835e68.exe (PID: 8000)
      • RuntimeBroker.exe (PID: 8056)
      • lsass.exe (PID: 7944)
      • wininit.exe (PID: 8112)
    • Disables trace logs

      • RuntimeBroker.exe (PID: 6236)
    • Checks proxy server information

      • RuntimeBroker.exe (PID: 6236)
      • slui.exe (PID: 2972)
    • .NET Reactor protector has been detected

      • RuntimeBroker.exe (PID: 6236)
    • Reads the software policy settings

      • slui.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

DcRat

Process: (6236) RuntimeBroker.exe
C2 (1): http://ca33575.tw1.ru/4a2b4413
Options
Mutex: DCR_MUTEX-f1tHoTatd8jDc5gv5TSm
Target: ru
Debug: false
GetWebcams: false
SleepTimeout: 5
InactivityTimeout: 2
CacheStorage: Registry
AutoRun: Full
StealerEnabled: true
StealerOptions: false
SelfDelete: false
ServerConfigReplacementTable (pairs as extracted; the entry "T" reached the page with its second character missing)
1 : -
2 : #
Z : %
I : |
d : $
U : ,
z : ;
O : ~
n : @
i : !
T
H : `
e : >
u : &
l : ^
y : *
v : <
E : .
w : )
S : (
M : _
PluginConfigReplacementTable (pairs as extracted; the entry "i" reached the page with its second character missing)
0 : ;
6 : %
b : #
I : *
y : &
X : >
f : )
Q : .
c : -
e : (
= : ,
S : |
i
M : `
D : $
p : !
w : ~
j : <
x : @
l : ^
StealerConfig
savebrowsersdatatosinglefile: false
ignorepartiallyemptydata: false
cookies: true
passwords: true
forms: true
cc: true
history: false
telegram: true
steam: true
discord: true
filezilla: true
screenshot: true
clipboard: true
sysinfo: true
searchpath: %UsersFolder% - Fast
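The two replacement tables above are what a config extractor hands you without explaining how they are used. The Python below is an added example, not code from the report, from ANY.RUN, or from the DCRat code base: it reads each two-character entry as "plain character, replacement character", builds the forward and reverse maps, and applies them around a base64-then-JSON step. That the configuration is base64 under the substitution, that it is JSON, and the direction of the pairs are all assumptions; if the sample runs the table the other way, swap the ENC and DEC maps. Entries that reached the page with a single character (T in the server table, i in the plugin table) are skipped rather than guessed. The sample configuration string is constructed here from values shown in this report so the round trip runs offline.

```python
import base64
import json

# ServerConfigReplacementTable and PluginConfigReplacementTable, copied as the
# report lists them; "T" and "i" reached the page with one character only.
SERVER_TABLE_RAW = ["1-", "2#", "Z%", "I|", "d$", "U,", "z;", "O~", "n@", "i!",
                    "T", "H`", "e>", "u&", "l^", "y*", "v<", "E.", "w)", "S(", "M_"]
PLUGIN_TABLE_RAW = ["0;", "6%", "b#", "I*", "y&", "X>", "f)", "Q.", "c-", "e(",
                    "=,", "S|", "i", "M`", "D$", "p!", "w~", "j<", "x@", "l^"]


def build_tables(raw):
    """Forward (plain -> replacement) and reverse maps; incomplete entries are skipped."""
    enc = {}
    for entry in raw:
        if len(entry) != 2:
            continue          # truncated on the page; do not guess the partner
        plain, repl = entry
        enc[plain] = repl
    # A clean substitution must not put the same character on both sides,
    # otherwise str.translate could not be inverted.
    if set(enc) & set(enc.values()):
        raise ValueError("a character appears on both sides of the table")
    return enc, {v: k for k, v in enc.items()}


SERVER_ENC, SERVER_DEC = build_tables(SERVER_TABLE_RAW)
PLUGIN_ENC, PLUGIN_DEC = build_tables(PLUGIN_TABLE_RAW)


def obfuscate(b64_text: str, enc=SERVER_ENC) -> str:
    """Apply the table to a base64 string (assumed direction: plain -> replacement)."""
    return b64_text.translate(str.maketrans(enc))


def deobfuscate(obf_text: str, dec=SERVER_DEC) -> str:
    """Undo the table, restoring base64 alphabet characters."""
    return obf_text.translate(str.maketrans(dec))


def decode_config(obf_text: str, dec=SERVER_DEC) -> dict:
    """Undo the substitution, then base64 (assumed), then JSON (assumed)."""
    b64 = deobfuscate(obf_text, dec)
    b64 += "=" * (-len(b64) % 4)          # tolerate stripped padding
    return json.loads(base64.b64decode(b64))


def encode_config(cfg: dict, enc=SERVER_ENC) -> str:
    """Inverse of decode_config; used only to build a sample input offline."""
    return obfuscate(base64.b64encode(json.dumps(cfg).encode()).decode(), enc)


# Constructed sample built from values in this report; not a string from the binary.
SAMPLE_CONFIG = {"Mutex": "DCR_MUTEX-f1tHoTatd8jDc5gv5TSm",
                 "C2": "http://ca33575.tw1.ru/4a2b4413", "Debug": False}
SAMPLE_OBF = encode_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(SAMPLE_OBF)
    print(decode_config(SAMPLE_OBF))
```

The plugin table is handled by the same builder, so a second config blob that uses it decodes with `decode_config(blob, PLUGIN_DEC)`. If a real blob fails to decode after the substitution, the direction assumption is the first thing to flip.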

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (45.1)
.exe | Win32 Executable MS Visual C++ (generic) (19.2)
.exe | Win64 Executable (generic) (17)
.scr | Windows screen saver (8)
.dll | Win32 Dynamic Link Library (generic) (4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:04 16:03:35+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 833536
InitializedDataSize: 13824
UninitializedDataSize: -
EntryPoint: 0xcd63e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.15.2.0
ProductVersionNumber: 5.15.2.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 5.15.2.0
OriginalFileName: libGLESv2.dll
ProductName: libGLESv2
ProductVersion: 5.15.2.0
Total processes
203
Monitored processes
67
Malicious processes
2
Suspicious processes
0

Behavior graph

Nodes in the behavior graph, in the order the graph lists them (the interactive graph itself is only in the full report): 5bc0b77237c0d189a12e0b4906835e68.exe [#DCRAT]; 39 × schtasks.exe (no specs); runtimebroker.exe [#DCRAT]; then dllhost.exe, wininit.exe, uhssvc.exe, lsass.exe, wininit.exe, 5bc0b77237c0d189a12e0b4906835e68.exe, runtimebroker.exe, firefox.exe, systemsettings.exe, slui.exe, uhssvc.exe, firefox.exe, systemsettings.exe, slui.exe, wininit.exe, wininit.exe, dllhost.exe, startmenuexperiencehost.exe, svchost.exe, startmenuexperiencehost.exe, wininit.exe, lsass.exe, 5bc0b77237c0d189a12e0b4906835e68.exe, runtimebroker.exe, wininit.exe, slui.exe (all "no specs" except svchost.exe and the last slui.exe).

Process information

PID
CMD
Path
Indicators
Parent process
PID:
236
CMD:
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
236
CMD:
schtasks.exe /create /tn "5bc0b77237c0d189a12e0b4906835e685" /sc MINUTE /mo 14 /tr "'C:\Users\Public\5bc0b77237c0d189a12e0b4906835e68.exe'" /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
236
CMD:
"C:\Users\All Users\slui.exe"
Path:
C:\ProgramData\slui.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\programdata\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
640
CMD:
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\admin\PrintHood\lsass.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
684
CMD:
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Users\admin\RuntimeBroker.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
684
CMD:
C:\Users\admin\Desktop\SystemSettings.exe
Path:
C:\Users\admin\Desktop\SystemSettings.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\admin\desktop\systemsettings.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
768
CMD:
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1036
CMD:
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1216
CMD:
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f
Path:
C:\Windows\System32\schtasks.exe
Parent process:
WmiPrvSE.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
1392
CMD:
"C:\Users\admin\AppData\Local\Temp\5bc0b77237c0d189a12e0b4906835e68.exe"
Path:
C:\Users\admin\AppData\Local\Temp\5bc0b77237c0d189a12e0b4906835e68.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.15.2.0
Modules
Images
c:\users\admin\appdata\local\temp\5bc0b77237c0d189a12e0b4906835e68.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
5 042
Read events
5 028
Write events
14
Delete events
0

Modification events

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: StartMenuExperienceHost
Value:
"C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe"

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wininit
Value:
"C:\Users\Public\Libraries\wininit.exe"

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: dllhost
Value:
"C:\Users\Default\Desktop\dllhost.exe"

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: uhssvc
Value:
"C:\Users\Default\Documents\My Pictures\uhssvc.exe"

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wininit
Value:
"C:\Users\All Users\wininit.exe"

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: firefox
Value:
"C:\Users\admin\MicrosoftEdgeBackups\backups\MicrosoftEdgeBackup20220824\firefox.exe"

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wininit
Value:
"C:\Windows\Temp\wininit.exe"

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: slui
Value:
"C:\Users\All Users\slui.exe"

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: fontdrvhost
Value:
"C:\Windows\tracing\fontdrvhost.exe"

Process: (1392) 5bc0b77237c0d189a12e0b4906835e68.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: lsass
Value:
"C:\Users\admin\PrintHood\lsass.exe"
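The schtasks /create lines in the process list and the HKCU Run values above share one pattern: copies of the sample, renamed after Windows binaries (dllhost, lsass, wininit, fontdrvhost, RuntimeBroker, slui, uhssvc, SystemSettings, StartMenuExperienceHost), dropped into user-writable directories and registered to run every few minutes or at logon. Three details of this run matter when reading those tables. Every task requested with /rl HIGHEST exited with code 1 while the one without it (5bc0b77237c0d189a12e0b4906835e685, every 14 minutes) exited 0, consistent with schtasks refusing a highest-run-level task from a process at MEDIUM integrity, so of the tasks shown only that one was created. The Run value named wininit was written three times with different paths, and a Run value is keyed by name, so only the last path (C:\Windows\Temp\wininit.exe) remains. And every dropped .exe in the file list carries the sample's own MD5 and SHA256, so they are plain copies and a hash block on the original covers them all. The Python below is an added example, not part of the report or of any ANY.RUN tooling: it runs a masquerade-and-location check over log lines constructed from the commands and registry writes listed here (the "Backup" line is a constructed benign control; the trusted and writable prefix lists are assumptions to adjust to your own baseline).

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Windows binary names the sample reused for its copies (all taken from this
# report's process list, Run values and dropped-file names).
SYSTEM_NAMES = {
    "dllhost.exe", "lsass.exe", "wininit.exe", "fontdrvhost.exe",
    "runtimebroker.exe", "slui.exe", "uhssvc.exe", "systemsettings.exe",
    "startmenuexperiencehost.exe",
}
# Where such names legitimately live (assumption: deliberately short; extend
# for your own image baseline).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\windows\\systemapps\\")
# Locations a medium-integrity process can write to, as used in this run.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\",
                     "c:\\windows\\temp\\", "c:\\windows\\tracing\\")


def _norm(path: str) -> str:
    return path.strip().strip("'\"").lower()


def masquerades(path: str) -> bool:
    """A system-binary name launched from outside the trusted directories."""
    p = _norm(path)
    return PureWindowsPath(p).name in SYSTEM_NAMES and not p.startswith(TRUSTED_PREFIXES)


def user_writable(path: str) -> bool:
    return _norm(path).startswith(WRITABLE_PREFIXES)


_TR = re.compile(r"""/tr\s+["']*([^"']+)""", re.IGNORECASE)   # quoted task action
_TN = re.compile(r'/tn\s+"([^"]+)"', re.IGNORECASE)            # task name


def check_schtasks(cmdline: str) -> Optional[dict]:
    """Parse `schtasks /create`; flag masquerading or user-writable targets."""
    low = cmdline.lower()
    m = _TR.search(cmdline)
    if "/create" not in low or not m:
        return None
    target = m.group(1)
    masq, writable = masquerades(target), user_writable(target)
    if not (masq or writable):
        return None
    tn = _TN.search(cmdline)
    return {
        "kind": "schtasks",
        "task": tn.group(1) if tn else "",
        "target": target,
        "highest": "/rl highest" in low,   # needs elevation; fails at MEDIUM integrity
        "masquerade": masq,
        "user_writable": writable,
    }


def check_run_value(name: str, value: str) -> Optional[dict]:
    """Flag an HKCU Run value whose image is a masquerading system name.

    Location alone is not used here: many legitimate per-user Run entries
    point into AppData, so only the name/location mismatch is scored.
    """
    if not masquerades(value):
        return None
    return {"kind": "run_key", "name": name, "target": _norm(value), "masquerade": True}


# Constructed sample input: the schtasks command lines and Run values from this
# report, plus one benign control line that points at the real System32 binary.
SCHTASKS_LINES = [
    r'''schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\dllhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "5bc0b77237c0d189a12e0b4906835e685" /sc MINUTE /mo 14 /tr "'C:\Users\Public\5bc0b77237c0d189a12e0b4906835e68.exe'" /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\admin\PrintHood\lsass.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\tracing\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Backup" /sc DAILY /tr "'C:\Windows\System32\dllhost.exe'" /f''',
]
RUN_VALUES = [
    ("StartMenuExperienceHost", r'"C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe"'),
    ("wininit", r'"C:\Windows\Temp\wininit.exe"'),
    ("lsass", r'"C:\Users\admin\PrintHood\lsass.exe"'),
]


def findings() -> list:
    out = [f for f in map(check_schtasks, SCHTASKS_LINES) if f]
    out += [f for f in (check_run_value(n, v) for n, v in RUN_VALUES) if f]
    return out


if __name__ == "__main__":
    for f in findings():
        print(f)
```

In a real hunt the same two checks run over Sysmon event 1 command lines (schtasks.exe with parent WmiPrvSE.exe is itself worth a filter, since that is how the task creations here were launched) and over event 13 writes to the Run key.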
Executable files
13
Suspicious files
0
Text files
13
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\Default\Pictures\105eec298f1910
Type: text
MD5: 0753E91BFCAE5F7135AC0CF4C7ADFB2A
SHA256: 102CC8457CF7D4FF1673FD1E0482C4AC3F69FED4FAF56ED6F838A80B580A91D9

PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\Default\Pictures\uhssvc.exe
Type: executable
MD5: 5BC0B77237C0D189A12E0B4906835E68
SHA256: DA55810C4E31AFAB9BC804090AD52CBF82B9E9577D24CBBDD42158CC7CD7E140

PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\Public\Libraries\56085415360792
Type: text
MD5: AD8840CC205ADB7B20FB52282A330BB0
SHA256: 6C7C8BF03B25944ADE06B11038A34D14B60E9EC91F54E0F257CA8F2325143AD8

PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\Public\AccountPictures\StartMenuExperienceHost.exe
Type: executable
MD5: 5BC0B77237C0D189A12E0B4906835E68
SHA256: DA55810C4E31AFAB9BC804090AD52CBF82B9E9577D24CBBDD42158CC7CD7E140

PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\Default\Desktop\5940a34987c991
Type: text
MD5: 30266CE59DD1A346D72C61026C29A262
SHA256: 02EDEB4D6DBE87050C911ACB19562504631A3A500454D13B0B6E23A548FDE1B0

PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\Public\Libraries\wininit.exe
Type: executable
MD5: 5BC0B77237C0D189A12E0B4906835E68
SHA256: DA55810C4E31AFAB9BC804090AD52CBF82B9E9577D24CBBDD42158CC7CD7E140

PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\Public\AccountPictures\55b276f4edf653
Type: text
MD5: FFF3DE0C4509538FBAC6A76043FC4120
SHA256: F1A82319B9EE3D87D239F2E20B1D910A086C63381181D5A9A22141ABB537DC12

PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\6203df4a6bafc7
Type: text
MD5: 2CF2A12A9F1FE6F7AACF7A890952FDD5
SHA256: 60D9348ECDC981558609536E5F9B36DFF2504F8CBC7274F02DB5E549F8FC0637

PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\lsass.exe
Type: executable
MD5: 5BC0B77237C0D189A12E0B4906835E68
SHA256: DA55810C4E31AFAB9BC804090AD52CBF82B9E9577D24CBBDD42158CC7CD7E140

PID: 1392
Process: 5bc0b77237c0d189a12e0b4906835e68.exe
Filename: C:\Users\admin\Desktop\9e60a5f7a3bd80
Type: text
MD5: 9D05C6B69879EE90878662C512D9B1DD
SHA256: 6AB3BC034923928D7C6A03ED973CBBC197DC54D6CEA4301A9B3B8A35EAA02CEB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
25
DNS requests
21
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5644
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1232
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1232
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
2940
svchost.exe
GET
200
2.23.197.184:80
http://x1.c.lencr.org/
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4700
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5644
svchost.exe
20.190.160.17:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5644
svchost.exe
184.30.131.245:80
ocsp.digicert.com
AKAMAI-AS
US
whitelisted
1268
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6236
RuntimeBroker.exe
92.53.96.145:80
ca33575.tw1.ru
TimeWeb Ltd.
RU
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
login.live.com
  • 20.190.160.17
  • 20.190.160.2
  • 40.126.32.68
  • 40.126.32.76
  • 20.190.160.131
  • 40.126.32.74
  • 40.126.32.72
  • 20.190.160.67
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 23.35.229.160
whitelisted
ca33575.tw1.ru
  • 92.53.96.145
whitelisted
slscr.update.microsoft.com
  • 135.233.95.144
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted
self.events.data.microsoft.com
  • 20.44.10.122
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected domain Associated with Malware Distribution (.tw1 .ru)
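The network section above reduces to one indicator set (the C2 URL, its host ca33575.tw1.ru and the TimeWeb address 92.53.96.145, contacted over plain HTTP on port 80 by the RuntimeBroker.exe copy) plus the IDS message, which keys on the .tw1.ru shared-hosting suffix rather than on the exact host. The Python below is an added example, not from the report: it matches the DNS answers and connection rows listed above (copied into the script, plus one constructed row that carries only an IP) against those indicators, uses the DNS table to put a name on connections the connection table shows without one, and scores any other host under .tw1.ru as a lower-confidence hit. Note that the report's reputation columns mark ca33575.tw1.ru "whitelisted"; the verdict here comes from the extracted configuration, not from reputation.

```python
import ipaddress
from typing import Optional

# Indicators from this report.
C2_URL = "http://ca33575.tw1.ru/4a2b4413"
C2_HOST = "ca33575.tw1.ru"
C2_IP = ipaddress.ip_address("92.53.96.145")
# The report's IDS alert keys on the shared-hosting suffix itself; other hosts
# under it are reported as lower-confidence hits rather than ignored.
SUSPECT_SUFFIXES = (".tw1.ru",)


def host_verdict(host: str) -> Optional[str]:
    """Exact C2 host, suspect hosting suffix, or None."""
    h = host.lower().rstrip(".")
    if h == C2_HOST:
        return "c2_domain"
    if h.endswith(SUSPECT_SUFFIXES):
        return "suspect_hosting_suffix"
    return None


# DNS answers as listed in the report (domain -> IPs); used to name
# connections that the connection table shows with an IP only.
DNS_ANSWERS = {
    "settings-win.data.microsoft.com": ["40.127.240.158", "51.124.78.146", "51.104.136.2"],
    "login.live.com": ["20.190.160.17", "20.190.160.2"],
    "ocsp.digicert.com": ["184.30.131.245"],
    "ca33575.tw1.ru": ["92.53.96.145"],
}
IP_TO_DOMAIN = {ip: d for d, ips in DNS_ANSWERS.items() for ip in ips}

# Connection rows (pid, process, ip, port, domain) copied from the report's
# Connections table, plus one constructed row with no domain to exercise the
# DNS enrichment.
CONNECTIONS = [
    (5944, "MoUsoCoreWorker.exe", "40.127.240.158", 443, "settings-win.data.microsoft.com"),
    (5644, "svchost.exe", "20.190.160.17", 443, "login.live.com"),
    (5644, "svchost.exe", "184.30.131.245", 80, "ocsp.digicert.com"),
    (6236, "RuntimeBroker.exe", "92.53.96.145", 80, "ca33575.tw1.ru"),
    (4, "System", "192.168.100.255", 137, ""),
    (9999, "example.exe", "92.53.96.145", 80, ""),   # constructed: IP-only row
]


def connection_verdict(ip: str, domain: str) -> Optional[str]:
    """Name-based verdict first (with DNS enrichment), then the raw C2 IP."""
    name = domain or IP_TO_DOMAIN.get(ip, "")
    verdict = host_verdict(name) if name else None
    if verdict:
        return verdict
    return "c2_ip" if ipaddress.ip_address(ip) == C2_IP else None


def dns_hits() -> list:
    """Queried domains that match an indicator, sorted for stable output."""
    return sorted(d for d in DNS_ANSWERS if host_verdict(d))


def connection_hits() -> list:
    """Connection rows that match, with the verdict appended."""
    return [(pid, proc, ip, port, connection_verdict(ip, dom))
            for pid, proc, ip, port, dom in CONNECTIONS if connection_verdict(ip, dom)]


if __name__ == "__main__":
    print("DNS:", dns_hits())
    for hit in connection_hits():
        print("CONN:", hit)
```

The same functions apply unchanged to a Zeek dns.log/conn.log export or a proxy log once the rows are mapped to (ip, domain) pairs; the suffix rule is the part to review before deploying, since .tw1.ru is ordinary shared hosting and will also match legitimate tenants.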