File name: 63a9c58779aa2cdd08bbdfee0bb0212f.exe

Full analysis: https://app.any.run/tasks/8ccd6c13-89a8-4dd6-8690-425b0016a3f7
Verdict: Malicious activity
Analysis date: May 24, 2025, 02:51:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 63A9C58779AA2CDD08BBDFEE0BB0212F
SHA1: 1F1F8174F0B72A8DE4906BE87688D7E0A2E22949
SHA256: 0FECA1EC2A554BE5179ECAD65D8DE9C26C3B8E46CB192C636EA19C226460ACA7
SSDEEP: 3072:BrWor5Ki/6PDBjloT0c1aVy2w3lBHtoWPdv2v7N7lmGd5v4MjsBwTiA2Wf0:BKS6Nj+aE2OBzY025v+BwTiA2M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • userinit.exe (PID: 7236)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • 63a9c58779aa2cdd08bbdfee0bb0212f.exe (PID: 1912)
      • 63a9c58779aa2cdd08bbdfee0bb0212f.exe (PID: 536)
    • Executable content was dropped or overwritten

      • 63a9c58779aa2cdd08bbdfee0bb0212f.exe (PID: 1912)
    • Process drops legitimate windows executable

      • 63a9c58779aa2cdd08bbdfee0bb0212f.exe (PID: 1912)
    • Creates or modifies Windows services

      • userinit.exe (PID: 7236)
    • Connects to unusual port

      • userinit.exe (PID: 7236)
  • INFO

    • Checks supported languages

      • 63a9c58779aa2cdd08bbdfee0bb0212f.exe (PID: 1912)
    • The sample compiled with chinese language support

      • 63a9c58779aa2cdd08bbdfee0bb0212f.exe (PID: 1912)
    • Reads the computer name

      • 63a9c58779aa2cdd08bbdfee0bb0212f.exe (PID: 1912)
    • Create files in a temporary directory

      • 63a9c58779aa2cdd08bbdfee0bb0212f.exe (PID: 1912)
    • Reads the software policy settings

      • slui.exe (PID: 672)
    • Checks proxy server information

      • slui.exe (PID: 672)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:07:14 08:48:06+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: -
InitializedDataSize: 176640
UninitializedDataSize: -
EntryPoint: 0x4eb1
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.0
ProductVersionNumber: 3.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft Corporation
FileDescription: install
FileVersion: 3, 0, 0, 0
InternalName: Rund32
LegalCopyright: 版权所有(C) 2009
LegalTrademarks: -
OriginalFileName: install.exe
PrivateBuild: -
ProductName: Microsoft Corporation
ProductVersion: 3, 0, 0, 0
SpecialBuild: -
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown: 63a9c58779aa2cdd08bbdfee0bb0212f.exe, userinit.exe, slui.exe, 63a9c58779aa2cdd08bbdfee0bb0212f.exe (no specs)

Process information

PID: 536
CMD: "C:\Users\admin\Desktop\63a9c58779aa2cdd08bbdfee0bb0212f.exe"
Path: C:\Users\admin\Desktop\63a9c58779aa2cdd08bbdfee0bb0212f.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: install
Exit code: 3221226540
Version: 3, 0, 0, 0
Modules (Images):
c:\users\admin\desktop\63a9c58779aa2cdd08bbdfee0bb0212f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 672
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 1912
CMD: "C:\Users\admin\Desktop\63a9c58779aa2cdd08bbdfee0bb0212f.exe"
Path: C:\Users\admin\Desktop\63a9c58779aa2cdd08bbdfee0bb0212f.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: install
Exit code: 0
Version: 3, 0, 0, 0
Modules (Images):
c:\users\admin\desktop\63a9c58779aa2cdd08bbdfee0bb0212f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 7236
CMD: userinit.exe
Path: C:\Windows\SysWOW64\userinit.exe
Parent process: 63a9c58779aa2cdd08bbdfee0bb0212f.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Userinit Logon Application
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\userinit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\combase.dll
Total events: 3 608
Read events: 3 605
Write events: 2
Delete events: 1

Modification events

PID 7236, userinit.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29D975B3-B256-45a0-A146-A36594F825F7}
Operation: write
Name: stubpath
Value: -

PID 7236, userinit.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCRatStact
Operation: write
Name: Type
Value: 288

PID 7236, userinit.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCRatStact
Operation: delete value
Name: InstallModule
Value: -
Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 1912
Process: 63a9c58779aa2cdd08bbdfee0bb0212f.exe
Filename: C:\Users\admin\AppData\Local\Temp\1168625_lang.dll
Type: executable
MD5: 02768B116F107238954A99DAA1C4A541
SHA256: E9A8AA59AF51253E7BA25B092EF2B954D6FADF004BE4F19F0D29FF0C25DC8FFD

PID: 1912
Process: 63a9c58779aa2cdd08bbdfee0bb0212f.exe
Filename: C:\Users\admin\AppData\Local\Temp\1168609_res.tmp
Type: executable
MD5: 02768B116F107238954A99DAA1C4A541
SHA256: E9A8AA59AF51253E7BA25B092EF2B954D6FADF004BE4F19F0D29FF0C25DC8FFD
HTTP(S) requests: 23
TCP/UDP connections: 44
DNS requests: 16
Threats: 0

HTTP requests

Columns: Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

PID 6544, svchost.exe
GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
GET | 304 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
GET | 200 | 20.109.210.53:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -

PID 2616, SIHClient.exe
GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

Columns: IP | Domain | ASN | CN | Reputation

PID 4, System
192.168.100.255:138 | - | - | - | whitelisted

PID 6544, svchost.exe
20.190.160.65:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
172.211.123.250:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown

PID 7236, userinit.exe
175.194.143.205:8000 | - | Korea Telecom | KR | unknown

PID 6544, svchost.exe
2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

PID 3216, svchost.exe
172.211.123.250:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown

PID 4, System
192.168.100.255:137 | - | - | - | whitelisted

PID 2616, SIHClient.exe
20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

PID 2616, SIHClient.exe
2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 4.231.128.59
  • 51.124.78.146
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
google.com
  • 142.250.186.110
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 2.23.181.156
  • 95.101.149.131
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info