File name: 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7

Full analysis: https://app.any.run/tasks/a2f05e0b-a09e-4f96-ba72-98f4fa6ed20d
Verdict: Malicious activity
Analysis date: July 05, 2025, 21:42:10
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 6CCCDB29756BA660031CCA9D080F51F3
SHA1: 449D7B8D28F9CC3E2621CA8A2A71B4D855F2C4A5
SHA256: 1D512416CF0C42EE3D730154482C8A5568E579D7867E7E32C04E85ED3BC3E1E7
SSDEEP: 49152:c5fb5ADmd+/ykdxyzF43hdvwCQYEOFZdOFL3BA0R650U61WCZt:cRzg7gmsCQYEqZdOt+0zPDZt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Connects to the CnC server

      • svchost.exe (PID: 2200)
  • SUSPICIOUS

    • Application launched itself

      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 6668)
    • Reads security settings of Internet Explorer

      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 6668)
      • 8f059292 (PID: 1512)
      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
    • Executable content was dropped or overwritten

      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
    • Executes as Windows Service

      • 8f059292 (PID: 1512)
    • Connects to the server without a host name

      • 8f059292 (PID: 1512)
      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2200)
  • INFO

    • Checks supported languages

      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 6668)
      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
      • 8f059292 (PID: 1512)
    • Reads the computer name

      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 6668)
      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
      • 8f059292 (PID: 1512)
    • The sample was compiled with Chinese language support

      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 6668)
      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
    • Process checks computer location settings

      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 6668)
    • Reads the software policy settings

      • 8f059292 (PID: 1512)
      • slui.exe (PID: 1136)
      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
    • Reads the machine GUID from the registry

      • 8f059292 (PID: 1512)
      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
    • UPX packer has been detected

      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
      • 8f059292 (PID: 1512)
    • Checks proxy server information

      • 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (PID: 3780)
      • slui.exe (PID: 1136)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:15 17:19:27+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 143360
InitializedDataSize: 139264
UninitializedDataSize: 274432
EntryPoint: 0x65ed0
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1611
ProductVersionNumber: 23.9.20.1611
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1611
ProductVersion: 23, 9, 20, 1611
No data.
All screenshots are available in the full report
Total processes: 136
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Nodes: start; 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (no specs); 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe; 8f059292; slui.exe; svchost.exe

Process information

PID: 1136
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1512
CMD: C:\Windows\Syswow64\8f059292
Path: C:\Windows\SysWOW64\8f059292
Parent process: services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Version:
23, 9, 20, 1611
Modules (Images):
c:\windows\syswow64\8f059292
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3780
CMD: "C:\Users\admin\Desktop\1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe"
Path: C:\Users\admin\Desktop\1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe
Parent process: 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe
User:
admin
Integrity Level:
HIGH
Version:
23, 9, 20, 1611
Modules (Images):
c:\users\admin\desktop\1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6668
CMD: "C:\Users\admin\Desktop\1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe"
Path: C:\Users\admin\Desktop\1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
23, 9, 20, 1611
Modules (Images):
c:\users\admin\desktop\1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 11 674
Read events: 11 671
Write events: 3
Delete events: 0

Modification events

Process (PID): 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (3780)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process (PID): 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (3780)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process (PID): 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe (3780)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID: 3780
Process: 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe
Filename: C:\Windows\SysWOW64\8f059292
Type: executable
MD5: D458038460C2A9E27410D5F90CC913A5
SHA256: 83B1A9CA27EE5AFF38E1D50A8AFE23B4F77E135A5927D83D06D9DA1051636A22

PID: 1512
Process: 8f059292
Filename: C:\Windows\19e2d0
Type: text
MD5: D73EE9646423A1A30DC5F08E8F11FB4A
SHA256: F34AE21569D00A9C5513A9CA8FE96EB886F0CC5E0B1EE04DCDBDA557ECED1644

PID: 3780
Process: 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe
Filename: C:\Windows\40b708
Type: text
MD5: 5A692B533BAC7E44DC7C192AAAF2EE13
SHA256: 97E83E294B4B7426952130A31772D624E12E78886E6EB196D2C36209DBE503A3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 116
TCP/UDP connections: 164
DNS requests: 28
Threats: 45

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6376 | RUXIMICS.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | RU | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
6376 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | NL | binary | 814 b | whitelisted
1512 | 8f059292 | GET | 200 | 223.5.5.5:80 | http://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | CN | binary | 257 b | whitelisted
 | | GET | 200 | 223.5.5.5:443 | https://dns.alidns.com/resolve?name=down.nugong.asia&type=1 | CN | binary | 257 b | whitelisted
1512 | 8f059292 | GET | 200 | 223.5.5.5:80 | http://223.5.5.5/resolve?name=down.nugong.asia&type=1 | CN | binary | 257 b | unknown
 | | GET | 200 | 223.6.6.6:443 | https://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16 | CN | binary | 255 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6376 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
6376 | RUXIMICS.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6376 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.104.136.2 | whitelisted
google.com | 142.250.186.78 | whitelisted
down.nugong.asia | | unknown
crl.microsoft.com | 2.16.168.114, 2.16.168.124 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
dns.alidns.com | 223.5.5.5, 223.6.6.6 | whitelisted
down.xy58.top | 54.156.158.84 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
x1.c.lencr.org | 2.23.197.184 | whitelisted
31bd9b27a24e0be9.tyui54345.xyz | | unknown

Threats

PID | Process | Class | Message
1512 | 8f059292 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
1512 | 8f059292 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
1512 | 8f059292 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
1512 | 8f059292 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
1512 | 8f059292 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
1512 | 8f059292 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
1512 | 8f059292 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
1512 | 8f059292 | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
3780 | 1d512416cf0c42ee3d730154482c8a5568e579d7867e7e32c04e85ed3bc3e1e7.exe | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
1512 | 8f059292 | Misc activity | ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
No debug info