File name: 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f

Full analysis: https://app.any.run/tasks/02de8a39-65e5-461e-b35d-aa441fb5639b
Verdict: Malicious activity
Analysis date: June 21, 2025, 15:18:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto-reg, delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5: 196FEE565E1C80AF8697D440530F6065
SHA1: C5ABD7107D2222D214681176B827F75DAC400519
SHA256: 2C7CB02BBAA6A261C6B2143A1F8CE8ED75DDBB885219503B5B8B7E1DBAB6194F
SSDEEP: 12288:wZIcQx6VTVltXcWJ4Ao+EVWOVmmmmmmmmmmmmmmmhJoVE8HyA3+8tNNNRQcssss2:wicAUtHo+hOVmmmmmmmmmmmmmmmhJK3c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm (PID: 1604)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe (PID: 6532)
    • Executable content was dropped or overwritten

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe (PID: 6532)
    • Starts application with an unusual extension

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe (PID: 6532)
    • There is functionality for taking screenshot (YARA)

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe (PID: 6532)
  • INFO

    • The sample compiled with english language support

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe (PID: 6532)
    • Checks supported languages

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe (PID: 6532)
      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.tmp (PID: 6704)
      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm (PID: 1604)
    • Failed to create an executable file in Windows directory

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm (PID: 1604)
      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe (PID: 6532)
    • Launching a file from a Registry key

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm (PID: 1604)
    • Compiled with Borland Delphi (YARA)

      • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe (PID: 6532)
    • Checks proxy server information

      • slui.exe (PID: 1132)
    • Reads the software policy settings

      • slui.exe (PID: 1132)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: 512
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2a594
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 135
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start
  • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe
    • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.tmp (no specs)
    • 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm
  • slui.exe

Process information

PID | CMD | Path | Parent process

1132 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

1604 | C:\Users\admin\Desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm /zhj | C:\Users\admin\Desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm | 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

6532 | "C:\Users\admin\Desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe" | C:\Users\admin\Desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe | explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

6704 | C:\Users\admin\Desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.tmp | C:\Users\admin\Desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.tmp | 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 2147942560
  Modules (images):
    c:\users\admin\desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.tmp
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\kernel.appcore.dll
    c:\windows\system32\msvcrt.dll
Total events: 3 522
Read events: 3 521
Write events: 1
Delete events: 0

Modification events

(PID) Process: (1604) 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: GOG
Value: C:\WINDOWS\GOG.exe
Executable files: 7
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6532 | 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | executable
  MD5: 5F670C1D7B3E9EB0336D0DBEE9AB2CF4
  SHA256: 029DBA0FD27ADEAC1BBCD780C3ABC28C1A214C73CBB3593D47BB8FD527508F7F

6532 | 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe | C:\Users\admin\Desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.mm | executable
  MD5: BCB9F9979EC00AF29C989F0621AE1689
  SHA256: 2E8D1CD758F9CA0EEE66C0FDC853DAAFC6F31CB8BC6050815C078A33A2C6A341

6532 | 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | executable
  MD5: 64C141C6B4BE55A41F5B76E62B417F1C
  SHA256: 2E5334687DD14A45071A467572A36E0C7A117E603372DBA66C3ED785A804C0B3

6532 | 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | executable
  MD5: 8FADBC83ED95443077B639F10E1FEFF0
  SHA256: D3ADBAA92A460D5C729F16008BC2BCD0BA558054428874A21766FC650658A081

6532 | 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe | C:\Users\admin\Desktop\2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.tmp | executable
  MD5: 082DEE92D0AE380E14511920978BB986
  SHA256: D8B8048ABC8C5B7E97ADA5BD057729255FDDDCB601F48281EC9CF252F228CEEF

6532 | 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | executable
  MD5: 0F6755CE9FA966D2A21AA34B6F8FF440
  SHA256: 85DE5DDE06A751C793F2D89525609BA72E92DA0835B5BD9F320A2F55FDE426FB

6532 | 2c7cb02bbaa6a261c6b2143a1f8ce8ed75ddbb885219503b5b8b7e1dbab6194f.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe | executable
  MD5: 561E46D582ADC58011D784E069815E55
  SHA256: 5F4CBD9BCD0251DD2C8422BC7EDB6A1F8028568C1577EE65B8BCA461400EA115
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6232 | RUXIMICS.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
6232 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6232 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
6232 | RUXIMICS.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6232 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.55.104.172, 23.55.104.190 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 104.208.16.88 | whitelisted

Threats

No threats detected
No debug info