File name: 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe

Full analysis: https://app.any.run/tasks/1adf3946-e439-4094-a892-14b22e8bda66
Verdict: Malicious activity
Analysis date: August 01, 2025, 03:29:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 619494B10C6C3E9B928778ADD24A72E3
SHA1: 930BA9442A80CEE96E8DED0FA8AA0112ECD0C2C7
SHA256: 3FC08AB3663F09E9A9B371CA843DAEDC3C527073C49F84579A92593408135680
SSDEEP: 6144:6J1nGDwv1tjCtJQVXNY1gFrkcLezOOrTUrW6Ov03lWCjw0FSP1RDnRseya5Iv06H:bU74E9YGRj5OrTUrXWt00LmemdYU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 1212)
      • 48412452 (PID: 4800)
      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 2216)
    • Application launched itself

      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 1212)
    • Executes as Windows Service

      • 48412452 (PID: 4800)
    • Executable content was dropped or overwritten

      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 2216)
    • Connects to the server without a host name

      • 48412452 (PID: 4800)
      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 2216)
  • INFO

    • Checks supported languages

      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 1212)
      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 2216)
      • 48412452 (PID: 4800)
    • The sample was compiled with Chinese language support

      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 1212)
      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 2216)
    • Reads the computer name

      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 1212)
      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 2216)
      • 48412452 (PID: 4800)
    • Process checks computer location settings

      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 1212)
    • Reads the software policy settings

      • 48412452 (PID: 4800)
      • slui.exe (PID: 2992)
      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 2216)
    • Reads the machine GUID from the registry

      • 48412452 (PID: 4800)
      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 2216)
    • Checks proxy server information

      • 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (PID: 2216)
      • slui.exe (PID: 2992)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:01:18 10:24:03+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 145408
InitializedDataSize: 236544
UninitializedDataSize: -
EntryPoint: 0x1317f
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1611
ProductVersionNumber: 23.9.20.1611
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1611
ProductVersion: 23, 9, 20, 1611
No data.
Total processes: 138
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start -> 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe (no specs) -> 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe -> 48412452; slui.exe

Process information

PID: 1212
CMD: "C:\Users\admin\Desktop\3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe"
Path: C:\Users\admin\Desktop\3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 23, 9, 20, 1611
Modules (images):
c:\users\admin\desktop\3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 2216
CMD: "C:\Users\admin\Desktop\3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe"
Path: C:\Users\admin\Desktop\3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe
Parent process: 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe
User: admin
Integrity Level: HIGH
Version: 23, 9, 20, 1611
Modules (images):
c:\users\admin\desktop\3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 2992
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 4800
CMD: C:\Windows\Syswow64\48412452
Path: C:\Windows\SysWOW64\48412452
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Version: 23, 9, 20, 1611
Modules (images):
c:\windows\syswow64\48412452
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 12 154
Read events: 12 151
Write events: 3
Delete events: 0

Modification events

(PID) Process: (2216) 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (2216) 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2216) 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2216 | 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe | C:\Windows\SysWOW64\48412452 | executable
    MD5: 885C2CF47C382AA38EBF40DA29DF3BDD
    SHA256: 4BC74F14B65F6EBBDFEECB129F9A5E900FA2BCB603D0F8790A6A58D6E82FDB1F
2216 | 3fc08ab3663f09e9a9b371ca843daedc3c527073c49f84579a92593408135680.exe | C:\Windows\25f050 | text
    MD5: FC63EE7DA55A325CD8BEBF709D3ECFCC
    SHA256: E38FF54FF3EAAA83B3ECECD6CEB8652D2374C7BDEA1E159D59F12EB29D88140F
4800 | 48412452 | C:\Windows\522d80 | text
    MD5: 5A5BAAF48D59DB78D3848D75EAAABCC8
    SHA256: C2F5936576776B26C0E912F6ECEFDDA32829625DCBEE0097166314B7BFE2BC96
HTTP(S) requests: 305
TCP/UDP connections: 400
DNS requests: 68
Threats: 0

HTTP requests

(- : field not present in the report)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 200 | 40.126.31.67:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
- | - | POST | 400 | 40.126.31.67:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
- | - | POST | 400 | 40.126.31.1:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | - | - | whitelisted
- | - | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | - | - | whitelisted
- | - | POST | 400 | 40.126.31.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | - | - | whitelisted

Connections

(- : field not present in the report)

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 2.16.241.12
  • 2.16.241.14
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
  • 4.231.128.59
whitelisted
login.live.com
  • 40.126.32.68
  • 20.190.160.131
  • 20.190.160.4
  • 40.126.32.138
  • 20.190.160.130
  • 40.126.32.76
  • 20.190.160.65
  • 20.190.160.2
whitelisted
down.nugong.asia
unknown
dns.alidns.com
  • 223.6.6.6
  • 223.5.5.5
whitelisted
down.xy58.top
unknown
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

No threats detected
No debug info