File name: 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59

Full analysis: https://app.any.run/tasks/519d2155-4766-429c-b375-2b6eb58f7541
Verdict: Malicious activity
Threats:

Gh0st RAT is a malware with advanced trojan functionality that enables attackers to establish full control over the victim’s system. The spying capabilities of Gh0st RAT made it a go-to tool for numerous criminal groups in high-profile attacks against government and corporate organizations. The most common vector of attack involving this malware begins with spam and phishing emails.

Analysis date: March 24, 2025, 20:31:17
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: gh0st, rat, vmprotect, rdp, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: E61EE45EF81EED3BBD2343DD5E6F318F
SHA1: ED8BFFD5E50E39E5E83942D90AF3905B8805FB16
SHA256: 8A22ECAF0188E3C29E57E359D0CDDFCA00123895A3817CD64F0E37DAC7C62D59
SSDEEP: 49152:ZaKoXA2V5VqZMBys8KZB6j/uDGspoHc+bi3vt2NCjE2NWgwvnfKKoTCZ+gKyEYVI:ZaKr2VHqZMR8KZB6j/vHc+bilgWEqWgJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7352)
      • svchcst.exe (PID: 5868)
      • svchcst.exe (PID: 664)
    • GH0ST mutex has been found

      • Ghiya.exe (PID: 7800)
      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
      • Ghiya.exe (PID: 7832)
      • Ghiya.exe (PID: 7716)
      • svchcst.exe (PID: 664)
      • Ghiya.exe (PID: 7704)
    • Starts CMD.EXE for self-deleting

      • AK74.exe (PID: 7780)
      • AK74.exe (PID: 7656)
    • GH0ST has been detected

      • AK74.exe (PID: 7780)
      • AK74.exe (PID: 7656)
    • Changes the autorun value in the registry

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
    • Create files in the Startup directory

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 7996)
    • Creates or modifies Windows services

      • AK47.exe (PID: 7560)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
      • AK47.exe (PID: 7504)
      • Ghiya.exe (PID: 7832)
      • AK47.exe (PID: 7560)
      • svchcst.exe (PID: 664)
      • AK74.exe (PID: 7780)
    • Mutex name with non-standard characters

      • AK47.exe (PID: 7504)
      • AK47.exe (PID: 7512)
      • AK47.exe (PID: 7560)
      • AK47.exe (PID: 7616)
    • Executes application which crashes

      • AK47.exe (PID: 7512)
      • AK47.exe (PID: 7504)
    • Reads security settings of Internet Explorer

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
      • svchcst.exe (PID: 664)
    • Executes as Windows Service

      • Ghiya.exe (PID: 7800)
      • Ghiya.exe (PID: 7716)
    • Hides command output

      • cmd.exe (PID: 7820)
      • cmd.exe (PID: 7720)
    • Starts CMD.EXE for commands execution

      • AK74.exe (PID: 7780)
      • AK74.exe (PID: 7656)
    • Application launched itself

      • Ghiya.exe (PID: 7800)
      • Ghiya.exe (PID: 7716)
    • Creates or modifies Windows services

      • Ghiya.exe (PID: 7832)
    • Drops a system driver (possible attempt to evade defenses)

      • Ghiya.exe (PID: 7832)
    • The process executes VB scripts

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 7820)
      • cmd.exe (PID: 7720)
    • Executes WMI query (SCRIPT)

      • wscript.exe (PID: 7996)
    • Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

      • wscript.exe (PID: 7996)
    • There is functionality for enable RDP (YARA)

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
    • There is functionality for taking screenshot (YARA)

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
      • Ghiya.exe (PID: 7832)
    • Creates files in the driver directory

      • Ghiya.exe (PID: 7832)
    • Connects to unusual port

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
  • INFO

    • Reads the computer name

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
      • AK74.exe (PID: 7780)
      • Ghiya.exe (PID: 7800)
      • Ghiya.exe (PID: 7832)
      • svchcst.exe (PID: 664)
      • AK47.exe (PID: 7560)
      • AK74.exe (PID: 7656)
      • Ghiya.exe (PID: 7716)
    • Checks supported languages

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
      • AK47.exe (PID: 7504)
      • AK47.exe (PID: 7512)
      • AK74.exe (PID: 7780)
      • Ghiya.exe (PID: 7800)
      • Ghiya.exe (PID: 7832)
      • svchcst.exe (PID: 664)
      • AK47.exe (PID: 7616)
      • AK47.exe (PID: 7560)
      • AK74.exe (PID: 7656)
      • Ghiya.exe (PID: 7716)
      • Ghiya.exe (PID: 7704)
    • The sample compiled with chinese language support

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
    • Process checks computer location settings

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
      • svchcst.exe (PID: 664)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 7660)
      • WerFault.exe (PID: 7632)
      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
      • WerFault.exe (PID: 7748)
    • Autorun file from Startup directory

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
    • VMProtect protector has been detected

      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
    • Manual execution by a user

      • svchcst.exe (PID: 5868)
      • svchcst.exe (PID: 664)
    • Create files in a temporary directory

      • svchcst.exe (PID: 664)
      • 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe (PID: 7452)
    • Checks proxy server information

      • slui.exe (PID: 7752)
    • UPX packer has been detected

      • Ghiya.exe (PID: 7832)
    • Reads the software policy settings

      • slui.exe (PID: 7752)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:03:29 14:48:39+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 3530752
InitializedDataSize: 835584
UninitializedDataSize: -
EntryPoint: 0x2dfb0a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: Windows 配置程序
ProductName: Windows 核心进程
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
Total processes: 155
Monitored processes: 25
Malicious processes: 9
Suspicious processes: 3

Behavior graph

The interactive graph is only rendered in the full report. Processes flagged #GH0ST in it: 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe, ghiya.exe and svchcst.exe; the remaining nodes (ak47.exe, ak74.exe, werfault.exe, cmd.exe, conhost.exe, ping.exe, wscript.exe, slui.exe) carry no specific tags.

Process information

PID: 664
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: Windows 配置程序
Exit code: 0
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 5868
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: Windows 配置程序
Exit code: 3221226540
Version: 1.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\microsoft\svchcst.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7352
CMD: "C:\Users\admin\Desktop\8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe"
Path: C:\Users\admin\Desktop\8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\desktop\8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 7452
CMD: "C:\Users\admin\Desktop\8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe"
Path: C:\Users\admin\Desktop\8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Modules (images):
c:\users\admin\desktop\8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

PID: 7504
CMD: "C:\Users\admin\AppData\Local\Temp\AK47.exe"
Path: C:\Users\admin\AppData\Local\Temp\AK47.exe
Parent process: 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe
User: admin
Company: FEIM Studios
Integrity Level: HIGH
Description: A Free Enterprise Instant Messenger
Exit code: 3221225477
Version: 3, 5, 0, 1
Modules (images):
c:\users\admin\appdata\local\temp\ak47.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7512
CMD: C:\Users\admin\AppData\Local\Temp\\AK47.exe
Path: C:\Users\admin\AppData\Local\Temp\AK47.exe
Parent process: 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe
User: admin
Company: FEIM Studios
Integrity Level: HIGH
Description: A Free Enterprise Instant Messenger
Exit code: 0
Version: 3, 5, 0, 1
Modules (images):
c:\users\admin\appdata\local\temp\ak47.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7560
CMD: "C:\Users\admin\AppData\Local\Temp\AK47.exe"
Path: C:\Users\admin\AppData\Local\Temp\AK47.exe
Parent process: svchcst.exe
User: admin
Company: FEIM Studios
Integrity Level: HIGH
Description: A Free Enterprise Instant Messenger
Exit code: 0
Version: 3, 5, 0, 1
Modules (images):
c:\users\admin\appdata\local\temp\ak47.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7616
CMD: C:\Users\admin\AppData\Local\Temp\\AK47.exe
Path: C:\Users\admin\AppData\Local\Temp\AK47.exe
Parent process: svchcst.exe
User: admin
Company: FEIM Studios
Integrity Level: HIGH
Description: A Free Enterprise Instant Messenger
Exit code: 0
Version: 3, 5, 0, 1
Modules (images):
c:\users\admin\appdata\local\temp\ak47.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 7632
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7512 -s 472
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: AK47.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

PID: 7656
CMD: C:\Users\admin\AppData\Local\Temp\\AK74.exe
Path: C:\Users\admin\AppData\Local\Temp\AK74.exe
Parent process: svchcst.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\ak74.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 12 439
Read events: 12 383
Write events: 47
Delete events: 9

Modification events

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile
Operation: write
Name: WritePermissionsCheck
Value: 1

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile\PermissionsCheckTestKey
Operation: delete key
Name: (default)
Value:

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile\ak47.exe|e9c334bf7b7ab4d1
Operation: write
Name: ProgramId
Value: 0006f6f5183897db460d1605d721a83a06bb00000408

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile\ak47.exe|e9c334bf7b7ab4d1
Operation: write
Name: FileId
Value: 0000eca6a16ccd13adcfc27bc1041ddef97ec8081255

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile\ak47.exe|e9c334bf7b7ab4d1
Operation: write
Name: LowerCaseLongPath
Value: c:\users\admin\appdata\local\temp\ak47.exe

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile\ak47.exe|e9c334bf7b7ab4d1
Operation: write
Name: LongPathHash
Value: ak47.exe|e9c334bf7b7ab4d1

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile\ak47.exe|e9c334bf7b7ab4d1
Operation: write
Name: Name
Value: AK47.exe

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile\ak47.exe|e9c334bf7b7ab4d1
Operation: write
Name: OriginalFileName
Value: freeeim.exe

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile\ak47.exe|e9c334bf7b7ab4d1
Operation: write
Name: Publisher
Value: feim studios

(PID) Process: (7660) WerFault.exe
Key: \REGISTRY\A\{d74e2351-c42b-b74c-e0e2-a54852396949}\Root\InventoryApplicationFile\ak47.exe|e9c334bf7b7ab4d1
Operation: write
Name: Version
Value: 3, 5, 0, 1
Executable files: 9
Suspicious files: 11
Text files: 6
Unknown types: 0

Dropped files

PID: 7660 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AK47.exe_353d49645539527636f2b24bdf2b85f6a05152_2858139d_d8d33e22-4521-4e1c-87ee-cb247fd1a294\Report.wer
Type: -
MD5: -
SHA256: -

PID: 7632 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AK47.exe_353d49645539527636f2b24bdf2b85f6a05152_2858139d_571e4ce6-7f3d-45f1-b537-ac53f8ddc4b6\Report.wer
Type: -
MD5: -
SHA256: -

PID: 7660 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAD5.tmp.WERInternalMetadata.xml
Type: binary
MD5: 6C36BB685AAAF396E279DEA070ADE7A3
SHA256: 8D8CD373FCD15BC58A2D526B73DE711694C4623820F98E9C0F6BDEDF3BD4FA5B

PID: 7660 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA18.tmp.dmp
Type: binary
MD5: E496F311FCE632D7EBE941975F77FD55
SHA256: 5C17370F3E3E3F78C01A8024F5C89C3EDAF389A5DB00CBACE8218EE2F387842E

PID: 7748 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_AK47.exe_64aa4f36e6aef78669aecf8d49802b2d81db24_2858139d_39d83ee7-60df-45c3-994d-41b79e2903d3\Report.wer
Type: -
MD5: -
SHA256: -

PID: 7452 | Process: 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\svchcst.exe
Type: executable
MD5: E0EC41FC0A7A27BC845B5583B547180B
SHA256: EC594AEC0B3CA3C22699A38BFF47DC363178EE9A3C0EDF9C8EB8FCC93D74B602

PID: 7632 | Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\AK47.exe.7512.dmp
Type: binary
MD5: F0064D5B7868EB049172889CD3FDB467
SHA256: D558D01DFC73DE07FAA0FD0A9F59993C0FE82783E047D00508698E1608EA234F

PID: 7660 | Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\AK47.exe.7504.dmp
Type: binary
MD5: 83364B396E787F5EFE51BBDF40383D90
SHA256: 315240281343DCA0242406D7E5B7D18175E1E0D4CCE5BC66730C148F27928032

PID: 7632 | Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC9F9.tmp.dmp
Type: binary
MD5: 37F2A82B9A295ACFA6DC124C98D71298
SHA256: 3E3D03BC08EF4EE78DE5124358EB5275E9C6095C06F6BDF09DF05422F54654AD

PID: 7452 | Process: 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe
Filename: C:\Users\admin\AppData\Local\Temp\AK47.exe
Type: executable
MD5: 423EB994ED553294F8A6813619B8DA87
SHA256: 050B4F2D5AE8EAECD414318DC8E222A56F169626DA6CA8FEB7EDD78E8B1F0218
HTTP(S) requests: 2
TCP/UDP connections: 167
DNS requests: 27
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7452 | 8a22ecaf0188e3c29e57e359d0cddfca00123895a3817cd64f0e37dac7c62d59.exe | 43.249.193.73:54997 | - | CHINA UNICOM China169 Backbone | CN | unknown
7204 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7752 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.185.78 | whitelisted
cf1549064127.f3322.net | - | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info