File name: SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25

Full analysis: https://app.any.run/tasks/ae79e644-f5d6-4235-a30b-5516545d186d
Verdict: Malicious activity
Analysis date: May 15, 2025, 17:28:54
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows, 2 sections
MD5: 5916BBA8B135AB26BF218E3F0C44E051
SHA1: 7FA0688CD54890A0F317EFC9951247065825BDF6
SHA256: ACC5B26095C379EAD2E3529AB1B016C7F0180E6EA66192C462F8F12246B15B25
SSDEEP: 6144:f2QE8q7KVtkJg7hLke2SGmci46IsYSahRTk+qCswOMKqGk:fDVGIkJmLke2jxi46PYSa/Tkh3wlBGk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe (PID: 7084)
  • SUSPICIOUS

    • Executes application which crashes

      • SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe (PID: 7084)
  • INFO

    • Reads the computer name

      • SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe (PID: 7084)
    • Reads the machine GUID from the registry

      • SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe (PID: 7084)
    • Checks supported languages

      • SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe (PID: 7084)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 3100)
    • Checks proxy server information

      • slui.exe (PID: 5984)
    • Reads the software policy settings

      • slui.exe (PID: 5984)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:13 22:12:25+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware
PEType: PE32+
LinkerVersion: 11
CodeSize: 224256
InitializedDataSize: 1536
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription:
FileVersion: 0.0.0.0
InternalName: lsass.exe
LegalCopyright:
OriginalFileName: lsass.exe
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
Total processes: 131
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Processes in graph: serycodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe (start), werfault.exe (no specs), slui.exe

Process information

PID: 3100
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 7084 -s 936
Path: C:\Windows\System32\WerFault.exe
Parent process: SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\cryptsp.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\oleaut32.dll

PID: 5984
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 7084
CMD: "C:\Users\admin\Desktop\SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe"
Path: C:\Users\admin\Desktop\SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description:
Exit code: 3221225477
Version: 0.0.0.0
Modules (images):
  • c:\users\admin\desktop\serycodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

Total events: 5 200
Read events: 5 200
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 1
Unknown types: 0

Dropped files

PID: 3100
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_3PYJH53VPPGDISIW_f76a613795abb3a44fbf8ebb81e0124e4e2da8_cfe48f2c_5353d3b7-94c0-4533-94a1-b50d4e82e3ed\Report.wer
MD5:
SHA256:

PID: 3100
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\SeryCodes_acc5b26095c379ead2e3529ab1b016c7f0180e6ea66192c462f8f12246b15b25.exe.7084.dmp
MD5:
SHA256:

PID: 3100
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC622.tmp.xml
Type: xml
MD5: 319E0594450E3839EF335D00826A6FD3
SHA256: 3BC55F2DC4530AFB093412FEB1B9218FA8B54B679C09ED4DFCEF3A89D9F1D05B

PID: 3100
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4D8.tmp.dmp
Type: binary
MD5: F58FD2A729B00A915329A9DA425DD0BE
SHA256: 02D7D7A50DD9EC0D156E03F371DC8DADF374C0DCD5751EE103719BDCAEACE7BE

PID: 3100
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5F3.tmp.WERInternalMetadata.xml
Type: binary
MD5: E327D71F1652D74A5F89A7A8C28626FA
SHA256: 97448FE01FC00C87665C345247BC9D2671CA449DCB9C08D2D62B375552C319E9

HTTP(S) requests: 9
TCP/UDP connections: 57
DNS requests: 17
Threats: 0

HTTP requests


Connections


DNS requests


Threats

No threats detected
No debug info