File name:

Y165017221.exe

Full analysis: https://app.any.run/tasks/9c40cc6a-359d-4133-91b9-19573f1ce8bd
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 14, 2026, 08:05:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ahk
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

B593C6823286ADAE3DA44112D8B2D1C1

SHA1:

574DE65C522DFD3CD0056CAEEC23CD7D232C5E43

SHA256:

D5C7AB77F10E7B38DDF913609B146E51363247A25B6BBADC013276A7BA14CC2A

SSDEEP:

24576:NslsB2Gum2EkDYPreBbnhujEkjjHpfqCo14J9G:2lsB2GN2EkDYPreBbhujEojHpfqCo142

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Y165017221.exe (PID: 7484)

  • INFO

    • The sample compiled with english language support

      • Y165017221.exe (PID: 7484)

    • Checks supported languages

      • Y165017221.exe (PID: 7484)

    • Reads the computer name

      • Y165017221.exe (PID: 7484)

    • Checks proxy server information

      • Y165017221.exe (PID: 7484)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (35.8)
.exe | Win64 Executable (generic) (31.7)
.scr | Windows screen saver (15)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:03:16 06:02:19+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 705024
InitializedDataSize: 209408
UninitializedDataSize: -
EntryPoint: 0x9d3b0
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.1.37.2
ProductVersionNumber: 1.1.37.2
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileVersion: 1.1.37.02a0
ProductVersion: 1.1.37.02a0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start y165017221.exe slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
7396C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7484"C:\Users\admin\AppData\Local\Temp\Y165017221.exe" C:\Users\admin\AppData\Local\Temp\Y165017221.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.1.37.02a0
Modules
Images
c:\users\admin\appdata\local\temp\y165017221.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
Total events
724
Read events
724
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
26
DNS requests
18
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6768
MoUsoCoreWorker.exe
GET
304
4.231.128.59:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
US
whitelisted
8080
SIHClient.exe
GET
200
20.242.39.171:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
7484
Y165017221.exe
POST
200
84.54.47.26:80
http://zx.pe/bp.php
RU
unknown
8080
SIHClient.exe
GET
200
74.178.240.61:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
8080
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
408
svchost.exe
GET
200
2.16.164.120:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
408
svchost.exe
GET
200
20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=1&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
text
5.58 Kb
whitelisted
408
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
408
svchost.exe
GET
200
20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=562&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
text
1.43 Kb
whitelisted
6000
svchost.exe
POST
200
20.190.160.65:443
https://login.live.com/RST2.srf
US
xml
11.1 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
408
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1868
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
7484
Y165017221.exe
84.54.47.26:80
zx.pe
VDSINA-AS
RU
whitelisted
408
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
408
svchost.exe
2.16.164.120:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
408
svchost.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
3412
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.238
whitelisted
zx.pe
  • 84.54.47.26
unknown
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
  • 23.55.110.211
  • 23.55.110.193
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.65
  • 20.190.160.3
  • 40.126.32.74
  • 20.190.160.22
  • 20.190.160.4
  • 20.190.160.17
  • 20.190.160.131
  • 40.126.32.136
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID
Process
Class
Message
7484
Y165017221.exe
A Network Trojan was detected
ET HUNTING Suspicious Possible Process Dump in POST body
7484
Y165017221.exe
A Network Trojan was detected
ET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Y165017221.exe