File name: 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe

Full analysis: https://app.any.run/tasks/82387a87-27db-4e89-9a48-c8608803f9fe
Verdict: Malicious activity
Analysis date: October 03, 2025, 16:31:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: urelas, bootkit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed, 3 sections
MD5: ECAB7BE7054C1109009C14538C4C764D
SHA1: 6EE740076D022C03169962260ADA9A88DA2CDACC
SHA256: 21449B78460D428A3926CB5B869F542EEAA4940F9ACFB654A3531B45FF623C1E
SSDEEP: 12288:AdDbRSXmj/YqYgJYTRItVm3FwO7kYNqHk4CJj31j+6:AFbRq8JYTRI+3mOkYNqH9q1j+6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • URELAS has been detected

      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
      • cmd.exe (PID: 2120)
      • zohup.exe (PID: 2192)
      • duqol.exe (PID: 4264)
    • URELAS mutex has been found

      • zohup.exe (PID: 2192)
    • URELAS has been detected (YARA)

      • zohup.exe (PID: 2192)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
      • zohup.exe (PID: 2192)
      • duqol.exe (PID: 4264)
    • Starts itself from another location

      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
    • Reads security settings of Internet Explorer

      • zohup.exe (PID: 2192)
      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
    • Executing commands from a ".bat" file

      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
    • Starts CMD.EXE for commands execution

      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
    • There is functionality for taking screenshot (YARA)

      • zohup.exe (PID: 2192)
    • Connects to unusual port

      • zohup.exe (PID: 2192)
  • INFO

    • Checks supported languages

      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
      • zohup.exe (PID: 2192)
      • duqol.exe (PID: 4264)
    • Process checks computer location settings

      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
      • zohup.exe (PID: 2192)
    • Create files in a temporary directory

      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
      • zohup.exe (PID: 2192)
      • duqol.exe (PID: 4264)
    • Reads the computer name

      • 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (PID: 708)
      • zohup.exe (PID: 2192)
    • Reads the software policy settings

      • slui.exe (PID: 4976)
    • Checks proxy server information

      • slui.exe (PID: 4976)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:08:20 15:35:35+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 171008
InitializedDataSize: 312832
UninitializedDataSize: -
EntryPoint: 0x1759a
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
Total processes: 175
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Nodes: start; 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe (#URELAS); zohup.exe (#URELAS); cmd.exe (#URELAS, no specs); conhost.exe (no specs); slui.exe; duqol.exe (#URELAS)

Process information

PID: 708
CMD: "C:\Users\admin\Desktop\21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe"
Path: C:\Users\admin\Desktop\21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2120
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\_uinsey.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 2192
CMD: "C:\Users\admin\AppData\Local\Temp\zohup.exe"
Path: C:\Users\admin\AppData\Local\Temp\zohup.exe
Parent process: 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\zohup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 4264
CMD: "C:\Users\admin\AppData\Local\Temp\duqol.exe"
Path: C:\Users\admin\AppData\Local\Temp\duqol.exe
Parent process: zohup.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\duqol.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 4976
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7656
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 4 371
Read events: 4 371
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 3
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID 708 | 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe | C:\Users\admin\AppData\Local\Temp\golfinfo.ini | binary
MD5: 61EB80C248A33B970D84D57B6E1FF384
SHA256: 46763524BCF90A926DD53D8CD9272EA40CF3EB1A91EE7E3CDC81A8D234B7CC07

PID 708 | 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe | C:\Users\admin\AppData\Local\Temp\zohup.exe | executable
MD5: A75C0DBA99F9DDB916B8857BBC146D9B
SHA256: D2ABBD3AC247C4CD9D0949F739425FCB3ED53645ECDEC4BA99312D4A73D06E30

PID 708 | 21449b78460d428a3926cb5b869f542eeaa4940f9acfb654a3531b45ff623c1e.exe | C:\Users\admin\AppData\Local\Temp\_uinsey.bat | text
MD5: BAB2378F7164805E77EFCEE8B3FC969E
SHA256: BF560056864ADA440249BDC918A6FD4BB96B7C34EDC0435A1C01CDE4B3EB618F

PID 2192 | zohup.exe | C:\Users\admin\AppData\Local\Temp\duqol.exe | executable
MD5: 51A821A6FFA0A1198344980A033A12CE
SHA256: D975163118FD0FE61BAA491745CD75B4D1C659820F1DE3C04A725A0B8CC2A869

PID 4264 | duqol.exe | C:\Users\admin\AppData\Local\Temp\zohup.exe | executable
MD5: F09B32AC7B3B88F932AF231C17382045
SHA256: FED05F6BBE64BD715E6261C7F35C17D247D8635F498E2E1DC691A79F340E67C8
HTTP(S) requests: 26
TCP/UDP connections: 45
DNS requests: 16
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 74.178.240.61:443 | https://slscr.update.microsoft.com/sls/ping | US | - | - | unknown
- | - | GET | 200 | 95.100.100.128:443 | https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&cc=US&setlang=en-us&clientDateTime=10%2F3%2F2025%2C%204%3A32%3A05%20PM | unknown | binary | 59.5 Kb | unknown
- | - | POST | 200 | 40.126.32.68:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | unknown
- | - | POST | 204 | 95.100.100.120:443 | https://www.bing.com/web/xlsc.aspx?t=5&dl=1&wsbc=1 | unknown | - | - | unknown
- | - | GET | 200 | 95.100.100.129:443 | https://www.bing.com/th?id=ODSWG.8229b0e5-fa8c-4e4a-af74-69717698b903&pid=dsb | unknown | - | - | unknown
- | - | POST | 200 | 40.126.32.68:443 | https://login.live.com/RST2.srf | US | xml | 11.2 Kb | unknown
- | - | GET | 200 | 95.100.100.130:443 | https://www.bing.com/th?id=ODSWG.31bcf3d1-4df8-4c6a-9b3a-447ced8d6c39&pid=dsb | unknown | image | 4.64 Kb | unknown
- | - | POST | 200 | 20.190.160.5:443 | https://login.live.com/RST2.srf | US | xml | 11.0 Kb | unknown
- | - | POST | 200 | 20.190.160.20:443 | https://login.live.com/RST2.srf | US | xml | 11.3 Kb | unknown
- | - | POST | 200 | 20.190.160.66:443 | https://login.live.com/RST2.srf | US | - | 11.3 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
8108 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6016 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5948 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2192 | zohup.exe | 218.54.31.226:11300 | - | SK Broadband Co Ltd | KR | malicious
2192 | zohup.exe | 1.234.83.146:11170 | - | SK Broadband Co Ltd | KR | unknown
2192 | zohup.exe | 218.54.31.166:11300 | - | SK Broadband Co Ltd | KR | unknown
356 | slui.exe | 4.154.185.43:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5224 | SearchApp.exe | 92.123.104.5:443 | www.bing.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 172.217.18.110 | whitelisted
activation-v2.sls.microsoft.com | 4.154.185.43 | whitelisted
www.bing.com | 92.123.104.5, 92.123.104.53, 92.123.104.58, 92.123.104.64, 92.123.104.67, 92.123.104.54, 92.123.104.62, 92.123.104.52, 92.123.104.59 | whitelisted
login.live.com | 20.190.160.17, 20.190.160.5, 40.126.32.133, 20.190.160.3, 40.126.32.140, 20.190.160.64, 40.126.32.72, 40.126.32.68 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.248 | whitelisted
arc.msn.com | 20.223.35.26 | whitelisted
slscr.update.microsoft.com | 135.233.95.144 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info