File name: 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e

Full analysis: https://app.any.run/tasks/83b42179-fca9-4eb8-aa4a-0174297021ca
Verdict: Malicious activity
Analysis date: March 24, 2025, 22:19:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: ludbaruma, blocker, dropper
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5: 7EA2F0F2B906D77EC051FA12B1A21331
SHA1: 4E73CB007B61FEF668017EA3F80A0124F5422F69
SHA256: 29441A4198D583D4AF597DA106531017B06AF766C5598AE66CE26B6AAC8E087E
SSDEEP: 6144:DVVVVVVCZ8mLk6wvYlAV9m1yF4SyBPmtCpzd/5wepJmrT24rXyINjpy64z15vamz:DVVVVVVCjeMOtXVVVVVVIO5PXVVVVVVq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • The process uses screensaver hijack for persistence
      • 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe (PID: 2236)
    • Changes the autorun value in the registry
      • 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe (PID: 2236)
    • LUDBARUMA has been detected
      • 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe (PID: 2236)
  • SUSPICIOUS
    • Executes an application which crashes
      • 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe (PID: 2236)
  • INFO
    • The sample was compiled with English language support
      • 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe (PID: 2236)
    • Creates files in a temporary directory
      • 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe (PID: 2236)
    • Creates files or folders in the user directory
      • WerFault.exe (PID: 5720)
    • Checks supported languages
      • 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe (PID: 2236)
    • Checks proxy server information
      • slui.exe (PID: 2148)
    • Reads the software policy settings
      • slui.exe (PID: 2148)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:11:27 09:24:01+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 147456
InitializedDataSize: 20480
UninitializedDataSize: -
EntryPoint: 0x250c
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.20
ProductVersionNumber: 0.0.0.20
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Oncom
ProductName: xk
FileVersion: 0.00.0020
ProductVersion: 0.00.0020
InternalName: DATA
OriginalFileName: DATA.exe
Total processes: 128
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start; #LUDBARUMA 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe; werfault.exe (no specs); slui.exe

Process information

PID: 2148
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 2236
CMD: "C:\Users\admin\Desktop\29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe"
Path: C:\Users\admin\Desktop\29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Parent process: explorer.exe
User: admin
Company: Oncom
Integrity Level: MEDIUM
Exit code: 0
Version: 0.00.0020
Modules (images):
  • c:\users\admin\desktop\29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 5720
CMD: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2236 -s 744
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll
Total events: 5 061
Read events: 5 051
Write events: 10
Delete events: 0

Modification events

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: SCRNSAVE.EXE
Value: C:\WINDOWS\system32\Mig~mig.SCR

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: ScreenSaverIsSecure
Value: 0

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_CURRENT_USER\Control Panel\Desktop
Operation: write
Name: ScreenSaveTimeOut
Value: 600

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: xk
Value: C:\WINDOWS\xk.exe

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: MSMSGS
Value: C:\Users\admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Serviceadmin
Value: C:\Users\admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: Logonadmin
Value: C:\Users\admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: System Monitoring
Value: C:\Users\admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: NoFolderOptions
Value: 1

(PID) Process: (2236) 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableRegistryTools
Value: 1
Executable files: 0
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID: 5720
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_29441a4198d583d4_d0df93298e78c555f6b114242eb756512ddf573_a40aaf18_c320aff3-8fff-4706-b888-57f755887e8e\Report.wer
MD5:
SHA256:

PID: 5720
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe.2236.dmp
Type: binary
MD5: 31C379B91CA75235199D0DA843CA9F76
SHA256: 126C52FAEA835208775DA75ECE9E54B609CECE219818F1BF44B7B8882B4DD2BB

PID: 2236
Process: 29441a4198d583d4af597da106531017b06af766c5598ae66ce26b6aac8e087e.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF16FDB625BA965E7C.TMP
Type: binary
MD5: F8BAC7AA5170D7850AA0EB0545544519
SHA256: 26BE1B4657C55DCEA7469365C2F9F284EA827DF6827A92B011EED50933BBE5AC

PID: 5720
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC555.tmp.dmp
Type: binary
MD5: 64DC1FFF09CD3C30BF478662F6BBB69F
SHA256: 5D30BBA1F87A7C3AED0E0D7A02671332A6BC898EF453924A26519C72ED9C31AD

PID: 5720
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC71B.tmp.WERInternalMetadata.xml
Type: binary
MD5: 50F257FF35A719585E7BB11E2D124119
SHA256: BF06F9080FD969317131A003AEBD968A0E5D9E66789AD69B7CD0B0CFCDAAD5FB

PID: 5720
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7B9.tmp.xml
Type: xml
MD5: 8E0270C8AE84BCAEE031D667E214234E
SHA256: C282B721CFCADBD767CA76250A59F0936634FE66FB270AD17C873987D623AD3B
HTTP(S) requests: 3
TCP/UDP connections: 21
DNS requests: 6
Threats: 0

HTTP requests

PID: 2104
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 23.48.23.147:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Method: POST
HTTP Code: 500
IP: 40.91.76.224:443
URL: https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
CN: unknown
Type: xml
Size: 512 b
Reputation: whitelisted

Connections

PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 2104 | Process: svchost.exe | IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 2104 | Process: svchost.exe | IP: 23.48.23.147:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 2104 | Process: svchost.exe | IP: 40.127.240.158:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 2140 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted
PID: 2148 | Process: slui.exe | IP: 40.91.76.224:443 | Domain: activation-v2.sls.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: US | Reputation: whitelisted

DNS requests

Domain: settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
Reputation: whitelisted

Domain: google.com
  • 142.250.185.142
Reputation: whitelisted

Domain: crl.microsoft.com
  • 23.48.23.147
  • 23.48.23.166
  • 23.48.23.194
  • 23.48.23.173
  • 23.48.23.145
Reputation: whitelisted

Domain: activation-v2.sls.microsoft.com
  • 40.91.76.224
Reputation: whitelisted

Threats

No threats detected
No debug info