File name: SIH Client

Full analysis: https://app.any.run/tasks/579630f2-722a-4020-980d-ef166142ef94
Verdict: Malicious activity
Threats: Stealer

Stealers are malicious programs built to gain unauthorized access to a user's information and send it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed through phishing campaigns.

Analysis date: March 19, 2025, 23:37:30
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zhong, stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 39EACE1295E08C00053A51264D811032
SHA1: 2CFB46467465FD2F58CB740C36EF9C39CE6FF83B
SHA256: 319C33B75DA0CA0B309C4972D4BEAFFB5A981CE88C96D950BA75127378FC1197
SSDEEP: 3072:a3PxQb8eRfR4xTGzIGPrXldALsfF+86nJTtGHQk0mi27S5FeIqXl/2DZ0l8I:aohZwtWVYdnbzqvN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZHONG mutex has been found

      • TASLogin.exe (PID: 7992)
      • TASLogin.exe (PID: 8068)
      • TASLogin.exe (PID: 5512)
    • Changes the autorun value in the registry

      • TASLogin.exe (PID: 7992)
    • Actions look like stealing of personal data

      • TASLogin.exe (PID: 7992)
    • ZHONG has been detected (SURICATA)

      • TASLogin.exe (PID: 7992)
  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • SIH Client.exe (PID: 1672)
    • Process drops legitimate windows executable

      • SIH Client.exe (PID: 1672)
    • Executable content was dropped or overwritten

      • SIH Client.exe (PID: 1672)
    • Reads security settings of Internet Explorer

      • SIH Client.exe (PID: 1672)
    • Contacting a server suspected of hosting a CnC

      • TASLogin.exe (PID: 7992)
    • The process executes via Task Scheduler

      • TASLogin.exe (PID: 8068)
    • Connects to unusual port

      • TASLogin.exe (PID: 7992)
  • INFO

    • Checks supported languages

      • SIH Client.exe (PID: 1672)
      • TASLogin.exe (PID: 8068)
      • TASLogin.exe (PID: 7992)
      • TASLogin.exe (PID: 5512)
    • Reads the computer name

      • SIH Client.exe (PID: 1672)
      • TASLogin.exe (PID: 7992)
    • Reads the machine GUID from the registry

      • SIH Client.exe (PID: 1672)
    • Checks proxy server information

      • SIH Client.exe (PID: 1672)
    • Disables trace logs

      • SIH Client.exe (PID: 1672)
    • Reads the software policy settings

      • SIH Client.exe (PID: 1672)
      • slui.exe (PID: 7224)
    • Reads CPU info

      • TASLogin.exe (PID: 7992)
    • Autorun file from Registry key

      • TASLogin.exe (PID: 7992)
    • The sample is compiled with English language support

      • SIH Client.exe (PID: 1672)
    • Process checks computer location settings

      • SIH Client.exe (PID: 1672)
    • Manual execution by a user

      • TASLogin.exe (PID: 5512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:03:01 14:37:16+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32
LinkerVersion: 48
CodeSize: 12800
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x319bc
OSVersion: 4
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 10.0.19041.5438
ProductVersionNumber: 10.0.19041.5438
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileVersion: 10.0.19041.5438
ProductVersion: 10.0.19041.5438
FileDescription: SIH Client
CompanyName: Microsoft Corporation
OriginalFileName: SIH Client
ProductName: Microsoft® Windows® Operating System
LegalCopyright: © Microsoft Corporation. All rights reserved.
No data.
All screenshots are available in the full report
Total processes: 143
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree (flattened behavior graph; "no specs" marks processes without signature hits):
  • SIH Client.exe (PID 1672)
    • mspaint.exe (PID 7884, no specs), opens the dropped image.jpg
    • TASLogin.exe (PID 7992) #ZHONG
  • TASLogin.exe (PID 8068, no specs) #ZHONG, started by svchost.exe via Task Scheduler
  • TASLogin.exe (PID 5512, no specs) #ZHONG, started manually from explorer.exe
  • SppExtComObj.exe (PID 7188, no specs), background KMS activation work under NETWORK SERVICE, not started by the sample
    • slui.exe (PID 7224)
  • slui.exe (PID 2240, no specs), started by svchost.exe

Process information

Each entry gives the PID, command line, image path and parent process, followed by the first modules loaded into the process.
PID: 1672
CMD: "C:\Users\admin\AppData\Local\Temp\SIH Client.exe"
Path: C:\Users\admin\AppData\Local\Temp\SIH Client.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SIH Client
Exit code:
0
Version:
10.0.19041.5438
Modules
Images
c:\users\admin\appdata\local\temp\sih client.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 2240
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5512
CMD: "C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\TASLogin.exe"
Path: C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\TASLogin.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TASLogin Application
Exit code:
0
Version:
0.0.2501.351
Modules
Images
c:\users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\taslogin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\tasloginbase.dll
PID: 7188
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7224
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7884
CMD: "C:\WINDOWS\system32\mspaint.exe" "C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\image.jpg"
Path: C:\Windows\SysWOW64\mspaint.exe
Parent process: SIH Client.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Paint
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mspaint.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 7992
CMD: "C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\TASLogin.exe"
Path: C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\TASLogin.exe
Parent process: SIH Client.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TASLogin Application
Version:
0.0.2501.351
Modules
Images
c:\users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\taslogin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\tasloginbase.dll
PID: 8068
CMD: "C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\TASLogin.exe"
Path: C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\TASLogin.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Description:
TASLogin Application
Exit code:
0
Version:
0.0.2501.351
Modules
Images
c:\users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\taslogin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\tasloginbase.dll
c:\users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\commonbase.dll
Total events: 3 467
Read events: 3 450
Write events: 17
Delete events: 0

Modification events

All ten listed writes come from PID 1672 (SIH Client.exe), under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\:

SIH Client_RASAPI32
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0
  FileTracingMask = (value not shown)
  ConsoleTracingMask = (value not shown)
  MaxFileSize = 1048576
  FileDirectory = %windir%\tracing
SIH Client_RASMANCS
  EnableFileTracing = 0
  EnableAutoFileTracing = 0
  EnableConsoleTracing = 0

Caveat: the <process>_RASAPI32 and <process>_RASMANCS keys are populated by the RAS tracing subsystem the first time a process loads rasapi32.dll, which happens routinely during proxy detection in .NET HTTP clients (consistent with the "Checks proxy server information" signature above). Many benign applications leave identical writes, so the "Disables trace logs" signature is weak evidence on its own. The autorun value change attributed to TASLogin.exe (PID 7992) is the more significant registry write, but it is among the seven write events not shown in this summary.
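The following is an added triage helper, not part of the ANY.RUN report or of the sample: it classifies registry write events so that RAS tracing noise of the kind listed above is separated from autorun writes. The ten tracing events are transcribed from the report; the Run-key event is constructed to illustrate the kind of write the "Changes the autorun value in the registry" signature refers to, and its key and value name (TASLogin) are assumptions, since the report does not show them.

```python
"""Added example (not from the ANY.RUN report): bucket registry write events
into RAS tracing noise, autorun persistence, and everything else."""
import re

# Keys the RAS tracing subsystem creates when a process first uses rasapi32.
RAS_TRACING = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Tracing\\.+_(?:RASAPI32|RASMANCS)$",
    re.I,
)
# Common autorun locations. The report names the signature but not the key
# Zhong wrote, so this list is general, not taken from the sample.
AUTORUN = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunServices|RunServicesOnce)$"
    r"|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$"
    r"|\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(?:Shell Folders|User Shell Folders)$",
    re.I,
)


def classify(key: str) -> str:
    """Return 'ras-tracing-noise', 'autorun' or 'other' for a registry key path."""
    if RAS_TRACING.match(key):
        return "ras-tracing-noise"
    if AUTORUN.search(key):
        return "autorun"
    return "other"


def triage(events):
    """events: iterable of (pid, process, key, value_name, value).
    Returns {class: [events]} so autorun writes are reviewed first."""
    buckets = {"autorun": [], "other": [], "ras-tracing-noise": []}
    for pid, proc, key, name, value in events:
        buckets[classify(key)].append((pid, proc, key, name, value))
    return buckets


# Transcribed from the report's "Modification events" (values for the two
# mask entries are not shown there, hence the empty strings).
_TRACING = r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SIH Client_"
REPORT_EVENTS = [
    (1672, "SIH Client.exe", _TRACING + "RASAPI32", "EnableFileTracing", "0"),
    (1672, "SIH Client.exe", _TRACING + "RASAPI32", "EnableAutoFileTracing", "0"),
    (1672, "SIH Client.exe", _TRACING + "RASAPI32", "EnableConsoleTracing", "0"),
    (1672, "SIH Client.exe", _TRACING + "RASAPI32", "FileTracingMask", ""),
    (1672, "SIH Client.exe", _TRACING + "RASAPI32", "ConsoleTracingMask", ""),
    (1672, "SIH Client.exe", _TRACING + "RASAPI32", "MaxFileSize", "1048576"),
    (1672, "SIH Client.exe", _TRACING + "RASAPI32", "FileDirectory", r"%windir%\tracing"),
    (1672, "SIH Client.exe", _TRACING + "RASMANCS", "EnableFileTracing", "0"),
    (1672, "SIH Client.exe", _TRACING + "RASMANCS", "EnableAutoFileTracing", "0"),
    (1672, "SIH Client.exe", _TRACING + "RASMANCS", "EnableConsoleTracing", "0"),
]
# Constructed, NOT from the report: a plausible Run-key write by TASLogin.exe.
# Key and value name are assumptions; only the PID and image path are reported.
CONSTRUCTED_AUTORUN_EVENT = (
    7992, "TASLogin.exe",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "TASLogin",
    r"C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\TASLogin.exe",
)

if __name__ == "__main__":
    buckets = triage(REPORT_EVENTS + [CONSTRUCTED_AUTORUN_EVENT])
    for cls, evs in buckets.items():
        print(f"{cls}: {len(evs)} event(s)")
    for pid, proc, key, name, value in buckets["autorun"]:
        print(f"  review: PID {pid} {proc} -> {key}\\{name} = {value}")
```

Run as a script it prints one count per bucket and the single autorun entry; in practice you would feed it the full write-event list exported from the sandbox or from Sysmon event ID 13 records.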
Executable files: 3
Suspicious files: 1
Text files: 2
Unknown types: 0

Dropped files

All six files were written by PID 1672 (SIH Client.exe) into C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317\ (a GUID-like directory name with extra digits appended, created directly under the user profile):

TASLogin.txt (text)
  MD5: D476FF5557309A1349660FAB8EFC4179
  SHA256: CEAE30EA5C346A2467F8477A90E65E3FFFAAB4149FA01FA982430BB7985AAD53
TASLoginBase.dll (executable)
  MD5: 9206D18FB44DEDEE4733895DF53EED2F
  SHA256: 87EC95AB81CF5B3ED0522F222747383E2C2411B561FA1E0D9DEC6FD2CF4BE7E1
commonbase.dll (executable)
  MD5: CAC350F4E9D64A365A29187335D8D629
  SHA256: A5E37E100D23F83171B2B2A2E9CBA52F57E35B877FCD14AF18C2D5F43DABE5A1
TASLogin.edskv (binary)
  MD5: 44F432C76EBF0B7BA26F37CE9CC70AEA
  SHA256: 7F7F25BD4A4AA47755D844ACFE3C88FF9BF38B03670EB32E0888A576C0E0D6A2
image.jpg (image)
  MD5: 23E20AEC94C80E49B5EA7893443E397E
  SHA256: 9EBD418F7BC9680726083E8204E6FC145EA4A9777061120B0C847DD8AFD01E01
TASLogin.exe (executable)
  MD5: 7CA41E122724C2D808BF73B7A5129365
  SHA256: 7406CC23C12E84648C4E5C07BD2FBCEAD4DDCAE8EE25FD1414D1FA9EAFB08419

The dropper then runs TASLogin.exe from this directory (PID 7992), and the module lists above show TASLoginBase.dll and commonbase.dll loaded from the same location: the layout typical of DLL side-loading, where a legitimately named executable loads a DLL that sits next to it. image.jpg is handed to mspaint.exe (PID 7884) at the same time. Checking the Authenticode signatures of TASLogin.exe and the two DLLs would show which of them is the malicious component; this summary does not include that data.
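The following is an added hunting helper, not part of the ANY.RUN report or of the sample. It applies two checks that follow from the drop-and-run behaviour above to file and process records: an EXE placed in a GUID-named directory directly under a user profile with DLLs beside it (the TASLogin.exe layout), and which parents launched such an image (the report shows SIH Client.exe, svchost.exe and explorer.exe). It also matches SHA256 values against the hashes listed in the report. The dropped paths, PIDs and parents are transcribed from the report; the two Program Files paths are constructed as a negative control.

```python
"""Added example (not from the ANY.RUN report): flag the side-loading layout
and relaunch chain seen in this sample, and match dropped-file hashes."""
import hashlib
import re
from pathlib import PureWindowsPath

# SHA256 values copied from the report's "Dropped files" section (lowercased).
KNOWN_SHA256 = {
    "7406cc23c12e84648c4e5c07bd2fbcead4ddcae8ee25fd1414d1fa9eafb08419": "TASLogin.exe",
    "87ec95ab81cf5b3ed0522f222747383e2c2411b561fa1e0d9dec6fd2cf4be7e1": "TASLoginBase.dll",
    "a5e37e100d23f83171b2b2a2e9cba52f57e35b877fcd14af18c2d5f43dabe5a1": "commonbase.dll",
    "7f7f25bd4a4aa47755d844acfe3c88ff9bf38b03670eb32e0888a576c0e0d6a2": "TASLogin.edskv",
}

# A GUID optionally followed by extra digits: the observed directory name
# a2c73850-663f-4d43-8032-61485d94a4c1317 is a GUID with "317" appended.
GUID_DIR = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\d*$", re.I
)


def is_guid_dir_under_profile(directory: PureWindowsPath) -> bool:
    """True for <drive>\\Users\\<user>\\<guid-like>, i.e. exactly one level below a profile."""
    parts = directory.parts
    return len(parts) == 4 and parts[1].lower() == "users" and GUID_DIR.match(parts[3]) is not None


def sideload_candidates(paths):
    """Group paths by directory; return [(exe, [dlls])] for GUID profile dirs holding both."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), []).append(wp)
    found = []
    for files in by_dir.values():
        if not is_guid_dir_under_profile(files[0].parent):
            continue
        exes = [f for f in files if f.suffix.lower() == ".exe"]
        dlls = sorted(str(f) for f in files if f.suffix.lower() == ".dll")
        if exes and dlls:
            found.extend((str(e), dlls) for e in exes)
    return found


def launch_parents(process_records):
    """process_records: iterable of (pid, image_path, parent_name).
    Returns {image_path: sorted parent names} for images in GUID profile dirs,
    which exposes the dropper -> Task Scheduler -> manual relaunch chain."""
    parents = {}
    for _pid, image, parent in process_records:
        wp = PureWindowsPath(image)
        if is_guid_dir_under_profile(wp.parent):
            parents.setdefault(str(wp), set()).add(parent)
    return {k: sorted(v) for k, v in parents.items()}


def sha256_file(path) -> str:
    """Hash a real file on disk in chunks (for use outside this offline demo)."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_iocs(observed):
    """observed: {path: sha256 hex}. Returns [(path, name_in_report)] for hits."""
    return [(p, KNOWN_SHA256[d.lower()]) for p, d in observed.items() if d.lower() in KNOWN_SHA256]


DROP_DIR = r"C:\Users\admin\a2c73850-663f-4d43-8032-61485d94a4c1317"
DROPPED = [  # from the report, plus a constructed negative control
    DROP_DIR + r"\TASLogin.txt",
    DROP_DIR + r"\TASLoginBase.dll",
    DROP_DIR + r"\commonbase.dll",
    DROP_DIR + r"\TASLogin.edskv",
    DROP_DIR + r"\image.jpg",
    DROP_DIR + r"\TASLogin.exe",
    r"C:\Users\admin\AppData\Local\Temp\SIH Client.exe",
    r"C:\Program Files\Vendor\app.exe",     # constructed control, not in report
    r"C:\Program Files\Vendor\helper.dll",  # constructed control, not in report
]
PROCESSES = [  # (pid, image, parent) from the report's process information
    (1672, r"C:\Users\admin\AppData\Local\Temp\SIH Client.exe", "explorer.exe"),
    (7992, DROP_DIR + r"\TASLogin.exe", "SIH Client.exe"),
    (8068, DROP_DIR + r"\TASLogin.exe", "svchost.exe"),   # Task Scheduler launch
    (5512, DROP_DIR + r"\TASLogin.exe", "explorer.exe"),  # manual execution
]

if __name__ == "__main__":
    for exe, dlls in sideload_candidates(DROPPED):
        print("side-load candidate:", exe, "with", dlls)
    for image, parents in launch_parents(PROCESSES).items():
        print("GUID profile dir image:", image, "launched by", parents)
```

Against the transcribed data the script reports exactly one candidate (TASLogin.exe with its two DLLs) and three distinct parents for that image; the Temp-resident dropper and the Program Files control are not flagged, because the check keys on the unusual directory, not on file names.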
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 26
DNS requests: 17
Threats: 3

HTTP requests

PID / Process | Method | Code | IP | URL | CN | Reputation
(not shown) | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
(not shown) | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | whitelisted
6184 SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6184 SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted

None of these requests come from the sample. SIHClient.exe (PID 6184, written without a space) is the Windows Server-Initiated Healing client fetching Microsoft CRLs; the sample is a different process named "SIH Client.exe" (PID 1672) whose version information imitates that Microsoft component. The sample's own network activity is the TLS connection from PID 1672 to imagesyd.s3.ap-southeast-1.amazonaws.com listed under Connections and the TASLogin.exe traffic that triggered the Zhong Suricata rules; that connection is not in the truncated list below, and the only resolved name without a whitelisted reputation is u.arpuu.com (112.121.170.66).

Connections

PID / Process | IP:port | Domain | ASN | CN | Reputation
4 System | 192.168.100.255:138 | | | | whitelisted
(not shown) | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not shown) | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5496 MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6544 svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted
1672 SIH Client.exe | 3.5.150.166:443 | imagesyd.s3.ap-southeast-1.amazonaws.com | AMAZON-02 | SG | shared
2104 svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1196 backgroundTaskHost.exe | 20.199.58.43:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
google.com
  • 142.250.185.78
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.64
  • 20.190.159.4
  • 40.126.31.129
  • 20.190.159.2
  • 40.126.31.130
  • 20.190.159.23
  • 40.126.31.67
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
imagesyd.s3.ap-southeast-1.amazonaws.com
  • 3.5.150.166
  • 52.219.129.118
  • 3.5.148.18
  • 3.5.151.129
  • 3.5.148.123
  • 3.5.146.91
  • 3.5.149.157
  • 3.5.151.177
shared
arc.msn.com
  • 20.199.58.43
whitelisted
u.arpuu.com
  • 112.121.170.66
unknown
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted

Threats

Class: Malware Command and Control Activity Detected (PID and process are not shown in this summary; the signature section attributes the Suricata hit to TASLogin.exe, PID 7992)
  STEALER [ANY.RUN] Zhong Stealer Initial Packet with Magic (TCP)
  STEALER [ANY.RUN] Zhong Stealer Null Packet (TCP)
  STEALER [ANY.RUN] Zhong Stealer Null Packet (TCP)
No debug info