File name: wleGmBs4b4aDDpdx.exe

Full analysis: https://app.any.run/tasks/c27cabd3-ec82-4074-b4cd-d25957c742bc
Verdict: Malicious activity
Analysis date: May 15, 2025, 10:33:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: themida
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 13 sections
MD5: 672906A0B5EBA0B9A2021643AEDA7B11
SHA1: B78D65360F1018FC49B9D8E2740BFC3F5CBE1638
SHA256: 4A3B7D6003B6607977844D065792E330293D41E2FFB6CD0B3390854A5F3C8426
SSDEEP: 98304:2Rl0Q/ksgId0XGf5smu/+eMl2gDbsoDPbKHZU0efByrDu0DClODBFZPytuKRToCC:9LkEO/npt0DJguVG7NC79SvrPuKu0AIK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads the BIOS version
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
      • wleGmBs4b4aDDpdx.exe (PID: 3332)
    • Reads the Windows owner or organization settings
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
    • Reads the date of Windows installation
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
      • ldrupd.bin (PID: 5280)
    • Connects to unusual port
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
      • wleGmBs4b4aDDpdx.exe (PID: 3332)
    • Starts CMD.EXE for commands execution
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
    • Searches for installed software
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
    • Executable content was dropped or overwritten
      • ldrupd.bin (PID: 5280)
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
    • Starts application with an unusual extension
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
    • Reads security settings of Internet Explorer
      • ldrupd.bin (PID: 5280)
    • Executes application which crashes
      • wleGmBs4b4aDDpdx.exe (PID: 3332)
  • INFO
    • Process checks whether UAC notifications are on
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
      • wleGmBs4b4aDDpdx.exe (PID: 3332)
    • Checks supported languages
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
      • ldrupd.bin (PID: 5280)
      • wleGmBs4b4aDDpdx.exe (PID: 3332)
    • Reads the machine GUID from the registry
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
      • wleGmBs4b4aDDpdx.exe (PID: 3332)
    • Reads the computer name
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
      • wleGmBs4b4aDDpdx.exe (PID: 3332)
      • ldrupd.bin (PID: 5280)
    • Reads Windows Product ID
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
    • Reads Environment values
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
    • Reads product name
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
    • Themida protector has been detected
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
    • Creates files or folders in the user directory
      • wleGmBs4b4aDDpdx.exe (PID: 4172)
      • WerFault.exe (PID: 6512)
    • Process checks computer location settings
      • ldrupd.bin (PID: 5280)
    • Checks proxy server information
      • slui.exe (PID: 6656)
    • Reads the software policy settings
      • slui.exe (PID: 6656)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:11:07 13:29:48+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.37
CodeSize: 1041408
InitializedDataSize: 413696
UninitializedDataSize: -
EntryPoint: 0x1557058
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 130
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 2

Behavior graph

Process chain (from start): wlegmbs4b4addpdx.exe, cmd.exe (no specs), cmd.exe (no specs), slui.exe, ldrupd.bin, wlegmbs4b4addpdx.exe, werfault.exe (no specs), wlegmbs4b4addpdx.exe (no specs)

Process information

PID | CMD | Path | Parent process

1116 | "C:\Users\admin\Desktop\wleGmBs4b4aDDpdx.exe" | C:\Users\admin\Desktop\wleGmBs4b4aDDpdx.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
c:\users\admin\desktop\wlegmbs4b4addpdx.exe
c:\windows\system32\ntdll.dll

3300 | "C:\WINDOWS\SysWOW64\cmd.exe" | C:\Windows\SysWOW64\cmd.exe | wleGmBs4b4aDDpdx.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll

3332 | "C:\Users\admin\Desktop\wleGmBs4b4aDDpdx.exe" | C:\Users\admin\Desktop\wleGmBs4b4aDDpdx.exe | ldrupd.bin
User: admin
Integrity Level: HIGH
Exit code: 3221225477
Modules (images):
c:\users\admin\desktop\wlegmbs4b4addpdx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

4172 | "C:\Users\admin\Desktop\wleGmBs4b4aDDpdx.exe" | C:\Users\admin\Desktop\wleGmBs4b4aDDpdx.exe | explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\desktop\wlegmbs4b4addpdx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

5280 | "C:\Users\admin\AppData\Local\ldrupd.bin" | C:\Users\admin\AppData\Local\ldrupd.bin | wleGmBs4b4aDDpdx.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\ldrupd.bin
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

6512 | C:\WINDOWS\system32\WerFault.exe -u -p 3332 -s 996 | C:\Windows\System32\WerFault.exe | wleGmBs4b4aDDpdx.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

6656 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

6972 | "C:\WINDOWS\SysWOW64\cmd.exe" | C:\Windows\SysWOW64\cmd.exe | wleGmBs4b4aDDpdx.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 5 991
Read events: 5 985
Write events: 3
Delete events: 3

Modification events

(PID) Process: (6512) WerFault.exe | Key: \REGISTRY\A\{880ec64b-466e-ddc3-1262-12c002109f00}\Root\InventoryApplicationFile | Operation: write | Name: WritePermissionsCheck | Value: 1
(PID) Process: (6512) WerFault.exe | Key: \REGISTRY\A\{880ec64b-466e-ddc3-1262-12c002109f00}\Root\InventoryApplicationFile\PermissionsCheckTestKey | Operation: delete key | Name: (default) | Value: -

Executable files: 2
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6512 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wleGmBs4b4aDDpdx_66cd703f5138ffc2fcac8160955e54b09bf54c2f_2f4c09c1_0d94174c-c8fd-4b16-acaa-e5fce88c369e\Report.wer | -
MD5: -
SHA256: -
6512 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\wleGmBs4b4aDDpdx.exe.3332.dmp | -
MD5: -
SHA256: -
6512 | WerFault.exe | C:\Windows\appcompat\Programs\Amcache.hve | binary
MD5: 96269E48334F7DA40EBE81C92A027A10
SHA256: 50A94B9BA607B9D7C9253B5D2E063A178B6F3C396E9A315467FCA7A0D58F2A17
6512 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER991C.tmp.WERInternalMetadata.xml | binary
MD5: 45CE1ACCADB77001052C14D13C06DD0C
SHA256: 0780189207B4D1619D53C381244B98939DB0D927871DB7CE14179D4EA9EF5CB1
6512 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER97F2.tmp.dmp | binary
MD5: 4DB3200FB8CA38925D4B1E1BF153383E
SHA256: 38DC7E21CAFD50B0DFAFFF7F0561B1CEC6C06E53F468F8ED4390F1F69072688C
5280 | ldrupd.bin | C:\Users\admin\Desktop\wleGmBs4b4aDDpdx.exe | executable
MD5: 6F3632DE32EB4C2180679B22172A311A
SHA256: 7B46AADCE456AD837B10BD8875405BD1A1605E0F225338704D235ED15BDDA97F
6512 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER993D.tmp.xml | xml
MD5: D308C8AEABD0EE120A33F9D968461B26
SHA256: 478D09D041C42B42B4072B1179E6D6B742055B32A96DECABC2A32B2496DD63AF
4172 | wleGmBs4b4aDDpdx.exe | C:\Users\admin\AppData\Local\ldrupd.bin | executable
MD5: A24978A6B77E2CD99823E24C6EB4D055
SHA256: 80AC94C086EB6E52BC3BBEBD86E0795F6CB7476153AF0C767B9AE4B7E9931140

HTTP(S) requests: 0
TCP/UDP connections: 25
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4172 | wleGmBs4b4aDDpdx.exe | 103.230.14.225:3333 | - | Room 704, ChinaChen Leighton Plaza | JP | unknown
6048 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3332 | wleGmBs4b4aDDpdx.exe | 51.222.31.217:3333 | - | OVH SAS | CA | unknown
6656 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
google.com | 142.250.185.174 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info