File name: 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim

Full analysis: https://app.any.run/tasks/2b09f7b2-942a-4019-8650-1f068b6da090
Verdict: Malicious activity
Analysis date: April 07, 2025, 15:09:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx, irc

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: D7FBF8DAC6386F70C6BC1E5946AC3DC0
SHA1: 458385C6220A730C5525123D818F3EAB05CB5C3B
SHA256: 4B83943834DBDF1CBB33CE7CA15C905428A905880B7D8A1DB7D5EDB8616BB71F
SSDEEP: 98304:yRFR97BH9eJt41RXx7/jVVQJTA4SlPxaG6cNcgPIhN+qYrvB780W6B01mBWTPIwe:rPq4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • SMBSCAN has been detected (SURICATA)

      • tmp1104843.exe (PID: 7716)
      • System (PID: 4)
    • YERO has been detected

      • tmp1104843.exe (PID: 7716)
      • 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID: 7672)
    • YERO mutex has been found

      • tmp1104843.exe (PID: 7716)
    • Attempting to scan the network

      • tmp1104843.exe (PID: 7716)
      • System (PID: 4)
    • IRC has been detected (SURICATA)

      • tmp1104843.exe (PID: 7716)
  • SUSPICIOUS

    • Connects to unusual port

      • tmp1104843.exe (PID: 7716)
    • Potential Corporate Privacy Violation

      • tmp1104843.exe (PID: 7716)
      • System (PID: 4)
    • The process creates files with name similar to system file names

      • tmp1104843.exe (PID: 7716)
    • Executable content was dropped or overwritten

      • 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID: 7672)
      • tmp1104843.exe (PID: 7716)
    • Starts a Microsoft application from unusual location

      • tmp1105375.exe (PID: 7736)
    • Reads security settings of Internet Explorer

      • tmp1104843.exe (PID: 7716)
    • Uses pipe srvsvc via SMB (transferring data)

      • tmp1104843.exe (PID: 7716)
    • Executes application which crashes

      • tmp1105375.exe (PID: 7736)
  • INFO

    • Checks supported languages

      • tmp1105375.exe (PID: 7736)
      • tmp1104843.exe (PID: 7716)
      • 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID: 7672)
    • Creates files or folders in the user directory

      • tmp1104843.exe (PID: 7716)
      • tmp1105375.exe (PID: 7736)
      • WerFault.exe (PID: 1228)
    • Reads the computer name

      • tmp1104843.exe (PID: 7716)
      • tmp1105375.exe (PID: 7736)
    • UPX packer has been detected

      • tmp1104843.exe (PID: 7716)
    • Checks proxy server information

      • tmp1104843.exe (PID: 7716)
      • slui.exe (PID: 1328)
    • Create files in a temporary directory

      • 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID: 7672)
    • Reads the software policy settings

      • slui.exe (PID: 1328)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (36.9)
.exe | UPX compressed Win32 Executable (24)
.exe | Win32 EXE Yoda's Crypter (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.8)
.exe | Win32 Executable (generic) (4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 12288
InitializedDataSize: 4096
UninitializedDataSize: 106496
EntryPoint: 0x1cee0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 135
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process tree with signature tags (parent/child relations as given in the process information below):
  • 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (#YERO)
    • tmp1104843.exe (#SMBSCAN)
    • tmp1105375.exe
      • werfault.exe (no specs)
  • system (#SMBSCAN)
  • slui.exe

Process information

PID 4 | CMD: System | Path: [System Process] | Parent process: (none listed)
    User: SYSTEM | Integrity Level: SYSTEM

PID 1228 | CMD: C:\WINDOWS\system32\WerFault.exe -u -p 7736 -s 1396 | Path: C:\Windows\System32\WerFault.exe | Parent process: tmp1105375.exe
    User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Problem Reporting | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
    Modules (images): c:\windows\system32\werfault.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\cryptsp.dll, c:\windows\system32\oleaut32.dll

PID 1328 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
    User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Activation Client | Exit code: 0 | Version: 10.0.19041.1 (WinBuild.160101.0800)
    Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll

PID 7672 | CMD: "C:\Users\admin\Desktop\2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe" | Path: C:\Users\admin\Desktop\2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe | Parent process: explorer.exe
    User: admin | Integrity Level: MEDIUM | Exit code: 0
    Modules (images): c:\users\admin\desktop\2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll

PID 7716 | CMD: C:\Users\admin\AppData\Local\Temp\tmp1104843.exe | Path: C:\Users\admin\AppData\Local\Temp\tmp1104843.exe | Parent process: 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe
    User: admin | Integrity Level: MEDIUM
    Modules (images): c:\users\admin\appdata\local\temp\tmp1104843.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll

PID 7736 | CMD: C:\Users\admin\AppData\Local\Temp\tmp1105375.exe | Path: C:\Users\admin\AppData\Local\Temp\tmp1105375.exe | Parent process: 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe
    User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Input Personalization Server | Exit code: 3221225477 (0xC0000005, access violation) | Version: 10.0.17134.1 (WinBuild.160101.0800)
    Modules (images): c:\users\admin\appdata\local\temp\tmp1105375.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\user32.dll, c:\windows\system32\win32u.dll, c:\windows\system32\gdi32.dll, c:\windows\system32\gdi32full.dll, c:\windows\system32\msvcp_win.dll
Total events: 6 766
Read events: 6 711
Write events: 55
Delete events: 0

Modification events (all performed by PID 7736, tmp1105375.exe; all are registry write operations)

Key | Name | Value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization | RestrictImplicitTextCollection | 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization | TextHarvestingInstallationStatus | 6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization | RestrictImplicitInkCollection | 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization | DisablePersInternal | 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization | MaximumInkStoreSize | 50000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization | TextHarvestingInstallationStatus | 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization | App Lexicon Timestamp | 0000000000000000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization | Lexicon Generation | 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech\CurrentUserLexicon | CLSID | {C9E37C15-DF92-4727-85D6-72E5EEB6995A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InputMethod\en-US\DUSTATE | Enabled | 1
Executable files: 207
Suspicious files: 4
Text files: 1
Unknown types: 1

Dropped files

PID 7672 | Process: 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe
    Filename: C:\Users\admin\AppData\Local\Temp\tmp1105406.exe
    Type: (not reported) | MD5: (not reported) | SHA256: (not reported)

PID 1228 | Process: WerFault.exe
    Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tmp1105375.exe_55216b93d17029af1dcbe42ea93116ad1ec8e_c04bfa58_a2277993-3254-4404-87ab-fff379e929ed\Report.wer
    Type: (not reported) | MD5: (not reported) | SHA256: (not reported)

PID 7716 | Process: tmp1104843.exe
    Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe-
    Type: (not reported) | MD5: (not reported) | SHA256: (not reported)

PID 7716 | Process: tmp1104843.exe
    Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe-
    Type: (not reported) | MD5: (not reported) | SHA256: (not reported)

PID 7736 | Process: tmp1105375.exe
    Filename: C:\Users\admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_4010812AABB741D795B1D89C83CF09EB.dat
    Type: binary | MD5: 78E2621B5F90623FC5D2879AA5D7BEA3 | SHA256: 313399E94F14855E8429509D04E4EE4DBA8FA238EE282EE93F0BEE49823AA9A5

PID 7716 | Process: tmp1104843.exe
    Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe-
    Type: executable | MD5: 59D9B7A6584B4D65D99D53E2F6736A6D | SHA256: 5E19D82664DF5152CE3390E8C2F99DE77F9A7CC1B2D397E447E1C2220549A3C3

PID 7716 | Process: tmp1104843.exe
    Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe-
    Type: executable | MD5: 02007E040F034486BB76A772EE8D411A | SHA256: 87BA855AE54B56AA86C53A2E8A6FA8F457E0DF888092C3656503F8B9286A1AF5

PID 1228 | Process: WerFault.exe
    Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREFC1.tmp.dmp
    Type: dmp | MD5: 4D149A9E12BB5A4070E83FFD7D9CB08E | SHA256: 0235DC15F0AAAA5EB421FAEA03F4287696506D4C82ECFF5E7A7C0945BF310932

PID 7716 | Process: tmp1104843.exe
    Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AdobeCollabSync.exe-
    Type: executable | MD5: 160CABF76D39BF0EBF840BBF8F77737B | SHA256: 24AEA5D115878B91ED33AD51652E6508F95821EA587BFB7DABC0F581B70EC83C

PID 7716 | Process: tmp1104843.exe
    Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe-
    Type: executable | MD5: AEDA9A2AB15DE00B0FB8189A4F5EB56A | SHA256: AF17B5360A1FA8284B693F4FF91AB9596566BF8C3D25A4806DDF3B8B84EC9B01
HTTP(S) requests: 34
TCP/UDP connections: 1 233
DNS requests: 19
Threats: 15

HTTP requests

PID | Process | Method | HTTP code | IP:port | URL | CN | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2432 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
680 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
680 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
680 | SIHClient.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
680 | SIHClient.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
(not reported) | (not reported) | GET | 304 | 4.245.163.56:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | (not reported)
680 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
680 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
680 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

The report gives no Type or Size values for these requests. None of the HTTP requests listed here originate from the sample's own processes (PIDs 7672, 7716, 7736); they are Windows CRL and update traffic from svchost.exe, RUXIMICS.exe and SIHClient.exe.

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
2104 | svchost.exe | 20.73.194.208:443 | (not reported) | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not reported) | (not reported) | 20.73.194.208:443 | (not reported) | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2432 | RUXIMICS.exe | 20.73.194.208:443 | (not reported) | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 (local subnet broadcast, NetBIOS datagram service) | (not reported) | (not reported) | (not reported) | whitelisted
(not reported) | (not reported) | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(not reported) | (not reported) | 20.190.160.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
(not reported) | (not reported) | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 20.190.160.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2432 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

Only this subset of the 1 233 recorded TCP/UDP connections is listed in the summary; the SMB scanning traffic attributed to tmp1104843.exe (PID 7716) and System (PID 4) in the Threats section is not itemised here.

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
login.live.com | 20.190.160.2, 20.190.160.64, 20.190.160.132, 20.190.160.17, 20.190.160.67, 40.126.32.74, 20.190.160.5, 20.190.160.3 | whitelisted
client.wns.windows.com | 172.211.123.248, 172.211.123.250 | whitelisted
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6, 2.16.164.72, 2.16.164.120, 2.16.164.114, 2.16.164.9, 2.16.164.18 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
www.microsoft.com | 88.221.169.152 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
nexusrules.officeapps.live.com | 52.111.229.43 | whitelisted

Threats

PID | Process | Class | Message
7716 | tmp1104843.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7716 | tmp1104843.exe | Misc activity | ET CHAT IRC NICK command
7716 | tmp1104843.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 24
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7716 | tmp1104843.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network