File name: 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim
Full analysis: https://app.any.run/tasks/2b09f7b2-942a-4019-8650-1f068b6da090
Verdict: Malicious activity
Analysis date: April 07, 2025, 15:09:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx, irc

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: D7FBF8DAC6386F70C6BC1E5946AC3DC0
SHA1: 458385C6220A730C5525123D818F3EAB05CB5C3B
SHA256: 4B83943834DBDF1CBB33CE7CA15C905428A905880B7D8A1DB7D5EDB8616BB71F
SSDEEP: 98304:yRFR97BH9eJt41RXx7/jVVQJTA4SlPxaG6cNcgPIhN+qYrvB780W6B01mBWTPIwe:rPq4
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • YERO has been detected
      • 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID: 7672)
      • tmp1104843.exe (PID: 7716)
    • YERO mutex has been found
      • tmp1104843.exe (PID: 7716)
    • SMBSCAN has been detected (SURICATA)
      • tmp1104843.exe (PID: 7716)
      • System (PID: 4)
    • Attempting to scan the network
      • System (PID: 4)
      • tmp1104843.exe (PID: 7716)
    • IRC has been detected (SURICATA)
      • tmp1104843.exe (PID: 7716)
  • SUSPICIOUS
    • Starts a Microsoft application from unusual location
      • tmp1105375.exe (PID: 7736)
    • Executable content was dropped or overwritten
      • 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID: 7672)
      • tmp1104843.exe (PID: 7716)
    • Reads security settings of Internet Explorer
      • tmp1104843.exe (PID: 7716)
    • Uses pipe srvsvc via SMB (transferring data); srvsvc is the Server Service RPC pipe, the endpoint used to enumerate shares on a remote host
      • tmp1104843.exe (PID: 7716)
    • Connects to unusual port
      • tmp1104843.exe (PID: 7716)
    • Potential Corporate Privacy Violation
      • tmp1104843.exe (PID: 7716)
      • System (PID: 4)
    • The process creates files with name similar to system file names
      • tmp1104843.exe (PID: 7716)
    • Executes application which crashes
      • tmp1105375.exe (PID: 7736)
  • INFO
    • Checks supported languages
      • 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID: 7672)
      • tmp1104843.exe (PID: 7716)
      • tmp1105375.exe (PID: 7736)
    • Create files in a temporary directory
      • 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID: 7672)
    • Reads the computer name
      • tmp1105375.exe (PID: 7736)
      • tmp1104843.exe (PID: 7716)
    • Creates files or folders in the user directory
      • tmp1104843.exe (PID: 7716)
      • tmp1105375.exe (PID: 7736)
      • WerFault.exe (PID: 1228)
    • Checks proxy server information
      • tmp1104843.exe (PID: 7716)
      • slui.exe (PID: 1328)
    • UPX packer has been detected
      • tmp1104843.exe (PID: 7716)
    • Reads the software policy settings
      • slui.exe (PID: 1328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (36.9)
.exe | UPX compressed Win32 Executable (24)
.exe | Win32 EXE Yoda's Crypter (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.8)
.exe | Win32 Executable (generic) (4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 12288
InitializedDataSize: 4096
UninitializedDataSize: 106496
EntryPoint: 0x1cee0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
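The static block above shows the shape of a UPX-packed PE: three sections, a small CodeSize (12288) next to a much larger UninitializedDataSize (106496), because UPX keeps the first section (UPX0) empty on disk and reserves its virtual size for the unpacked image. The 1992-06-19 22:22:17 timestamp and LinkerVersion 2.25 are the fixed values Borland-linked binaries carry, so the timestamp says nothing about when this sample was built. The following is an added example, not code from ANY.RUN or from the sample: it parses PE section headers and applies the UPX heuristics a triage script would use (section names, a large virtual-only section, the "UPX!" marker). The two PE blobs it checks are constructed header-only samples with the section layout from this report; the real sample bytes are not embedded.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"   # marker UPX writes into its pack header


def parse_sections(data: bytes) -> list[dict]:
    """Walk the MZ/PE headers and return one dict per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PtrSymTab(4)
    # NumSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rsize, "raw_ptr": rptr})
    return sections


def upx_indicators(data: bytes) -> list[str]:
    """Return the UPX heuristics that fire for this PE, in a fixed order."""
    sections = parse_sections(data)
    hits = []
    if any(s["name"] in UPX_SECTION_NAMES for s in sections):
        hits.append("upx_section_names")
    # UPX0 is where the unpacked image is rebuilt at runtime: large VirtualSize,
    # zero bytes on disk. Same shape as UninitializedDataSize 106496 vs CodeSize 12288 above.
    if any(s["raw_size"] == 0 and s["virtual_size"] >= 0x10000 for s in sections):
        hits.append("large_virtual_only_section")
    if UPX_MAGIC in data:
        hits.append("upx_magic")
    return hits


def build_pe(sections: list[tuple[str, int, int]], trailer: bytes = b"") -> bytes:
    """Constructed PE32 headers for (name, VirtualSize, SizeOfRawData) sections.
    Only headers are emitted; section bodies are not needed for this check."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                        # PE32 optional header
    # i386, Borland's fixed TimeDateStamp 0x2A425E19, characteristics as in the report
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x2A425E19, 0, 0, opt_size, 0x818F)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # Magic = PE32
    table, va, raw = b"", 0x1000, 0x400
    for name, vsize, rsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             vsize, va, rsize, raw if rsize else 0, 0, 0, 0, 0, 0x60000020)
        va += (vsize + 0xFFF) & ~0xFFF
        raw += rsize
    return dos + b"PE\0\0" + coff + opt + table + trailer


# Constructed samples (assumed layouts, not bytes from the analysed file).
PACKED_SAMPLE = build_pe([("UPX0", 106496, 0), ("UPX1", 12288, 12288), (".rsrc", 4096, 4096)],
                         trailer=UPX_MAGIC)
CLEAN_SAMPLE = build_pe([(".text", 12288, 12288), (".data", 4096, 4096), (".rsrc", 4096, 4096)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        layout = [(s["name"], s["virtual_size"], s["raw_size"]) for s in parse_sections(blob)]
        print(label, layout, upx_indicators(blob))
```

Section names are the weakest of the three signals (UPX can be told to rename them); the virtual-only first section survives renaming, which is why the check reports each heuristic separately instead of a single boolean.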
All screenshots are available in the full report

Total processes: 135
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

explorer.exe
  2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID 7672)  #YERO
    tmp1104843.exe (PID 7716)  #YERO #SMBSCAN
    tmp1105375.exe (PID 7736)
      WerFault.exe (PID 1228)  (no specs)
svchost.exe
  slui.exe (PID 1328)
System (PID 4)  #SMBSCAN

Process information

PID 4   System   [System Process]
  User: SYSTEM
  Integrity level: SYSTEM

PID 1228   C:\WINDOWS\system32\WerFault.exe -u -p 7736 -s 1396
  Path: C:\Windows\System32\WerFault.exe
  Parent: tmp1105375.exe (PID 7736)
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Problem Reporting
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\werfault.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\cryptsp.dll
    c:\windows\system32\oleaut32.dll

PID 1328   C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 7672   "C:\Users\admin\Desktop\2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe"
  Path: C:\Users\admin\Desktop\2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe
  Parent: explorer.exe
  User: admin
  Integrity level: MEDIUM
  Exit code: 0
  Modules (images):
    c:\users\admin\desktop\2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 7716   C:\Users\admin\AppData\Local\Temp\tmp1104843.exe
  Path: C:\Users\admin\AppData\Local\Temp\tmp1104843.exe
  Parent: 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID 7672)
  User: admin
  Integrity level: MEDIUM
  Modules (images):
    c:\users\admin\appdata\local\temp\tmp1104843.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 7736   C:\Users\admin\AppData\Local\Temp\tmp1105375.exe
  Path: C:\Users\admin\AppData\Local\Temp\tmp1105375.exe
  Parent: 2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe (PID 7672)
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Input Personalization Server
  Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION; this is the crash WerFault.exe PID 1228 reported)
  Version: 10.0.17134.1 (WinBuild.160101.0800)
  Modules (images):
    c:\users\admin\appdata\local\temp\tmp1105375.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\win32u.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\gdi32full.dll
    c:\windows\system32\msvcp_win.dll
Total events: 6 766
Read events: 6 711
Write events: 55
Delete events: 0

Modification events

All ten recorded registry writes come from tmp1105375.exe (PID 7736), the Microsoft Input Personalization binary dropped into Temp:

Key                                                              Name                             Value
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization        RestrictImplicitTextCollection   1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization        TextHarvestingInstallationStatus 6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization        RestrictImplicitInkCollection    1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization        DisablePersInternal              0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization        MaximumInkStoreSize              50000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization        TextHarvestingInstallationStatus 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization        App Lexicon Timestamp            0000000000000000
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InputPersonalization        Lexicon Generation               0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech\CurrentUserLexicon   CLSID                            {C9E37C15-DF92-4727-85D6-72E5EEB6995A}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InputMethod\en-US\DUSTATE  Enabled                          1
Executable files: 207
Suspicious files: 4
Text files: 1
Unknown types: 1

Dropped files

PID 7672  2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe
  C:\Users\admin\AppData\Local\Temp\tmp1105406.exe
  Type: (not recorded)   MD5: (not recorded)   SHA256: (not recorded)

PID 1228  WerFault.exe
  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_tmp1105375.exe_55216b93d17029af1dcbe42ea93116ad1ec8e_c04bfa58_a2277993-3254-4404-87ab-fff379e929ed\Report.wer
  Type: (not recorded)   MD5: (not recorded)   SHA256: (not recorded)

PID 7716  tmp1104843.exe
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe-
  Type: (not recorded)   MD5: (not recorded)   SHA256: (not recorded)

PID 7716  tmp1104843.exe
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe-
  Type: (not recorded)   MD5: (not recorded)   SHA256: (not recorded)

PID 7672  2025-04-07_d7fbf8dac6386f70c6bc1e5946ac3dc0_helldown_nymaim.exe
  C:\Users\admin\AppData\Local\Temp\tmp1104843.exe
  Type: executable   MD5: 867346E51B10D597F33B0C4A2B4CDB59   SHA256: 25D703A80C5C3D4D833F334D15C13A988CE3FE05E91F496C316171FF251558AB

PID 7716  tmp1104843.exe
  C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.tmp
  Type: executable   MD5: 867346E51B10D597F33B0C4A2B4CDB59   SHA256: 25D703A80C5C3D4D833F334D15C13A988CE3FE05E91F496C316171FF251558AB
  (identical hash to tmp1104843.exe: the worm writes a copy of itself under a system-looking name)

PID 7736  tmp1105375.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_4010812AABB741D795B1D89C83CF09EB.dat
  Type: binary   MD5: 78E2621B5F90623FC5D2879AA5D7BEA3   SHA256: 313399E94F14855E8429509D04E4EE4DBA8FA238EE282EE93F0BEE49823AA9A5

PID 7716  tmp1104843.exe
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe-
  Type: executable   MD5: AEF41B90EF594CEF57306F969B31E83C   SHA256: 2FD0EB9C95B606E3FDCF80FC81AA7BB0F3BD903944532C42F4EE3AE52505DFDC

PID 7716  tmp1104843.exe
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe-
  Type: executable   MD5: AB77DAA08F7A0B5B4E1803C029D25CAB   SHA256: 0D336E45157CF0263BF54939F4F3DA8B9AF71794812188966D45AEB26C24F232

PID 7716  tmp1104843.exe
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe-
  Type: executable   MD5: 02007E040F034486BB76A772EE8D411A   SHA256: 87BA855AE54B56AA86C53A2E8A6FA8F457E0DF888092C3656503F8B9286A1AF5

The VirtualStore paths are UAC file virtualization at work: tmp1104843.exe runs at MEDIUM integrity without a manifest, so its attempts to write into Program Files\Adobe\... and Windows\SysWOW64 were redirected to %LOCALAPPDATA%\VirtualStore. On a host where the same binary runs elevated, or where virtualization is disabled, those writes land in the real directories. The 207 executable files counted above include many more of these copies than the excerpt lists.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 34
TCP/UDP connections: 1 233
DNS requests: 19
Threats: 15

HTTP requests

Of the requests listed, none originates from the sample's own processes; they are Windows servicing and CRL traffic. The worm's own network activity is the SMB scanning and the IRC session recorded under Threats.

PID   Process        Method  Code  IP                   URL                                                                                                   CN       Type / size   Reputation
2104  svchost.exe    GET     200   23.216.77.28:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                            unknown  -             whitelisted
2432  RUXIMICS.exe   GET     200   23.216.77.28:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                            unknown  -             whitelisted
680   SIHClient.exe  GET     200   2.16.164.72:80       http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl                                unknown  -             whitelisted
680   SIHClient.exe  GET     200   88.221.169.152:80    http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl                       unknown  -             whitelisted
680   SIHClient.exe  GET     200   2.16.164.72:80       http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl                                unknown  -             whitelisted
680   SIHClient.exe  GET     200   88.221.169.152:80    http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl  unknown  -        whitelisted
-     -              GET     304   4.245.163.56:443     https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL  unknown  -  unknown
680   SIHClient.exe  GET     200   88.221.169.152:80    http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl                 unknown  -             whitelisted
-     -              POST    200   40.126.32.138:443    https://login.live.com/RST2.srf                                                                       unknown  xml, 1.24 Kb  whitelisted
-     -              GET     200   4.245.163.56:443     https://slscr.update.microsoft.com/sls/ping                                                           unknown  -             unknown
Connections

PID   Process        Destination           Domain                            ASN                          CN  Reputation
2104  svchost.exe    20.73.194.208:443     -                                 MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
-     -              20.73.194.208:443     -                                 MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
2432  RUXIMICS.exe   20.73.194.208:443     -                                 MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
4     System         192.168.100.255:138   -                                 -                            -   whitelisted
-     -              4.231.128.59:443      settings-win.data.microsoft.com   MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -              20.190.160.2:443      login.live.com                    MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
-     -              172.211.123.248:443   client.wns.windows.com            MICROSOFT-CORP-MSN-AS-BLOCK  FR  whitelisted
2104  svchost.exe    23.216.77.28:80       crl.microsoft.com                 Akamai International B.V.    DE  whitelisted
6544  svchost.exe    20.190.160.2:443      login.live.com                    MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
2432  RUXIMICS.exe   23.216.77.28:80       crl.microsoft.com                 Akamai International B.V.    DE  whitelisted

The 192.168.100.255:138 entry is a NetBIOS datagram broadcast to the sandbox subnet; it is issued by the kernel (System, PID 4), as are the outbound SMB sessions the redirector opens when a user-mode process touches a UNC path.

DNS requests

Domain (reputation): resolved IPs
settings-win.data.microsoft.com (whitelisted): 4.231.128.59, 51.124.78.146
login.live.com (whitelisted): 20.190.160.2, 20.190.160.64, 20.190.160.132, 20.190.160.17, 20.190.160.67, 40.126.32.74, 20.190.160.5, 20.190.160.3
client.wns.windows.com (whitelisted): 172.211.123.248, 172.211.123.250
google.com (whitelisted): 142.250.186.110
crl.microsoft.com (whitelisted): 23.216.77.28, 23.216.77.6, 2.16.164.72, 2.16.164.120, 2.16.164.114, 2.16.164.9, 2.16.164.18
slscr.update.microsoft.com (whitelisted): 4.245.163.56
www.microsoft.com (whitelisted): 88.221.169.152
fe3cr.delivery.mp.microsoft.com (whitelisted): 40.69.42.241
activation-v2.sls.microsoft.com (whitelisted): 40.91.76.224
nexusrules.officeapps.live.com (whitelisted): 52.111.229.43

Every listed lookup resolves Microsoft or Google infrastructure; no lookup for an IRC or C2 hostname appears in this excerpt.

Threats

Alerts attributed to System (PID 4) are the outbound SMB connections the kernel-mode SMB redirector makes on the worm's behalf (UNC-path access from tmp1104843.exe is carried out inside the System process), so correlating on the alerting PID alone would not name the malicious process; the file-system and mutex indicators on PID 7716 are what tie the scan to tmp1104843.exe.

PID   Process          Class                                  Message
7716  tmp1104843.exe   Potential Corporate Privacy Violation  POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4     System           Potential Corporate Privacy Violation  POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4     System           Potential Corporate Privacy Violation  POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4     System           Potential Corporate Privacy Violation  POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4     System           Potential Corporate Privacy Violation  POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7716  tmp1104843.exe   Misc activity                          ET CHAT IRC NICK command
7716  tmp1104843.exe   Misc Attack                            ET DROP Spamhaus DROP Listed Traffic Inbound group 24
4     System           Potential Corporate Privacy Violation  POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4     System           Potential Corporate Privacy Violation  POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7716  tmp1104843.exe   Potential Corporate Privacy Violation  POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
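The two Suricata-side signals in this report, a process fanning out to many SMB hosts and an IRC registration verb on a non-standard port, are the ones worth reproducing in host or flow telemetry where no IDS sits inline. The following is an added example, not ANY.RUN code and not the rules quoted above: it runs a sliding-window SMB fan-out detector and a content-based IRC verb match over a constructed connection log. The PIDs and process names mirror the report; the timestamps, target addresses (documentation ranges standing in for Internet hosts), the 4466 port and the IRC payload are all made up, and the threshold and window are assumptions to tune per environment.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float            # seconds since the start of the capture
    pid: int
    proc: str
    dst_ip: str
    dst_port: int
    payload: bytes = b""  # first bytes the client sent on the connection, if any


# "Home network" in the sense of the ANY.RUN policy rule: RFC 1918 plus loopback and link-local.
HOME_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_home(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NETS)


# ET CHAT rules key on the IRC verb at the start of the client payload, not on port 6667,
# which is why a session on an odd port (the "Connects to unusual port" indicator) still fires.
IRC_VERBS = (b"NICK ", b"USER ", b"JOIN ", b"PRIVMSG ")


def irc_alerts(conns):
    """Connections whose first client bytes are an IRC registration or chat verb."""
    return [c for c in conns if c.payload.lstrip().startswith(IRC_VERBS)]


def smb_scan_alerts(conns, threshold=20, window=60.0):
    """One alert per PID, the first time it reaches `threshold` distinct hosts on 445
    within `window` seconds; also counts targets outside the home network."""
    windows, fired, alerts = {}, set(), []
    for c in sorted(conns, key=lambda x: x.ts):
        if c.dst_port != 445 or c.pid in fired:
            continue
        q = windows.setdefault(c.pid, deque())
        q.append(c)
        while c.ts - q[0].ts > window:      # drop connections older than the window
            q.popleft()
        targets = {x.dst_ip for x in q}
        if len(targets) >= threshold:
            alerts.append({"pid": c.pid, "proc": c.proc, "first_ts": q[0].ts, "ts": c.ts,
                           "distinct_targets": len(targets),
                           "public_targets": sum(not is_home(ip) for ip in targets)})
            fired.add(c.pid)
    return alerts


# Constructed log: a burst of SMB probes from PID 7716 to 30 "Internet" hosts and 3 LAN hosts,
# one IRC registration on an unusual port, and one benign TLS connection from svchost.exe.
SAMPLE = (
    [Conn(0.5 + 0.2 * i, 7716, "tmp1104843.exe", f"203.0.113.{i + 1}", 445) for i in range(30)]
    + [Conn(1.0 + i, 7716, "tmp1104843.exe", f"192.168.100.{10 + i}", 445) for i in range(3)]
    + [Conn(12.0, 7716, "tmp1104843.exe", "198.51.100.7", 4466,
            b"NICK n-7716-admin\r\nUSER a 0 * :a\r\n")]
    + [Conn(3.0, 2104, "svchost.exe", "20.73.194.208", 443, b"\x16\x03\x01")]
)

if __name__ == "__main__":
    for a in smb_scan_alerts(SAMPLE):
        print(f"SMB scan: pid={a['pid']} {a['proc']} reached {a['distinct_targets']} hosts "
              f"({a['public_targets']} outside the home network) in {a['ts'] - a['first_ts']:.1f}s")
    for c in irc_alerts(SAMPLE):
        print(f"IRC verb to {c.dst_ip}:{c.dst_port} from pid={c.pid}: {c.payload.split()[0]!r}")
```

In real telemetry the SMB sessions show up under PID 4 rather than the worm's PID, as the Threats table above does; feed the detector the process that opened the UNC handle (from file-system or ETW events) instead of the socket owner, or it will only ever name System.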
Debug info: none