File name: 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe
Full analysis: https://app.any.run/tasks/0906f051-c432-4893-9a92-98aa6939f1b7
Verdict: Malicious activity
Analysis date: March 24, 2025, 08:58:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: ludbaruma, blocker, dropper
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 3 sections
MD5: 000238EF73F5B05EF8B7C039D9D094FC
SHA1: 6B381CA525C27D9678608668A42B61F78C64B4C3
SHA256: 55967CF854BD0F9F51977A5FE4788CB4A9DAAB031300674769F7948BAAA90E85
SSDEEP: 3072:kzaEJo3CCvcAnkuVVVVVVIAzzaEJo3CCvcAnkuVVVVVVIAf:kza6CC4FXVVVVVVImza6CC4FXVVVVVVR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • LUDBARUMA has been detected
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
    • The process uses a screensaver hijack for persistence
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
    • Changes the autorun value in the registry
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
  • SUSPICIOUS
    • The process creates files with names similar to system file names
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
    • Executable content was dropped or overwritten
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
    • Creates a file in the system drive root
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
  • INFO
    • Creates files in a temporary directory
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
    • The sample was compiled with English language support
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
    • Checks supported languages
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
    • Creates files or folders in the user directory
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
    • Failed to create an executable file in the Windows directory
      • 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (PID: 7728)
    • Reads the software policy settings
      • slui.exe (PID: 7084)

Every indicator except the last is attributed to the sample process (PID 7728). The slui.exe entry (PID 7084) is the Windows Activation Client started by svchost.exe with -Embedding (COM activation), not a child of the sample. Two of the persistence values recorded later in this report point at C:\WINDOWS\xk.exe and C:\WINDOWS\system32\Mig~mig.SCR; the sample ran at MEDIUM integrity, the report records a failed executable write to the Windows directory, and neither path appears among the dropped files, so in this run those two entries are dangling. The Run values that point under the user profile (the XP-era "Local Settings\Application Data" path resolves to AppData\Local through the profile's compatibility junctions) do correspond to copies that were actually dropped.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:11:27 09:24:01+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 147456
InitializedDataSize: 20480
UninitializedDataSize: -
EntryPoint: 0x2a09a
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.20
ProductVersionNumber: 0.0.0.20
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Oncom
ProductName: xk
FileVersion: 0.00.0020
ProductVersion: 0.00.0020
InternalName: DATA
OriginalFileName: DATA.exe
Total processes: 132
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start; 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe (tagged #LUDBARUMA); slui.exe

Process information

PID: 7084
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7728
CMD: "C:\Users\admin\Desktop\55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe"
Path: C:\Users\admin\Desktop\55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe
Parent process: explorer.exe
User: admin
Company: Oncom
Integrity Level: MEDIUM
Exit code: 0
Version: 0.00.0020
Modules (images):
c:\users\admin\desktop\55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll (32-bit process running under WOW64)
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll (Visual Basic 6 runtime)

Total events: 3 425
Read events: 3 415
Write events: 10
Delete events: 0

Modification events

All ten writes below were made by (7728) 55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe; the operation is "write" in every case. The two HKLM Run values landed under WOW6432Node because the sample is a 32-bit process running under WOW64 and its HKLM\SOFTWARE writes are subject to registry redirection; the Policies keys are not redirected.

Key: HKEY_CURRENT_USER\Control Panel\Desktop
  SCRNSAVE.EXE = C:\WINDOWS\system32\Mig~mig.SCR
  ScreenSaverIsSecure = 0
  ScreenSaveTimeOut = 600
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  xk = C:\WINDOWS\xk.exe
  MSMSGS = C:\Users\admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  Serviceadmin = C:\Users\admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Logonadmin = C:\Users\admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  System Monitoring = C:\Users\admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  NoFolderOptions = 1
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  DisableRegistryTools = 1
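The ten registry writes above are the whole persistence and lockdown story of this sample, so they are worth turning into detection logic. The script below is an added example written for this page, not ANY.RUN's own signature code: it parses the writes (transcribed into a constructed key|name|data format), flags the screensaver hijack, the Run keys and the policy lockdown, and annotates each Run value with why it is suspicious (target under a user profile, a core system process name outside System32, a target directly in the Windows root, or a write that went through WOW64 redirection). The ATT&CK IDs T1546.002, T1547.001 and T1112 are the editor's mapping (the report does not list IDs here), and the normalization of the XP-era "Local Settings\Application Data" path to AppData\Local assumes the profile compatibility junctions that Windows creates; both are assumptions, not report data.

```python
"""Classify sandbox registry-write events into persistence findings.

Added example: the rules are the editor's, not ANY.RUN's detection logic.
Input is a constructed transcription of the report's modification events.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the ten writes listed above, all by PID 7728.
SAMPLE_EVENTS = r"""
HKEY_CURRENT_USER\Control Panel\Desktop|SCRNSAVE.EXE|C:\WINDOWS\system32\Mig~mig.SCR
HKEY_CURRENT_USER\Control Panel\Desktop|ScreenSaverIsSecure|0
HKEY_CURRENT_USER\Control Panel\Desktop|ScreenSaveTimeOut|600
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|xk|C:\WINDOWS\xk.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MSMSGS|C:\Users\admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Serviceadmin|C:\Users\admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run|Logonadmin|C:\Users\admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run|System Monitoring|C:\Users\admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoFolderOptions|1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools|1
"""

# Core Windows processes that legitimately live only under System32.
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}


@dataclass
class RegWrite:
    key: str
    name: str
    data: str


@dataclass
class Finding:
    technique: str   # ATT&CK technique ID (editor's mapping, an assumption)
    detail: str
    event: RegWrite


def parse_events(text: str) -> list[RegWrite]:
    """Parse 'key|name|data' lines (data is the remainder after the 2nd pipe)."""
    return [RegWrite(*line.split("|", 2)) for line in text.strip().splitlines()]


def normalize_legacy_path(path: str) -> str:
    r"""Map an XP-era profile path to its Vista+ location.

    Assumption (not stated in the report): the profile's compatibility
    junctions make <profile>\Local Settings\Application Data resolve to
    <profile>\AppData\Local, which is where the report's dropped copies sit.
    """
    return re.sub(r"\\Local Settings\\Application Data\\", r"\\AppData\\Local\\",
                  path, flags=re.IGNORECASE)


def classify(ev: RegWrite) -> list[Finding]:
    """Apply persistence and lockdown rules to one registry write."""
    key, name = ev.key.lower(), ev.name.lower()
    data = normalize_legacy_path(ev.data)
    low = data.lower()
    basename = low.rsplit("\\", 1)[-1]
    out: list[Finding] = []

    if key.endswith("control panel\\desktop"):
        # Screensaver hijack: SCRNSAVE.EXE is what winlogon launches after
        # ScreenSaveTimeOut idle seconds; IsSecure=0 means no lock on resume.
        if name == "scrnsave.exe":
            out.append(Finding("T1546.002", f"SCRNSAVE.EXE -> {data}", ev))
        elif name == "screensaverissecure" and ev.data == "0":
            out.append(Finding("T1546.002", "ScreenSaverIsSecure=0 (no lock on resume)", ev))
        elif name == "screensavetimeout":
            out.append(Finding("T1546.002", f"ScreenSaveTimeOut={ev.data}s", ev))
    elif re.search(r"\\currentversion\\run(once)?$", key):
        hive = "HKLM" if key.startswith("hkey_local_machine") else "HKCU"
        why = []
        if "\\users\\" in low:
            why.append("target under a user profile")
        if basename in SYSTEM_PROCESS_NAMES and "\\system32\\" not in low:
            why.append(f"{basename} outside System32")
        if re.fullmatch(r"c:\\windows\\[^\\]+", low):
            why.append("target directly in the Windows root")
        if "wow6432node" in key:
            why.append("written through WOW64 registry redirection")
        suffix = f" ({'; '.join(why)})" if why else ""
        out.append(Finding("T1547.001", f"{hive} Run '{ev.name}' -> {data}{suffix}", ev))
    elif key.endswith("policies\\system") and name == "disableregistrytools" and ev.data == "1":
        out.append(Finding("T1112", "DisableRegistryTools=1 (regedit blocked)", ev))
    elif key.endswith("policies\\explorer") and name == "nofolderoptions" and ev.data == "1":
        out.append(Finding("T1112", "NoFolderOptions=1 (Folder Options hidden)", ev))
    return out


def triage(text: str) -> dict[str, list[Finding]]:
    """Group findings by technique so the output reads top-down by behaviour."""
    grouped: dict[str, list[Finding]] = {}
    for ev in parse_events(text):
        for f in classify(ev):
            grouped.setdefault(f.technique, []).append(f)
    return grouped


if __name__ == "__main__":
    for tech, findings in triage(SAMPLE_EVENTS).items():
        print(tech)
        for f in findings:
            print("   ", f.detail)
```

Run against the report's events this yields three T1546.002 findings, five T1547.001 findings (four of them naming a core process outside System32, two written via WOW6432Node, one pointing straight into C:\WINDOWS) and two T1112 findings. The same rules, fed from a Sysmon Event ID 13 feed instead of the constructed text, give a usable hunt for this family on live hosts.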
Executable files: 11
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

All ten files below were written by PID 7728 (55967cf854bd0f9f51977a5fe4788cb4a9daab031300674769f7948baaa90e85.exe), are of type executable, and carry the same hashes as the sample itself (MD5 000238EF73F5B05EF8B7C039D9D094FC, SHA256 55967CF854BD0F9F51977A5FE4788CB4A9DAAB031300674769F7948BAAA90E85). The dropper therefore copies itself, unchanged, under the names of core Windows processes into AppData\Local and an AppData\Local\WINDOWS subfolder, locations a medium-integrity process can write without elevation.

C:\Users\admin\AppData\Local\WINDOWS\CSRSS.EXE
C:\Users\admin\AppData\Local\lsass.exe
C:\Users\admin\AppData\Local\csrss.exe
C:\Users\admin\AppData\Local\WINDOWS\WINLOGON.EXE
C:\Users\admin\AppData\Local\winlogon.exe
C:\Users\admin\AppData\Local\services.exe
C:\Users\admin\AppData\Local\WINDOWS\SERVICES.EXE
C:\Users\admin\AppData\Local\smss.exe
C:\Users\admin\AppData\Local\WINDOWS\LSASS.EXE
C:\Users\admin\AppData\Local\WINDOWS\SMSS.EXE
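The dropped-file list is most useful when read together with the registry writes: which of the persistence targets actually exist on disk, and which dropped files are masquerading as system processes. The following is an added example for this page, not ANY.RUN's code; the dropped rows, hashes and persistence targets are transcribed from the report as constructed input, and the mapping of the XP-era "Local Settings\Application Data" path onto AppData\Local is an assumption about the profile's compatibility junctions. It flags lookalike system-process names outside System32/SysWOW64, confirms that every copy is byte-identical to the dropper, and separates persistence entries backed by a dropped file from dangling ones (here the two targets under the Windows directory, which match the report's failed-write indicator).

```python
"""Cross-check dropped files against system-process names and persistence targets.

Added example, not part of the ANY.RUN report. Rows are a constructed
transcription of the report's dropped-file and registry-write sections.
"""
from __future__ import annotations

import ntpath  # Windows path semantics regardless of the host OS
import re
from collections import defaultdict
from dataclasses import dataclass

PARENT_MD5 = "000238EF73F5B05EF8B7C039D9D094FC"
PARENT_SHA256 = "55967CF854BD0F9F51977A5FE4788CB4A9DAAB031300674769F7948BAAA90E85"


@dataclass(frozen=True)
class DroppedFile:
    path: str
    md5: str
    sha256: str


# Constructed from the report: every dropped file carried the parent's hashes.
DROPPED = [DroppedFile(p, PARENT_MD5, PARENT_SHA256) for p in (
    r"C:\Users\admin\AppData\Local\WINDOWS\CSRSS.EXE",
    r"C:\Users\admin\AppData\Local\lsass.exe",
    r"C:\Users\admin\AppData\Local\csrss.exe",
    r"C:\Users\admin\AppData\Local\WINDOWS\WINLOGON.EXE",
    r"C:\Users\admin\AppData\Local\winlogon.exe",
    r"C:\Users\admin\AppData\Local\services.exe",
    r"C:\Users\admin\AppData\Local\WINDOWS\SERVICES.EXE",
    r"C:\Users\admin\AppData\Local\smss.exe",
    r"C:\Users\admin\AppData\Local\WINDOWS\LSASS.EXE",
    r"C:\Users\admin\AppData\Local\WINDOWS\SMSS.EXE",
)]

# Paths the same run wrote into SCRNSAVE.EXE and the Run keys.
PERSISTENCE_TARGETS = [
    r"C:\WINDOWS\system32\Mig~mig.SCR",
    r"C:\WINDOWS\xk.exe",
    r"C:\Users\admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE",
    r"C:\Users\admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE",
    r"C:\Users\admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE",
    r"C:\Users\admin\Local Settings\Application Data\WINDOWS\LSASS.EXE",
]

SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def lookalike_system_files(files: list[DroppedFile]) -> list[str]:
    """Files named like a core Windows process but outside System32/SysWOW64."""
    hits = []
    for f in files:
        directory, base = ntpath.split(f.path)
        if base.lower() in SYSTEM_PROCESS_NAMES and directory.lower() not in LEGIT_DIRS:
            hits.append(f.path)
    return hits


def hash_groups(files: list[DroppedFile]) -> dict[str, list[str]]:
    """Group dropped paths by SHA256; a single group means one payload, many names."""
    groups: dict[str, list[str]] = defaultdict(list)
    for f in files:
        groups[f.sha256.upper()].append(f.path)
    return dict(groups)


def self_copies(files: list[DroppedFile], parent_sha256: str) -> list[str]:
    """Dropped files that are byte-identical to the dropper itself."""
    return hash_groups(files).get(parent_sha256.upper(), [])


def normalize_legacy_path(path: str) -> str:
    # Assumption: the XP-era 'Local Settings\Application Data' path reaches
    # AppData\Local through the profile's compatibility junctions.
    return re.sub(r"\\Local Settings\\Application Data\\", r"\\AppData\\Local\\",
                  path, flags=re.IGNORECASE)


def reconcile_persistence(targets: list[str],
                          files: list[DroppedFile]) -> tuple[list[str], list[str]]:
    """Split persistence targets into those backed by a dropped file and dangling ones.

    A dangling target is a registry entry pointing at nothing on disk in this
    run; for this sample those are the writes into the Windows directory that
    the report records as failed.
    """
    on_disk = {f.path.lower() for f in files}
    backed, dangling = [], []
    for t in targets:
        (backed if normalize_legacy_path(t).lower() in on_disk else dangling).append(t)
    return backed, dangling


if __name__ == "__main__":
    print("lookalikes:", len(lookalike_system_files(DROPPED)))
    print("self-copies:", len(self_copies(DROPPED, PARENT_SHA256)))
    backed, dangling = reconcile_persistence(PERSISTENCE_TARGETS, DROPPED)
    print("backed:", backed)
    print("dangling:", dangling)
```

On the report's data all ten dropped files are lookalikes and all ten are self-copies, four Run targets are backed by a dropped file, and the SCRNSAVE.EXE and xk entries are dangling. For remediation that split matters: the dangling registry values still need removing, because a later run with higher privileges could fill them in.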
HTTP(S) requests: 34
TCP/UDP connections: 50
DNS requests: 17
Threats: 0

HTTP requests

None of the requests that carry a PID was made by the sample (PID 7728); they come from svchost.exe (2104) and SIHClient.exe (7400), i.e. Windows CRL fetches and update checks. Where the report omits a PID/process, content type or size, the column is left blank.

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.48.23.147:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
 | | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | | |
7400 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | | | whitelisted
7400 | SIHClient.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | | | whitelisted
7400 | SIHClient.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | | | whitelisted
7400 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | | | whitelisted
7400 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
7400 | SIHClient.exe | GET | 200 | 2.19.217.218:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | | | whitelisted
 | | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
 | | GET | 200 | 20.223.36.55:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=280815&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T085831Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=854f76eb344f4fb5b88471042e923de1&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967257&metered=false&nettype=ethernet&npid=sc-280815&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1357787&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 2.95 Kb | whitelisted


Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 40.115.3.253:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 23.48.23.147:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7700 | backgroundTaskHost.exe | 20.223.36.55:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
crl.microsoft.com
  • 23.48.23.147
  • 23.48.23.143
  • 23.48.23.164
  • 23.48.23.176
  • 23.48.23.173
  • 23.48.23.166
  • 23.48.23.177
whitelisted
login.live.com
  • 40.126.32.140
  • 20.190.160.66
  • 40.126.32.76
  • 40.126.32.74
  • 20.190.160.5
  • 20.190.160.14
  • 40.126.32.134
  • 20.190.160.4
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
www.microsoft.com
  • 2.19.217.218
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected