File name:

72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin

Full analysis: https://app.any.run/tasks/5b3d6fc6-fcb4-405a-9795-d735af9804cd
Verdict: Malicious activity
Analysis date: June 21, 2025, 11:25:00
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
themida
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

D06906F92299455662311C35FF57F0F6

SHA1:

DF8D471DE79B45CC062A41F139E3C10F9BCAE67B

SHA256:

72B7C4936EA97AC29F40F632C6D07A33359EF2959CBD18E9A7E69FEC09717171

SSDEEP:

98304:UTD6MIn5gzV/3coO7YKogmbcBrGm87AHR4X5Glk/dpjyh5oiF95BA9Y2+Flb1wBq:sd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the BIOS version

      • 72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin.exe (PID: 2708)

    • The process executes via Task Scheduler

      • updater.exe (PID: 6508)

    • Application launched itself

      • updater.exe (PID: 6508)

  • INFO

    • The sample compiled with english language support

      • 72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin.exe (PID: 2708)

    • Checks supported languages

      • 72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin.exe (PID: 2708)
      • updater.exe (PID: 6508)
      • updater.exe (PID: 2188)

    • Themida protector has been detected

      • 72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin.exe (PID: 2708)

    • Reads the computer name

      • updater.exe (PID: 6508)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 6508)

    • Checks proxy server information

      • slui.exe (PID: 5012)

    • Reads the software policy settings

      • slui.exe (PID: 5012)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:05:13 11:58:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.37
CodeSize: 104960
InitializedDataSize: 372224
UninitializedDataSize: -
EntryPoint: 0x49d000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.1.903.38
ProductVersionNumber: 1.1.903.38
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: KeyJ
FileDescription: MPlayer for Windows
FileVersion: 1.1.903.38
InternalName: MPlayer
LegalCopyright: (C) 2005 Martin J. Fiedler
LegalTrademarks: -
OriginalFileName: MPlayer.dpr
ProductName: MPlayer: a Windows frontend for MPlayer
ProductVersion: 1.1
Comments: -
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
137
Monitored processes
4
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin.exe updater.exe no specs updater.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2188"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x258,0x2a4,0x111c460,0x111c46c,0x111c478C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exeupdater.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2708"C:\Users\admin\Desktop\72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin.exe" C:\Users\admin\Desktop\72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin.exe
explorer.exe
User:
admin
Company:
KeyJ
Integrity Level:
MEDIUM
Description:
MPlayer for Windows
Exit code:
0
Version:
1.1.903.38
Modules
Images
c:\users\admin\desktop\72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5012C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6508"C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --systemC:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exesvchost.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater
Exit code:
0
Version:
134.0.6985.0
Modules
Images
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events
3 554
Read events
3 554
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2188updater.exeC:\Program Files (x86)\Google\GoogleUpdater\updater.logtext
MD5:FAD05EFEA2C68EFAF4818C812747FD51
SHA256:55BF02A457A2C74839464DB35C88CF00F8333CB9729AB368B956F297CE06F24E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
40
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
184.24.77.41:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.41:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
472
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
20.190.160.22:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
20.190.160.3:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
POST
200
20.190.159.2:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
20.190.159.2:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
POST
200
40.126.31.73:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
472
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.41:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.41:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
472
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 184.24.77.41
  • 184.24.77.36
  • 184.24.77.4
  • 184.24.77.38
  • 184.24.77.14
  • 184.24.77.11
  • 184.24.77.12
  • 184.24.77.7
  • 184.24.77.9
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.3
  • 40.126.32.72
  • 20.190.160.20
  • 40.126.32.68
  • 20.190.160.22
  • 20.190.160.14
  • 20.190.160.64
  • 20.190.160.5
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.48
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

No threats detected
Process
Message
72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
72b7c4936ea97ac29f40f632c6d07a33359ef2959cbd18e9a7e69fec09717171.bin