File name: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2

Full analysis: https://app.any.run/tasks/0a070d46-d755-4eb5-968a-723cdec7f2ca
Verdict: Malicious activity
Analysis date: April 11, 2025, 06:06:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: B225B2E39DB95E17BFEF2DECA64DC45F
SHA1: 11C7537158E5EE582A65F1AA38DE68935EB3A9BA
SHA256: 9D6BB7288ED3182742CFB41DF745F336AE861A208CCC4C70149DFA86D66DDBF2
SSDEEP: 12288:O8JnYK3a7Wqze3ubMgP8jAyN4X1nVzRW7to9fFTYOsgInDhIh:5YK3aaqKAyN4X1nVIcfFTYOsgIDhIh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • armsvc.exe (PID: 7968)
    • Executable content was dropped or overwritten

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • armsvc.exe (PID: 7968)
    • Executes as Windows Service

      • armsvc.exe (PID: 7968)
      • FlashPlayerUpdateService.exe (PID: 7996)
      • AppVClient.exe (PID: 8080)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 8128)
      • alg.exe (PID: 8032)
    • Reads security settings of Internet Explorer

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
    • Application launched itself

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
    • The process creates files with name similar to system file names

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
  • INFO

    • Reads the computer name

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
      • armsvc.exe (PID: 7968)
      • FlashPlayerUpdateService.exe (PID: 7996)
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
    • Creates files or folders in the user directory

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
    • The sample compiled with english language support

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
      • armsvc.exe (PID: 7968)
    • Checks supported languages

      • armsvc.exe (PID: 7968)
      • FlashPlayerUpdateService.exe (PID: 7996)
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
    • Creates files in the program directory

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • armsvc.exe (PID: 7968)
    • Process checks computer location settings

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
    • Reads Windows Product ID

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • armsvc.exe (PID: 7968)
    • Checks proxy server information

      • slui.exe (PID: 5244)
    • Reads the software policy settings

      • slui.exe (PID: 5244)
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
    • Reads the machine GUID from the registry

      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:02 08:52:42+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 208896
InitializedDataSize: 106496
UninitializedDataSize: -
EntryPoint: 0x1d5c9
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: TODO: <Company name>
FileDescription: TODO: <File description>
FileVersion: 1.0.0.1
InternalName: login.exe
LegalCopyright: TODO: (c) <Company name>. All rights reserved.
OriginalFileName: login.exe
ProductName: TODO: <Product name>
ProductVersion: 1.0.0.1
No data.
Total processes: 132
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes as listed in the graph (nodes marked "no specs" carry no process details in the report):
start
9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (no specs)
9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
armsvc.exe
flashplayerupdateservice.exe (no specs)
alg.exe (no specs)
appvclient.exe (no specs)
diagnosticshub.standardcollector.service.exe (no specs)
slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 5244
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 7596
CMD: "C:\Users\admin\Desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe"
Path: C:\Users\admin\Desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Parent process: explorer.exe
User: admin
Company: TODO: <Company name>
Integrity Level: MEDIUM
Description: TODO: <File description>
Exit code: 0
Version: 1.0.0.1
Modules (images):
c:\users\admin\desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7740
CMD: "C:\Users\admin\Desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe" help
Path: C:\Users\admin\Desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Parent process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
User: admin
Company: TODO: <Company name>
Integrity Level: HIGH
Description: TODO: <File description>
Version: 1.0.0.1
Modules (images):
c:\users\admin\desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 7968
CMD: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Path: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Parent process: services.exe
User: SYSTEM
Company: Adobe Inc.
Integrity Level: SYSTEM
Description: Acrobat Update Service
Version: 1.824.460.1042
Modules (images):
c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 7996
CMD: C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Path: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Parent process: services.exe
User: SYSTEM
Company: Adobe
Integrity Level: SYSTEM
Description: Adobe® Flash® Player Update Service 32.0 r0
Exit code: 0
Version: 32,0,0,465
Modules (images):
c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 8032
CMD: C:\WINDOWS\System32\alg.exe
Path: C:\Windows\System32\alg.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Application Layer Gateway Service
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\alg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 8080
CMD: C:\WINDOWS\system32\AppVClient.exe
Path: C:\Windows\System32\AppVClient.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Application Virtualization Client Service
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\appvclient.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp_win.dll
PID: 8128
CMD: C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Path: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft (R) Diagnostics Hub Standard Collector
Version: 11.00.19041.3930 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\sechost.dll
Total events: 7 576
Read events: 7 570
Write events: 6
Delete events: 0

Modification events

Process: (7740) 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Operation: write
Name: Startup
Value: C:\Users\admin\AppData\Local\kobprrfa

Process: (7740) 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Operation: write
Name: Startup
Value: C:\Users\admin\AppData\Local\kobprrfa

Process: (7968) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation: write
Name: iLastSvcSuccess
Value: 1109281

Process: (7968) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Operation: write
Name: EnableSmartScreen
Value: 0

Process: (7968) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation: write
Name: HideSCAHealth
Value: 1

Process: (7968) armsvc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\S-1-5-21-1693682860-607145093-2874071422-1001
Operation: write
Name: EnableNotifications
Value: 0
Executable files: 122
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Users\admin\AppData\Local\kobprrfa\cmd.exe
Type: executable
MD5: D3348AC2130C7E754754A6E9CB053B09
SHA256: E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Windows\System32\AppVClient.exe
Type: executable
MD5: C58D5B7E247C1914F12F5CAF73698047
SHA256: 8CA6979C58076AC2EA9E1BE476A886B444FE1591334240831F1612B8D9559A7C

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Type: executable
MD5: 64DFA05CFB7899670EB7E09D897E094C
SHA256: 77881BB0B025447B196F2E81F34915E4301DC045BEAF38E14A435E79286C8279

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\pcnpclac.tmp
Type: executable
MD5: B33EA5FB841A3E6690C6495AC336009B
SHA256: 9A32648070C731D8D23524740643B40CE24DCC42BC18AA0BC4FDD0E69D68ED11

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Type: executable
MD5: B33EA5FB841A3E6690C6495AC336009B
SHA256: 9A32648070C731D8D23524740643B40CE24DCC42BC18AA0BC4FDD0E69D68ED11

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Windows\SysWOW64\Macromed\Flash\debpiqjn.tmp
Type: executable
MD5: 64DFA05CFB7899670EB7E09D897E094C
SHA256: 77881BB0B025447B196F2E81F34915E4301DC045BEAF38E14A435E79286C8279

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Windows\System32\alg.exe
Type: executable
MD5: 83724A674C3FA75136D2BEC8C0E200CA
SHA256: 0D84EBDC6214FAD018F331BE779B4AA7A3FBEB50EC2E7F90003B9994CE64088C

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Windows\SysWOW64\svchost.exe
Type: executable
MD5: E9EB5F5B82D0969EE9B2698444F4BE38
SHA256: BCC53BA3E466DDCAF28DB01293D4D524073DB89D05D877CED5E809196B5659C1

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Users\admin\AppData\Local\kobprrfa\fcpgfajm.tmp
Type: executable
MD5: ADA6137D00D3225841559CC4A5F634F0
SHA256: FD29124ADE431DA99C2AA01B42A4ECE46E6BDF0224D100A1AA59DCFC2181E86E

PID: 7740
Process: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
Filename: C:\Windows\SysWOW64\cgbdjhel.tmp
Type: executable
MD5: 7F9244BAEBC7733983E142754DDE593D
SHA256: 813D8CA0E5E9C5712BCFDF41A69CD0B7020F75AD01D40EC7B0410CA8D65D8D85
HTTP(S) requests: 28
TCP/UDP connections: 57
DNS requests: 5
Threats: 0

HTTP requests

(Rows with no PID/Process were not attributed to a monitored process in the report; the empty Type and Size columns are omitted.)

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
- | - | GET | 200 | 34.132.102.6:443 | https://v.xyzgamev.com/3004.html | unknown | unknown
- | - | GET | 200 | 34.136.111.81:443 | https://v.xyzgamev.com/3004.html | unknown | unknown
- | - | GET | 200 | 34.132.102.6:443 | https://v.xyzgamev.com/3004.html | unknown | unknown
- | - | GET | 200 | 34.132.102.6:443 | https://v.xyzgamev.com/3004.html | unknown | unknown
2104 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | - | 34.136.111.81:443 | https://v.xyzgamev.com/3004.html | unknown | unknown
- | - | GET | 200 | 34.132.102.6:443 | https://v.xyzgamev.com/3004.html | unknown | unknown
- | - | GET | 200 | 34.136.111.81:443 | https://v.xyzgamev.com/3004.html | unknown | unknown
- | - | GET | 200 | 34.132.102.6:443 | https://v.xyzgamev.com/3004.html | unknown | unknown
- | - | GET | 200 | 34.136.111.81:443 | https://v.xyzgamev.com/3004.html | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7740 | 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe | 34.136.111.81:443 | v.xyzgamev.com | GOOGLE-CLOUD-PLATFORM | US | malicious
2104 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7288 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5244 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
v.xyzgamev.com
  • 34.136.111.81
  • 34.132.102.6
malicious
crl.microsoft.com
  • 2.16.164.120
  • 2.16.164.49
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info