File name: 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2

Full analysis: https://app.any.run/tasks/0a070d46-d755-4eb5-968a-723cdec7f2ca
Verdict: Malicious activity
Analysis date: April 11, 2025, 06:06:09
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: B225B2E39DB95E17BFEF2DECA64DC45F
SHA1: 11C7537158E5EE582A65F1AA38DE68935EB3A9BA
SHA256: 9D6BB7288ED3182742CFB41DF745F336AE861A208CCC4C70149DFA86D66DDBF2
SSDEEP: 12288:O8JnYK3a7Wqze3ubMgP8jAyN4X1nVzRW7to9fFTYOsgInDhIh:5YK3aaqKAyN4X1nVIcfFTYOsgIDhIh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Changes the autorun value in the registry
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
  • SUSPICIOUS
    • Application launched itself
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
    • Reads security settings of Internet Explorer
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
    • Executes as Windows Service
      • FlashPlayerUpdateService.exe (PID: 7996)
      • armsvc.exe (PID: 7968)
      • AppVClient.exe (PID: 8080)
      • alg.exe (PID: 8032)
      • DiagnosticsHub.StandardCollector.Service.exe (PID: 8128)
    • The process creates files with name similar to system file names
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
    • Process drops legitimate windows executable
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • armsvc.exe (PID: 7968)
    • Executable content was dropped or overwritten
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • armsvc.exe (PID: 7968)
  • INFO
    • Reads the computer name
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • armsvc.exe (PID: 7968)
      • FlashPlayerUpdateService.exe (PID: 7996)
    • The sample compiled with English language support
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • armsvc.exe (PID: 7968)
    • Checks supported languages
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
      • armsvc.exe (PID: 7968)
      • FlashPlayerUpdateService.exe (PID: 7996)
    • Process checks computer location settings
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7596)
    • Reads the machine GUID from the registry
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
    • Reads the software policy settings
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • slui.exe (PID: 5244)
    • Creates files or folders in the user directory
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
    • Creates files in the program directory
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
      • armsvc.exe (PID: 7968)
    • Reads Windows Product ID
      • armsvc.exe (PID: 7968)
      • 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (PID: 7740)
    • Checks proxy server information
      • slui.exe (PID: 5244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:02 08:52:42+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 208896
InitializedDataSize: 106496
UninitializedDataSize: -
EntryPoint: 0x1d5c9
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: TODO: <Company name>
FileDescription: TODO: <File description>
FileVersion: 1.0.0.1
InternalName: login.exe
LegalCopyright: TODO: (c) <Company name>. All rights reserved.
OriginalFileName: login.exe
ProductName: TODO: <Product name>
ProductVersion: 1.0.0.1
All screenshots are available in the full report
Total processes: 132
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Graph nodes in the order the report draws them; "no specs" marks a process with no specific indicators of its own. The sample node appears twice because PID 7596 relaunched itself as PID 7740 (see Process information).

  start
  └ 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe (no specs)
    └ 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
  armsvc.exe
  flashplayerupdateservice.exe (no specs)
  alg.exe (no specs)
  appvclient.exe (no specs)
  diagnosticshub.standardcollector.service.exe (no specs)
  slui.exe

Process information

Columns of the source table: PID, command line, image path, indicators (empty for every process in this run) and parent process, followed by the process properties and the first ten loaded modules.

PID 5244 (slui.exe)
  CMD:              C:\WINDOWS\System32\slui.exe -Embedding
  Path:             C:\Windows\System32\slui.exe
  Parent process:   svchost.exe
  User:             admin
  Company:          Microsoft Corporation
  Integrity level:  MEDIUM
  Description:      Windows Activation Client
  Exit code:        0
  Version:          10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 7596 (9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe)
  CMD:              "C:\Users\admin\Desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe"
  Path:             C:\Users\admin\Desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
  Parent process:   explorer.exe
  User:             admin
  Company:          TODO: <Company name>
  Integrity level:  MEDIUM
  Description:      TODO: <File description>
  Exit code:        0
  Version:          1.0.0.1
  Modules (images):
    c:\users\admin\desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 7740 (9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe)
  CMD:              "C:\Users\admin\Desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe" help
  Path:             C:\Users\admin\Desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
  Parent process:   9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
  User:             admin
  Company:          TODO: <Company name>
  Integrity level:  HIGH
  Description:      TODO: <File description>
  Exit code:        (not recorded)
  Version:          1.0.0.1
  Modules (images):
    c:\users\admin\desktop\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 7968 (armsvc.exe)
  CMD:              "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
  Path:             C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
  Parent process:   services.exe
  User:             SYSTEM
  Company:          Adobe Inc.
  Integrity level:  SYSTEM
  Description:      Acrobat Update Service
  Exit code:        (not recorded)
  Version:          1.824.460.1042
  Modules (images):
    c:\program files (x86)\common files\adobe\arm\1.0\armsvc.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\user32.dll
    c:\windows\syswow64\win32u.dll

PID 7996 (FlashPlayerUpdateService.exe)
  CMD:              C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
  Path:             C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
  Parent process:   services.exe
  User:             SYSTEM
  Company:          Adobe
  Integrity level:  SYSTEM
  Description:      Adobe® Flash® Player Update Service 32.0 r0
  Exit code:        0
  Version:          32,0,0,465
  Modules (images):
    c:\windows\syswow64\macromed\flash\flashplayerupdateservice.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\user32.dll
    c:\windows\syswow64\win32u.dll

PID 8032 (alg.exe)
  CMD:              C:\WINDOWS\System32\alg.exe
  Path:             C:\Windows\System32\alg.exe
  Parent process:   services.exe
  User:             SYSTEM
  Company:          Microsoft Corporation
  Integrity level:  SYSTEM
  Description:      Application Layer Gateway Service
  Exit code:        (not recorded)
  Version:          10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\alg.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\mswsock.dll
    c:\windows\system32\cryptbase.dll
    c:\windows\system32\ws2_32.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\sechost.dll

PID 8080 (AppVClient.exe)
  CMD:              C:\WINDOWS\system32\AppVClient.exe
  Path:             C:\Windows\System32\AppVClient.exe
  Parent process:   services.exe
  User:             SYSTEM
  Company:          Microsoft Corporation
  Integrity level:  SYSTEM
  Description:      Microsoft Application Virtualization Client Service
  Exit code:        0
  Version:          10.0.19041.3636 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\appvclient.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\msvcp_win.dll

PID 8128 (DiagnosticsHub.StandardCollector.Service.exe)
  CMD:              C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Path:             C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
  Parent process:   services.exe
  User:             SYSTEM
  Company:          Microsoft Corporation
  Integrity level:  SYSTEM
  Description:      Microsoft (R) Diagnostics Hub Standard Collector
  Exit code:        (not recorded)
  Version:          11.00.19041.3930 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\oleaut32.dll
    c:\windows\system32\sechost.dll

Reading the tree: PID 7740 is a HIGH-integrity relaunch of the MEDIUM-integrity PID 7596 with the extra argument "help", and it is the elevated copy, not the original, that carries the registry write, file drops and the malicious network connection listed below. The five service processes (7968, 7996, 8032, 8080, 8128) are all started by services.exe as SYSTEM; two of them (alg.exe and DiagnosticsHub.StandardCollector.Service.exe) run from paths that PID 7740 overwrote (see Dropped files).
Total events: 7 576
Read events: 7 570
Write events: 6
Delete events: 0

Modification events

PID 7740 (9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe)
  Key:       HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  Operation: write
  Name:      Startup
  Value:     C:\Users\admin\AppData\Local\kobprrfa

PID 7740 (9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe)
  Key:       HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  Operation: write
  Name:      Startup
  Value:     C:\Users\admin\AppData\Local\kobprrfa

These two writes repoint the per-user Startup shell folder from its default location to C:\Users\admin\AppData\Local\kobprrfa. Explorer launches whatever that folder contains at logon, so the executables the sample drops there (see Dropped files) become the autorun entry flagged under MALICIOUS without any change to the usual Run keys; a hunt for this technique has to compare the Startup value in both keys against the default path rather than look only at Run/RunOnce.

PID 7968 (armsvc.exe)
  Key:       HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
  Operation: write
  Name:      iLastSvcSuccess
  Value:     1109281

PID 7968 (armsvc.exe)
  Key:       HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
  Operation: write
  Name:      EnableSmartScreen
  Value:     0

PID 7968 (armsvc.exe)
  Key:       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
  Operation: write
  Name:      HideSCAHealth
  Value:     1

PID 7968 (armsvc.exe)
  Key:       HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\S-1-5-21-1693682860-607145093-2874071422-1001
  Operation: write
  Name:      EnableNotifications
  Value:     0

The first armsvc.exe write is under the service's own Adobe ARM key. The other three, made as SYSTEM, turn SmartScreen off by policy (EnableSmartScreen=0), hide the Security Center health icon (HideSCAHealth=1) and suppress Security Center notifications for the user SID S-1-5-21-1693682860-607145093-2874071422-1001 (EnableNotifications=0). A genuine Acrobat Update Service has no reason to write any of these values; the report also flags PID 7968 for dropping or overwriting executable content, so its behaviour here should be read together with the executable writes under Program Files by PID 7740.
Executable files: 122
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All ten entries shown (the report counts 122 executable files in total; the rest are only in the full report) were written by PID 7740, 9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe, and all are of type "executable".

  C:\Windows\SysWOW64\svchost.exe
    MD5:    E9EB5F5B82D0969EE9B2698444F4BE38
    SHA256: BCC53BA3E466DDCAF28DB01293D4D524073DB89D05D877CED5E809196B5659C1
  C:\Windows\System32\DiagSvcs\pbpefhnj.tmp
    MD5:    2DBBC621ADBC7EEDF611C0070E8BF762
    SHA256: 2C24302370ED7CB8EBD3FD3B67835968CC7B3147530A473D29F75A03D340AE92
  C:\Program Files (x86)\Microsoft\EdgeUpdate\ioddbpbf.tmp
    MD5:    8D448249ED33F7193970AF4FD5EFD430
    SHA256: C7A32FB592DCA29BD867C6344D213E466EE8FCF7D39DAEF1D8B37098CF85674B
  C:\Windows\SysWOW64\cgbdjhel.tmp
    MD5:    7F9244BAEBC7733983E142754DDE593D
    SHA256: 813D8CA0E5E9C5712BCFDF41A69CD0B7020F75AD01D40EC7B0410CA8D65D8D85
  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    MD5:    8D448249ED33F7193970AF4FD5EFD430
    SHA256: C7A32FB592DCA29BD867C6344D213E466EE8FCF7D39DAEF1D8B37098CF85674B
  C:\Windows\System32\alg.exe
    MD5:    83724A674C3FA75136D2BEC8C0E200CA
    SHA256: 0D84EBDC6214FAD018F331BE779B4AA7A3FBEB50EC2E7F90003B9994CE64088C
  C:\Windows\SysWOW64\dllhost.exe
    MD5:    7F9244BAEBC7733983E142754DDE593D
    SHA256: 813D8CA0E5E9C5712BCFDF41A69CD0B7020F75AD01D40EC7B0410CA8D65D8D85
  C:\Users\admin\AppData\Local\kobprrfa\cmd.exe
    MD5:    D3348AC2130C7E754754A6E9CB053B09
    SHA256: E9EF013238495BFFCE7459E059BFFE340A0F08B439EC94E7D4436F4E13714ECD
  C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    MD5:    2DBBC621ADBC7EEDF611C0070E8BF762
    SHA256: 2C24302370ED7CB8EBD3FD3B67835968CC7B3147530A473D29F75A03D340AE92
  C:\Users\admin\AppData\Local\kobprrfa\fcpgfajm.tmp
    MD5:    ADA6137D00D3225841559CC4A5F634F0
    SHA256: FD29124ADE431DA99C2AA01B42A4ECE46E6BDF0224D100A1AA59DCFC2181E86E

Three of the randomly named .tmp files carry exactly the hashes of a final binary dropped in the same directory (pbpefhnj.tmp and DiagnosticsHub.StandardCollector.Service.exe; ioddbpbf.tmp and MicrosoftEdgeUpdate.exe; cgbdjhel.tmp and dllhost.exe): the sample stages each replacement as a .tmp next to the target and then moves it onto the name of the legitimate system binary, which is the "creates files with name similar to system file names" indicator above. alg.exe (PID 8032) and DiagnosticsHub.StandardCollector.Service.exe (PID 8128) were subsequently started by services.exe from exactly these overwritten paths, and cmd.exe lands in the folder that the Startup shell-folder redirect now points at. Any host showing these paths should have the listed binaries hashed against clean Windows copies rather than trusted by name.
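The host behaviours catalogued in the registry and dropped-file sections above (Startup shell-folder redirect, SmartScreen and Security Center policy writes, executables staged into system directories, the self-relaunch at HIGH integrity, and a payload placed in the redirected Startup folder) can be expressed as a small detection routine. The following is an added example, not code from the ANY.RUN report: it runs over constructed Sysmon-style event dicts that mirror the events listed on this page (the explorer.exe parent PID 4321 and the trailing benign servicing event are invented), and the default-Startup-path suffix, the system-directory list and the key-normalisation rules are assumptions about what a clean host looks like, not facts the report states.

```python
"""Host-side detection for the behaviours listed in this report, run over
constructed Sysmon-style events (not telemetry exported from the sandbox)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule pid detail")

INTEGRITY_RANK = {"low": 0, "medium": 1, "high": 2, "system": 3}

# Directories a user-land process should never write executables into (assumption).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)

# A clean per-user Startup value ends with this path (assumption about a default host).
DEFAULT_STARTUP_SUFFIX = "\\microsoft\\windows\\start menu\\programs\\startup"

# (normalised key regex, value name, data) for the three policy writes seen in the report.
SECURITY_TAMPER = (
    (r"^software\\policies\\microsoft\\windows\\system$", "enablesmartscreen", "0"),
    (r"^software\\microsoft\\windows\\currentversion\\policies\\explorer$", "hidescahealth", "1"),
    (r"^software\\microsoft\\security center\\svc\\s-1-5-21-[\d-]+$", "enablenotifications", "0"),
)


def normalize_key(key):
    """Lower-case the key, drop the hive prefix and the WOW6432Node redirection node."""
    k = re.sub(r"^(hkey_local_machine|hkey_current_user|hklm|hkcu)\\", "", key.lower())
    return k.replace("wow6432node\\", "")


def detect(events):
    """Return one Finding per matched rule, in event order."""
    findings = []
    integrity = {}      # pid -> integrity rank, learned from process-create events
    redirect_dirs = []  # directories a Startup redirect has pointed at (lower-case, trailing \)
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "proc_create":
            rank = INTEGRITY_RANK[ev["integrity"].lower()]
            integrity[ev["pid"]] = rank
            parent_rank = integrity.get(ev["parent_pid"])
            # "Application launched itself" and the child runs at a higher integrity level
            if image == ev["parent_image"].lower() and parent_rank is not None and rank > parent_rank:
                findings.append(Finding("self_relaunch_elevated", ev["pid"],
                                        "%s child of the same image" % ev["integrity"]))
        elif ev["type"] == "reg_set":
            key, name, data = normalize_key(ev["key"]), ev["name"].lower(), str(ev["value"]).lower()
            if key.endswith(("explorer\\user shell folders", "explorer\\shell folders")) and name == "startup":
                if not data.endswith(DEFAULT_STARTUP_SUFFIX):
                    redirect_dirs.append(data.rstrip("\\") + "\\")
                    findings.append(Finding("startup_folder_redirect", ev["pid"], ev["value"]))
            for pattern, pname, pdata in SECURITY_TAMPER:
                if name == pname and data == pdata and re.match(pattern, key):
                    findings.append(Finding("security_policy_tamper", ev["pid"],
                                            "%s=%s" % (ev["name"], ev["value"])))
        elif ev["type"] == "file_create":
            target = ev["target"].lower()
            # executable (or staged .tmp) written into a system directory by a process living outside them
            if (target.endswith((".exe", ".tmp")) and target.startswith(SYSTEM_DIRS)
                    and not image.startswith(SYSTEM_DIRS)):
                findings.append(Finding("system_dir_executable_drop", ev["pid"], ev["target"]))
            # anything landing in a folder that a Startup redirect now points at runs at logon
            if any(target.startswith(d) for d in redirect_dirs):
                findings.append(Finding("payload_in_redirected_startup", ev["pid"], ev["target"]))
    return findings


# Constructed events mirroring this report; PID 4321 and the last (benign) event are invented.
SAMPLE = "C:\\Users\\admin\\Desktop\\9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe"
ARMSVC = "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\armsvc.exe"
EVENTS = [
    {"type": "proc_create", "pid": 7596, "image": SAMPLE, "parent_pid": 4321, "parent_image": "C:\\Windows\\explorer.exe", "integrity": "Medium"},
    {"type": "proc_create", "pid": 7740, "image": SAMPLE, "parent_pid": 7596, "parent_image": SAMPLE, "integrity": "High"},
    {"type": "reg_set", "pid": 7740, "image": SAMPLE, "key": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "name": "Startup", "value": "C:\\Users\\admin\\AppData\\Local\\kobprrfa"},
    {"type": "file_create", "pid": 7740, "image": SAMPLE, "target": "C:\\Windows\\SysWOW64\\svchost.exe"},
    {"type": "file_create", "pid": 7740, "image": SAMPLE, "target": "C:\\Windows\\System32\\DiagSvcs\\pbpefhnj.tmp"},
    {"type": "file_create", "pid": 7740, "image": SAMPLE, "target": "C:\\Users\\admin\\AppData\\Local\\kobprrfa\\cmd.exe"},
    {"type": "reg_set", "pid": 7968, "image": ARMSVC, "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Adobe\\Adobe ARM\\1.0\\ARM", "name": "iLastSvcSuccess", "value": "1109281"},
    {"type": "reg_set", "pid": 7968, "image": ARMSVC, "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System", "name": "EnableSmartScreen", "value": "0"},
    {"type": "reg_set", "pid": 7968, "image": ARMSVC, "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "name": "HideSCAHealth", "value": "1"},
    {"type": "reg_set", "pid": 7968, "image": ARMSVC, "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Security Center\\Svc\\S-1-5-21-1693682860-607145093-2874071422-1001", "name": "EnableNotifications", "value": "0"},
    # benign (invented): a process that itself lives under System32 replacing a system binary is not flagged
    {"type": "file_create", "pid": 1200, "image": "C:\\Windows\\System32\\svchost.exe", "target": "C:\\Windows\\System32\\alg.exe"},
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print("%-30s pid=%-5d %s" % (f.rule, f.pid, f.detail))
```

Run stand-alone it prints eight findings: the elevated self-relaunch of PID 7740, the Startup redirect, two system-directory drops, the cmd.exe payload in the redirected folder, and the three policy writes by PID 7968; the Adobe ARM bookkeeping value and the servicing write are left alone. The payload rule only fires for events after the redirect, so on real telemetry the redirect and the file writes must be fed in timestamp order.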
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 28
TCP/UDP connections: 57
DNS requests: 5
Threats: 0

HTTP requests

Ten of the 28 requests are shown. The Type and Size columns are empty for every row in the source and are omitted; "-" marks a cell the source leaves blank. PID and process are blank for the v.xyzgamev.com rows, but the Connections table below attributes that traffic to PID 7740.

PID   Process      Method  Code  IP                  URL                                                                      CN       Reputation
-     -            GET     200   34.136.111.81:443   https://v.xyzgamev.com/3004.html                                         unknown  -
-     -            GET     200   34.136.111.81:443   https://v.xyzgamev.com/3004.html                                         unknown  -
-     -            GET     200   34.136.111.81:443   https://v.xyzgamev.com/3004.html                                         unknown  -
-     -            GET     200   34.136.111.81:443   https://v.xyzgamev.com/3004.html                                         unknown  -
-     -            GET     200   34.132.102.6:443    https://v.xyzgamev.com/3004.html                                         unknown  -
2104  svchost.exe  GET     200   2.16.164.120:80     http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
-     -            GET     200   34.136.111.81:443   https://v.xyzgamev.com/3004.html                                         unknown  -
-     -            GET     -     34.136.111.81:443   https://v.xyzgamev.com/3004.html                                         unknown  -
-     -            GET     200   34.132.102.6:443    https://v.xyzgamev.com/3004.html                                         unknown  -
-     -            GET     200   34.132.102.6:443    https://v.xyzgamev.com/3004.html                                         unknown  -

Connections

"-" marks a cell the source leaves blank.

PID   Process                                                               IP:port               Domain                           ASN                          CN  Reputation
-     -                                                                     20.73.194.208:443     -                                MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
4     System                                                                192.168.100.255:137   -                                -                            -   whitelisted
2104  svchost.exe                                                           20.73.194.208:443     -                                MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
4     System                                                                192.168.100.255:138   -                                -                            -   whitelisted
7740  9d6bb7288ed3182742cfb41df745f336ae861a208ccc4c70149dfa86d66ddbf2.exe  34.136.111.81:443     v.xyzgamev.com                   GOOGLE-CLOUD-PLATFORM        US  malicious
2104  svchost.exe                                                           2.16.164.120:80       crl.microsoft.com                Akamai International B.V.    NL  whitelisted
2104  svchost.exe                                                           51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
7288  slui.exe                                                              40.91.76.224:443      activation-v2.sls.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted
5244  slui.exe                                                              40.91.76.224:443      activation-v2.sls.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  US  whitelisted

DNS requests

Domain                           IP(s)                         Reputation
google.com                       142.250.185.78                whitelisted
v.xyzgamev.com                   34.136.111.81, 34.132.102.6   malicious
crl.microsoft.com                2.16.164.120, 2.16.164.49     whitelisted
settings-win.data.microsoft.com  51.104.136.2                  whitelisted
activation-v2.sls.microsoft.com  40.91.76.224                  whitelisted

Threats

No threats detected
No debug info