File name:

malicious_payload.exe

Full analysis: https://app.any.run/tasks/efe6321e-82aa-4e80-94da-cdea61ffb85f
Verdict: Malicious activity
Analysis date: June 21, 2025, 09:26:37
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 3 sections
MD5:

63C849417FE6FC08EE20B6577F74EFB4

SHA1:

645A6E51DDD823130FFC85CF61875F2985DDEEF8

SHA256:

B3185E4BFA5CE27BE43D920D5DBEAB4ECB226D01EF7174E6631743C9645BBEC0

SSDEEP:

768:SJ7kzgPt7NMrPh9HVc4PEhPNLAAYz6Aj+0VjvmG6VWrNamyOM0jL:jEj+Jk48hFcUYm9WB1jL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts NET.EXE to view/add/change user profiles

      • malicious_payload.exe (PID: 516)
      • net.exe (PID: 7048)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • malicious_payload.exe (PID: 516)

    • Starts a Microsoft application from unusual location

      • malicious_payload.exe (PID: 516)

    • Starts itself from another location

      • malicious_payload.exe (PID: 516)

    • Executable content was dropped or overwritten

      • malicious_payload.exe (PID: 516)

    • The process creates files with name similar to system file names

      • malicious_payload.exe (PID: 516)

    • Reads security settings of Internet Explorer

      • malicious_payload.exe (PID: 516)

    • Reads the date of Windows installation

      • malicious_payload.exe (PID: 516)

    • Creates file in the systems drive root

      • malicious_payload.exe (PID: 516)

  • INFO

    • The sample compiled with english language support

      • malicious_payload.exe (PID: 516)

    • Create files in a temporary directory

      • malicious_payload.exe (PID: 516)

    • Reads the computer name

      • malicious_payload.exe (PID: 516)
      • svchost.exe (PID: 1568)

    • Checks supported languages

      • svchost.exe (PID: 1568)
      • malicious_payload.exe (PID: 516)

    • Process checks computer location settings

      • malicious_payload.exe (PID: 516)

    • Reads the time zone

      • net1.exe (PID: 7052)

    • UPX packer has been detected

      • malicious_payload.exe (PID: 516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (87)
.exe | Generic Win/DOS Executable (6.4)
.exe | DOS Executable Generic (6.4)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2019:05:03 18:31:34+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 40960
InitializedDataSize: 8192
UninitializedDataSize: 139264
EntryPoint: 0x2bc70
OSVersion: 5.2
ImageVersion: 5.2
SubsystemVersion: 5.2
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.0
ProductVersionNumber: 4.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: Microsoft Corporation
FileDescription: Microsoft Windows Spooler
FileVersion: 4.0.0.0
InternalName: Server
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: Server.exe
ProductVersion: 4.0.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
146
Monitored processes
8
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start malicious_payload.exe svchost.exe no specs net.exe no specs conhost.exe no specs net1.exe no specs ucpdmgr.exe no specs conhost.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
516"C:\Users\admin\AppData\Local\Temp\malicious_payload.exe" C:\Users\admin\AppData\Local\Temp\malicious_payload.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Spooler
Version:
4.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\malicious_payload.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1568C:\Users\admin\AppData\Local\Temp\svchost.exe C:\Users\admin\AppData\Local\Temp\svchost.exemalicious_payload.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2460\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2760"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4512\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5904C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7048"C:\Windows\System32\net.exe" user admin ArashjeyjeyC:\Windows\System32\net.exemalicious_payload.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
7052C:\WINDOWS\system32\net1 user admin ArashjeyjeyC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\samcli.dll
c:\windows\system32\ucrtbase.dll
Total events
819
Read events
819
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
516malicious_payload.exeC:\RECYCLE.BIN\rundll32.exeexecutable
MD5:63C849417FE6FC08EE20B6577F74EFB4
SHA256:B3185E4BFA5CE27BE43D920D5DBEAB4ECB226D01EF7174E6631743C9645BBEC0
516malicious_payload.exeC:\Users\admin\AppData\Local\Temp\svchost.exeexecutable
MD5:63C849417FE6FC08EE20B6577F74EFB4
SHA256:B3185E4BFA5CE27BE43D920D5DBEAB4ECB226D01EF7174E6631743C9645BBEC0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
31
DNS requests
16
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1200
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4804
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4804
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5612
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5612
svchost.exe
GET
200
184.24.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6012
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5612
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5612
svchost.exe
184.24.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5612
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
2336
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1200
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 184.24.77.19
  • 184.24.77.34
  • 184.24.77.22
  • 184.24.77.15
  • 184.24.77.23
  • 184.24.77.24
  • 184.24.77.29
  • 184.24.77.17
  • 184.24.77.30
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.64
  • 40.126.32.68
  • 20.190.160.3
  • 40.126.32.138
  • 40.126.32.76
  • 20.190.160.130
  • 20.190.160.66
  • 20.190.160.2
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
go.microsoft.com
  • 95.100.186.9
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.30
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
malicious_payload.exe