File name:

ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806

Full analysis: https://app.any.run/tasks/0f216090-b61f-4ee2-82a2-9e99ebf09f77
Verdict: Malicious activity
Analysis date: April 26, 2025, 15:45:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
MD5:

21CFF366379E13F284E667A54079B7F2

SHA1:

D6AB9777D494989D1A594844D81E714667A05D91

SHA256:

BA5A8E0F74E7F45FF3CB3CBB426C43B8F94D5B6F8032E7366939710C626E8806

SSDEEP:

6144:x/KxEYIC3g3JZh0QOsryUcUqrnxMs8z9MEdg5xAcTciQJ:JYfIZPOsWUcRrxF+MEdg5nT9A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe (PID: 7348)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe (PID: 7348)

    • Process drops legitimate windows executable

      • ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe (PID: 7348)

  • INFO

    • Failed to create an executable file in Windows directory

      • ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe (PID: 7348)

    • Create files in a temporary directory

      • ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe (PID: 7348)

    • Reads the computer name

      • ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe (PID: 7348)

    • Checks supported languages

      • ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe (PID: 7348)

    • The sample compiled with english language support

      • ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe (PID: 7348)

    • Checks proxy server information

      • slui.exe (PID: 7844)

    • Reads the software policy settings

      • slui.exe (PID: 7844)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:03:31 12:37:14+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.28
CodeSize: 140288
InitializedDataSize: 76800
UninitializedDataSize: -
EntryPoint: 0x67d7
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows command line
FileVersionNumber: 7.2.1.38
ProductVersionNumber: 7.2.1.38
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Adobe Inc.
FileDescription: Adobe IPC Broker Custom Hook
FileVersion: 7.2.1.38
LegalCopyright: Copyright 2023, Adobe Inc. All rights reserved.
OriginalFileName: AdobeIPCBrokerCustomHook.exe
ProductName: Adobe IPC Broker Custom Hook
ProductVersion: 7.2.1.38
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe conhost.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7348"C:\Users\admin\Desktop\ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe" C:\Users\admin\Desktop\ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe
explorer.exe
User:
admin
Company:
Adobe Inc.
Integrity Level:
MEDIUM
Description:
Adobe IPC Broker Custom Hook
Exit code:
1
Version:
7.2.1.38
Modules
Images
c:\users\admin\desktop\ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
7356\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7844C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 401
Read events
3 401
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7348ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exeC:\Users\admin\AppData\Local\Temp\AdobeIPCBrokerCustomHook.logtext
MD5:27857E4EB6E149C1F71BFCC410F5111D
SHA256:295C7BB5C6A3324286BDA201AC53CC960E80375B1DFF7AEC638D0CA454CF01F6
7348ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806.exeC:\Users\admin\AppData\Local\Temp\conres.dllexecutable
MD5:7574CF2C64F35161AB1292E2F532AABF
SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
39
DNS requests
23
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
7620
SIHClient.exe
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7620
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7620
SIHClient.exe
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7620
SIHClient.exe
GET
200
23.216.77.21:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7620
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7620
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7620
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7620
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7620
SIHClient.exe
172.202.163.200:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
GB
whitelisted
7620
SIHClient.exe
23.216.77.21:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
7620
SIHClient.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7620
SIHClient.exe
13.85.23.206:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7192
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.250
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
crl.microsoft.com
  • 23.216.77.21
  • 23.216.77.29
  • 23.216.77.23
  • 23.216.77.32
  • 23.216.77.30
  • 23.216.77.25
  • 23.216.77.19
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.64
  • 40.126.32.136
  • 20.190.160.4
  • 40.126.32.140
  • 40.126.32.134
  • 20.190.160.132
  • 40.126.32.76
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ba5a8e0f74e7f45ff3cb3cbb426c43b8f94d5b6f8032e7366939710c626e8806