File name:

bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe

Full analysis: https://app.any.run/tasks/00b467ed-8d10-45c5-af90-03cfcd6b49c2
Verdict: Malicious activity
Analysis date: September 03, 2025, 16:49:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
blihan
mpress
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 2 sections
MD5:

81959A3B6E04BC68667AE6FF29F5A232

SHA1:

36FC1818004A94BE6A1921AE240FC6C400B0A8E5

SHA256:

BDCC70D9EC34BC056F19D51F24EDD6A811498DEF49E01B129E4174434A4886B0

SSDEEP:

3072:NNrFXFQVqR3CP80qH6vghzwYu7vih9GueIh9j2IoHAcBHUIF2kvEHrH1hyhuhrhX:Nv2ViCP80qn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • BLIHAN mutex has been found

      • bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe (PID: 2296)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe (PID: 2296)

  • INFO

    • Reads the computer name

      • bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe (PID: 2296)

    • Mpress packer has been detected

      • bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe (PID: 2296)

    • Checks supported languages

      • bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe (PID: 2296)

    • Failed to create an executable file in Windows directory

      • bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe (PID: 2296)

    • Checks proxy server information

      • bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe (PID: 2296)
      • slui.exe (PID: 7044)

    • Reads the software policy settings

      • slui.exe (PID: 7044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:01:19 04:28:47+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 14336
InitializedDataSize: 14336
UninitializedDataSize: -
EntryPoint: 0xd14e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #BLIHAN bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2296"C:\Users\admin\Desktop\bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe" C:\Users\admin\Desktop\bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7044C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 794
Read events
3 794
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
49
TCP/UDP connections
64
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
6584
RUXIMICS.exe
GET
200
2.16.164.9:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
1268
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
6584
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
814 b
whitelisted
POST
200
40.126.31.3:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
unknown
POST
400
20.190.159.131:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
40.126.31.3:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
40.126.31.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
20.190.159.128:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
POST
400
20.190.159.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6584
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5944
MoUsoCoreWorker.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
6584
RUXIMICS.exe
2.16.164.9:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
  • 20.73.194.208
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 2.16.164.9
  • 2.16.164.24
  • 2.16.164.89
  • 2.16.164.32
  • 2.16.164.25
  • 2.16.164.107
  • 2.16.164.98
  • 2.16.164.27
  • 2.16.164.120
  • 2.16.164.122
  • 2.16.164.83
  • 2.16.164.17
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.140
  • 20.190.160.132
  • 20.190.160.130
  • 20.190.160.20
  • 20.190.160.14
  • 20.190.160.22
  • 20.190.160.67
whitelisted
slscr.update.microsoft.com
  • 74.178.240.61
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
self.events.data.microsoft.com
  • 52.182.143.210
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bdcc70d9ec34bc056f19d51f24edd6a811498def49e01b129e4174434a4886b0.exe