File name:

ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74

Full analysis: https://app.any.run/tasks/f166bfbe-2c7d-46e4-b4b0-f98e4c8df2c9
Verdict: Malicious activity
Analysis date: June 21, 2025, 17:31:33
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

FB86C565875519EB4C914852EE2343E7

SHA1:

7C7912386C0A44EF73E1EBD2469B6BF92E29267F

SHA256:

ED21424ABF2B79A486EA74E399F3CF9DBCBD35979E1D6DAD742E78AB7A74AA74

SSDEEP:

49152:65fb5ADmd+/ykdxyzF43hdvwCQYEOFZdOFL3BA0R650U61WCZt:6Rzg7gmsCQYEqZdOt+0zPDZt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Application launched itself

      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 3976)

    • Reads security settings of Internet Explorer

      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 3976)
      • db01fa58 (PID: 6828)
      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)

    • Executable content was dropped or overwritten

      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)

    • Executes as Windows Service

      • db01fa58 (PID: 6828)

    • Connects to the server without a host name

      • db01fa58 (PID: 6828)
      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)

  • INFO

    • The sample compiled with chinese language support

      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 3976)
      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)

    • Checks supported languages

      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 3976)
      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)
      • db01fa58 (PID: 6828)

    • Reads the computer name

      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 3976)
      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)

    • Process checks computer location settings

      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 3976)

    • Reads the software policy settings

      • db01fa58 (PID: 6828)
      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)
      • slui.exe (PID: 5172)

    • Reads the machine GUID from the registry

      • db01fa58 (PID: 6828)
      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)

    • UPX packer has been detected

      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)
      • db01fa58 (PID: 6828)

    • Checks proxy server information

      • ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe (PID: 7140)
      • slui.exe (PID: 5172)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:16 03:34:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 143360
InitializedDataSize: 139264
UninitializedDataSize: 274432
EntryPoint: 0x65ed0
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 23.9.20.1611
ProductVersionNumber: 23.9.20.1611
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 23, 9, 20, 1611
ProductVersion: 23, 9, 20, 1611
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
138
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe no specs ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe db01fa58 slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
3976"C:\Users\admin\Desktop\ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe" C:\Users\admin\Desktop\ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
23, 9, 20, 1611
Modules
Images
c:\users\admin\desktop\ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
5172C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
6828C:\Windows\Syswow64\db01fa58C:\Windows\SysWOW64\db01fa58
services.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Version:
23, 9, 20, 1611
Modules
Images
c:\windows\syswow64\iertutil.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\shcore.dll
c:\windows\syswow64\sspicli.dll
c:\windows\syswow64\windows.storage.dll
c:\windows\syswow64\wldp.dll
c:\windows\syswow64\oleaut32.dll
c:\windows\syswow64\profapi.dll
c:\windows\syswow64\ondemandconnroutehelper.dll
c:\windows\syswow64\winhttp.dll
7140"C:\Users\admin\Desktop\ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe" C:\Users\admin\Desktop\ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe
ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe
User:
admin
Integrity Level:
HIGH
Version:
23, 9, 20, 1611
Modules
Images
c:\users\admin\desktop\ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
11 394
Read events
11 391
Write events
3
Delete events
0

Modification events

(PID) Process:(7140) ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7140) ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7140) ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7140ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exeC:\Windows\SysWOW64\db01fa58executable
MD5:AFD41E122B1F2FBB3C6B13C43203AC3B
SHA256:80D2B340B25EB1A40FCD066F283848EF395F55D1CAC72B21A6BFE16DB6B16763
6828db01fa58C:\Windows\74e5d8text
MD5:7C2701242CA905C14BB6A7C14AF06695
SHA256:F2009B0BD5BF9CF06BBDCA14EC971D9BA1A6753A36001F54D053FBC8DBA301E5
7140ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74.exeC:\Windows\7a3d48text
MD5:DBE808D7996115DB103C6AB2D949C123
SHA256:CF472D3A76A82D9423465207CF9ADEB811CC1D926E61A2F4FE31EF15CD964EA8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
188
TCP/UDP connections
258
DNS requests
55
Threats
57

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
40.126.31.130:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
POST
200
40.126.32.133:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
16.7 Kb
whitelisted
6828
db01fa58
GET
200
223.5.5.5:80
http://dns.alidns.com/resolve?name=down.nugong.asia&type=1
unknown
whitelisted
6828
db01fa58
GET
200
223.5.5.5:80
http://223.5.5.5/resolve?name=down.nugong.asia&type=1
unknown
unknown
POST
200
20.190.159.129:443
https://login.live.com/RST2.srf
unknown
xml
11.1 Kb
whitelisted
GET
200
223.5.5.5:443
https://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16
unknown
binary
255 b
whitelisted
POST
200
20.190.159.129:443
https://login.live.com/RST2.srf
unknown
xml
10.2 Kb
whitelisted
POST
200
20.190.160.131:443
https://login.live.com/RST2.srf
unknown
xml
11.0 Kb
whitelisted
6828
db01fa58
GET
200
223.5.5.5:80
http://dns.alidns.com/resolve?name=spi1.tyui54345.xyz&type=16
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1644
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6024
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
down.nugong.asia
unknown
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
  • 2.19.11.105
  • 2.19.11.120
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 95.101.149.131
whitelisted
login.live.com
  • 20.190.159.73
  • 40.126.31.2
  • 40.126.31.3
  • 20.190.159.129
  • 20.190.159.130
  • 40.126.31.0
  • 40.126.31.1
  • 20.190.159.23
whitelisted
dns.alidns.com
  • 223.5.5.5
  • 223.6.6.6
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.249
whitelisted
down.xy58.top
unknown

Threats

PID
Process
Class
Message
6828
db01fa58
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
6828
db01fa58
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
6828
db01fa58
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
6828
db01fa58
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
6828
db01fa58
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
6828
db01fa58
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
6828
db01fa58
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
6828
db01fa58
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
6828
db01fa58
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
6828
db01fa58
Misc activity
ET INFO Observed DNS Over HTTPS Domain (dns .alidns .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ed21424abf2b79a486ea74e399f3cf9dbcbd35979e1d6dad742e78ab7a74aa74