File name:

1d4b680bc9432f5471cde1e9019dc094.exe

Full analysis: https://app.any.run/tasks/941d8932-2d5d-41cc-9f19-fb53ba215d12
Verdict: Malicious activity
Analysis date: May 16, 2025, 12:28:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

1D4B680BC9432F5471CDE1E9019DC094

SHA1:

5F91F8800225693875E7821D6D4FFC3143FDB4E7

SHA256:

F62EE44DD33623124CC053A66EE83D2718BA2C45EF85F24C787D88BAB54B420A

SSDEEP:

196608:3NZm//EZfkK+Lmkh1MRlHjLz2sfjcIP2NBey:3NZmUxMCkhChz2soIP2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Potential Corporate Privacy Violation

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Checks for external IP

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Uses powercfg.exe to modify the power settings

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Reads security settings of Internet Explorer

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Creates file in the systems drive root

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Connects to unusual port

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

  • INFO

    • The sample compiled with chinese language support

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Checks supported languages

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Checks proxy server information

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)
      • slui.exe (PID: 5756)

    • Reads the computer name

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Create files in a temporary directory

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Reads the machine GUID from the registry

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)

    • Reads the software policy settings

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)
      • slui.exe (PID: 5756)

    • Creates files or folders in the user directory

      • 1d4b680bc9432f5471cde1e9019dc094.exe (PID: 7592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:21 17:44:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 2498560
InitializedDataSize: 12185600
UninitializedDataSize: -
EntryPoint: 0x185459f
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.0
FileDescription: Orion
ProductName: Orion
ProductVersion: 1.0.0.0
LegalCopyright: 作者版权所有 请尊重并使用正版
Comments: 本程序使用易语言编写(http://www.eyuyan.com)
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 1d4b680bc9432f5471cde1e9019dc094.exe powercfg.exe no specs conhost.exe no specs slui.exe 1d4b680bc9432f5471cde1e9019dc094.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5756C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7452"C:\Users\admin\AppData\Local\Temp\1d4b680bc9432f5471cde1e9019dc094.exe" C:\Users\admin\AppData\Local\Temp\1d4b680bc9432f5471cde1e9019dc094.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Orion
Exit code:
3221226540
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\1d4b680bc9432f5471cde1e9019dc094.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
7592"C:\Users\admin\AppData\Local\Temp\1d4b680bc9432f5471cde1e9019dc094.exe" C:\Users\admin\AppData\Local\Temp\1d4b680bc9432f5471cde1e9019dc094.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Orion
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\1d4b680bc9432f5471cde1e9019dc094.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
7916Powercfg -s 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635cC:\Windows\SysWOW64\powercfg.exe1d4b680bc9432f5471cde1e9019dc094.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Power Settings Command-Line Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\powercfg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7928\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowercfg.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
3 947
Read events
3 942
Write events
5
Delete events
0

Modification events

(PID) Process:(7592) 1d4b680bc9432f5471cde1e9019dc094.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7592) 1d4b680bc9432f5471cde1e9019dc094.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7592) 1d4b680bc9432f5471cde1e9019dc094.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7592) 1d4b680bc9432f5471cde1e9019dc094.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings
Operation:writeName:JITDebug
Value:
0
(PID) Process:(7592) 1d4b680bc9432f5471cde1e9019dc094.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\1d4b680bc9432f5471cde1e9019dc094.exe
Operation:writeName:JScriptSetScriptStateStarted
Value:
C20E110000000000
Executable files
1
Suspicious files
2
Text files
9
Unknown types
0

Dropped files

PID
Process
Filename
Type
75921d4b680bc9432f5471cde1e9019dc094.exeC:\Users\admin\AppData\Local\Temp\E2EECore.2.7.2.dllexecutable
MD5:8B6C94BBDBFB213E94A5DCB4FAC28CE3
SHA256:982A177924762F270B36FE34C7D6847392B48AE53151DC2011078DCEEF487A53
75921d4b680bc9432f5471cde1e9019dc094.exeC:\Task.initext
MD5:FE9415FE16067CF53F247C0A100700A2
SHA256:EE4D43BFA1B81E1E16CC9C1478ACBFEF63AE6326C45DB6C4BB7A7588D9C04D31
75921d4b680bc9432f5471cde1e9019dc094.exeC:\¼Û¸ñ±í.txttext
MD5:DF90C7077910BB5170F2D605AFA6281A
SHA256:C78BA7ED7BD54511BCF94E1F8DA52EB48D1371F74AA41D4829B87E73F66822A5
75921d4b680bc9432f5471cde1e9019dc094.exeC:\Long.initext
MD5:FE9415FE16067CF53F247C0A100700A2
SHA256:EE4D43BFA1B81E1E16CC9C1478ACBFEF63AE6326C45DB6C4BB7A7588D9C04D31
75921d4b680bc9432f5471cde1e9019dc094.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\api[1].htmbinary
MD5:EC72A7D41272ED9E61B5B361DC97A58A
SHA256:49864262C653332A08802957F998CEE7D7C03D414BF67CE71C90211C531932EE
75921d4b680bc9432f5471cde1e9019dc094.exeC:\Version.initext
MD5:FE9415FE16067CF53F247C0A100700A2
SHA256:EE4D43BFA1B81E1E16CC9C1478ACBFEF63AE6326C45DB6C4BB7A7588D9C04D31
75921d4b680bc9432f5471cde1e9019dc094.exeC:\Myitask.initext
MD5:FE9415FE16067CF53F247C0A100700A2
SHA256:EE4D43BFA1B81E1E16CC9C1478ACBFEF63AE6326C45DB6C4BB7A7588D9C04D31
75921d4b680bc9432f5471cde1e9019dc094.exeC:\Set Skill.initext
MD5:B88DEFA605A29FD497DABCC17C3AE9D2
SHA256:A1CA73780491E635DA2F07B4331ECC42C1464BA6CADB7E3DF8708BC54B2B4995
75921d4b680bc9432f5471cde1e9019dc094.exeC:\Myitems.initext
MD5:FE9415FE16067CF53F247C0A100700A2
SHA256:EE4D43BFA1B81E1E16CC9C1478ACBFEF63AE6326C45DB6C4BB7A7588D9C04D31
75921d4b680bc9432f5471cde1e9019dc094.exeC:\Mylong.initext
MD5:8EFE8DCDB6934DAB70BC11BD525FAE68
SHA256:0EA28B450F5E2AE8A3979CDC28901FB7DC257F1B9639199A52EAFA9489420330
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
25
DNS requests
18
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7592
1d4b680bc9432f5471cde1e9019dc094.exe
GET
301
42.120.158.5:80
http://www.net.cn/static/customercare/yourIP.asp
unknown
unknown
5496
MoUsoCoreWorker.exe
GET
200
2.16.168.124:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7584
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7592
1d4b680bc9432f5471cde1e9019dc094.exe
GET
200
42.120.158.5:80
http://www.net.cn/static/customercare/yourip.asp
unknown
unknown
7584
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
2.16.168.124:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5496
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6544
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4996
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.168.124
  • 2.16.168.114
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
google.com
  • 216.58.206.46
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.130
  • 20.190.160.128
  • 40.126.32.133
  • 40.126.32.134
  • 20.190.160.131
  • 20.190.160.20
  • 40.126.32.138
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
www.net.cn
  • 42.120.158.5
unknown
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
7592
1d4b680bc9432f5471cde1e9019dc094.exe
Potential Corporate Privacy Violation
ET INFO Unsupported/Fake Windows NT Version 5.0
7592
1d4b680bc9432f5471cde1e9019dc094.exe
Potential Corporate Privacy Violation
ET INFO Unsupported/Fake Windows NT Version 5.0
7592
1d4b680bc9432f5471cde1e9019dc094.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup (www .net .cn)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
1d4b680bc9432f5471cde1e9019dc094.exe