File name: fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe

Full analysis: https://app.any.run/tasks/e4c0e067-70b0-4195-a351-6b4c59bd57de
Verdict: Malicious activity
Analysis date: March 24, 2025, 10:04:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: ludbaruma, blocker, dropper
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 60A03FF206E5D37E22D5AF896DA38CC5
SHA1: 7EB2C9575AEE26A47C626DAA6C69342C7BD57B11
SHA256: FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
SSDEEP: 3072:QBlOEJsWGRz/U+b3cVVVVVV22KBlOEJsWGRz/U+b3cVVVVVV22m:QBlOEJfEz/j7cVVVVVV2pBlOEJfEz/jV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUDBARUMA has been detected

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
    • The process uses screensaver hijack for persistence

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
    • Changes the autorun value in the registry

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
    • The process creates files with name similar to system file names

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
    • Creates a file in the system drive root

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
  • INFO

    • Checks supported languages

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
    • The sample was compiled with English language support

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
    • Creates files in a temporary directory

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
    • Creates files or folders in the user directory

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
    • Failed to create an executable file in Windows directory

      • fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (PID: 300)
    • Reads the software policy settings

      • slui.exe (PID: 3332)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:11:27 09:24:01+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 32768
InitializedDataSize: 12288
UninitializedDataSize: 143360
EntryPoint: 0x2b1c0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.20
ProductVersionNumber: 0.0.0.20
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Oncom
ProductName: xk
FileVersion: 0.00.0020
ProductVersion: 0.00.0020
InternalName: DATA
OriginalFileName: DATA.exe
Total processes: 131
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe (#LUDBARUMA), slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
300 | "C:\Users\admin\Desktop\fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe" | C:\Users\admin\Desktop\fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | - | explorer.exe
    User: admin
    Company: Oncom
    Integrity Level: MEDIUM
    Exit code: 0
    Version: 0.00.0020
    Modules (images):
    c:\users\admin\desktop\fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvbvm60.dll
3332 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Windows Activation Client
    Exit code: 0
    Version: 10.0.19041.1 (WinBuild.160101.0800)
    Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll
Total events: 3 421
Read events: 3 411
Write events: 10
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_CURRENT_USER\Control Panel\Desktop | write | SCRNSAVE.EXE | C:\WINDOWS\system32\Mig~mig.SCR
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_CURRENT_USER\Control Panel\Desktop | write | ScreenSaverIsSecure | 0
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_CURRENT_USER\Control Panel\Desktop | write | ScreenSaveTimeOut | 600
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | xk | C:\WINDOWS\xk.exe
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | MSMSGS | C:\Users\admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | Serviceadmin | C:\Users\admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | Logonadmin | C:\Users\admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | write | System Monitoring | C:\Users\admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | write | NoFolderOptions | 1
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | write | DisableRegistryTools | 1
Executable files: 11
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\csrss.exe | executable | 60A03FF206E5D37E22D5AF896DA38CC5 | FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\lsass.exe | executable | 60A03FF206E5D37E22D5AF896DA38CC5 | FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\WINDOWS\CSRSS.EXE | executable | 60A03FF206E5D37E22D5AF896DA38CC5 | FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\services.exe | executable | 60A03FF206E5D37E22D5AF896DA38CC5 | FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\WINDOWS\WINLOGON.EXE | executable | 60A03FF206E5D37E22D5AF896DA38CC5 | FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\Temp\~DF418C1EC0F391E7A3.TMP | binary | 2F5F26482A924E6A0078F81255014C8E | 23D312B7153D3CE00C11EF0FA4DBB16B00F6B9122160EC56D2ADB46BE19952A4
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\WINDOWS\LSASS.EXE | executable | 60A03FF206E5D37E22D5AF896DA38CC5 | FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\winlogon.exe | executable | 60A03FF206E5D37E22D5AF896DA38CC5 | FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\WINDOWS\SMSS.EXE | executable | 60A03FF206E5D37E22D5AF896DA38CC5 | FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
300 | fb89102151bc00ee142e70e74eb3557007d681147125b36b71bba2fe2f179637.exe | C:\Users\admin\AppData\Local\smss.exe | executable | 60A03FF206E5D37E22D5AF896DA38CC5 | FB89102151BC00EE142E70E74EB3557007D681147125B36B71BBA2FE2F179637
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 38
TCP/UDP connections: 55
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.16.164.32:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
6132 | SIHClient.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
6132 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
6132 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
6132 | SIHClient.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
6132 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/sls/ping | unknown | - | - | -
- | - | GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | -
- | - | GET | 200 | 20.31.169.57:443 | https://arc.msn.com/v3/Delivery/Placement?pubid=da63df93-3dbc-42ae-a505-b34988683ac7&pid=88000045&adm=2&w=1&h=1&wpx=1&hpx=1&fmt=json&cltp=app&dim=le&rafb=0&nct=1&pm=1&cfmt=text,image,poly&sft=jpeg,png,gif&topt=1&poptin=0&localid=w:AC7699B0-48EA-FD22-C8DC-06A02098A0F0&ctry=US&time=20250324T100415Z&lc=en-US&pl=en-US&idtp=mid&uid=9115d6d1-9f4e-4053-9297-2a8c833b3912&aid=00000000-0000-0000-0000-000000000000&ua=WindowsShellClient%2F9.0.40929.0%20%28Windows%29&asid=a59391cfa2ec4040af376937264f019d&ctmode=MultiSession&arch=x64&betaedgever=0.0.0.0&canedgever=0.0.0.0&cdm=1&cdmver=10.0.19041.3636&currsel=137271744000000000&devedgever=0.0.0.0&devfam=Windows.Desktop&devform=Unknown&devosver=10.0.19045.4046&disphorzres=1280&dispsize=15.3&dispvertres=720&fosver=16299&isu=0&lo=3967323&metered=false&nettype=ethernet&npid=sc-88000045&oemName=DELL&oemid=DELL&ossku=Professional&prevosver=15063&smBiosDm=DELL&stabedgever=122.0.2365.59&tl=2&tsu=1357853&waasBldFlt=1&waasCfgExp=1&waasCfgSet=1&waasRetail=1&waasRing=&svoffered=2 | unknown | binary | 2.96 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 2.16.164.32:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
6544 | svchost.exe | 20.190.159.130:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1280 | backgroundTaskHost.exe | 20.223.35.26:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6132 | SIHClient.exe | 20.109.210.53:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6132 | SIHClient.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
crl.microsoft.com
whitelisted
login.live.com
whitelisted
arc.msn.com
  • 20.223.35.26
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info