File name:

ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe

Full analysis: https://app.any.run/tasks/687a9eb4-dca3-4215-9b06-37e685b431f1
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: March 24, 2025, 11:35:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
ducdun
vilsel
stealer
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

AEBED8D112060028C44311D9E6316C51

SHA1:

3B07F382DD3439806E699C3951DE396FD9703A5F

SHA256:

FFD1E1A6A100C9B0720D287014ABE152E2889DADC639FE26D2B24159911804D1

SSDEEP:

768:Wp7XrhkSsV+mNr1zQm/9GiNeGXgfKLtrja6m+im7zAAkSsV+mNa7XrJr:smr1zQ09GiNb9Ltrja6mw7zAtkJr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • DUCDUN mutex has been found

      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7412)
      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7680)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7412)

    • Creates file in the systems drive root

      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7412)
      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7680)

  • INFO

    • The sample compiled with english language support

      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7412)

    • Reads the software policy settings

      • slui.exe (PID: 7792)

    • Reads the computer name

      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7412)
      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7680)

    • Create files in a temporary directory

      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7412)
      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7680)

    • Checks supported languages

      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7412)
      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7680)

    • Manual execution by a user

      • ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe (PID: 7680)

    • Checks proxy server information

      • slui.exe (PID: 7792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:01:06 03:24:42+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 45056
InitializedDataSize: 28672
UninitializedDataSize: -
EntryPoint: 0x1134
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.50
ProductVersionNumber: 1.0.0.50
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Microsoft Windows
FileVersion: 1.00.0050
ProductVersion: 1.00.0050
InternalName: music
OriginalFileName: music.exe
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #DUCDUN ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe #DUCDUN ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe no specs slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7412"C:\Users\admin\Desktop\ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe" C:\Users\admin\Desktop\ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.00.0050
Modules
Images
c:\users\admin\desktop\ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
7680"C:\Users\admin\Desktop\ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe" C:\Users\admin\Desktop\ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00.0050
Modules
Images
c:\users\admin\desktop\ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvbvm60.dll
c:\windows\syswow64\user32.dll
7792C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 737
Read events
3 731
Write events
4
Delete events
2

Modification events

(PID) Process:(7412) ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoFolderOptions
Value:
1
(PID) Process:(7412) ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
1
(PID) Process:(7412) ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams
Operation:delete valueName:Settings
Value:
(PID) Process:(7680) ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:writeName:NoFolderOptions
Value:
1
(PID) Process:(7680) ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
1
(PID) Process:(7680) ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Streams
Operation:delete valueName:Settings
Value:
Executable files
1
Suspicious files
8
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
7412ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeC:\Users\admin\AppData\Local\Temp\3Ga07440compressed
MD5:7B24BE5C66CEEB16FC08AF35B0F553BD
SHA256:DAB4B4EA65F65C07EAF610D76435399F47881982B5EA3F1F435A4DD7626D63AB
7412ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeC:\Users\admin\Desktop\ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.datbinary
MD5:54ED144484ABB2B71A3AB3A3B2E083E5
SHA256:66639BBF53AB8343D63973B4A6BB03C255DE6D509E2AA7863D6F3966435BB4FE
7412ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeC:\Users\admin\Desktop\ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.zipcompressed
MD5:349872199261205B3EC4461010BB54E6
SHA256:D9F714505D54F988A4FD532E14CA74643720B10E3E750AACE9A1822FAA6C3B24
7680ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeC:\Users\admin\AppData\Local\Temp\~DFC62EE49047DC638B.TMPbinary
MD5:30B218E258E9E1669891838E74A2ED8F
SHA256:90B0CAD407C8779ACB405AFC266606FB27AB26BDF858F1AA3E046984F6660F10
7412ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeC:\Users\admin\Desktop\temp.zip~RF10de3c.TMPcompressed
MD5:76CDB2BAD9582D23C1F6F4D868218D6C
SHA256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
7680ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeC:\Users\admin\Desktop\ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.datbinary
MD5:F9575614387B2862D4E678197B9A7226
SHA256:D50D12D8BC3D004DB64660548B9562D0EAFA8EF37892D8FFB5C042C5AB9ED98F
7412ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeC:\Users\admin\Desktop\backup.exeexecutable
MD5:D366F86BF0848343801EDFDCA1498280
SHA256:EAD74DC2D4725216EDCE9F4D50EA32C41C7F4733E23F22729FAE88F3760497DC
7412ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exeC:\Users\admin\Desktop\temp.zipcompressed
MD5:76CDB2BAD9582D23C1F6F4D868218D6C
SHA256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
21
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4608
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7792
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 172.217.18.14
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ffd1e1a6a100c9b0720d287014abe152e2889dadc639fe26d2b24159911804d1.exe