File name:

157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe

Full analysis: https://app.any.run/tasks/5c0ed2bc-8e38-4cbd-8d80-4413d8ca4d01
Verdict: Malicious activity
Analysis date: August 01, 2025, 05:46:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: A1412DA441C208C1A9894441BB0EA4A7
SHA1: 910BC414E73E6DA6AADC986948ACC1DECEAFDD03
SHA256: 157BC3DBD4628A0DC7A892D0BA5244E000407A565F7DE9518C3E8B855FE9A1C7
SSDEEP: 1536:UjVABc9F8xi59F8xiG+3+U3aWf5jsdeWjEs4I:Uaof5jsdeWjEm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe (PID: 5168)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe (PID: 5168)
    • The process creates files with name similar to system file names

      • 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe (PID: 5168)
    • Executable content was dropped or overwritten

      • 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe (PID: 5168)
  • INFO

    • Checks supported languages

      • 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe (PID: 5168)
    • Checks proxy server information

      • slui.exe (PID: 5628)
    • Reads the software policy settings

      • slui.exe (PID: 5628)
    • Creates files or folders in the user directory

      • 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe (PID: 5168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start -> 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe (#ZOMBIE), slui.exe

Process information

PID: 5168
CMD: "C:\Users\admin\Desktop\157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe"
Path: C:\Users\admin\Desktop\157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 5628
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 469
Read events: 3 469
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 876
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | - | -
MD5: -
SHA256: -
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
MD5: C3042675BC02E7B0F087B7FA78D092C9
SHA256: 1F8DAE1DAEB10B45FCCF2533370519325F8341CED5F30AAB85BE3CE448BB084C
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: 78EACABAC573F791BFAE6327D5D3D23A
SHA256: 6ED47DB81796B9B947146134057637D30DFA5587AAE75C6FF8F225C66A5DFC5D
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
MD5: 49C7989B19291E6668047629D5901CAA
SHA256: 1748BB67C4ACD8FAACFEFD4E0443A4DC2A4AC0E8DB0063C3C19FE7EAF6232A95
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
MD5: E94132FE4155A15984C8F4D3AE689977
SHA256: EFD86388C61E38D44F80527C26DC8BE126505B31A936EED557656B4EA1C6A3EF
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
MD5: 5FED667E912D02EB566F735B47FF9131
SHA256: 33E52448894C95B1375BDD959722DAD9D9FFD9A0D82CFEBA7C186719FF485DE3
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
MD5: 83451B4A72127FDF5C144EF6900F04DF
SHA256: 70F5D4EC2F7459D21F33DA46EE91A97AD4DA4693FA4BD1FB8952BD0DC3B5A970
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
MD5: B49CA69C51D5432018CFE83B7F7F01AC
SHA256: 8C80185BD1B9989E0873144C58CB8DC7CA59DC544ACC0514F1AF01B8E3D53E5F
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
MD5: 48D7B905C327159B76BF1BC16326166D
SHA256: ECC7AC6EDD607EBCA0BC82DF39FAE41FAEB01C6C2C1B44287F79D9C1CACD5013
5168 | 157bc3dbd4628a0dc7a892d0ba5244e000407a565f7de9518c3e8b855fe9a1c7.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
MD5: C3042675BC02E7B0F087B7FA78D092C9
SHA256: 1F8DAE1DAEB10B45FCCF2533370519325F8341CED5F30AAB85BE3CE448BB084C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
188 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
188 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
188 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
188 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.42.72.131
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info