File name: 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7

Full analysis: https://app.any.run/tasks/2311a4e9-274a-4343-9323-abce222ea803
Verdict: Malicious activity
Analysis date: May 19, 2025, 05:54:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: E7977EDE5C58F1BB41B705BB4631C323
SHA1: E130F30C65AC0072C876B900D84A1D8676447E54
SHA256: 1977AED77E9A33C79DA30D487C94ED6CF3D81D92C688296A83C310E8FB8128A7
SSDEEP: 384:Ujmr2zerFvXxSnt+bbu2EB9F8xiwEB9F8xiO:UjVzMlXAqbur9F8xi59F8xiO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
    • Executable content was dropped or overwritten

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
    • The process creates files with name similar to system file names

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
  • INFO

    • Checks supported languages

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
    • Creates files or folders in the user directory

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
    • Checks proxy server information

      • slui.exe (PID: 5548)
    • Reads the software policy settings

      • slui.exe (PID: 5548)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 128
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe slui.exe

Process information

PID: 4180
CMD: "C:\Users\admin\Desktop\1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe"
Path: C:\Users\admin\Desktop\1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 5548
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 369
Read events: 3 369
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 644
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | |
MD5:
SHA256:
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
MD5: B38064E6C3343661A3FD5007A6EA91D1
SHA256: 8445F8EEDB69E58E217B1C997C58D88C78116DDC4DDF907FB4CD165DC355638C
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
MD5: 5010A0E16A6B27C4DA40DF4B6940DF4B
SHA256: 912C52FFBF5C8B8F9057DDBF331CD9B75324D94A0E5736F1C70AE63DD916F9D1
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
MD5: B5112A87AD8A7D7B1B50D00C81410F81
SHA256: D9CF34D01804B4ABDE9641C0A809F1CA68112230945E3224CBE6E5E4DB8114D6
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
MD5: 2CF8A94527E4E199333E195383D8BFD7
SHA256: B5D2F579796E1273724B21172FB610194EFDFEAF2ACB7D7CD72B94281109CF56
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
MD5: 6EB62AA5A2DCFA7596ACBF14911EEAF4
SHA256: 2339633A8E8377BAFEAC8E409B577DF2B264ABAAB073CC39C98E776BEF70743F
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
MD5: 1BD6BA8D9DA112E270110431CE5A632B
SHA256: 1E74D8A73B784F9FA2B70D1C7696399E7FAE735D4487E93BCF15032964570D02
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
MD5: F6ABA811380CCCAB4F5C80F9B6BD52D1
SHA256: 145BCA6CF93FE30D348A2C8CE0E93EECBCD9A4383E427A8231F48BA13AC396EB
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: 297C4900E3A04922943A9D0739B5DED7
SHA256: 830E14FC09ADCCE37FE015C924F13213B70C49A769D476AA8E8A7923DE00A79B
4180 | 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
MD5: 3910DE148391CF5FF73463FF5C2587A5
SHA256: B46B25D9FF333365316818D3EC47885F5E0245E75E728506572E3979B6D7C7EC
HTTP(S) requests: 3
TCP/UDP connections: 23
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted
2104 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | | unknown | | whitelisted
4208 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | | unknown | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4208 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4208 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
6268 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 20.73.194.208 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28, 23.216.77.42 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info