File name: 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7

Full analysis: https://app.any.run/tasks/2311a4e9-274a-4343-9323-abce222ea803
Verdict: Malicious activity
Analysis date: May 19, 2025, 05:54:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: E7977EDE5C58F1BB41B705BB4631C323
SHA1: E130F30C65AC0072C876B900D84A1D8676447E54
SHA256: 1977AED77E9A33C79DA30D487C94ED6CF3D81D92C688296A83C310E8FB8128A7
SSDEEP: 384:Ujmr2zerFvXxSnt+bbu2EB9F8xiwEB9F8xiO:UjVzMlXAqbur9F8xi59F8xiO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
  • SUSPICIOUS

    • Creates file in the system drive root

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
    • Executable content was dropped or overwritten

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
    • The process creates files with name similar to system file names

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
  • INFO

    • Creates files or folders in the user directory

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
    • Checks supported languages

      • 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID: 4180)
    • Checks proxy server information

      • slui.exe (PID: 5548)
    • Reads the software policy settings

      • slui.exe (PID: 5548)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 128
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, #ZOMBIE 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe, slui.exe (interactive graph available in the full report)

Process information

PID 4180
CMD: "C:\Users\admin\Desktop\1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe"
Path: C:\Users\admin\Desktop\1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID 5548
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
Total events: 3 369
Read events: 3 369
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 644
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were dropped by 1977aed77e9a33c79da30d487c94ed6cf3d81d92c688296a83c310e8fb8128a7.exe (PID 4180); type: executable.

  • C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp
    MD5: 993B64A2398DFC6D89E608155B6E0BAD
    SHA256: 13A6406EC2EFFDA7D0D31323EDEF9D9E2CB14B1E8194A1DAFCBA07F9C27D6667
  • C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp
    MD5: B38064E6C3343661A3FD5007A6EA91D1
    SHA256: 8445F8EEDB69E58E217B1C997C58D88C78116DDC4DDF907FB4CD165DC355638C
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp
    MD5: 09974979D0E0F0507B942404753255CE
    SHA256: 34C1E3DF3389B53DD28FCCA35D18D751B87EF6E767DDDFEDDB84D278F3CF67AB
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp
    MD5: 1BD6BA8D9DA112E270110431CE5A632B
    SHA256: 1E74D8A73B784F9FA2B70D1C7696399E7FAE735D4487E93BCF15032964570D02
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp
    MD5: 6EB62AA5A2DCFA7596ACBF14911EEAF4
    SHA256: 2339633A8E8377BAFEAC8E409B577DF2B264ABAAB073CC39C98E776BEF70743F
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp
    MD5: 79CDC12E4A15C7E1E0CFF7C6DB1A3718
    SHA256: B6D06E2A50096614D816D633031431B847B6C2932FFF5FB063350A3D70EC4DF6
  • C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp
    MD5: 297C4900E3A04922943A9D0739B5DED7
    SHA256: 830E14FC09ADCCE37FE015C924F13213B70C49A769D476AA8E8A7923DE00A79B
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp
    MD5: D4CDD49CF411CC930F29DE78EE12F8BC
    SHA256: 30E44DBAA652E53F1765E265109938F3E66389A4C35E9251151C2A4A6C03B8D7
  • C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp
    MD5: F6ABA811380CCCAB4F5C80F9B6BD52D1
    SHA256: 145BCA6CF93FE30D348A2C8CE0E93EECBCD9A4383E427A8231F48BA13AC396EB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 23
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4208 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4208 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4208 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6268 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 20.73.194.208 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28, 23.216.77.42 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info