File name: 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3

Full analysis: https://app.any.run/tasks/b31af3c7-3aea-40be-989f-c551771c0e0c
Verdict: Malicious activity
Analysis date: May 15, 2025, 21:49:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 41DFD8510F176CBD54226DD5B533491E
SHA1: D15C86D25D39ED65AB88966107061449F47186F1
SHA256: 3A75F30F3AC152227C173F8F2BFD1CB6FF76071863739BE381ED39810B0469A3
SSDEEP: 384:rU1IqlRwRebut+bbu2EB9F8xiwEB9F8xiV/Q2UCXi1oL0/Q2UCXi1oL+:Q1Iqlwebhbur9F8xi59F8xipLYL+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
  • SUSPICIOUS
    • The process creates files with name similar to system file names
      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
    • Executable content was dropped or overwritten
      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
    • Creates file in the systems drive root
      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
  • INFO
    • Checks supported languages
      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
    • Checks proxy server information
      • slui.exe (PID: 1616)
    • Creates files or folders in the user directory
      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
    • Reads the software policy settings
      • slui.exe (PID: 1616)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
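The EXIF block above is a straight read-out of the COFF and PE32 optional headers, so every value in it can be reproduced from the first few hundred bytes of the file. The following is an added example, not part of the ANY.RUN report, that decodes those fields with Python's struct module. The sample itself is not reproduced here, so the parser runs on a constructed header populated with the values shown above; the "-" rendering of zero-valued fields and the machine/subsystem name tables are assumptions that mirror the report's output. The "stripped to external PDB" text in the file(1) line corresponds to the IMAGE_FILE_DEBUG_STRIPPED bit, which the EXIF block prints as "No debug".

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits, labelled the way the report's EXIF block prints them
CHARACTERISTICS = [
    (0x0001, "No relocs"),           # IMAGE_FILE_RELOCS_STRIPPED
    (0x0002, "Executable"),          # IMAGE_FILE_EXECUTABLE_IMAGE
    (0x0004, "No line numbers"),     # IMAGE_FILE_LINE_NUMS_STRIPPED
    (0x0008, "No symbols"),          # IMAGE_FILE_LOCAL_SYMS_STRIPPED
    (0x0020, "Large address aware"), # IMAGE_FILE_LARGE_ADDRESS_AWARE
    (0x0100, "32-bit"),              # IMAGE_FILE_32BIT_MACHINE
    (0x0200, "No debug"),            # IMAGE_FILE_DEBUG_STRIPPED ("stripped to external PDB" in file(1))
    (0x2000, "DLL"),                 # IMAGE_FILE_DLL
]
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows command line"}


def _dash_if_zero(value):
    """The report prints zero-valued header fields as '-'; assumed convention, mirrored here."""
    return value if value else "-"


def parse_pe_header(data):
    """Decode the COFF and PE32 optional header fields that the report's EXIF block shows."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _symtab, _nsyms, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF header is 20 bytes; optional header follows
    magic, maj_link, min_link, code, init, uninit, entry = struct.unpack_from("<HBBIIII", data, opt)
    maj_os, _min_os, maj_img, _min_img, maj_sub, _min_sub = struct.unpack_from("<HHHHHH", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "NumberOfSections": nsections,
        # A zero TimeDateStamp is what shows up as '0000:00:00 00:00:00'
        "TimeStamp": "0000:00:00 00:00:00" if stamp == 0
        else datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y:%m:%d %H:%M:%S"),
        "ImageFileCharacteristics": ", ".join(label for bit, label in CHARACTERISTICS if chars & bit),
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "LinkerVersion": "-" if (maj_link, min_link) == (0, 0) else f"{maj_link}.{min_link}",
        "CodeSize": _dash_if_zero(code),
        "InitializedDataSize": _dash_if_zero(init),
        "UninitializedDataSize": _dash_if_zero(uninit),
        "EntryPoint": hex(entry),
        "OSVersion": maj_os,
        "ImageVersion": _dash_if_zero(maj_img),
        "SubsystemVersion": maj_sub,
        "Subsystem": SUBSYSTEMS.get(subsystem, hex(subsystem)),
    }


def header_oddities(info):
    """Flags a triager would raise from these header fields alone."""
    notes = []
    if info["TimeStamp"] == "0000:00:00 00:00:00":
        notes.append("zeroed TimeDateStamp (build time blanked, or a non-standard linker)")
    if info["LinkerVersion"] == "-":
        notes.append("zero linker version (unusual for stock MSVC or Delphi output)")
    if "No relocs" in info["ImageFileCharacteristics"]:
        notes.append("relocations stripped: the image cannot be rebased, so ASLR does not apply to it")
    return notes


def build_sample_pe():
    """Constructed stand-in for the analysed file: only the header fields from the report are populated."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine i386, 5 sections, TimeDateStamp 0, 224-byte optional header, Characteristics 0x030F
    coff = struct.pack("<HHIIIHH", 0x014C, 5, 0, 0, 0, 224, 0x030F)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 0, 0, 0, 0, 0, 0x2130)  # PE32, entry point 0x2130
    struct.pack_into("<HHHHHH", opt, 40, 1, 0, 0, 0, 4, 0)            # OS 1.0, image 0.0, subsystem 4.0
    struct.pack_into("<H", opt, 68, 2)                                  # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe())
    for key, value in info.items():
        print(f"{key}: {value}")
    for note in header_oddities(info):
        print("!", note)
```

Point parse_pe_header at the real file's bytes (open(path, "rb").read()) to compare against the EXIF block; the zeroed timestamp and blank linker version are the two header-level tells worth recording alongside the hashes.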
Screenshots: available in the full report
Total processes: 125
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes (flattened from the graph): start; 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (tagged #ZOMBIE); slui.exe

Process information

PID 1616
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Note: -Embedding is the switch COM passes when it launches a server executable; slui.exe was started by svchost.exe through COM activation, not by the sample, so its INFO signatures ("Checks proxy server information", "Reads the software policy settings") and the activation-v2.sls.microsoft.com connections are ordinary Windows activation background activity.
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID 5116
CMD: "C:\Users\admin\Desktop\3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe"
Path: C:\Users\admin\Desktop\3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Note: the module list shows the WoW64 layer (wow64.dll, wow64win.dll, wow64cpu.dll and the SysWOW64 copies of ntdll/kernel32/kernelbase/msvcrt), as expected for a 32-bit PE on 64-bit Windows 10; apphelp.dll means the application-compatibility shim engine was consulted at load. The process runs at MEDIUM integrity, which is why its writes under Program Files and the drive root were redirected to VirtualStore (see Dropped files).
Modules (images):
c:\users\admin\desktop\3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Registry activity

Total events: 3 369
Read events: 3 369
Write events: 0
Delete events: 0

Modification events: no data

Files activity

Executable files: 1 835 (the Dropped files table below lists only a subset of these)
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries: PID 5116, process 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe

1. (filename, MD5 and SHA256 not recorded in the report)
2. C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp (executable)
   MD5: 3449EF5B3CBA48310A280B83EA379234
   SHA256: F134094C07B923758E4D277FB9CC3C9DD777FE056FF93E57E9B6B1E122AB8625
3. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp (executable)
   MD5: 78CBD8336EF55611E153B8AC3675428C
   SHA256: 8F7E54AB06375F6D50CC49C8B9A4C99E59C9D0C74C9E53F6EF98DE3A788F0D05
4. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp (executable)
   MD5: FDBA0D50E87F6EB5521FBEB8516CB766
   SHA256: F92DB9A186DBF1BBA411E94752673F45A2F57C0FEB20F0C48CCC4D21CD6DEF43
5. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp (executable)
   MD5: BCA6A0561DF0DB56F03DA04D149D4154
   SHA256: A3385C872B2B3B4073DB2363CB50EA5EF207BC9466855629B0D163214387115F
6. C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp (executable)
   MD5: D8A1754495CF4637C074852049FB6EC5
   SHA256: 7271D67DC398263FDF7F681BA5EBCFBC6C586FA478707F96FF398E4C9EBBED8F
7. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp (executable)
   MD5: 5BC4BDD58458A189F5EFF7105C44DF1A
   SHA256: 8F556DD8CBD1C1DEB1F0A06FFDAD86E5C6CD71DF78CF9371202DC6985CD5F679
8. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp (executable)
   MD5: 51CFFF83797B6F4FB3760A698899E4AA
   SHA256: 80E821AE3F6D540C6C641BABCE9AB4FB6C1A129007A76398E024BB60388C5729
9. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp (executable)
   MD5: AA61FE87CA78046C9A477FFC7D698F58
   SHA256: E1C61EB5ED0238BEC00ED5F6283A2DF40C6661D8D2020D3A8CE17E8A93CC2725
10. C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe (executable)
   MD5: 3449EF5B3CBA48310A280B83EA379234
   SHA256: F134094C07B923758E4D277FB9CC3C9DD777FE056FF93E57E9B6B1E122AB8625

Note: entries 2 and 10 (desktop.ini.tmp and desktop.ini.exe) carry identical MD5/SHA256 values, consistent with the .tmp being written first and then renamed to .exe. The remaining .tmp files sit under VirtualStore, i.e. they are UAC-virtualized copies of writes that targeted the same paths under the system drive (Program Files\Adobe\... and the drive root), and every one of them is typed "executable" regardless of the extension it wears (.tlb, .pak, .pdf, .ini).
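The three SUSPICIOUS signatures in the indicator list (look-alike system file names, dropped executable content, a file in the system drive root) can be reproduced from the Dropped files rows alone. The following is an added example, not ANY.RUN's signature logic, that replays those rows as constructed file-create events through a small set of heuristics. The system-file watch-list, the rule names and the assumption that a VirtualStore copy maps back to the same path under C: are the editor's, not the report's.

```python
import re
from pathlib import PureWindowsPath

# Watch-list of Windows system file names that droppers imitate (assumed list, not from the report)
SYSTEM_FILE_NAMES = {"desktop.ini", "bootmgr", "ntldr", "thumbs.db", "autorun.inf"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}
VIRTUALSTORE_RE = re.compile(r"\\AppData\\Local\\VirtualStore\\", re.IGNORECASE)
RECYCLE_BIN_RE = re.compile(r"^[A-Z]:\\\$Recycle\.Bin\\S-1-5-21-[\d-]+\\", re.IGNORECASE)

# Constructed file-create events: (pid, path, type) copied from the report's Dropped files rows
RB = r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001"
VS = r"C:\Users\admin\AppData\Local\VirtualStore"
ACRO = VS + r"\Program Files\Adobe\Acrobat DC\Acrobat"
EVENTS = [
    (5116, RB + r"\desktop.ini.tmp", "executable"),
    (5116, ACRO + r"\acrobat.tlb.tmp", "executable"),
    (5116, ACRO + r"\AcrobatInfo.exe.tmp", "executable"),
    (5116, ACRO + r"\AcrobatRes.dll.tmp", "executable"),
    (5116, VS + r"\bootmgr.tmp", "executable"),
    (5116, ACRO + r"\AcroCEF\cef_extensions.pak.tmp", "executable"),
    (5116, ACRO + r"\AcroCEF\AcroCEF.exe.tmp", "executable"),
    (5116, ACRO + r"\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp", "executable"),
    (5116, RB + r"\desktop.ini.exe", "executable"),
]


def intended_target(path):
    """Map a VirtualStore copy back to the path the process actually tried to write.

    UAC file virtualization stores the redirected file under
    %LOCALAPPDATA%\\VirtualStore\\<path relative to the system drive>.
    Treating C: as the system drive is an assumption of this example.
    """
    m = VIRTUALSTORE_RE.search(path)
    return "C:\\" + path[m.end():] if m else path


def mimicked_system_name(filename):
    """Return the system file name this drop imitates ('desktop.ini' for 'desktop.ini.exe'), else None."""
    name = filename.lower()
    if name in SYSTEM_FILE_NAMES:
        return None  # the genuine name, not a look-alike
    for ext in [".tmp", *EXECUTABLE_EXTS]:
        if name.endswith(ext) and name[: -len(ext)] in SYSTEM_FILE_NAMES:
            return name[: -len(ext)]
    return None


def classify_drop(path, ftype):
    """Apply the file-drop heuristics to one file-create event; returns the rules that fired."""
    tags = []
    target = PureWindowsPath(intended_target(path))
    # Look through a trailing .tmp: 'AcroCEF.exe.tmp' was staged for 'AcroCEF.exe'
    inner = target.name[:-4] if target.name.lower().endswith(".tmp") else target.name
    if ftype == "executable" and PureWindowsPath(inner).suffix.lower() not in EXECUTABLE_EXTS:
        tags.append("executable content under a non-executable name")
    if target != PureWindowsPath(path):
        tags.append(f"write redirected by UAC virtualization (target {target})")
    if target.drive and len(target.parts) == 2:  # parts == ('C:\\', '<name>')
        tags.append("file created in the system drive root")
    if RECYCLE_BIN_RE.match(path):
        tags.append("file created inside $Recycle.Bin")
    mimic = mimicked_system_name(target.name)
    if mimic:
        tags.append(f"name mimics system file ({mimic})")
    return tags


def triage(events):
    """Return {path: tags} for every event that trips at least one rule."""
    hits = {}
    for _pid, path, ftype in events:
        tags = classify_drop(path, ftype)
        if tags:
            hits[path] = tags
    return hits


def rules_fired(events):
    """Distinct rule names across all events, parentheticals stripped, for comparison with the report's signatures."""
    names = set()
    for _pid, path, ftype in events:
        for tag in classify_drop(path, ftype):
            names.add(tag.split(" (")[0])
    return sorted(names)


if __name__ == "__main__":
    for path, tags in triage(EVENTS).items():
        print(path)
        for tag in tags:
            print("   -", tag)
    print("rules fired:", rules_fired(EVENTS))
```

The same functions work on real file-create telemetry (Sysmon event ID 11 TargetFilename plus whatever type detection you run on the written bytes); the point of resolving the VirtualStore path first is that the interesting fact is where the process tried to write, not where UAC parked the result.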
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
(Type and Size columns are empty in the report.)

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 23.216.77.30:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6028 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1616 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

Note: none of the listed connections is attributed to the sample (PID 5116); everything shown is Windows background traffic (telemetry, CRL downloads, activation) plus NetBIOS broadcasts on ports 137/138. The summary counts 21 connections but the table lists 9, so treat the list as partial rather than as proof that the sample never touched the network. PID 6028 (slui.exe) appears here but not among the two monitored processes.

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 4.231.128.59 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 23.216.77.30, 23.216.77.21, 23.216.77.25, 23.216.77.22, 23.216.77.15, 23.216.77.18, 23.216.77.41, 23.216.77.27, 23.216.77.7 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted

Threats

No threats detected