File name: 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3

Full analysis: https://app.any.run/tasks/b31af3c7-3aea-40be-989f-c551771c0e0c
Verdict: Malicious activity
Analysis date: May 15, 2025, 21:49:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 41DFD8510F176CBD54226DD5B533491E
SHA1: D15C86D25D39ED65AB88966107061449F47186F1
SHA256: 3A75F30F3AC152227C173F8F2BFD1CB6FF76071863739BE381ED39810B0469A3
SSDEEP: 384:rU1IqlRwRebut+bbu2EB9F8xiwEB9F8xiV/Q2UCXi1oL0/Q2UCXi1oL+:Q1Iqlwebhbur9F8xi59F8xipLYL+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
    • Executable content was dropped or overwritten

      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
    • The process creates files with name similar to system file names

      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
  • INFO

    • Creates files or folders in the user directory

      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
    • Checks supported languages

      • 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (PID: 5116)
    • Checks proxy server information

      • slui.exe (PID: 1616)
    • Reads the software policy settings

      • slui.exe (PID: 1616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 125
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe (#ZOMBIE), slui.exe

Process information

PID: 1616
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 5116
CMD: "C:\Users\admin\Desktop\3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe"
Path: C:\Users\admin\Desktop\3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
  • c:\users\admin\desktop\3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll
Total events: 3 369
Read events: 3 369
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 835
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | - | -
MD5: -
SHA256: -
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
MD5:CA28EF53F1FA5FD872AB428CFD5C59E5
SHA256:1D82FAD2B5E66B05DA865F020AEA47C2CF25900300E239183D34E1ACDBC78A10
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
MD5:7A21BEF2D9877E4AB1466C7EA9063859
SHA256:B4BC8210255DC0CE94DD611329F4525D1B02A6E2AD87BFEDF7B80255E1260AF1
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
MD5:D4733FCBC7E61678B8A5C3B8E6974605
SHA256:A95E3ECA5F90D27B421EF20D737C61659B4E056CAF3598C1FB9F38555A4A139D
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
MD5:3449EF5B3CBA48310A280B83EA379234
SHA256:F134094C07B923758E4D277FB9CC3C9DD777FE056FF93E57E9B6B1E122AB8625
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
MD5:AA61FE87CA78046C9A477FFC7D698F58
SHA256:E1C61EB5ED0238BEC00ED5F6283A2DF40C6661D8D2020D3A8CE17E8A93CC2725
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
MD5:7BF4870B45D4C73408A5D53EB05888F8
SHA256:231944FF10CC03B60EED7872F144410B9549EA3D0199DBB604640A2842B862CA
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
MD5:532DB41233A9FBA0BCFA30912555210E
SHA256:BF78F21897650FFCDCB64F35709B7C0D5D140CD1429D5A6786D6B744F461E40B
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
MD5:14135DD454A9C3DEA64367B98412B5B8
SHA256:CF61AF87D3F07921D7E76AC1195337E5F47E11BCDBE94BEAE82C24D123FF071C
5116 | 3a75f30f3ac152227c173f8f2bfd1cb6ff76071863739be381ed39810b0469a3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
MD5:51CFFF83797B6F4FB3760A698899E4AA
SHA256:80E821AE3F6D540C6C641BABCE9AB4FB6C1A129007A76398E024BB60388C5729
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.216.77.30:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 23.216.77.30:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6028 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1616 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.30
  • 23.216.77.21
  • 23.216.77.25
  • 23.216.77.22
  • 23.216.77.15
  • 23.216.77.18
  • 23.216.77.41
  • 23.216.77.27
  • 23.216.77.7
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info