File name: 47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527
Full analysis: https://app.any.run/tasks/611dc0b1-04fc-4bdd-9d3a-3f948f5c01f8
Verdict: Malicious activity
Analysis date: May 15, 2025, 23:44:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: B47831167347BDBB87882C0C0A9FDFB8
SHA1: 72DDAB7EA887BDFB724F1A3C0B1355787F7B7735
SHA256: 47E392A3A563D04B339EAF898E697A9C17B515B1EA322463356323ED096B1527
SSDEEP: 384:Ujmr2zerFvXxSnt+bbu2EB9F8xiwEB9F8xiR:UjVzMlXAqbur9F8xi59F8xiR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe (PID: 5592)
  • SUSPICIOUS
    • Creates a file in the system drive root
      • 47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe (PID: 5592)
    • The process creates files with names similar to system file names
      • 47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe (PID: 5592)
    • Executable content was dropped or overwritten
      • 47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe (PID: 5592)
  • INFO
    • Creates files or folders in the user directory
      • 47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe (PID: 5592)
    • Checks supported languages
      • 47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe (PID: 5592)
    • Checks proxy server information
      • slui.exe (PID: 2772)
    • Reads the software policy settings
      • slui.exe (PID: 2772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process nodes)

  start -> #ZOMBIE 47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe
  slui.exe (separate node; its parent is svchost.exe, which is not a monitored process)

Process information

PID: 2772
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Note: slui.exe was started by svchost.exe with the -Embedding switch (out-of-process COM activation), not by the sample, and the report records no link between the two monitored processes. Its INFO-level indicators (proxy lookup, software policy read) are therefore background OS activity, not sample behaviour.

PID: 5592
CMD: "C:\Users\admin\Desktop\47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe"
Path: C:\Users\admin\Desktop\47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Note: the wow64.dll, wow64win.dll and wow64cpu.dll images plus the SysWOW64 copies of ntdll, kernel32, kernelbase and user32 show the PE32 sample running under WoW64 on the 64-bit guest; apphelp.dll is the application-compatibility shim engine loaded at process start.
Total events: 3 369
Read events: 3 369
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 733
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries were written by PID 5592, 47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe. The file counters above record 1 733 executable files written; only the following are listed here.

(filename and hashes not shown) | executable
  MD5: -
  SHA256: -
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: BE2EABDF5848D8A5B6BF9AB0E5E52E98
  SHA256: B79E13DD5236E29E80D6BE3140A9F3005B183E091971D835E997202764AF9D2C
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: C5A09B6F2508C4E3124C920150593666
  SHA256: C78C5C820E8DB646566F340A56B8A959E1D047E1D93F2E88372DD1F8FE7A8710
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: CF52E1AD4DD9C42964FAD9184A03903D
  SHA256: F7566CCE75F6E59E93989D0801038745B8C6BB23551C34D8A072B16BD54643D6
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 919FF49C0425BE9C6AF62AFE50AAB73E
  SHA256: A26E73D60C28BB0AB3E60442EB5E4F314CC0EA76EBBF65B26D1523D5BE028769
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: 935548555638A494835CC2FB90E4CEB2
  SHA256: 900AB9E7C6039A300D6498ACC9C9E74A978AF8A5E3D1AA8071EE5171F8EF1164
C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: 74741B564C31C39060147BF4F968648A
  SHA256: 796BEF60829F157AD9D1AC22999EDAA4DDD0D17ABA96BC5AB97CE6899A3DD696
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: B8DEF068B6E68BEBA59F368BCE5AAD7B
  SHA256: 865BB7B478CFDC3D85B15713A5D0EE647DAD2090827D6E81E49E57B89746E4F1
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: 04932BDFCB6BD465BB766D88AC5DCFB1
  SHA256: 09B99000F37DAF76EA32BA3653EDA9E2CAC34AC73FCC7F29EBABF678D53926BE
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
  MD5: 63CABCC6BFB60B9CB9E24C11CCE6815B
  SHA256: E09C200131D49CE9AD9E3AB08194A2F817DF614DFC2ADE15D42F55C905A2A2FC

Note: seven of the paths sit under C:\Users\admin\AppData\Local\VirtualStore, the location to which UAC file virtualization redirects writes that a 32-bit, MEDIUM-integrity process attempts under protected directories; the VirtualStore root mirrors C:\ and VirtualStore\Program Files mirrors C:\Program Files, so the intended targets were C:\BOOTNXT.tmp, C:\bootTel.dat.tmp, C:\bootmgr.tmp and the Acrobat DC install directory. This is what the "creates a file in the system drive root" signature fired on. The $Recycle.Bin write was not redirected because the per-user recycle folder is writable by the user. Every .tmp name shadows an existing system or Acrobat file (bootmgr, BOOTNXT, bootTel.dat, desktop.ini, A3DUtils.dll, Acrobat.exe, acrobat.tlb, AcroBroker.exe), which is what the "files with names similar to system file names" signature keys on, and every copy carries a distinct hash.
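As an added example, not part of the ANY.RUN report, the script below turns the dropped-file table into an offline triage check for a suspect host or disk image: it walks a directory tree, flags any file whose SHA256 is one of the hashes above, and separately flags any "<shadowed name>.tmp" under a VirtualStore or $Recycle.Bin path so that re-infected copies with new hashes are still surfaced. DROPPED_SHA256 and SHADOWED_NAMES are transcribed from the table; build_fixture() is a constructed directory tree with dummy contents, so none of its files reproduce the report's hashes (demo() adds one fixture file's real hash to the IOC set purely to exercise the hash path).

```python
"""Offline triage for the dropped-file indicators in this report.

Added example, not ANY.RUN code. DROPPED_SHA256 and SHADOWED_NAMES are
transcribed from the dropped-files table; build_fixture() creates a
constructed directory tree with dummy contents so the script runs anywhere.
In real use, point scan_tree() at a copied %LOCALAPPDATA%\\VirtualStore or a
mounted disk image.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 -> file name for the nine .tmp files the sample wrote (from the report).
DROPPED_SHA256 = {
    "B79E13DD5236E29E80D6BE3140A9F3005B183E091971D835E997202764AF9D2C": "BOOTNXT.tmp",
    "C78C5C820E8DB646566F340A56B8A959E1D047E1D93F2E88372DD1F8FE7A8710": "desktop.ini.tmp",
    "F7566CCE75F6E59E93989D0801038745B8C6BB23551C34D8A072B16BD54643D6": "bootTel.dat.tmp",
    "A26E73D60C28BB0AB3E60442EB5E4F314CC0EA76EBBF65B26D1523D5BE028769": "A3DUtils.dll.tmp",
    "900AB9E7C6039A300D6498ACC9C9E74A978AF8A5E3D1AA8071EE5171F8EF1164": "Acrobat.exe.tmp",
    "796BEF60829F157AD9D1AC22999EDAA4DDD0D17ABA96BC5AB97CE6899A3DD696": "bootmgr.tmp",
    "865BB7B478CFDC3D85B15713A5D0EE647DAD2090827D6E81E49E57B89746E4F1": "acrobat.tlb.tmp",
    "09B99000F37DAF76EA32BA3653EDA9E2CAC34AC73FCC7F29EBABF678D53926BE": "1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp",
    "E09C200131D49CE9AD9E3AB08194A2F817DF614DFC2ADE15D42F55C905A2A2FC": "AcroBroker.exe.tmp",
}

# Legitimate file names the sample shadowed with a ".tmp" copy (lower-cased
# because NTFS is case-insensitive). From the report's dropped-files table.
SHADOWED_NAMES = {n.lower() for n in (
    "bootmgr", "BOOTNXT", "bootTel.dat", "desktop.ini",
    "A3DUtils.dll", "Acrobat.exe", "acrobat.tlb", "AcroBroker.exe",
)}

# Directory names under which the report shows the writes landing.
REDIRECT_DIRS = {"virtualstore", "$recycle.bin"}


def sha256_file(path: Path) -> str:
    """Upper-case hex SHA256, streamed so large images are not read into RAM."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def suspicious_tmp(path) -> bool:
    """True for '<shadowed name>.tmp' located under a VirtualStore or $Recycle.Bin directory."""
    path = Path(path)
    if path.suffix.lower() != ".tmp":
        return False
    if not REDIRECT_DIRS & {part.lower() for part in path.parts[:-1]}:
        return False
    return path.name[:-len(".tmp")].lower() in SHADOWED_NAMES


def scan_tree(root: Path, known_hashes=DROPPED_SHA256):
    """Return (hash_hits, name_hits).

    hash_hits: (path, label) for files whose SHA256 is a known IOC.
    name_hits: paths matching the shadow-copy naming pattern regardless of hash.
    """
    hash_hits, name_hits = [], []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        if digest in known_hashes:
            hash_hits.append((p, known_hashes[digest]))
        if suspicious_tmp(p):
            name_hits.append(p)
    return hash_hits, name_hits


def build_fixture(base: Path) -> dict:
    """Constructed fixture mirroring the report's paths. Contents are dummies."""
    vs = base / "Users" / "admin" / "AppData" / "Local" / "VirtualStore"
    acrobat = vs / "Program Files" / "Adobe" / "Acrobat DC" / "Acrobat"
    rb = base / "$Recycle.Bin" / "S-1-5-21-1693682860-607145093-2874071422-1001"
    files = {
        vs / "bootmgr.tmp": b"MZ dummy shadow copy",
        acrobat / "Acrobat.exe.tmp": b"MZ dummy shadow copy 2",
        vs / "notes.tmp": b"harmless scratch file",  # not a shadowed name: ignored
        rb / "desktop.ini.tmp": b"[.ShellClassInfo] dummy",
        base / "Users" / "admin" / "report.txt": b"nothing to see here",
    }
    for path, content in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)
    return files


def demo():
    """Scan the fixture; returns (hash-hit labels, sorted name-hit file names)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_fixture(root)
        # The fixture cannot reproduce the report's hashes, so add one fixture
        # file's real hash to the IOC set to exercise the hash-match path.
        iocs = dict(DROPPED_SHA256)
        iocs[sha256_file(root / "Users" / "admin" / "report.txt")] = "report.txt (fixture)"
        hash_hits, name_hits = scan_tree(root, iocs)
        return [label for _, label in hash_hits], sorted(p.name for p in name_hits)


if __name__ == "__main__":
    print(demo())
```

The name-pattern check is deliberately independent of the hash check: a file infector that re-wraps each target produces a new hash per file, so hash IOCs from one sandbox run only catch that run's copies, whereas "a .tmp twin of bootmgr or Acrobat.exe inside VirtualStore" is the behaviour itself.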
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 52
DNS requests: 18
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP code | IP | URL | CN/Type | Reputation (the Type and Size columns carry no value for any row).

2104 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2504 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
2504 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
2504 | SIHClient.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | whitelisted
2504 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2504 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
2504 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted
2504 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted

None of the nine requests originate from the sample (PID 5592): all are plain-HTTP CRL downloads by Windows service processes (svchost.exe, SIHClient.exe), which is routine certificate-revocation checking by the guest OS.

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation ("-" marks a value the report does not record for that row).

2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
2104 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

The two 192.168.100.255 rows are NetBIOS name-service and datagram broadcasts (UDP 137/138) from the System process; no connection in the table is attributed to the sample (PID 5592).
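As an added example that is not part of the ANY.RUN report, the script below does the attribution step an analyst applies before reading the counters above: it builds the descendant set of the sample's PID from parent links, splits the HTTP-request and connection records into sample-tree, other-process and unattributed buckets, and classifies the remaining HTTP traffic as CRL noise. The records are transcribed from the two tables above; the report names parents (explorer.exe, svchost.exe) without PIDs, so every monitored process is modelled here as its own root, and the descendant walk is general enough to attribute children of the sample if a fuller process list were supplied.

```python
"""Attribute the report's network records to process trees.

Added example, not ANY.RUN code. HTTP_REQUESTS and CONNECTIONS are transcribed
from the report's tables; PROCESSES lists the PIDs seen there. Parent PIDs are
not in the report, so parent is None for every entry (assumption: each process
is its own root). pid None in CONNECTIONS marks rows the report left unattributed.
"""
from collections import defaultdict

SAMPLE_PID = 5592

# pid -> (image name, parent pid or None when the parent is not in the report)
PROCESSES = {
    5592: ("47e392a3a563d04b339eaf898e697a9c17b515b1ea322463356323ed096b1527.exe", None),
    2772: ("slui.exe", None),
    2104: ("svchost.exe", None),
    2504: ("SIHClient.exe", None),
    6544: ("svchost.exe", None),
    3216: ("svchost.exe", None),
    4: ("System", None),
}

# (pid, method, http code, url)
HTTP_REQUESTS = [
    (2104, "GET", 200, "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (2104, "GET", 200, "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (2504, "GET", 200, "http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl"),
    (2504, "GET", 200, "http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl"),
    (2504, "GET", 200, "http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl"),
    (2504, "GET", 200, "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl"),
    (2504, "GET", 200, "http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl"),
    (2504, "GET", 200, "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl"),
    (2504, "GET", 200, "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl"),
]

# (pid or None, ip:port, domain)
CONNECTIONS = [
    (2104, "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (4, "192.168.100.255:138", ""),
    (None, "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (None, "172.211.123.249:443", "client.wns.windows.com"),
    (2104, "23.216.77.6:80", "crl.microsoft.com"),
    (2104, "23.35.229.160:80", "www.microsoft.com"),
    (6544, "40.126.32.74:443", "login.live.com"),
    (3216, "172.211.123.249:443", "client.wns.windows.com"),
    (4, "192.168.100.255:137", ""),
    (2104, "4.231.128.59:443", "settings-win.data.microsoft.com"),
]


def descendants(root, procs):
    """PIDs of root plus every process that chains back to it via parent links."""
    children = defaultdict(set)
    for pid, (_, ppid) in procs.items():
        if ppid is not None:
            children[ppid].add(pid)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        stack.extend(children[pid])
    return seen


def attribute(events, root, procs):
    """Split records (pid first field) into (root's tree, other processes, unattributed)."""
    tree = descendants(root, procs)
    mine, other, unknown = [], [], []
    for ev in events:
        pid = ev[0]
        (unknown if pid is None else mine if pid in tree else other).append(ev)
    return mine, other, unknown


def is_crl_fetch(url):
    """Plain-HTTP CRL download from a Microsoft PKI host: routine OS background traffic."""
    host = url.split("/")[2]
    return url.endswith(".crl") and host in {"crl.microsoft.com", "www.microsoft.com"}


def summarize(root=SAMPLE_PID, procs=PROCESSES):
    """Counts an analyst wants before trusting the report's network totals."""
    http_mine, http_other, _ = attribute(HTTP_REQUESTS, root, procs)
    conn_mine, _, conn_unknown = attribute(CONNECTIONS, root, procs)
    return {
        "sample_http": len(http_mine),
        "sample_conns": len(conn_mine),
        "crl_noise": sum(is_crl_fetch(url) for _, _, _, url in http_other),
        "unattributed_conns": len(conn_unknown),
    }


if __name__ == "__main__":
    print(summarize())
```

Unattributed rows stay in their own bucket rather than being folded into "other": in a report where the sample had spawned children, those are exactly the rows that need manual checking against the PCAP.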

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.76
  • 20.190.160.67
  • 20.190.160.17
  • 20.190.160.131
  • 20.190.160.128
  • 40.126.32.68
  • 40.126.32.134
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted

Threats

No threats detected
No debug info