File name: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617
Full analysis: https://app.any.run/tasks/174c6609-21ff-4607-a647-fe792d687d51
Verdict: Malicious activity
Analysis date: May 17, 2025, 02:01:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 6CFDD39C370597519BD8D218BB5D2C06
SHA1: 83AE8B5320D41190C7B262FDBF0A066CB573F090
SHA256: 4B492E49A23883F90374DAF46F77FE8B12A29CB5FACE1EA5117BC4710B126617
SSDEEP: 1536:QPlbc9F8xi59F8xiWjVABc9F8xi59F8xi7mR:alJaAmR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
  • SUSPICIOUS

    • Creates a file in the system drive root

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
    • Executable content was dropped or overwritten

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
    • The process creates files with names similar to system file names

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
  • INFO

    • Checks supported languages

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
    • Creates files or folders in the user directory

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
    • Checks proxy server information

      • slui.exe (PID: 7988)
    • Reads the software policy settings

      • slui.exe (PID: 7988)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 132
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID 7296, parent explorer.exe)
slui.exe (PID 7988, parent svchost.exe; not a child of the sample)

Process information

PID: 7296
CMD: "C:\Users\admin\Desktop\4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe"
Path: C:\Users\admin\Desktop\4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images loaded):
c:\users\admin\desktop\4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

The wow64*.dll and syswow64 images confirm a 32-bit process running under WoW64 on the 64-bit guest, consistent with the PE32 file type above. The process runs at medium integrity, so its writes into C:\Program Files and the system drive root are subject to UAC file virtualization; that is why the dropped files below appear under AppData\Local\VirtualStore rather than at the paths the sample targeted.

PID: 7988
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images loaded):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

-Embedding is the switch COM passes when it launches an out-of-process server; the parent is svchost.exe, not the sample, and the report shows no link between PID 7988 and PID 7296. Its two INFO-level indicators (proxy check, software policy read) are ordinary behaviour for the activation client.
Total events: 3 362
Read events: 3 362
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 720
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries were written by 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID 7296).

Filename | Type | MD5 | SHA256
(filename and hashes not captured in this extract) | | |
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | BBC065B3C9B04D6C02287F581236FADB | 1D3754467A7EAAED832F3FFAC58A03C9131F040C5CCD4D01E229D711F9A967E3
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | 182563F2B07D8E9DBA5E2DB51F40F69F | B726DBFCEB98386AC54DC2E2808F80D89C26021DD9F4EC6BE727486FDEB679DD
C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | 4741274F51244090D2DDBB8DE62508B9 | 8B8547794AB7602142B105E86A58A0B43FE3CDF394B23A3B2BF76AA228CAB32C
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | E4AA03BAD1E07A31DEA4FFF55838FCF0 | 612F5B431E7BDA2FD8C565030492F35657FA925D26CFA8B6E1E426A848C78CE9
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable | 67ABE0A65F4E7A4613302AD659098DB3 | EA5E455619F997595A7EC2973EF88E8780EDE481BF34D511A89836CE68BA3A2D
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 84708E32BBDFD418B05D2F21F31F890C | 79CCFAAA16DFCEE1673952257E3F54568F926A3BC50847A0D8DB56ED4FF3318C
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | FAD09184C6DF6E9AE2B2725A6E0A56F6 | 27D0682285E8018FF24A861CD341147F03E6A06D10957285F0D2B2DE4E7A85FB
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 67C335113BFADEEF40448B4522F8311F | D79850B3E46ECCDF6945FD8DA10F3BE7037C6A12FF45E281308AA991D982BD91
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | BBC065B3C9B04D6C02287F581236FADB | 1D3754467A7EAAED832F3FFAC58A03C9131F040C5CCD4D01E229D711F9A967E3

Three things in this table deserve attention. First, desktop.ini.tmp and desktop.ini.exe carry identical hashes: the .tmp is a staged copy that was then written under the final .exe name inside the user's Recycle Bin folder. Second, seven of the nine entries sit under AppData\Local\VirtualStore, which is where UAC file virtualization redirects a medium-integrity process's writes; the intended targets were C:\Program Files\Adobe\Acrobat DC\Acrobat\... and the system drive root (bootmgr, BOOTNXT, bootTel.dat), which is what the "system drive root" and "name similar to system file names" signatures above refer to. Third, every entry is typed executable, including the ones named after a .pak and a .dat file, and each borrows the name of a file that already exists at the targeted location, plus a .tmp suffix. The table carries only the rows shown on this page; the count of 1 720 executable files above indicates the full report lists many more.
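The checks described above, as an added example that is not part of the ANY.RUN report: it takes the dropped-file rows from this page (the filename-less first row omitted, MD5 left out for brevity), maps each VirtualStore path back to the location the sample actually tried to write, groups entries by SHA256, and flags the traits behind the report's SUSPICIOUS signatures. The VirtualStore root and system drive are taken from the report's own paths; SYSTEM_FILE_NAMES is a constructed allow-list of well-known Windows file names, not something the report provides.

```python
"""Triage of sandbox dropped-file rows: de-virtualize, dedupe by hash, flag traits."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Taken from the report's paths (sandbox user "admin" on drive C:).
VIRTUAL_STORE = r"C:\Users\admin\AppData\Local\VirtualStore"
SYSTEM_DRIVE = "C:\\"

# Constructed allow-list of well-known Windows file names (assumption; extend as needed).
SYSTEM_FILE_NAMES = {"desktop.ini", "bootmgr", "bootnxt", "boottel.dat", "ntldr"}


def winjoin(*parts):
    """Join path components with backslashes (keeps the sample rows readable)."""
    return "\\".join(parts)


SID = "S-1-5-21-1693682860-607145093-2874071422-1001"
RECYCLE = winjoin(r"C:\$Recycle.Bin", SID)
ACRO = winjoin(VIRTUAL_STORE, "Program Files", "Adobe", "Acrobat DC", "Acrobat")

# Rows copied from the report: (PID, observed path, SHA256).
DROPS = [
    (7296, winjoin(RECYCLE, "desktop.ini.tmp"), "1D3754467A7EAAED832F3FFAC58A03C9131F040C5CCD4D01E229D711F9A967E3"),
    (7296, winjoin(ACRO, "AcrobatRes.dll.tmp"), "B726DBFCEB98386AC54DC2E2808F80D89C26021DD9F4EC6BE727486FDEB679DD"),
    (7296, winjoin(VIRTUAL_STORE, "bootmgr.tmp"), "8B8547794AB7602142B105E86A58A0B43FE3CDF394B23A3B2BF76AA228CAB32C"),
    (7296, winjoin(ACRO, "AcrobatInfo.exe.tmp"), "612F5B431E7BDA2FD8C565030492F35657FA925D26CFA8B6E1E426A848C78CE9"),
    (7296, winjoin(ACRO, "AcroCEF", "cef_extensions.pak.tmp"), "EA5E455619F997595A7EC2973EF88E8780EDE481BF34D511A89836CE68BA3A2D"),
    (7296, winjoin(VIRTUAL_STORE, "bootTel.dat.tmp"), "79CCFAAA16DFCEE1673952257E3F54568F926A3BC50847A0D8DB56ED4FF3318C"),
    (7296, winjoin(ACRO, "Acrobat.exe.tmp"), "27D0682285E8018FF24A861CD341147F03E6A06D10957285F0D2B2DE4E7A85FB"),
    (7296, winjoin(VIRTUAL_STORE, "BOOTNXT.tmp"), "D79850B3E46ECCDF6945FD8DA10F3BE7037C6A12FF45E281308AA991D982BD91"),
    (7296, winjoin(RECYCLE, "desktop.ini.exe"), "1D3754467A7EAAED832F3FFAC58A03C9131F040C5CCD4D01E229D711F9A967E3"),
]


def devirtualize(path):
    """Return the path the process tried to write. VirtualStore mirrors the
    system drive's layout, so a relative path under it maps straight back."""
    try:
        rel = PureWindowsPath(path).relative_to(VIRTUAL_STORE)
    except ValueError:
        return path  # not a virtualized write
    return str(PureWindowsPath(SYSTEM_DRIVE) / rel)


def file_flags(real_path):
    """Flags mirroring the report's SUSPICIOUS signatures, computed on the intended path."""
    p = PureWindowsPath(real_path)
    base = p.name[:-4] if p.name.lower().endswith(".tmp") else p.name  # strip staging suffix
    inner = PureWindowsPath(base)
    flags = set()
    if base.lower() in SYSTEM_FILE_NAMES or inner.stem.lower() in SYSTEM_FILE_NAMES:
        flags.add("system-file-name")
    if inner.suffix.lower() == ".exe" and PureWindowsPath(inner.stem).suffix:
        flags.add("double-extension")  # e.g. desktop.ini.exe
    if len(p.parts) == 2:  # ('C:\\', 'name') means the file sits in the drive root
        flags.add("system-drive-root")
    return flags


def triage(rows):
    """Per-row findings plus a SHA256 -> [intended paths] grouping."""
    findings, by_hash = [], defaultdict(list)
    for pid, observed, sha256 in rows:
        intended = devirtualize(observed)
        flags = file_flags(intended)
        if intended != observed:
            flags.add("uac-virtualized")
        by_hash[sha256].append(intended)
        findings.append({"pid": pid, "observed": observed, "intended": intended,
                         "sha256": sha256, "flags": flags})
    return findings, dict(by_hash)


def hunting_hashes(rows):
    """Unique SHA256 values, deduplicated for a blocklist or retro-hunt."""
    return sorted({sha for _, _, sha in rows})


if __name__ == "__main__":
    findings, by_hash = triage(DROPS)
    for f in findings:
        print(f"{f['intended']}  {sorted(f['flags'])}")
    print(f"{len(findings)} drops, {len(by_hash)} unique SHA256")
```

Running it shows seven virtualized writes, three aimed at the drive root, five that reuse a well-known system file name, one double extension (desktop.ini.exe), and eight unique hashes for nine rows because the .tmp and .exe copies of desktop.ini are the same bytes.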
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 31
DNS requests: 19
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
6876 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7816 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

None of these rows belong to the monitored processes (PIDs 7296 and 7988). Every connection shown comes from Windows background components (NetBIOS broadcasts from System, telemetry from RUXIMICS.exe, MoUsoCoreWorker.exe and svchost.exe, and the update client SIHClient.exe) to whitelisted Microsoft endpoints, so the sample itself produced no network activity in this run. The counters above report 31 connections and 19 DNS requests; only the rows carried on this page are listed here.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 172.217.16.206
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.131
  • 20.190.160.22
  • 40.126.32.76
  • 20.190.160.14
  • 20.190.160.132
  • 20.190.160.128
  • 20.190.160.65
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.22
whitelisted
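The attribution check just described, as an added example rather than part of the ANY.RUN report: it takes the connection and DNS rows shown on this page (constructed inline from them), separates traffic by monitored PID from guest background noise, and lists domains that were resolved but never connected to. Only the rows on the page are included, so the totals differ from the report's counters.

```python
"""Attribute sandbox network rows to the sample, and find resolve-only domains."""
import ipaddress

MONITORED_PIDS = {7296, 7988}  # the two monitored processes in the report

# Connection rows carried on this page: (PID, process, ip:port, domain).
# LAN broadcast rows have no domain in the report.
CONNECTIONS = [
    (4, "System", "192.168.100.255:137", ""),
    (6876, "RUXIMICS.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (5496, "MoUsoCoreWorker.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (2104, "svchost.exe", "40.127.240.158:443", "settings-win.data.microsoft.com"),
    (4, "System", "192.168.100.255:138", ""),
    (5496, "MoUsoCoreWorker.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (6544, "svchost.exe", "20.190.160.20:443", "login.live.com"),
    (2104, "svchost.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (2112, "svchost.exe", "51.104.136.2:443", "settings-win.data.microsoft.com"),
    (7816, "SIHClient.exe", "4.245.163.56:443", "slscr.update.microsoft.com"),
]

# DNS rows from the page: domain -> resolved IPs.
DNS = {
    "settings-win.data.microsoft.com": ["40.127.240.158", "51.104.136.2"],
    "google.com": ["172.217.16.206"],
    "login.live.com": ["20.190.160.20", "20.190.160.131", "20.190.160.22", "40.126.32.76",
                       "20.190.160.14", "20.190.160.132", "20.190.160.128", "20.190.160.65"],
    "slscr.update.microsoft.com": ["4.245.163.56"],
    "fe3cr.delivery.mp.microsoft.com": ["13.85.23.206"],
    "activation-v2.sls.microsoft.com": ["20.83.72.98"],
    "nexusrules.officeapps.live.com": ["52.111.236.22"],
}


def split_ip(ip_port):
    """'1.2.3.4:443' -> ('1.2.3.4', 443)."""
    ip, port = ip_port.rsplit(":", 1)
    return ip, int(port)


def attribute(connections, monitored_pids):
    """Rows owned by the monitored sample PIDs versus guest background processes."""
    sample = [c for c in connections if c[0] in monitored_pids]
    background = [c for c in connections if c[0] not in monitored_pids]
    return sample, background


def classify(connections):
    """Tag each row 'lan' or 'internet' by destination address scope."""
    return [(c[0], c[1], "lan" if ipaddress.ip_address(split_ip(c[2])[0]).is_private else "internet")
            for c in connections]


def resolved_but_unused(dns, connections):
    """Domains that were looked up but never appear in a connection, by name or by IP."""
    used_ips = {split_ip(c[2])[0] for c in connections}
    used_domains = {c[3] for c in connections if c[3]}
    return sorted(d for d, ips in dns.items()
                  if d not in used_domains and not set(ips) & used_ips)


def background_processes(connections):
    return sorted({c[1] for _, c in enumerate(connections)})


if __name__ == "__main__":
    sample, background = attribute(CONNECTIONS, MONITORED_PIDS)
    print(f"sample-attributed rows: {len(sample)}, background rows: {len(background)}")
    print("resolve-only domains:", resolved_but_unused(DNS, CONNECTIONS))
```

The empty sample-attributed list is the point: a verdict of "malicious" with 31 connections in the counters can read as C2 activity, but once rows are keyed by PID all of it belongs to the guest's own update and telemetry clients. The four resolve-only domains are likewise Windows and Office service names with no connection behind them on this page.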

Threats

No threats detected
No debug info