File name: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617

Full analysis: https://app.any.run/tasks/174c6609-21ff-4607-a647-fe792d687d51
Verdict: Malicious activity
Analysis date: May 17, 2025, 02:01:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 6CFDD39C370597519BD8D218BB5D2C06
SHA1: 83AE8B5320D41190C7B262FDBF0A066CB573F090
SHA256: 4B492E49A23883F90374DAF46F77FE8B12A29CB5FACE1EA5117BC4710B126617
SSDEEP: 1536:QPlbc9F8xi59F8xiWjVABc9F8xi59F8xi7mR:alJaAmR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
    • Creates file in the systems drive root

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
    • The process creates files with name similar to system file names

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
  • INFO

    • Creates files or folders in the user directory

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
    • Checks supported languages

      • 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe (PID: 7296)
    • Checks proxy server information

      • slui.exe (PID: 7988)
    • Reads the software policy settings

      • slui.exe (PID: 7988)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 132
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, #ZOMBIE 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe, slui.exe

Process information

PID: 7296
CMD: "C:\Users\admin\Desktop\4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe"
Path: C:\Users\admin\Desktop\4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe
Indicators: #ZOMBIE
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 7988
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
Total events: 3 362
Read events: 3 362
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 720
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: (not recorded) | Type: (not recorded)
MD5: (not recorded)
SHA256: (not recorded)

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | Type: executable
MD5: FAD09184C6DF6E9AE2B2725A6E0A56F6
SHA256: 27D0682285E8018FF24A861CD341147F03E6A06D10957285F0D2B2DE4E7A85FB

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | Type: executable
MD5: 67C335113BFADEEF40448B4522F8311F
SHA256: D79850B3E46ECCDF6945FD8DA10F3BE7037C6A12FF45E281308AA991D982BD91

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | Type: executable
MD5: 39E736264DC0DD97C32464BBB5364BB1
SHA256: 759C024DED7C39AEB6C62AC0AF0B3CAB3DCBE3D0791EDAD4B6F3F62AC3655FFF

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | Type: executable
MD5: 4741274F51244090D2DDBB8DE62508B9
SHA256: 8B8547794AB7602142B105E86A58A0B43FE3CDF394B23A3B2BF76AA228CAB32C

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | Type: executable
MD5: CC325C6541C5A17BA5866C14CB99EE77
SHA256: C2E76F6EC75F874999104F6F60E8579EC5DE45126F94B66031C37C38A5962A78

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | Type: executable
MD5: 5A125B56F5BD8D107567437A0BEB1F47
SHA256: BA9E90A9EB4465B373A83060D875DCB1B464F2E9E482D458C4B38EC1A608DBEA

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | Type: executable
MD5: 566E882D1D5FA7FFD8D0FAE5405081A5
SHA256: BA2AB34D2DA453A23CBECB7A3C49E073F04FF4E95AE79D18304B252B50F682B5

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | Type: executable
MD5: ED4FF95ED002E2B23F8EB0FF06A027B9
SHA256: D6246A627BCB2E710344134DD81D597F6CC5CE4D35F8BC558529B5FB318B513A

PID: 7296 | Process: 4b492e49a23883f90374daf46f77fe8b12a29cb5face1ea5117bc4710b126617.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | Type: executable
MD5: 182563F2B07D8E9DBA5E2DB51F40F69F
SHA256: B726DBFCEB98386AC54DC2E2808F80D89C26021DD9F4EC6BE727486FDEB679DD
HTTP(S) requests: 0
TCP/UDP connections: 31
DNS requests: 19
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6876 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 20.190.160.20:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2112 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7816 | SIHClient.exe | 4.245.163.56:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.104.136.2 | whitelisted
google.com | 172.217.16.206 | whitelisted
login.live.com | 20.190.160.20, 20.190.160.131, 20.190.160.22, 40.126.32.76, 20.190.160.14, 20.190.160.132, 20.190.160.128, 20.190.160.65 | whitelisted
slscr.update.microsoft.com | 4.245.163.56 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.22 | whitelisted

Threats

No threats detected
No debug info