File name: 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe

Full analysis: https://app.any.run/tasks/bc998469-393b-4122-96d3-dd47b0803895
Verdict: Malicious activity
Analysis date: August 01, 2025, 05:40:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 0C94C275B634A412388B4B22C216DE1A
SHA1: 7987E6AF12C5EED07EDD484D57263959C1044BC1
SHA256: 4D79D860F132E48C4CBE6A08EBEC38ABAEA070F5529DB1F75F7D9269B47EA331
SSDEEP: 98304:UKK8UANtUGEQsvl+YgCthbt6RldLrrjT2kXPqBQpco3eSDI2SSE4xzNlnXUawIq:HnS03o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
  • SUSPICIOUS
    • Creates file in the systems drive root
      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
    • Executable content was dropped or overwritten
      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
    • The process creates files with name similar to system file names
      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
  • INFO
    • Checks supported languages
      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
    • Creates files or folders in the user directory
      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
    • Checks proxy server information
      • slui.exe (PID: 1332)
    • Reads the software policy settings
      • slui.exe (PID: 1332)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report; nodes shown): start, #ZOMBIE 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe, slui.exe

Process information

PID | CMD | Path | Parent process
1332 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

3580 | "C:\Users\admin\Desktop\4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe" | C:\Users\admin\Desktop\4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 488
Read events: 3 488
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 510
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | | | |
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | 2835757738B9394B2FD5407ABEEF2432 | 93D03DD21C63F910958ABC01254FA7E529689081D406C527A932ECF09556C198
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | D2E768CA8BAF6D53882B494333424D7F | 51DDF551C430EA0064C1A078EDA3EE82953695C746076611A49FF3E743DF7759
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | E930D34FED603D78F21BBBDFA66D277B | 5B93C07AABAA057EB3628EF04BB43BC17ADF06178D69E0651A08EF8D76C74E32
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | B663A68A84CFEA0931FBC73A267329FC | 562A485D4E6ED68F173A15685057E03F0ECD966AE23048B1A56C62F866762F75
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | F58490F5F039DD7C926F3AF4C4935E70 | B357F231C19F1BA295BDAF2472C69E344996367197D9B2EB389C34B8CA53536A
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | F58490F5F039DD7C926F3AF4C4935E70 | B357F231C19F1BA295BDAF2472C69E344996367197D9B2EB389C34B8CA53536A
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | 39C4338D438740D21B864E635BB775A5 | 05EF7962129E6E22C2F8CD5F816840AA144A047AF0D15AB2D7D42D9AA1B29113
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | AA75469293EEBAF4D15179743B4F168E | DF73E0980FC226C581E7B2166AB7C3CDE6DF6101A545E3D94627F209C588B9D6
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 449221E79ED251B45292742D675FEDE2 | 59DD14D0074397D6B7E8337FB46F509F1DFA8777D2F4F3655B27853DED1C5B4E
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4084 | RUXIMICS.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4084 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4084 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4084 | RUXIMICS.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 23.216.77.42, 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 52.168.112.66 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info