File name: 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe

Full analysis: https://app.any.run/tasks/bc998469-393b-4122-96d3-dd47b0803895
Verdict: Malicious activity
Analysis date: August 01, 2025, 05:40:41
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 0C94C275B634A412388B4B22C216DE1A
SHA1: 7987E6AF12C5EED07EDD484D57263959C1044BC1
SHA256: 4D79D860F132E48C4CBE6A08EBEC38ABAEA070F5529DB1F75F7D9269B47EA331
SSDEEP: 98304:UKK8UANtUGEQsvl+YgCthbt6RldLrrjT2kXPqBQpco3eSDI2SSE4xzNlnXUawIq:HnS03o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
    • Executable content was dropped or overwritten

      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
    • The process creates files with name similar to system file names

      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
  • INFO

    • Checks supported languages

      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
    • Creates files or folders in the user directory

      • 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (PID: 3580)
    • Reads the software policy settings

      • slui.exe (PID: 1332)
    • Checks proxy server information

      • slui.exe (PID: 1332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
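Added example (not part of the ANY.RUN report): a minimal PE header reader that recovers the fields summarised in the File info and EXIF blocks above (machine, section count, timestamp, entry point, subsystem, characteristics) and records what an analyst would note from them. The sample itself is not available here, so the bytes it parses are a constructed PE32 stub whose header values are set to the report's numbers; `parse_pe()` reads the same offsets from any real PE file.

```python
"""Read the PE header fields that the report's File info / EXIF blocks summarise.

Added example, not part of the ANY.RUN report. The sample is not available
here, so SAMPLE_HEADER is a constructed PE32 stub whose header values match
the report (machine 0x14C, 5 sections, zeroed timestamp, entry point 0x6000,
GUI subsystem, OS version 1, subsystem version 4, characteristics 0x030F).
parse_pe() works on any real PE file as well."""
import struct

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h), in the words exiftool uses.
CHARACTERISTICS = {
    0x0001: "No relocs",
    0x0002: "Executable",
    0x0004: "No line numbers",
    0x0008: "No symbols",
    0x0100: "32-bit",
    0x0200: "No debug",  # IMAGE_FILE_DEBUG_STRIPPED; file(1) prints "stripped to external PDB"
}
SUBSYSTEMS = {2: "Windows GUI", 3: "Windows CUI"}
PE_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def build_stub(machine=0x14C, n_sections=5, timestamp=0, entry=0x6000,
               os_major=1, subsys_major=4, subsystem=2, characteristics=0x030F):
    """Constructed PE32 stub: DOS header, PE signature, COFF header and the first
    72 bytes of the optional header (through DllCharacteristics). The section
    table and section data are omitted; parse_pe() does not need them."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, n_sections, timestamp, 0, 0, 224, characteristics)
    # optional header offsets 0..27: Magic .. BaseOfData
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, entry, 0x1000, 0x7000)
    # optional header offsets 28..71: ImageBase .. DllCharacteristics
    opt += struct.pack("<IIIHHHHHHIIIIHH", 0x400000, 0x1000, 0x200, os_major, 0, 0, 0,
                       subsys_major, 0, 0, 0x10000, 0x400, 0, subsystem, 0)
    return bytes(dos) + b"PE\0\0" + coff + opt


SAMPLE_HEADER = build_stub()  # constructed stand-in for the sample's first 0x100 bytes


def parse_pe(data):
    """Return the header fields shown in the report's EXIF block."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, n_sections, timestamp, _symtab, _nsyms, _opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                      # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    os_major, _, _, _, subsys_major = struct.unpack_from("<HHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": machine,
        "sections": n_sections,
        "timestamp": timestamp,
        "entry_point": entry,
        "pe_type": PE_MAGIC.get(magic, hex(magic)),
        "os_version": os_major,
        "subsystem_version": subsys_major,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "characteristics": [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit],
    }


def triage_notes(info):
    """Header observations an analyst would record from these fields."""
    notes = []
    if info["timestamp"] == 0:
        notes.append("compile timestamp is zero: scrubbed, or set by a builder/packer that does not fill it")
    if "No debug" in info["characteristics"]:
        notes.append("IMAGE_FILE_DEBUG_STRIPPED set: debug data stripped (file(1): 'stripped to external PDB')")
    if info["machine"] == 0x14C and info["pe_type"] == "PE32":
        notes.append("32-bit image: runs under WOW64 on x64 Windows (matches the syswow64 modules in the process list)")
    return notes


if __name__ == "__main__":
    info = parse_pe(SAMPLE_HEADER)
    for key, value in info.items():
        print(f"{key:>18}: {hex(value) if isinstance(value, int) else value}")
    for note in triage_notes(info):
        print("note:", note)
```

The zeroed timestamp and the debug-stripped flag are the two header facts worth carrying into a triage note; neither proves maliciousness on its own, but both are consistent with a build that was not meant to be attributable.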
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe (#ZOMBIE)
slui.exe (started by svchost.exe with -Embedding, i.e. COM activation of the Windows Activation Client; it is not a child of the sample)

Process information

PID 1332: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID 3580: "C:\Users\admin\Desktop\4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe"
Path: C:\Users\admin\Desktop\4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 488
Read events: 3 488
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 510
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | | | |
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | 39C4338D438740D21B864E635BB775A5 | 05EF7962129E6E22C2F8CD5F816840AA144A047AF0D15AB2D7D42D9AA1B29113
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | 78EDD04C66DC863FBBE9B761535E34CB | 8AA7587AABAC7FC38D66648C39419621D6C9FB270809C1DA34EE186E398D932C
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | AA75469293EEBAF4D15179743B4F168E | DF73E0980FC226C581E7B2166AB7C3CDE6DF6101A545E3D94627F209C588B9D6
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 32171FBB9CCB6F54929139F07C60F4E6 | 85A3D887E96B7EAD1E4CCA3CD06B71EFF027E819E9D93CC77B7063C5B38CD3B5
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | B663A68A84CFEA0931FBC73A267329FC | 562A485D4E6ED68F173A15685057E03F0ECD966AE23048B1A56C62F866762F75
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | 2835757738B9394B2FD5407ABEEF2432 | 93D03DD21C63F910958ABC01254FA7E529689081D406C527A932ECF09556C198
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 449221E79ED251B45292742D675FEDE2 | 59DD14D0074397D6B7E8337FB46F509F1DFA8777D2F4F3655B27853DED1C5B4E
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable | 732CB68602E5F10889A8946ABB43A27C | 2BF9B35E1D645C086B0E4DD9F4E95309951ACE319C5EFD55E0C3DA6C0E4864B9
3580 | 4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | B4445D2F58422C2C57A6E685D5F9C02F | FB67E184F03FD9A7A2460A4561158E12BE39F52AB41C5F839A6A972F425F259E
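Every dropped file above sits under %LOCALAPPDATA%\VirtualStore, which is where UAC file virtualization redirects writes that a medium-integrity, unmanifested 32-bit process attempts against protected locations. That is what ties the three SUSPICIOUS indicators together: the VirtualStore\Program Files\Adobe\... entries are attempted writes into the Acrobat install directory (hence "names similar to system file names"), and VirtualStore\bootTel.dat.tmp is an attempted write to the system drive root. Added example, not part of the report: a triage script that undoes the redirection to recover the intended paths, flags root/protected-directory writes and files the sandbox typed as executable under non-executable names, and emits the SHA256 IOC list. ROWS is constructed from the table above; the assumption that the VirtualStore tree maps back to the C: drive is stated in the code.

```python
"""Triage of the report's 'Dropped files' rows: undo UAC file virtualization
and flag name/content mismatches.

Added example, not part of the ANY.RUN report. ROWS is constructed from the
table above (PID, process, path, the report's Type label, SHA256). Assumption:
the VirtualStore tree lives on the system drive, so a redirected path maps
back to that drive (VirtualStore\\Program Files\\... -> C:\\Program Files\\...,
VirtualStore\\bootTel.dat.tmp -> C:\\bootTel.dat.tmp)."""
import re
from collections import Counter

SAMPLE = "4d79d860f132e48c4cbe6a08ebec38abaea070f5529db1f75f7d9269b47ea331.exe"
VS = r"C:\Users\admin\AppData\Local\VirtualStore"
ACRO = VS + r"\Program Files\Adobe\Acrobat DC\Acrobat"
ROWS = [  # constructed from the Dropped files table in the report
    (3580, SAMPLE, ACRO + r"\A3DUtils.dll.tmp", "executable",
     "05EF7962129E6E22C2F8CD5F816840AA144A047AF0D15AB2D7D42D9AA1B29113"),
    (3580, SAMPLE, ACRO + r"\acrobat_sl.exe.tmp", "executable",
     "8AA7587AABAC7FC38D66648C39419621D6C9FB270809C1DA34EE186E398D932C"),
    (3580, SAMPLE, ACRO + r"\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp", "executable",
     "DF73E0980FC226C581E7B2166AB7C3CDE6DF6101A545E3D94627F209C588B9D6"),
    (3580, SAMPLE, VS + r"\bootTel.dat.tmp", "executable",
     "85A3D887E96B7EAD1E4CCA3CD06B71EFF027E819E9D93CC77B7063C5B38CD3B5"),
    (3580, SAMPLE, ACRO + r"\ACE.dll.tmp", "executable",
     "562A485D4E6ED68F173A15685057E03F0ECD966AE23048B1A56C62F866762F75"),
    (3580, SAMPLE, ACRO + r"\acrobat.tlb.tmp", "executable",
     "93D03DD21C63F910958ABC01254FA7E529689081D406C527A932ECF09556C198"),
    (3580, SAMPLE, ACRO + r"\AcrobatInfo.exe.tmp", "executable",
     "59DD14D0074397D6B7E8337FB46F509F1DFA8777D2F4F3655B27853DED1C5B4E"),
    (3580, SAMPLE, ACRO + r"\AcroCEF\cef_extensions.pak.tmp", "executable",
     "2BF9B35E1D645C086B0E4DD9F4E95309951ACE319C5EFD55E0C3DA6C0E4864B9"),
    (3580, SAMPLE, ACRO + r"\AcrobatRes.dll.tmp", "executable",
     "FB67E184F03FD9A7A2460A4561158E12BE39F52AB41C5F839A6A972F425F259E"),
]

# %LOCALAPPDATA%\VirtualStore\<path relative to the protected root>
VSTORE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$", re.I)
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".com"}
PROTECTED_ROOTS = {"program files", "program files (x86)", "windows"}


def devirtualize(path):
    """Map a VirtualStore path back to the location the process tried to write.
    UAC file virtualization redirects writes by medium-integrity legacy processes
    to protected system locations into the per-user VirtualStore. Returns
    (intended_path, was_redirected); the drive letter is assumed to be the
    system drive."""
    m = VSTORE.match(path)
    if not m:
        return path, False
    return f"{m.group('drive')}:\\{m.group('rest')}", True


def content_extension(filename):
    """Extension that names the intended content, ignoring a staging '.tmp'."""
    name = filename.lower()
    if name.endswith(".tmp"):
        name = name[:-4]
    dot = name.rfind(".")
    return name[dot:] if dot > 0 else ""


def classify(pid, process, path, ftype, sha256):
    target, redirected = devirtualize(path)
    parts = target.split("\\")
    flags = []
    if redirected:
        flags.append("uac_virtualized")
    if len(parts) == 2:                                  # e.g. C:\bootTel.dat.tmp
        flags.append("system_drive_root")
    elif len(parts) > 2 and parts[1].lower() in PROTECTED_ROOTS:
        flags.append("protected_directory")
    ext = content_extension(parts[-1])
    if ftype == "executable" and ext not in EXECUTABLE_EXTS:  # report says executable, name says otherwise
        flags.append(f"executable_with_{ext.lstrip('.') or 'no'}_extension")
    return {"pid": pid, "process": process, "intended_path": target,
            "sha256": sha256.lower(), "flags": flags}


def triage(rows):
    """Classify every row; return findings, flag counts and a deduplicated SHA256 IOC list."""
    findings = [classify(*row) for row in rows]
    counts = Counter(flag for f in findings for flag in f["flags"])
    iocs = sorted({f["sha256"] for f in findings})
    return findings, counts, iocs


if __name__ == "__main__":
    findings, counts, iocs = triage(ROWS)
    for f in findings:
        print(f"{f['intended_path']}\n    {', '.join(f['flags'])}")
    print("flag counts:", dict(counts))
    print("SHA256 IOCs:", len(iocs))
```

The extension check is deliberately keyed on the sandbox's own Type label rather than on file magic, since the dropped files are not available here; on a live image, replace that label with a magic check (for example the MZ test from the PE reader above) before trusting the flag. The report counts 510 executable files written, so the nine rows shown are a sample of the full set.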
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4084 | RUXIMICS.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4084 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
 | | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

None of the listed requests carries the sample's PID (3580). The GETs are CRL fetches by Windows update and telemetry processes; the two POSTs carry no PID in the report and target the Windows activation endpoint, consistent with the slui.exe activation-client process in the tree. The report therefore records no network activity attributable to the sample in this run.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4084 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4084 | RUXIMICS.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
4084 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
self.events.data.microsoft.com
  • 52.168.112.66
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info