File name: aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe

Full analysis: https://app.any.run/tasks/8bb92a1d-d302-491c-9e05-598cbb555eca
Verdict: Malicious activity
Analysis date: August 01, 2025, 05:42:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 1A49ECD700E5382DBEEACAE0855B68ED
SHA1: 7824D8C8B4F4AE68F0E6B92814CDE01923E57ED5
SHA256: AA72A88C03A4456767E2CF343CF025890EC2EC36AB1D23A02B5D54E06C320FDA
SSDEEP: 1536:QPlbc9F8xi59F8xiG+3+U3aWf5jsdeWB1:alOf5jsdeWB1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
  • SUSPICIOUS
    • Creates file in the systems drive root
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
    • Executable content was dropped or overwritten
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
    • The process creates files with name similar to system file names
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
  • INFO
    • Checks supported languages
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
    • Creates files or folders in the user directory
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
    • Checks proxy server information
      • slui.exe (PID: 2524)
    • Reads the software policy settings
      • slui.exe (PID: 2524)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 135
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, #ZOMBIE aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe, slui.exe

Process information

PID: 512
CMD: "C:\Users\admin\Desktop\aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe"
Path: C:\Users\admin\Desktop\aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 2524
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Total events: 3 497
Read events: 3 497
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 829
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | - | -
  MD5: - | SHA256: -
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: C83E2078A6F36FD16B4DF7E10EC818D1 | SHA256: E557E247DE515D178D27CDF3F3AE6246475CA4F4136CC221FDDAA59C9AEC4758
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
  MD5: 02A4503EC4BD4AAC3182169D06AE6ACE | SHA256: 46889EADCBC46E9380FD4DF7909D4C25463392C89499FC6DEFE164808D53B9DE
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: E26C195D989514AED03DF3BEA7931294 | SHA256: D4D3ADFE4A03CC5B842C68013E304E9BD9C80D967260DA23D7F94BE92FAF396D
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: 12B6915B529261A9D79DCCD7D8F4380F | SHA256: 8FC701732009B4BAC88FA323240E8B4C5F2A0492EBC2AF84C236F3149533141A
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: CED32C6679C846DE2739A7ED721C6BEB | SHA256: 70AF4B21B41182D6B5EB47D8189A120147885C9861258D5A4F9DF00925999E99
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: 20CD3543B1C3FC75A5261E4116BFCC8B | SHA256: ADAA4D6E62607676FC4F568332C5F274326C4805BB1C595D2B328E85CE40BBB4
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: 12B6915B529261A9D79DCCD7D8F4380F | SHA256: 8FC701732009B4BAC88FA323240E8B4C5F2A0492EBC2AF84C236F3149533141A
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: FC24AF504CE01A6CED51B700E6F190EF | SHA256: 7FA4E4CCB631E0C3CF5A26641AE7E721EBEDB62D84B810C99C675828A29F520D
512 | aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: 79F3A57EA42912954DA10130949A2938 | SHA256: 415AB620B0160860DD8E1F3DA14CADF161A4F7621AA527F17EEDFCA7E884476E
HTTP(S) requests: 31
TCP/UDP connections: 46
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 20.190.159.130:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
- | - | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5432 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5432 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
login.live.com | 20.190.159.64, 20.190.159.130, 20.190.159.0, 20.190.159.129, 20.190.159.68, 20.190.159.4, 20.190.159.73, 20.190.159.71 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 20.165.94.63 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
self.events.data.microsoft.com | 20.42.73.28 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info