File name: aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe
Full analysis: https://app.any.run/tasks/8bb92a1d-d302-491c-9e05-598cbb555eca
Verdict: Malicious activity
Analysis date: August 01, 2025, 05:42:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 1A49ECD700E5382DBEEACAE0855B68ED
SHA1: 7824D8C8B4F4AE68F0E6B92814CDE01923E57ED5
SHA256: AA72A88C03A4456767E2CF343CF025890EC2EC36AB1D23A02B5D54E06C320FDA
SSDEEP: 1536:QPlbc9F8xi59F8xiG+3+U3aWf5jsdeWB1:alOf5jsdeWB1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
  • SUSPICIOUS
    • Creates a file in the system drive root
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
    • Executable content was dropped or overwritten
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
    • The process creates files with names similar to system file names
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
  • INFO
    • Creates files or folders in the user directory
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
    • Checks supported languages
      • aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID: 512)
    • Checks proxy server information
      • slui.exe (PID: 2524)
    • Reads the software policy settings
      • slui.exe (PID: 2524)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
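The EXIF block above is a rendering of the COFF file header and the leading part of the PE32 optional header. The parser below, added to this report and not part of ANY.RUN or ExifTool, reads those same fields from raw bytes and decodes the characteristics bits into the strings shown above. build_sample_pe() is a constructed header that carries the values the report lists (i386, 5 sections, zero timestamp, characteristics 0x030F, entry point 0x2130, OS version 1, subsystem version 4, GUI subsystem); it is not the analysed file's bytes. The observations in triage_notes() are this editor's reading of what a zeroed TimeDateStamp and stripped relocation and debug data usually mean, not findings from the report.

```python
"""Decode the PE header fields that the EXIF section reports (added example)."""
import struct

# IMAGE_FILE_* characteristic bits, in the order ExifTool prints their names.
CHARACTERISTICS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0020, "Large address aware"),
    (0x0100, "32-bit"),
    (0x0200, "No debug"),
    (0x2000, "DLL"),
]
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data: bytes) -> dict:
    """Read the DOS e_lfanew pointer, the COFF header and the PE32 optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    # Optional header offsets 2..20: linker major/minor, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint.
    maj_link, min_link, code_sz, idata_sz, udata_sz, entry = \
        struct.unpack_from("<BBIIII", data, opt + 2)
    # Offsets 40..52: OS, image and subsystem major/minor versions; 68: Subsystem.
    maj_os, min_os, maj_img, min_img, maj_sub, min_sub = struct.unpack_from("<6H", data, opt + 40)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "characteristics": chars,
        "characteristics_text": ", ".join(name for bit, name in CHARACTERISTICS if chars & bit),
        "linker_version": f"{maj_link}.{min_link}",
        "code_size": code_sz,
        "initialized_data_size": idata_sz,
        "uninitialized_data_size": udata_sz,
        "entry_point": entry,
        "os_version": f"{maj_os}.{min_os}",
        "image_version": f"{maj_img}.{min_img}",
        "subsystem_version": f"{maj_sub}.{min_sub}",
        "subsystem": SUBSYSTEMS.get(subsystem, f"unknown ({subsystem})"),
    }


def triage_notes(hdr: dict) -> list:
    """Header-only observations worth writing down before dynamic analysis (editor's heuristics)."""
    notes = []
    if hdr["timestamp"] == 0:
        notes.append("TimeDateStamp is zero: build time blanked or header hand-crafted")
    if hdr["characteristics"] & 0x0001:
        notes.append("relocations stripped: image can only run at its preferred base")
    if hdr["characteristics"] & 0x0200:
        notes.append("debug information stripped")
    if hdr["linker_version"] == "0.0":
        notes.append("linker version 0.0: unusual for a stock toolchain")
    return notes


def build_sample_pe() -> bytes:
    """Constructed header mirroring the EXIF values above (not the real sample's bytes)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 5, 0, 0, 0, 0xE0, 0x030F)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, 0x2130)   # magic, linker, sizes, entry
    opt += struct.pack("<IIIII", 0x1000, 0x2000, 0x400000, 0x1000, 0x200)  # bases, alignments
    opt += struct.pack("<6H", 1, 0, 0, 0, 4, 0)                  # OS 1.0, image 0.0, subsystem 4.0
    opt += struct.pack("<IIII", 0, 0x6000, 0x400, 0)             # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)                              # Subsystem = Windows GUI, DllCharacteristics
    opt += b"\0" * (0xE0 - len(opt))
    return dos + coff + opt


if __name__ == "__main__":
    header = parse_pe_header(build_sample_pe())
    for key, value in header.items():
        print(f"{key}: {value}")
    print(triage_notes(header))
```

To run it against the actual file, pass the file's bytes: parse_pe_header(open(path, "rb").read()). A TimeStamp rendered as 0000:00:00 00:00:00 corresponds to a TimeDateStamp field of 0, which is what the constructed header uses.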
Total processes: 135
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (#ZOMBIE)
slui.exe (parent: svchost.exe)

Process information

PID | Command line | Path | Parent process
512 | "C:\Users\admin\Desktop\aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe" | C:\Users\admin\Desktop\aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Loaded modules (images): a 32-bit image running under WOW64 on the 64-bit guest, as the wow64*.dll and syswow64 entries show
c:\users\admin\desktop\aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2524 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Loaded modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Registry activity
Total events: 3 497
Read events: 3 497
Write events: 0
Delete events: 0
Modification events: No data

Files activity
Executable files: 1 829
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe (PID 512), and every one is typed "executable".

Filename | MD5 | SHA256
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | 9A0658FD131C409A8AA16DE37248FA51 | 0D3B282BC9B8A69BABF0C67FAFA525E211B33398A0E2659950292A7FA23364A5
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | FC24AF504CE01A6CED51B700E6F190EF | 7FA4E4CCB631E0C3CF5A26641AE7E721EBEDB62D84B810C99C675828A29F520D
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | 366CFBEF3FF3BBB40519112C3F4E390F | D7C0AA4028A877CE9F583785B1F01D4F6EDF185CB5E3BE5A6D460781679C26A7
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | 20CD3543B1C3FC75A5261E4116BFCC8B | ADAA4D6E62607676FC4F568332C5F274326C4805BB1C595D2B328E85CE40BBB4
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | D6DFBE8896E78AD91E705C01FFA57126 | 3980FCDC715881BD7F32687229CB1596990A9FD4442F83FCF0E22ED56C4C7401
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | 8C81B99811E54B1B485A150C777D050F | B4AE2F520C1CF181DEB213DD9088DF2931B5CFAD65CE3BE8ABE71E2DD286E94F
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | 8844ED94027C1AA41D6C9EB850B24B2C | FEAAD4315B354798CE612057B9543BDAE9ED45FA88D14881D7A244639FE70341
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | E26C195D989514AED03DF3BEA7931294 | D4D3ADFE4A03CC5B842C68013E304E9BD9C80D967260DA23D7F94BE92FAF396D
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | C83E2078A6F36FD16B4DF7E10EC818D1 | E557E247DE515D178D27CDF3F3AE6246475CA4F4136CC221FDDAA59C9AEC4758
HTTP(S) requests: 31
TCP/UDP connections: 46
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 13.85.23.206:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | - | - | unknown
1244 | SIHClient.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.159.73:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

None of the ten requests listed here is attributed to the sample (PID 512) or to slui.exe (PID 2524): the attributed rows belong to Windows update, servicing and telemetry components (MoUsoCoreWorker.exe, SIHClient.exe, RUXIMICS.exe, svchost.exe), and the three rows without a PID carry no process attribution in this excerpt. Treat them as guest background traffic unless the full PCAP shows otherwise; the 31 HTTP(S) requests counted above include rows not shown here.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5432 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5432 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

The two System (PID 4) rows are NetBIOS name-service and datagram broadcasts (UDP 137 and 138) to the sandbox subnet's broadcast address. As with the HTTP table, no listed connection is attributed to PID 512; the 46 TCP/UDP connections counted above include rows not shown here.

DNS requests

Domain | Resolved IPs | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
login.live.com | 20.190.159.64, 20.190.159.130, 20.190.159.0, 20.190.159.129, 20.190.159.68, 20.190.159.4, 20.190.159.73, 20.190.159.71 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 20.165.94.63 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
self.events.data.microsoft.com | 20.42.73.28 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected

Debug info

No debug info