File name: b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa

Full analysis: https://app.any.run/tasks/9b51d5e8-5945-4a83-9d4a-194d5db1f234
Verdict: Malicious activity
Analysis date: July 06, 2025, 00:27:36
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 1335F7F7BF8EB424682B8DEE9A6A22BD
SHA1: 3808BFD9EF08F5CA2657D9E23FCB3FFCC1B388A4
SHA256: B319F24BA5DDE17C34AFC95CAA85F1747443D961F52A38073758CAC5383CDEFA
SSDEEP: 98304:UyDziLsM+e9fXXTEgCeSIwEu2HJIS/UnsFPpxFE4xLmElKB0r5W6:qHW6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe (PID: 3652)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe (PID: 3652)
    • The process creates files with name similar to system file names

      • b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe (PID: 3652)
    • Executable content was dropped or overwritten

      • b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe (PID: 3652)
  • INFO

    • Checks supported languages

      • b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe (PID: 3652)
    • Creates files or folders in the user directory

      • b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe (PID: 3652)
    • Checks proxy server information

      • slui.exe (PID: 2668)
    • Reads the software policy settings

      • slui.exe (PID: 2668)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe slui.exe

Process information

PID: 2668
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll

PID: 3652
CMD: "C:\Users\admin\Desktop\b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe"
Path: C:\Users\admin\Desktop\b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Total events: 3 477
Read events: 3 477
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 600
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were dropped by PID 3652 (b319f24ba5dde17c34afc95caa85f1747443d961f52a38073758cac5383cdefa.exe).

Filename | Type | MD5 | SHA256
- | - | - | -
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | C43D2956B254E764BED435FA69BDEABC | FB12023DC2A78D38C9A46092A90AF7751B1085FC9B7D3B31745DCF035F70F5C1
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | C48112EDF9223CDBAC0CDDD8CCD48E0D | FDA8C1BBE0FCD129764A23DEBF6BEEE10A4A20E76615505BCAD019893669D66D
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | FD7AF8E3188DD3C903352B72D9E68B9B | C02805E9288B9B27AD7F241AE3CB193016ED4F6B69C98C00D028DE487808DB1E
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | C43D2956B254E764BED435FA69BDEABC | FB12023DC2A78D38C9A46092A90AF7751B1085FC9B7D3B31745DCF035F70F5C1
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | 14B9F3D980CD89DD1590F7DDEB41F8D4 | 6715A4E8A5D0D9F2836E0FACF118CC176EFBA2F5CD280ABAD2C23A1828DCCB5D
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | AFA7D717BBDD3226F17CAAE465B6C1E9 | 6EF4AB62BEBDA4E7E1E3CD6C35555905140B5F77529483345AB2F7372A65A496
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | CC4EBEAC170ECD783DECBF6A08D2AF32 | 7A636A7E4E701BA5AEE4038DA5ADF192774F5E45B8C784E447A3221CFE07DCA1
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | 53662E6AB2DB119502FF3EC800EE0B48 | F781A9A9C674620FAF578D7B884730478CAFDC3D686233BAA9E092CD4743F1AF
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | A79BA2367590557374C0E21C0F2EC816 | F5EE5DFD50ED2F0D2F7497603D798205ED5582550B1A023A14F66D93550D0EE5
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3572 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3572 | RUXIMICS.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3572 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3572 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 2.23.181.156 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.189.173.5 | whitelisted

Threats

No threats detected
No debug info