File name: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe

Full analysis: https://app.any.run/tasks/bb0c1398-e50f-4bdb-9b7b-cce890588f75
Verdict: Malicious activity
Analysis date: August 01, 2025, 03:22:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: D9D685A8A40FAF64ACEFFF9D0D616B9C
SHA1: B90325737AB56CD95FC801E0450F563C7685C37D
SHA256: D39297EA60C06F5BEDD3FD3881E0971EA78171E306AA9ADDE3B908C791DC0DA3
SSDEEP: 1536:QPlbc9F8xi59F8xi6iai20uqihRuqihsiRi7gfVkZf+Uq8tHJGh7PkWVV/:alcfVkgOHOAs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
  • SUSPICIOUS
    • Creates a file in the system drive root
      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Creates files with names similar to system file names
      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Executable content was dropped or overwritten
      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
  • INFO
    • Creates files or folders in the user directory
      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Checks supported languages
      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Checks proxy server information
      • slui.exe (PID: 4984)
    • Reads the software policy settings
      • slui.exe (PID: 4984)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

Extension | Description | Match (%)
.exe | Win32 Executable (generic) | 42.4
.exe | Win16/32 Executable Delphi generic | 19.5
.exe | Generic Win/DOS Executable | 18.8
.exe | DOS Executable Generic | 18.8
.vxd | VXD Driver | 0.2

EXIF

EXE
MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00 (the PE TimeDateStamp field is zero, so the build time cannot be read from the header)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe [#ZOMBIE]; slui.exe (parent: svchost.exe)

Process information

PID: 4320
CMD: "C:\Users\admin\Desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe"
Path: C:\Users\admin\Desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Indicators: ZOMBIE (YARA)
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll
Note: the wow64*.dll and syswow64 images show a 32-bit process running under WoW64 at medium integrity. That is the condition under which UAC file virtualization silently redirects writes to protected paths into the user's VirtualStore, which is what the Dropped files section below shows.

PID: 4984
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Note: slui.exe was started by svchost.exe via COM activation (-Embedding), not by PID 4320; its only recorded indicators (proxy lookup, software policy read) are the normal behaviour of the Windows Activation Client.
Total events: 3,496
Read events: 3,496
Write events: 0
Delete events: 0

Modification events

No data

Dropped files by type
Executable files: 1,859
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

Only a subset of the 1,859 executable-file writes counted above is listed. All entries belong to PID 4320 (d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe).

PID | Process | Filename | Type
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | - | -
  MD5: - | SHA256: -
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: 23DECEBFD0AFE256EC20FED4E983BF1D | SHA256: 12A20C5D1A0E89D36FB310DC7DA756DFA315FBE2BAE71D20B493E174CF1F8AB8
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: ED9E2D957AB05F3D1EC3D0D8D5D192A6 | SHA256: F1DE810AA414209E05FA0F17398156B556E5AC28EE0737A5C607DB01E848FE67
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: 182051C9B2168AAD1602424E8D2DF15E | SHA256: FBEB9BFEC7A3AD829FE663EB18CF4D4FE9C5114646EF744B4EEA94194B98DB3E
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: 785328B45E804521C36D4E775ED88BD6 | SHA256: F49AACC5B5D5C3EC0CAE097BDBBDE45591F8F1CC895D35E14F2671BA77DB5859
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: 74F2A52385ACACC444960AE00E6F3019 | SHA256: CF478056FC624E7EA170B8C4AA90B846D8AC6615C141ADBC9139BE5F2BEFD0F6
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: A8A3E90A931B79392057295CB8157BA0 | SHA256: B6FB6A57F5D0037DA5BF344777A07A0DC84DF00AEA919280146C1AEF007CF4BD
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
  MD5: D9BA5F5EED265A0C63CC418E4CFE46F3 | SHA256: 472579466257620B34022A72AEE95613BF3859B78DA69C4C316D13FE49872725
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
  MD5: 1DC1060A47337023AA8BED4035FC2081 | SHA256: DDA6A81E92BC506023FEEF1685C6543269229985E790E366B2A60DF322B1A5CA
4320 | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
  MD5: B1E4543382506AA8145ED996C8994264 | SHA256: 36D0EAA43851DF4657DA697F4848F18C3D0BC5C43FBBEE27B5EA071D3BAA08E9

Reading the paths: the VirtualStore entries are the result of UAC file virtualization. A 32-bit, medium-integrity process without a UAC manifest that writes into Program Files or, as here, the root of the system drive has the write redirected under %LOCALAPPDATA%\VirtualStore. The targets the process actually addressed were therefore C:\bootTel.dat, C:\BOOTNXT, C:\bootmgr and the Acrobat files under C:\Program Files\Adobe\Acrobat DC\Acrobat, which accounts for the "system drive root", "names similar to system file names" and "executable content dropped or overwritten" indicators; note that even cef.pak, a resource file, was written with executable content. The $Recycle.Bin\<SID>\desktop.ini.exe write is not virtualized, because the per-user recycle bin folder is writable by that user, and it is the one entry with a disguised double extension.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 9
Threats: 0

None of the HTTP requests below is attributed to the sample (PID 4320): the PIDs listed belong to Windows update components (MoUsoCoreWorker.exe, RUXIMICS.exe) and svchost.exe, the two activation POSTs carry no PID, and every destination is a Microsoft CRL, telemetry or activation endpoint marked whitelisted.

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5432 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5432 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.42, 23.216.77.6 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
self.events.data.microsoft.com | 20.42.65.84 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected

Debug info: none