File name: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Full analysis: https://app.any.run/tasks/bb0c1398-e50f-4bdb-9b7b-cce890588f75
Verdict: Malicious activity
Analysis date: August 01, 2025, 03:22:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: D9D685A8A40FAF64ACEFFF9D0D616B9C
SHA1: B90325737AB56CD95FC801E0450F563C7685C37D
SHA256: D39297EA60C06F5BEDD3FD3881E0971EA78171E306AA9ADDE3B908C791DC0DA3
SSDEEP: 1536:QPlbc9F8xi59F8xi6iai20uqihRuqihsiRi7gfVkZf+Uq8tHJGh7PkWVV/:alcfVkgOHOAs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
  • SUSPICIOUS

    • Creates file in the system drive root

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • The process creates files with name similar to system file names

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Executable content was dropped or overwritten

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
  • INFO

    • Checks supported languages

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Checks proxy server information

      • slui.exe (PID: 4984)
    • Creates files or folders in the user directory

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Reads the software policy settings

      • slui.exe (PID: 4984)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start | d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (#ZOMBIE) | slui.exe

Process information

PID: 4320
CMD: "C:\Users\admin\Desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe"
Path: C:\Users\admin\Desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 4984
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 496
Read events: 3 496
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 859
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were dropped by d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID 4320).

Filename | Type
- (filename not recorded) | -
  MD5: -
  SHA256: -
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 1E76FDA92FC16D103BCD03737A8C9907
  SHA256: 062D06A562B25E3AFAB4E9E562747ADB62634FADD4C958AB65C316444D2A084E
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: ED9E2D957AB05F3D1EC3D0D8D5D192A6
  SHA256: F1DE810AA414209E05FA0F17398156B556E5AC28EE0737A5C607DB01E848FE67
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
  MD5: 1DC1060A47337023AA8BED4035FC2081
  SHA256: DDA6A81E92BC506023FEEF1685C6543269229985E790E366B2A60DF322B1A5CA
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: A8A3E90A931B79392057295CB8157BA0
  SHA256: B6FB6A57F5D0037DA5BF344777A07A0DC84DF00AEA919280146C1AEF007CF4BD
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: CD6E4AAE59FE86AB177674FAD1480716
  SHA256: 85AEC203E503577B6B290CE4FB84EB869909A24674A791B0B8293B289C5BE6A1
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
  MD5: B1E4543382506AA8145ED996C8994264
  SHA256: 36D0EAA43851DF4657DA697F4848F18C3D0BC5C43FBBEE27B5EA071D3BAA08E9
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
  MD5: 73A4E75A1C05B0F43B2372497397E707
  SHA256: B01598703999BD5A1E4BE75EEEF0BCFB46A2A85634EE1AB649A0B2789F1E5C00
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: 307467D1F0C2C81756D71EB4B1D0F9A6
  SHA256: 73E51D6E57FB60C2CDF7825BF565CFAD27F631C593EA943B49546273BF3B196C
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmp | executable
  MD5: 6DEA8B0CA47F173685C0F8D81E098FD7
  SHA256: 4E75C6072BD72323D2A78B40AE8D9C47A7E249BB2BD5B2B9F50A2BF0CC910640
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5432 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5432 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.42, 23.216.77.6 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
self.events.data.microsoft.com | 20.42.65.84 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info