File name: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe

Full analysis: https://app.any.run/tasks/bb0c1398-e50f-4bdb-9b7b-cce890588f75
Verdict: Malicious activity
Analysis date: August 01, 2025, 03:22:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: D9D685A8A40FAF64ACEFFF9D0D616B9C
SHA1: B90325737AB56CD95FC801E0450F563C7685C37D
SHA256: D39297EA60C06F5BEDD3FD3881E0971EA78171E306AA9ADDE3B908C791DC0DA3
SSDEEP: 1536:QPlbc9F8xi59F8xi6iai20uqihRuqihsiRi7gfVkZf+Uq8tHJGh7PkWVV/:alcfVkgOHOAs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Executable content was dropped or overwritten

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • The process creates files with name similar to system file names

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
  • INFO

    • Creates files or folders in the user directory

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Checks supported languages

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Reads the software policy settings

      • slui.exe (PID: 4984)
    • Checks proxy server information

      • slui.exe (PID: 4984)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe slui.exe

Process information

PID: 4320
CMD: "C:\Users\admin\Desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe"
Path: C:\Users\admin\Desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
  • c:\users\admin\desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 4984
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
Total events: 3 496
Read events: 3 496
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 859
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by PID 4320 (d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe).

  • Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe
    Type: executable
    MD5: 182051C9B2168AAD1602424E8D2DF15E
    SHA256: FBEB9BFEC7A3AD829FE663EB18CF4D4FE9C5114646EF744B4EEA94194B98DB3E
  • Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp
    Type: executable
    MD5: A8A3E90A931B79392057295CB8157BA0
    SHA256: B6FB6A57F5D0037DA5BF344777A07A0DC84DF00AEA919280146C1AEF007CF4BD
  • Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp
    Type: executable
    MD5: CD6E4AAE59FE86AB177674FAD1480716
    SHA256: 85AEC203E503577B6B290CE4FB84EB869909A24674A791B0B8293B289C5BE6A1
  • Filename: C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp
    Type: executable
    MD5: 785328B45E804521C36D4E775ED88BD6
    SHA256: F49AACC5B5D5C3EC0CAE097BDBBDE45591F8F1CC895D35E14F2671BA77DB5859
  • Filename: C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp
    Type: executable
    MD5: 23DECEBFD0AFE256EC20FED4E983BF1D
    SHA256: 12A20C5D1A0E89D36FB310DC7DA756DFA315FBE2BAE71D20B493E174CF1F8AB8
  • Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp
    Type: executable
    MD5: FE4F16498C4B93955D71DDD09B450E49
    SHA256: 9A9496C37CFB663622A396C3CDDB977FDD65A4A8DEDF6DF11949987DAB0124A3
  • Filename: C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp
    Type: executable
    MD5: ED9E2D957AB05F3D1EC3D0D8D5D192A6
    SHA256: F1DE810AA414209E05FA0F17398156B556E5AC28EE0737A5C607DB01E848FE67
  • Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp
    Type: executable
    MD5: 1E76FDA92FC16D103BCD03737A8C9907
    SHA256: 062D06A562B25E3AFAB4E9E562747ADB62634FADD4C958AB65C316444D2A084E
  • Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp
    Type: executable
    MD5: EFCF4C7686700E810BF214D4D538F095
    SHA256: B49B079890702432FA7C6AEDBAAE01FBD1D695D9F1AEE217C98E705493685985
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5432 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5432 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.42
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.42.65.84
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info