File name: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe

Full analysis: https://app.any.run/tasks/bb0c1398-e50f-4bdb-9b7b-cce890588f75
Verdict: Malicious activity
Analysis date: August 01, 2025, 03:22:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: D9D685A8A40FAF64ACEFFF9D0D616B9C
SHA1: B90325737AB56CD95FC801E0450F563C7685C37D
SHA256: D39297EA60C06F5BEDD3FD3881E0971EA78171E306AA9ADDE3B908C791DC0DA3
SSDEEP: 1536:QPlbc9F8xi59F8xi6iai20uqihRuqihsiRi7gfVkZf+Uq8tHJGh7PkWVV/:alcfVkgOHOAs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Creates file in the systems drive root

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • The process creates files with name similar to system file names

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
  • INFO

    • Checks supported languages

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Creates files or folders in the user directory

      • d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (PID: 4320)
    • Reads the software policy settings

      • slui.exe (PID: 4984)
    • Checks proxy server information

      • slui.exe (PID: 4984)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report

Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes shown: start, d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe (tagged #ZOMBIE), slui.exe

Process information

PID: 4320
CMD: "C:\Users\admin\Desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe"
Path: C:\Users\admin\Desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 4984
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 496
Read events: 3 496
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 859
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: -
Type: -
MD5: -
SHA256: -

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp
Type: executable
MD5: 23DECEBFD0AFE256EC20FED4E983BF1D
SHA256: 12A20C5D1A0E89D36FB310DC7DA756DFA315FBE2BAE71D20B493E174CF1F8AB8

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp
Type: executable
MD5: 182051C9B2168AAD1602424E8D2DF15E
SHA256: FBEB9BFEC7A3AD829FE663EB18CF4D4FE9C5114646EF744B4EEA94194B98DB3E

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe
Type: executable
MD5: 182051C9B2168AAD1602424E8D2DF15E
SHA256: FBEB9BFEC7A3AD829FE663EB18CF4D4FE9C5114646EF744B4EEA94194B98DB3E

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp
Type: executable
MD5: 1E76FDA92FC16D103BCD03737A8C9907
SHA256: 062D06A562B25E3AFAB4E9E562747ADB62634FADD4C958AB65C316444D2A084E

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp
Type: executable
MD5: EFCF4C7686700E810BF214D4D538F095
SHA256: B49B079890702432FA7C6AEDBAAE01FBD1D695D9F1AEE217C98E705493685985

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp
Type: executable
MD5: 307467D1F0C2C81756D71EB4B1D0F9A6
SHA256: 73E51D6E57FB60C2CDF7825BF565CFAD27F631C593EA943B49546273BF3B196C

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp
Type: executable
MD5: A8A3E90A931B79392057295CB8157BA0
SHA256: B6FB6A57F5D0037DA5BF344777A07A0DC84DF00AEA919280146C1AEF007CF4BD

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp
Type: executable
MD5: 74F2A52385ACACC444960AE00E6F3019
SHA256: CF478056FC624E7EA170B8C4AA90B846D8AC6615C141ADBC9139BE5F2BEFD0F6

PID: 4320 | Process: d39297ea60c06f5bedd3fd3881e0971ea78171e306aa9adde3b908c791dc0da3.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp
Type: executable
MD5: CD6E4AAE59FE86AB177674FAD1480716
SHA256: 85AEC203E503577B6B290CE4FB84EB869909A24674A791B0B8293B289C5BE6A1
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
5432 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5432 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5432 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.42, 23.216.77.6 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
self.events.data.microsoft.com | 20.42.65.84 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info