File name: d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e

Full analysis: https://app.any.run/tasks/49635e82-9e02-4003-9e67-d83650b12b01
Verdict: Malicious activity
Analysis date: May 18, 2025, 06:02:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 3875F2DAD054C9D96D0F246222CC4743
SHA1: 7D265830C5D0466F171E120D4286E12A5F8FA1BD
SHA256: D7E364AC7DAEBC522FAF89AE760A683BFC302DADB59728147B38898C1CE3B33E
SSDEEP: 768:Q1Iqlwebhbur9F8xi59F8xiCnRznRjAixCix+:QPlbc9F8xi59F8xiCnRznRMixCix+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)
    • Executable content was dropped or overwritten

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)
    • The process creates files with name similar to system file names

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)
  • INFO

    • Creates files or folders in the user directory

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)
    • Checks supported languages

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)
    • Reads the software policy settings

      • slui.exe (PID: 6456)
    • Checks proxy server information

      • slui.exe (PID: 6456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 122
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe slui.exe

Process information

PID | CMD | Path | Indicators | Parent process

5728 | "C:\Users\admin\Desktop\d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe" | C:\Users\admin\Desktop\d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6456 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 369
Read events: 3 369
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 900
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | |
MD5:
SHA256:

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
MD5: 3D24FFA3F38DCA046B7D2003393C6187
SHA256: 82CEC42AE9AB03FEB84B29941D4D91B778E16690E2307F9E090381D3E4AA5239

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
MD5: 70A318A88BB35BB6BDB5A3CF52121E6E
SHA256: 33B61B1F75C7BE657C9B23E4AC2C8A293600134AD7CBBB1EC7F0E870CD48601C

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
MD5: 60E73A06A8B9F1E735243742DFF4F8A0
SHA256: D3D87F56B5907863511AB99F5556BCEFF8DC4922B06924BE0D5F88336EEAF853

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: 0EF54C13C4CD01673ACF5D9ADE6D4C10
SHA256: A36C6B835B0D014C200D89E44F6FD43EC1143E75BFCBC1470892D3C8647A823E

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
MD5: E48ED7E5FFFB4B1D4E34BE8DFF4788F2
SHA256: 643452A27753172CB73DB3EF0E4BA3C771B6442C21BA56FCBE8B04B2C53D2D10

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
MD5: A66207C017C3F5346F5AFDBB326D94A5
SHA256: DCC459F5B8F66839CD19AF412471C3560C80C34AD16692995128BAC20AE31325

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
MD5: 8AF1D1DFEF86B6ED2608FF002A641635
SHA256: AA323839A813E8FF337F8605F3F71117A4578ACF657365FF8D265466FCB07DE8

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
MD5: E7E99AA84947FABDBE89C48AAC7E7EFA
SHA256: FE7F212D70A098599E702BC9EFABF53750D60FAC0AB4A1CF46DF32CE695BE0F6

5728 | d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
MD5: F7EAF8A37710DE4327E083A155B5FB01
SHA256: A8EEF104C1AE13DA154666D9AA5E5B2E9F9F9447711ED8A93B80EEB6CF02873C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 21
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
| | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6640 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6456 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 216.58.206.46 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info