File name:

d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e

Full analysis: https://app.any.run/tasks/49635e82-9e02-4003-9e67-d83650b12b01
Verdict: Malicious activity
Analysis date: May 18, 2025, 06:02:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:

3875F2DAD054C9D96D0F246222CC4743

SHA1:

7D265830C5D0466F171E120D4286E12A5F8FA1BD

SHA256:

D7E364AC7DAEBC522FAF89AE760A683BFC302DADB59728147B38898C1CE3B33E

SSDEEP:

768:Q1Iqlwebhbur9F8xi59F8xiCnRznRjAixCix+:QPlbc9F8xi59F8xiCnRznRMixCix+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)

    • Executable content was dropped or overwritten

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)

    • The process creates files with name similar to system file names

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)

  • INFO

    • Creates files or folders in the user directory

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)

    • Checks supported languages

      • d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe (PID: 5728)

    • Reads the software policy settings

      • slui.exe (PID: 6456)

    • Checks proxy server information

      • slui.exe (PID: 6456)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
122
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
5728"C:\Users\admin\Desktop\d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe" C:\Users\admin\Desktop\d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6456C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 369
Read events
3 369
Write events
0
Delete events
0

Modification events

No data
Executable files
1 900
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exe
MD5:
SHA256:
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:B12AC722AD3DAB812734829C9D31F12D
SHA256:05C6A9A53E3D5504862E7AC167822F8B123DCB93DEE01E59258397645DB805AD
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:70A318A88BB35BB6BDB5A3CF52121E6E
SHA256:33B61B1F75C7BE657C9B23E4AC2C8A293600134AD7CBBB1EC7F0E870CD48601C
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:60E73A06A8B9F1E735243742DFF4F8A0
SHA256:D3D87F56B5907863511AB99F5556BCEFF8DC4922B06924BE0D5F88336EEAF853
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:84B455CFCDD9C968B8AB4C0AB7844E15
SHA256:00798D9F831716841BA4EB8BE22F2C213B1572D98392D1713B91ED4C112CD5C8
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:0EF54C13C4CD01673ACF5D9ADE6D4C10
SHA256:A36C6B835B0D014C200D89E44F6FD43EC1143E75BFCBC1470892D3C8647A823E
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:60E73A06A8B9F1E735243742DFF4F8A0
SHA256:D3D87F56B5907863511AB99F5556BCEFF8DC4922B06924BE0D5F88336EEAF853
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmpexecutable
MD5:4C1EAE897493367C975499613651920E
SHA256:F3945644A5F7E6F0FC7441517DB0D51EB6293FDC997B9BF2527947B1E3D083F3
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:8992498090C1307A9064F2C35BE1B9AF
SHA256:56F15F156CFFCA986908086B0DEE970A1CBE17517EAB14E8ACA1276885CE19DF
5728d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmpexecutable
MD5:CB4BF4ED0504B15170359846B8EB948F
SHA256:640A68DE3429D0041B17350E5276FF05486076EE289E7DF7FEEC71A1A1127B48
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
21
DNS requests
4
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
6640
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6456
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
d7e364ac7daebc522faf89ae760a683bfc302dadb59728147b38898c1ce3b33e