File name: f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe

Full analysis: https://app.any.run/tasks/20218459-f380-4177-8563-c38a6d64e3a8
Verdict: Malicious activity
Analysis date: August 01, 2025, 02:27:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 56D328452197EA4F3D892385984FCF8E
SHA1: 2EA88AF00D1BBBEC29A5BEABF7011B30D0D8FB6D
SHA256: F5C921693C36091D427FA78E0F99DB2253CEE07B7729693BA30DFFF292BDD9DA
SSDEEP: 1536:QPlbc9F8xi59F8xi6iai20uqihRuqihsiRih8p1L8p1vjVABc9F8xi59F8xi6iaG:al58jL8jvaT8jL8jo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe (PID: 5436)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe (PID: 5436)
    • Creates a file in the system drive root
      • f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe (PID: 5436)
    • The process creates files with names similar to system file names
      • f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe (PID: 5436)
  • INFO
    • Creates files or folders in the user directory
      • f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe (PID: 5436)
    • Checks supported languages
      • f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe (PID: 5436)
    • Checks proxy server information
      • slui.exe (PID: 6508)
    • Reads the software policy settings
      • slui.exe (PID: 6508)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No malware configuration was extracted.

TRiD (file type identification; the number in parentheses is the match percentage)

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Screenshots: all screenshots are available in the full report.
Total processes: 135
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report): start -> f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe (#ZOMBIE); slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
5436 | "C:\Users\admin\Desktop\f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe" | C:\Users\admin\Desktop\f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6508 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Registry activity
Total events: 3 518
Read events: 3 518
Write events: 0
Delete events: 0

Modification events: no data

File activity
Executable files: 1 803
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | (not recorded) | -
  MD5: - | SHA256: -
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: 3051785EBF170A8112BCD137DEAEB218 | SHA256: 9B8B1AE94CF2D058B9B264E98D5FB512AE2868403FA4F9C79EB887716B66D260
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: CB61BBD901865EF0324EA1ABB877DF89 | SHA256: 655BE46B3A9D3FE8AF06B6C146B0846E7393E67C007AA54A8AA41BE1AFD69B69
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: 11062B287FA914302957C7F34E312910 | SHA256: 98CF4E313BBB626BBEAEDDB0833F7EBD3C1C73D25940DCF247DFF38D47FFE4DA
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: 023075828C38372F95B1E1865001D949 | SHA256: 836202C8D84110D246766C6DE6A00F64E3E2CC8DF00B32AC94F53CDFA3141CEC
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: 11062B287FA914302957C7F34E312910 | SHA256: 98CF4E313BBB626BBEAEDDB0833F7EBD3C1C73D25940DCF247DFF38D47FFE4DA
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
  MD5: D886B6D0844C8AC726BE094D7B00C794 | SHA256: 5BCD9DC24498E3CDB05BEF8D62FBCD38CAC6CC06A595D053B10C4649CE2F0588
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: E99DC5D06129E4CC113CA576640A5076 | SHA256: 2758CC788EE5B330CD303AA3D483BDD170127B5BF47A1A4B8311301C42A14A2A
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: 13915F39524EC52A5B2C8FB20D91DA0C | SHA256: FCC57B84FDA830A9A59E2120EA225F20C84D0BCAF09F58EC9297B1C2A44DD798
5436 | f5c921693c36091d427fa78e0f99db2253cee07b7729693ba30dfff292bdd9da.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 63C5B214BDAE60635398A40071DC48ED | SHA256: 9982109E73291A729AFBC67447822C59AD109FA398A616B06176D1885BD749BA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 31
TCP/UDP connections: 42
DNS requests: 18
Threats: 0

HTTP requests (rows without a PID/process are requests the sandbox did not attribute to a monitored process)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
1268 | svchost.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
- | - | POST | 400 | 40.126.32.136:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.32.136:443 | https://login.live.com/RST2.srf | US | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 40.126.32.138:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 203 b | whitelisted
- | - | POST | 200 | 20.190.160.64:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | US | text | 16.7 Kb | whitelisted
2232 | RUXIMICS.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 814 b | whitelisted
- | - | POST | 200 | 20.190.160.20:443 | https://login.live.com/RST2.srf | US | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2232 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2232 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.3.109.244:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208, 4.231.128.59 | whitelisted
google.com | 142.250.185.142 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6, 23.32.238.107, 23.32.238.112 | whitelisted
www.microsoft.com | 23.3.109.244, 23.52.120.96 | whitelisted
login.live.com | 40.126.32.140, 20.190.160.4, 20.190.160.130, 20.190.160.17, 20.190.160.20, 40.126.32.133, 40.126.32.72, 20.190.160.131 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
slscr.update.microsoft.com | 20.165.94.63 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
self.events.data.microsoft.com | 20.189.173.3 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats: no threats detected
Debug info: none