File name: 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449

Full analysis: https://app.any.run/tasks/e2fa3f5e-587a-4446-9301-ff3bafbd22d2
Verdict: Malicious activity
Analysis date: May 17, 2025, 12:04:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 3DBBC2494937B717F82CC400635DAEA9
SHA1: DB8CF1D126510156AE447D9D4F5934BB67FA7DFA
SHA256: 01090D06970B6C1C42CE3A721573B97221A3B8CCC31F7E1FE109362BD4606449
SSDEEP: 6144:aMHV4diuADvUrUNk6eA7SKdihI+SySLqF7Hbd8yDWLn:vHVMiXDvwUNUA7SKdiDvF7HJ8yD2n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
  • SUSPICIOUS
    • Creates file in the system drive root
      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
    • The process creates files with names similar to system file names
      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
    • Executable content was dropped or overwritten
      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
  • INFO
    • Reads the software policy settings
      • slui.exe (PID: 7888)
    • Creates files or folders in the user directory
      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
    • Checks proxy server information
      • slui.exe (PID: 7888)
    • Checks supported languages
      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (72.2)
.exe | Win32 Executable (generic) (11.7)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)
.exe | DOS Executable Generic (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe slui.exe

Process information

PID: 7440
CMD: "C:\Users\admin\Desktop\01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe"
Path: C:\Users\admin\Desktop\01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
  c:\users\admin\desktop\01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 7888
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Total events: 3 369
Read events: 3 369
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 325
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | | 
  MD5:
  SHA256:
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: 16F709652EF3A41033D82407344D2AFE
  SHA256: 0337FB43BA208AE98B1F45B6593D5A11AD72830D0AA80B8F4CE83A7D24B3A8BB
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
  MD5: FCEFDCB87268A75447D360C2ABF62461
  SHA256: 1468D9317D006D053D243B106DD91E4F52FA3D1BE0C63D08C5AD15F9C078032A
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: FD52CF01F8C1D9CB61A0A848B88BCF0E
  SHA256: 986E22EAFB3D90D0468CEA4B09FD1C5619F188113CB84BE7A4C330DC050481B2
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: 72B5F4FF814D65B02ACD37E1F0FD56F9
  SHA256: 6A9BD7AF1752CA478AF93124B954D85FA1162906A5A1350ABF5D76749FEDCD9E
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: 01EF4072F08BFDB2229925CEA1827977
  SHA256: 9DE64668EF881059E2A4E2FCAD68BDF952FF811B84FE299E089DE4FB421D7F2E
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
  MD5: 266C64E21DDCB4EF7EEA6AC6643E0B18
  SHA256: 37E16FBF481772B204E734083CDD45EE369E94FE123155CB3F3225BC908C9EFA
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp | executable
  MD5: DFFA5F4E42C477E1BA2876D37DE25BA6
  SHA256: C5153E7D26AD2557C2D451A92DE372F1D270779D342B50F9A02BF6D38263A088
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmp | executable
  MD5: 37B176C9A06CF69F92906C2625BB202A
  SHA256: BC260D0D7D9B5075DBFBB955ACDDD414D532A8E0BF99DE0765A97ECB66CCEA57
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable
  MD5: C7BD88C40A2861B550C7E5867AF88DC8
  SHA256: EF2401E98CBF4F77FA04FD1747CC14D5D28DE3111C0876C170D7C71868D0AF36
HTTP(S) requests: 2
TCP/UDP connections: 20
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2104 | svchost.exe | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4024 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | whitelisted
4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7180 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7888 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.186.78 | whitelisted
crl.microsoft.com | 23.48.23.141, 23.48.23.169, 23.48.23.143, 23.48.23.147, 23.48.23.167, 23.48.23.164, 23.48.23.158, 23.48.23.176, 23.48.23.156 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info