File name:

01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449

Full analysis: https://app.any.run/tasks/e2fa3f5e-587a-4446-9301-ff3bafbd22d2
Verdict: Malicious activity
Analysis date: May 17, 2025, 12:04:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:

3DBBC2494937B717F82CC400635DAEA9

SHA1:

DB8CF1D126510156AE447D9D4F5934BB67FA7DFA

SHA256:

01090D06970B6C1C42CE3A721573B97221A3B8CCC31F7E1FE109362BD4606449

SSDEEP:

6144:aMHV4diuADvUrUNk6eA7SKdihI+SySLqF7Hbd8yDWLn:vHVMiXDvwUNUA7SKdiDvF7HJ8yD2n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
    • The process creates files with name similar to system file names

      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
    • Executable content was dropped or overwritten

      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
  • INFO

    • Creates files or folders in the user directory

      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
    • Checks supported languages

      • 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (PID: 7440)
    • Checks proxy server information

      • slui.exe (PID: 7888)
    • Reads the software policy settings

      • slui.exe (PID: 7888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (72.2)
.exe | Win32 Executable (generic) (11.7)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)
.exe | DOS Executable Generic (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 128
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes: start, 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe (#ZOMBIE), slui.exe

Process information

PID: 7440
CMD: "C:\Users\admin\Desktop\01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe"
Path: C:\Users\admin\Desktop\01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 7888
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 369
Read events: 3 369
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 325
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | | | |
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | 8AC4C79FF40AE5003738D485D435EC48 | 99373156E24A237EEA60C0438669785406FF147FD7FE542FC912C64A82A9767B
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | FD52CF01F8C1D9CB61A0A848B88BCF0E | 986E22EAFB3D90D0468CEA4B09FD1C5619F188113CB84BE7A4C330DC050481B2
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 06E9A6B4E0424B9056E00097978A6358 | 25BD21264AED40D9508D2691D3A4483FB11FD52AB30C7EBAE157D2CE517C3514
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | FCEFDCB87268A75447D360C2ABF62461 | 1468D9317D006D053D243B106DD91E4F52FA3D1BE0C63D08C5AD15F9C078032A
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | ED2D6E707C2BE387E04E7EBA7E8D3885 | 955343F9BC887A00FA469481159F7234D82ACD21BB8F42B9CB781EBE95EE445E
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | 20F9C5CDE109E9CE0632FFE273F30850 | 5521AE686CC7A3D23F1C9962A4C647C2D57E8B88A98733D08C7A3FB6CA4D925F
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 16F709652EF3A41033D82407344D2AFE | 0337FB43BA208AE98B1F45B6593D5A11AD72830D0AA80B8F4CE83A7D24B3A8BB
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | 0E8400D1925F769E8F0C969201C5CA38 | 288696EE2BF940D1E4B11F197F35A0DEBE855523E2B6AA6B0F6BA27BEFEC0D6D
7440 | 01090d06970b6c1c42ce3a721573b97221a3b8ccc31f7e1fe109362bd4606449.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | 78147A7C0458F89A8B056FA6263F24FD | EBD54402E819A686C9715043E7C8B2EC7523E0EDB85987EBB89DE970DA9D23B1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 20
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.48.23.141:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
2104 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4024 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 23.48.23.141:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7180 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7888 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 40.127.240.158 | whitelisted
google.com | 142.250.186.78 | whitelisted
crl.microsoft.com | 23.48.23.141, 23.48.23.169, 23.48.23.143, 23.48.23.147, 23.48.23.167, 23.48.23.164, 23.48.23.158, 23.48.23.176, 23.48.23.156 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info