File name: 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e

Full analysis: https://app.any.run/tasks/8c7d2879-c7d9-4260-88f0-0292136fd945
Verdict: Malicious activity
Analysis date: June 21, 2025, 06:51:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 5FFA8AE70B4B05FFF4F70BC106C5FADC
SHA1: E13A14D6D271EA55D6B644926C5FB6439A681F19
SHA256: 3262198D573DA712956DB6BF67FC205400C798F25C50BE03F6A77E9FB0470B0E
SSDEEP: 1536:UjVABc9F8xi59F8xi/LGLJdh+xDgDMc1+U4jB0HMSXDtCCbx0xw91H9Al:UaCLGL6c1+h+c

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by user actions and is provided as is, for the reader's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
  • SUSPICIOUS
    • Creates a file in the system drive root
      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
    • Executable content was dropped or overwritten
      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
    • The process creates files with names similar to system file names
      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
  • INFO
    • Checks supported languages
      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
    • Creates files or folders in the user directory
      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
    • Checks proxy server information
      • slui.exe (PID: 2144)
    • Reads the software policy settings
      • slui.exe (PID: 2144)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00 (PE compile timestamp is zeroed)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report.

Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe [#ZOMBIE]
slui.exe (separate branch; its parent is svchost.exe, see process information)

Process information

PID 1156
  CMD: "C:\Users\admin\Desktop\3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe"
  Path: C:\Users\admin\Desktop\3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe
  Indicators: #ZOMBIE
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\desktop\3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
  Note: the wow64*.dll modules and the SysWOW64 copies of ntdll/kernel32 confirm a 32-bit image running under WOW64 on the 64-bit guest, as the PE32 header indicates.

PID 2144
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll
  Note: slui.exe is a signed Windows component started by svchost.exe with the -Embedding switch used for COM activation; it is not a child of the sample, and its two INFO-level signatures (proxy check, software policy read) are ordinary activation-client behaviour.
Total events: 3 494
Read events: 3 494
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1 828
Suspicious files: 0
Text files: 0
Unknown types: 0

Of the 1 828 executable files written, only the rows below are listed on this page.

Dropped files

All rows were written by PID 1156 (3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe); every listed file is of type executable.

1. (filename and hashes not captured on this page)
   MD5: -
   SHA256: -
2. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp
   MD5: 8CF17E2A98CE4F61B972483A39F2042E
   SHA256: 95D18CA28776EA893BEE522C042F8BC7B6CB5211F49803E43B5854E6D5B63DB5
3. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp
   MD5: F10D30A15D44604A29E1217B36FE3A03
   SHA256: 078DF5B7A4D4656E7E34AC9A74305AF3E16DCC34AD234FA7513B3A9CA12F94F0
4. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp
   MD5: 0A44B1CAA6D016AF83945109A317A948
   SHA256: C82AC1949A15B89D8727091B8881F38B2C94A1CC2AFE9CFCEA275DB6974C385E
5. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp
   MD5: 3B72B90EB75B98D62DB3410C695E747C
   SHA256: 19D85F5122378829BE1C96FEDD089D7C256D6CDC1281F1B83606B58E50F18D53
6. C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp
   MD5: E03AC429A2B232FD338A5B55A6EBBDA1
   SHA256: 3BB3D4AF71B407D8F0B9407D1A28F4F2668003221B75DB50CF5C08984F91167F
7. C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe
   MD5: 4CFB7E8A97A64ED5D9E66C7CC30C0687
   SHA256: 552A122EC4EB69018CE16C23B58121704F03B28F10CA207E53FBFFE2A72A03BC
8. C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp
   MD5: 4DEC997A20D1BBED9432F07B6AEDC8C7
   SHA256: 828C17C6B58BDEA8BE8AD110D052BCC89F0F037A0834012819A7BB8208A9EE44
9. C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp
   MD5: 7981953A9173AECDD15AB074D4D31D54
   SHA256: 83B781E3E6F8E0287142DCD8F6657FE61ED73F76D7452EFE12A27B7E775B5EEE
10. C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp
   MD5: 4CFB7E8A97A64ED5D9E66C7CC30C0687
   SHA256: 552A122EC4EB69018CE16C23B58121704F03B28F10CA207E53FBFFE2A72A03BC

Reading the paths: the VirtualStore locations are where UAC file virtualization redirects writes that a medium-integrity, non-manifested 32-bit process aims at protected directories. PID 1156 runs at MEDIUM integrity under WOW64 (see process information), so the intended targets were C:\Program Files\Adobe\Acrobat DC\Acrobat\*, C:\bootmgr and C:\BOOTNXT; the writes only landed under the user's profile because of that redirection. The user's own Recycle Bin folder is writable, so desktop.ini.exe and desktop.ini.tmp were written there directly, and the two share one MD5/SHA256, consistent with a stage-as-.tmp-then-rename write. Together with the YARA hit on a file-infector family, the .tmp copies placed beside Acrobat's own executables are what a practitioner should treat as the primary artefacts when checking a real host.
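The dropped-file list above is the report's own data; the script below is an added example (not part of the ANY.RUN report) that triages such a list the way an incident responder would. It undoes the VirtualStore redirection to recover the path the sample actually tried to write, flags names that mimic boot and system files, executables staged under .tmp or behind data extensions, double extensions, and identical hashes under two names. The rows are copied from the table above and embedded as constructed input; the tag names, the SYSTEM_NAMES list and the PE extension set are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the dropped-file rows from the report above (all written
# by PID 1156), as (on-disk path, reported type, SHA256).
DROPPED = [
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp",
     "executable", "95D18CA28776EA893BEE522C042F8BC7B6CB5211F49803E43B5854E6D5B63DB5"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp",
     "executable", "078DF5B7A4D4656E7E34AC9A74305AF3E16DCC34AD234FA7513B3A9CA12F94F0"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp",
     "executable", "C82AC1949A15B89D8727091B8881F38B2C94A1CC2AFE9CFCEA275DB6974C385E"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp",
     "executable", "19D85F5122378829BE1C96FEDD089D7C256D6CDC1281F1B83606B58E50F18D53"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp",
     "executable", "3BB3D4AF71B407D8F0B9407D1A28F4F2668003221B75DB50CF5C08984F91167F"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe",
     "executable", "552A122EC4EB69018CE16C23B58121704F03B28F10CA207E53FBFFE2A72A03BC"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp",
     "executable", "828C17C6B58BDEA8BE8AD110D052BCC89F0F037A0834012819A7BB8208A9EE44"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp",
     "executable", "83B781E3E6F8E0287142DCD8F6657FE61ED73F76D7452EFE12A27B7E775B5EEE"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp",
     "executable", "552A122EC4EB69018CE16C23B58121704F03B28F10CA207E53FBFFE2A72A03BC"),
]

# UAC file virtualization redirects writes that a medium-integrity, non-manifested
# 32-bit process aims at protected locations into %LOCALAPPDATA%\VirtualStore\<rel>.
VIRTUALSTORE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.IGNORECASE)

# Assumed lists for this example: OS file names seen in the drop list, and
# extensions that legitimately hold PE images.
SYSTEM_NAMES = {"bootmgr", "bootnxt", "desktop.ini"}
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl", ".drv"}


def intended_target(path: str) -> str:
    """Map a VirtualStore path back to the location the process tried to write."""
    m = VIRTUALSTORE.match(path)
    if not m:
        return path
    return m.group("drive") + ":\\" + m.group("rest")


def classify(path: str, ftype: str):
    """Return (intended target, triage tags) for one dropped file."""
    target = intended_target(path)
    name = target.rsplit("\\", 1)[-1]
    stem = name[:-4] if name.lower().endswith(".tmp") else name  # staging name -> final name
    stem_ext = "." + stem.rsplit(".", 1)[-1].lower() if "." in stem else ""
    parts = stem.lower().split(".")
    tags = []
    if target != path:
        tags.append("virtualized-write")          # aimed at a protected directory
    if target.count("\\") == 1:
        tags.append("system-drive-root")          # e.g. C:\bootmgr.tmp
    if parts[0] in SYSTEM_NAMES or ".".join(parts[:2]) in SYSTEM_NAMES:
        tags.append("system-name-mimicry")        # bootmgr, BOOTNXT, desktop.ini*
    if ftype == "executable" and name.lower().endswith(".tmp"):
        tags.append("pe-staged-as-tmp")           # PE written under a .tmp name
    if ftype == "executable" and stem_ext and stem_ext not in PE_EXTENSIONS:
        tags.append("pe-over-data-extension")     # PE destined for .pdf/.tlb/.ini
    if len(parts) >= 3 and "." + parts[-1] in PE_EXTENSIONS and "." + parts[-2] not in PE_EXTENSIONS:
        tags.append("double-extension")           # desktop.ini.exe
    return target, tags


def triage(rows):
    """Classify every row and pair up identical content written under two names."""
    findings = {}
    by_hash = defaultdict(list)
    for path, ftype, sha256 in rows:
        findings[path] = classify(path, ftype)
        by_hash[sha256].append(path)
    duplicates = {h: ps for h, ps in by_hash.items() if len(ps) > 1}
    return findings, duplicates


def tag_counts(findings) -> dict:
    """Aggregate tag frequencies, handy for a one-line summary of a long drop list."""
    counts = defaultdict(int)
    for _, tags in findings.values():
        for t in tags:
            counts[t] += 1
    return dict(counts)


if __name__ == "__main__":
    found, dups = triage(DROPPED)
    for p, (target, tags) in found.items():
        print(f"{p}\n    -> {target}\n    {', '.join(tags) or '-'}")
    for h, paths in dups.items():
        print(f"same SHA256 {h[:12]}... under {len(paths)} names: {paths}")
    print(tag_counts(found))
```

On a real host the same logic applies to a file-creation event stream (Sysmon Event ID 11 or EDR telemetry) instead of a sandbox table: the recovered target path tells you which system or application binaries to check for modification, and a VirtualStore copy is evidence of intent even when the protected original was never touched.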
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3788 | RUXIMICS.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
3788 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

None of these requests is attributed to the sample (PID 1156). The CRL fetches come from Windows components (RUXIMICS.exe, MoUsoCoreWorker.exe), and the two activation POSTs, which the page lists without a PID, go to the Windows activation endpoint that matches slui.exe's role as the activation client. Treat the network section as sandbox background noise unless the full PCAP shows otherwise.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3788 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
3788 | RUXIMICS.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3788 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.55.104.172, 23.55.104.190 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.50.80.213 | whitelisted

Threats: No threats detected

Debug info: none