File name: 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e

Full analysis: https://app.any.run/tasks/8c7d2879-c7d9-4260-88f0-0292136fd945
Verdict: Malicious activity
Analysis date: June 21, 2025, 06:51:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 5FFA8AE70B4B05FFF4F70BC106C5FADC
SHA1: E13A14D6D271EA55D6B644926C5FB6439A681F19
SHA256: 3262198D573DA712956DB6BF67FC205400C798F25C50BE03F6A77E9FB0470B0E
SSDEEP: 1536:UjVABc9F8xi59F8xi/LGLJdh+xDgDMc1+U4jB0HMSXDtCCbx0xw91H9Al:UaCLGL6c1+h+c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
    • The process creates files with name similar to system file names

      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
    • Creates file in the systems drive root

      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
  • INFO

    • Checks supported languages

      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
    • Creates files or folders in the user directory

      • 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe (PID: 1156)
    • Reads the software policy settings

      • slui.exe (PID: 2144)
    • Checks proxy server information

      • slui.exe (PID: 2144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start; #ZOMBIE 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe; slui.exe

Process information

PID: 1156
CMD: "C:\Users\admin\Desktop\3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe"
Path: C:\Users\admin\Desktop\3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2144
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 494
Read events: 3 494
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 828
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | (blank in report) | (blank in report)
MD5:
SHA256:

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
MD5: E86DD4BD3EDBC33E163F86776D0380BB
SHA256: 00FD5B3044BA36E3AC3AAB400172BF7700B0976D3BB94978FC7434C887D93E0B

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
MD5: ED37D45CB4C439C38ED342C120D421B5
SHA256: 17D0EBB7776E31597DDACF5127A396C475CC0071644395C4CBE2589453C4DAE0

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
MD5: 3B72B90EB75B98D62DB3410C695E747C
SHA256: 19D85F5122378829BE1C96FEDD089D7C256D6CDC1281F1B83606B58E50F18D53

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
MD5: 4CFB7E8A97A64ED5D9E66C7CC30C0687
SHA256: 552A122EC4EB69018CE16C23B58121704F03B28F10CA207E53FBFFE2A72A03BC

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
MD5: ED7744CE89E302736C59D524BE442764
SHA256: 1E81027544872E30553772E06954FA5ADB58E7B66F82DC4D8A6D3B914480A033

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: 4DEC997A20D1BBED9432F07B6AEDC8C7
SHA256: 828C17C6B58BDEA8BE8AD110D052BCC89F0F037A0834012819A7BB8208A9EE44

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
MD5: 8CF17E2A98CE4F61B972483A39F2042E
SHA256: 95D18CA28776EA893BEE522C042F8BC7B6CB5211F49803E43B5854E6D5B63DB5

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
MD5: 0E910EF69699200692671019DF4FC96A
SHA256: 757D0DBDEE14A733520BB9C73FB469E5FD18CC4CEAE370362DA3516EF0EE58F8

1156 | 3262198d573da712956db6bf67fc205400c798f25c50be03f6a77e9fb0470b0e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
MD5: B65773AE5BAE680A0F42509A1C8C0FB3
SHA256: 7C27B68B97FB0841226E40C6412755937E41ABF19F145E406E10C078EE9AADBC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
3788 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
(PID/process not listed) | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
3788 | RUXIMICS.exe | GET | 200 | 23.55.104.172:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
(PID/process not listed) | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3788 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(PID/process not listed) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
3788 | RUXIMICS.exe | 23.55.104.172:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
3788 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.55.104.172, 23.55.104.190 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 20.50.80.213 | whitelisted

Threats

No threats detected
No debug info