File name: 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70

Full analysis: https://app.any.run/tasks/f6334187-80c5-4b68-9a38-03a83367aacf
Verdict: Malicious activity
Analysis date: June 21, 2025, 06:55:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 11B633C4BCA6ACE61D640B62D27DC8E5
SHA1: FAE4BE6F9983BBA150013EA3CD3809243BB67922
SHA256: 3B14E4CA6081A225E3F97D9CC5DDC08CCEB64DF82590EC2DE6DC6782F9E0CC70
SSDEEP: 768:Q1Iqlwebhbur9F8xi59F8xin+vTGsSSyL2sQt1q1gIWh0ovvRF6Cph1P7hnV:QPlbc9F8xi59F8xin+visSfitRBZIEZz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe (PID: 6536)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe (PID: 6536)
    • The process creates files with name similar to system file names

      • 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe (PID: 6536)
    • Executable content was dropped or overwritten

      • 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe (PID: 6536)
  • INFO

    • Checks supported languages

      • 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe (PID: 6536)
    • Creates files or folders in the user directory

      • 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe (PID: 6536)
    • Checks proxy server information

      • slui.exe (PID: 3636)
    • Reads the software policy settings

      • slui.exe (PID: 3636)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (72.2)
.exe | Win32 Executable (generic) (11.7)
.exe | Win16/32 Executable Delphi generic (5.4)
.exe | Generic Win/DOS Executable (5.2)
.exe | DOS Executable Generic (5.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe slui.exe

Process information

PID 3636 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 6536 | CMD: "C:\Users\admin\Desktop\3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe" | Path: C:\Users\admin\Desktop\3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe | Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\desktop\3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\msvcrt.dll
Total events: 3 493
Read events: 3 493
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1 942
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe (row with no filename, type or hash values present)
  MD5:
  SHA256:

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp
  Type: executable
  MD5: 6D185A3FA83659158109845A6EEF638C
  SHA256: B129BEE23D1BADD71B976D369A85090E91C2406E692A7F82036018B903ECA2AB

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
  Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe
  Type: executable
  MD5: C098A0DBAB3DF2435938089934927C01
  SHA256: 3590791E30EFE657ABCFB01B20C1A8B2C78C5F0F6EEAE462FB15440D964AFA00

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp
  Type: executable
  MD5: FBC73D43A72E64A2F52DFA731EC8D7E0
  SHA256: CC27FB25D00D19F6C1DCF1518C54E917579B437E5D6958B52723F026AC950416

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp
  Type: executable
  MD5: 620EB9A0D261169228A642B33B66B34A
  SHA256: 39094C7EF2293FAF1EB0880DBBD1E1DBD9925A38207FAD576639E575B79130A3

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp
  Type: executable
  MD5: 2F5B9A152D1DD758B5E5CA00CFAD56C3
  SHA256: 1AE0756CAA5859DE6421FE24135277BA2B6C11DA686C0AA08CF25DC3E7AE99EE

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp
  Type: executable
  MD5: FBE3EF453080B06CF3B952067CD7E628
  SHA256: 0ECE73B3F94E95586CF334708420373808B479DCF5B022A9211B8E5A2C709943

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp
  Type: executable
  MD5: FC3BDB202CFBFF09E61F6FEF9A3A03BD
  SHA256: 1D1E95D991FF8559E10FF4EBA34324B4DC5E950B788B25132D19250572E970EE

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp
  Type: executable
  MD5: 90F971BD12ABA6B416A78AFB494EB13C
  SHA256: 03CC218EE759A296F42C8E13EED21923ADF23C7F82AA4CD70B772FD16DCE529F

PID 6536 | 3b14e4ca6081a225e3f97d9cc5ddc08cceb64df82590ec2de6dc6782f9e0cc70.exe
  Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp
  Type: executable
  MD5: C098A0DBAB3DF2435938089934927C01
  SHA256: 3590791E30EFE657ABCFB01B20C1A8B2C78C5F0F6EEAE462FB15440D964AFA00
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 20
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
6672 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6672 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6672 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.42.65.93
whitelisted

Threats

No threats detected
No debug info