File name: 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463

Full analysis: https://app.any.run/tasks/65ba383b-cd0b-4575-b8a0-c3fcebad0b27
Verdict: Malicious activity
Analysis date: June 21, 2025, 05:25:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 9B083871381FCAB6E12AA874543861CB
SHA1: CFDAB3BC15947241258A477F495C2B03DE841176
SHA256: 4ECA30DE600565B888D05CA7876E18958D3E7DDFA11973BC8ACBBD21B744D463
SSDEEP: 393216:UMdn+RiWgRVbSappedaLv/dTKGZy7F64jreBkWX19tL/hy9n7D8vTYQVSWe8i4K0:n5+RiWgRVbSappedaLv/dTKGZy7F64j2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
    • The process executes via Task Scheduler

      • updater.exe (PID: 3584)
    • Executable content was dropped or overwritten

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
    • Application launched itself

      • updater.exe (PID: 3584)
    • The process creates files with name similar to system file names

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
  • INFO

    • Checks supported languages

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
      • updater.exe (PID: 3584)
      • updater.exe (PID: 1096)
    • Reads the computer name

      • updater.exe (PID: 3584)
    • Creates files or folders in the user directory

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 3584)
    • Reads the software policy settings

      • slui.exe (PID: 2980)
    • Checks proxy server information

      • slui.exe (PID: 2980)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 135
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes shown in the graph: start, 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (#ZOMBIE), updater.exe (no specs), updater.exe (no specs), slui.exe

Process information

PID: 1096
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
  c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll
PID: 2980
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
PID: 3584
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
  c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\advapi32.dll
  c:\windows\syswow64\msvcrt.dll
PID: 3640
CMD: "C:\Users\admin\Desktop\4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe"
Path: C:\Users\admin\Desktop\4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\user32.dll
Total events: 3 525
Read events: 3 525
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 298
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | (empty) | (empty)
  MD5: (empty)  SHA256: (empty)
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: 18E1E9A7AA2E53FE1C1561081BAC9447  SHA256: CA9E1C6A3BFA74C1E34599E01CABEE9ECB65634787DDD85578DAF524E8FB865B
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: BCEDC581BFBC576E2D40718187096A08  SHA256: 5C473E9D40320F3D64FADDD3E3129E58374328DDEB5702E5563D639CD54536CB
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: BAB35021121BE3D97A075B308516F123  SHA256: 31AB2B888BD96C6F9A5635A00701CE00E74FCF16A94E6C5F661D61763DA5E645
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: A4F5B7A0DCFF2CB296DEED7E76D8F111  SHA256: B414BFA57BDC72DA01EF11FBBEF0295F5FA3756C46E05FED7E9B35E8DB2469FF
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: 212A5356AC1BC1BEF4AEF91C5D169D0D  SHA256: C98D0AF55990AC5154AAD8BCBFE34AA32DE7FF95BDC6F1B1B091D7261FB81EEC
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: 37FAB4194B4AF3F6F49C7B1F3FF1CABC  SHA256: 100F0E164A7FC36A602FE5B974142D2D7B0963CEDED9C14B0871DF37BD1C1EA4
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: 0BB32114FBEF9670E7890BA9A1497ACF  SHA256: 9C965762F370AAB263BA599A13104F8F83A1163D164A60CF861BA18368F704F2
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
  MD5: 3DA16FE8203073137DB3CBBC6615392D  SHA256: 1C6B2926FC5422C40819FC2B05489D9EAAC7A32F5E7B4F4DA4512BAA03B83316
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: A009F9EBEC904F157A47B4ADE7AA916F  SHA256: 349E07175C288AC9B07CB06E9D9A3BF8D269AA107B193AA64DD06E586D5F8FE7
HTTP(S) requests: 7
TCP/UDP connections: 18
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2792 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2792 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2792 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 52.168.117.170 | whitelisted

Threats

No threats detected
No debug info