File name: 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463

Full analysis: https://app.any.run/tasks/65ba383b-cd0b-4575-b8a0-c3fcebad0b27
Verdict: Malicious activity
Analysis date: June 21, 2025, 05:25:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 9B083871381FCAB6E12AA874543861CB
SHA1: CFDAB3BC15947241258A477F495C2B03DE841176
SHA256: 4ECA30DE600565B888D05CA7876E18958D3E7DDFA11973BC8ACBBD21B744D463
SSDEEP: 393216:UMdn+RiWgRVbSappedaLv/dTKGZy7F64jreBkWX19tL/hy9n7D8vTYQVSWe8i4K0:n5+RiWgRVbSappedaLv/dTKGZy7F64j2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
    • Executable content was dropped or overwritten

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
    • Application launched itself

      • updater.exe (PID: 3584)
    • The process executes via Task Scheduler

      • updater.exe (PID: 3584)
    • The process creates files with name similar to system file names

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
  • INFO

    • Creates files or folders in the user directory

      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
    • Checks supported languages

      • updater.exe (PID: 3584)
      • updater.exe (PID: 1096)
      • 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (PID: 3640)
    • Reads the computer name

      • updater.exe (PID: 3584)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 3584)
    • Checks proxy server information

      • slui.exe (PID: 2980)
    • Reads the software policy settings

      • slui.exe (PID: 2980)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 135
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: start → 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe (#ZOMBIE) → updater.exe (no specs) → updater.exe (no specs) → slui.exe

Process information

PID: 1096
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID: 2980
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 3584
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID: 3640
CMD: "C:\Users\admin\Desktop\4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe"
Path: C:\Users\admin\Desktop\4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 3 525
Read events: 3 525
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 298
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | | | |
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | E30975C0995F6B381CBB8AACD46FF147 | 344D4220E0223C21CE105D1BBB08B6D58F096FD678818CD629E2A03E3434DE9D
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | A4F5B7A0DCFF2CB296DEED7E76D8F111 | B414BFA57BDC72DA01EF11FBBEF0295F5FA3756C46E05FED7E9B35E8DB2469FF
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | 37FAB4194B4AF3F6F49C7B1F3FF1CABC | 100F0E164A7FC36A602FE5B974142D2D7B0963CEDED9C14B0871DF37BD1C1EA4
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | BCEDC581BFBC576E2D40718187096A08 | 5C473E9D40320F3D64FADDD3E3129E58374328DDEB5702E5563D639CD54536CB
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 7E4F0FF85D799BBBB75B7919EEEE4450 | 4ED861204188620C8B3DB5FE567B13516EAF50B329700E390E967A4594AB9BA2
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | B1650D76A33E60579249355CFBA78F6B | B669AE273CB84F7F7BE5A4C7D5B27793C5E4B8CD143867BD059D97BFA2B4570E
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | BAB35021121BE3D97A075B308516F123 | 31AB2B888BD96C6F9A5635A00701CE00E74FCF16A94E6C5F661D61763DA5E645
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | 18E1E9A7AA2E53FE1C1561081BAC9447 | CA9E1C6A3BFA74C1E34599E01CABEE9ECB65634787DDD85578DAF524E8FB865B
3640 | 4eca30de600565b888d05ca7876e18958d3e7ddfa11973bc8acbbd21b744d463.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | A009F9EBEC904F157A47B4ADE7AA916F | 349E07175C288AC9B07CB06E9D9A3BF8D269AA107B193AA64DD06E586D5F8FE7
HTTP(S) requests: 7
TCP/UDP connections: 18
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
2792 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2792 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2792 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208 | whitelisted
google.com | 142.250.184.238 | whitelisted
crl.microsoft.com | 23.53.40.176, 23.53.40.178 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 52.168.117.170 | whitelisted

Threats

No threats detected
No debug info