File name: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f

Full analysis: https://app.any.run/tasks/6a945ccc-7088-4b02-a466-d5f6c024a849
Verdict: Malicious activity
Analysis date: June 21, 2025, 04:16:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 02814608ADEA73064ECB75DC325CEF1F
SHA1: A33F79FB739C721B2190621666994B6F92654DA0
SHA256: 617D1E7CECC25BC69660F0DEB2415A867122E878D67D0BF9ECE4D10076F14D0F
SSDEEP: 1536:UjVABc9F8xi59F8xi/LGLJdQjVABc9F8xi59F8xi/LGLJdR:UaCLGLYaCLGLp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
    • Creates a file in the system drive root

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
    • The process creates files with names similar to system file names

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
  • INFO

    • Checks supported languages

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
    • Creates files or folders in the user directory

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
    • Reads the software policy settings

      • slui.exe (PID: 2148)
    • Checks proxy server information

      • slui.exe (PID: 2148)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (#ZOMBIE), slui.exe

Process information

PID: 1324
CMD: "C:\Users\admin\Desktop\617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe"
Path: C:\Users\admin\Desktop\617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2148
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 492
Read events: 3 492
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 834
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: | Type:
MD5:
SHA256:
PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | Type: executable
MD5:6144971C8E029EE6A738750AC0ECBD0B
SHA256:7190675A4149117BEF2871D055D95A7810EC5C76DA33BF01949254428BE48FF3
PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | Type: executable
MD5:55F74CD2C44B5E60DA1B8865B4972AC2
SHA256:C6DC42A0A5C7F4ACBFD6AB907CF8FABE74B8A2A018FF2DAE2DE86DE4F42D5788
PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | Type: executable
MD5:07E79F6B7D739FA46C3A724D72FA0CD8
SHA256:33BBF873C7BD7998FAB23333BC0485146233D64C76DD145460DE644567DC9407
PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | Type: executable
MD5:55F74CD2C44B5E60DA1B8865B4972AC2
SHA256:C6DC42A0A5C7F4ACBFD6AB907CF8FABE74B8A2A018FF2DAE2DE86DE4F42D5788
PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | Type: executable
MD5:E257061B0B71CFAAFAF425F86DAE2259
SHA256:D146BDEE099AA1126A4695AE9044AD4A2C8AC0836D233F6902E79CF1FC11738B
PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | Type: executable
MD5:E7C7EDAF57FA7F36EB876693082DDA0F
SHA256:B35C48A08B5274A0AE9FD58F29BC443D5F9E4CD14A1CAF062B447B671DEBAA1A
PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | Type: executable
MD5:A314E8940A238C20D386818D9D5736F1
SHA256:32C97F1F1CEC8C811E5A051B13EF62E9D5209C678899B7FE8DA4E43DBE6E854D
PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | Type: executable
MD5:5092B739D5DBCC13464685E102F82D28
SHA256:47830A54A7994AA50240D5517686F359814CDF58A5D16C9FF67DA8FE59B4EAE0
PID: 1324 | Process: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp | Type: executable
MD5:B5DE5384A365535F77D4E75F1F29412D
SHA256:8F1704E85059A184593BB08253BCBFEDE20842ADDF86C4D70FDF13FF0F1A2BD2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4156 | RUXIMICS.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
4156 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4156 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4156 | RUXIMICS.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.78
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.12
  • 184.24.77.35
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 52.168.117.169
whitelisted

Threats

No threats detected
No debug info