File name: 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f

Full analysis: https://app.any.run/tasks/6a945ccc-7088-4b02-a466-d5f6c024a849
Verdict: Malicious activity
Analysis date: June 21, 2025, 04:16:52
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 02814608ADEA73064ECB75DC325CEF1F
SHA1: A33F79FB739C721B2190621666994B6F92654DA0
SHA256: 617D1E7CECC25BC69660F0DEB2415A867122E878D67D0BF9ECE4D10076F14D0F
SSDEEP: 1536:UjVABc9F8xi59F8xi/LGLJdQjVABc9F8xi59F8xi/LGLJdR:UaCLGLYaCLGLp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
    • The process creates files with name similar to system file names

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
    • Executable content was dropped or overwritten

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
  • INFO

    • Creates files or folders in the user directory

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
    • Checks supported languages

      • 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe (PID: 1324)
    • Checks proxy server information

      • slui.exe (PID: 2148)
    • Reads the software policy settings

      • slui.exe (PID: 2148)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 132
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
1324 | "C:\Users\admin\Desktop\617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe" | C:\Users\admin\Desktop\617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2148 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 492
Read events: 3 492
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 834
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1324 | 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
MD5: DFE4945A6267EF103FA6B98D15B1B523
SHA256: C603F09582B3957FA9726E6FBB54CD5914C89BAEE998A58BE2E44D6B3269C4F7
1324 | 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
MD5: 6144971C8E029EE6A738750AC0ECBD0B
SHA256: 7190675A4149117BEF2871D055D95A7810EC5C76DA33BF01949254428BE48FF3
1324 | 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: 07E79F6B7D739FA46C3A724D72FA0CD8
SHA256: 33BBF873C7BD7998FAB23333BC0485146233D64C76DD145460DE644567DC9407
1324 | 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
MD5: 55F74CD2C44B5E60DA1B8865B4972AC2
SHA256: C6DC42A0A5C7F4ACBFD6AB907CF8FABE74B8A2A018FF2DAE2DE86DE4F42D5788
1324 | 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
MD5: 12B5D864B4938371DF8F8A6BFA503A70
SHA256: 00FB9AF903E78E57720342057E3584BAC5EB58EA5780EA1824955C836A999F6B
1324 | 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
MD5: E257061B0B71CFAAFAF425F86DAE2259
SHA256: D146BDEE099AA1126A4695AE9044AD4A2C8AC0836D233F6902E79CF1FC11738B
1324 | 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
MD5: 82044410E35AA70BDA744E6883479CA9
SHA256: 678207F0A278D3F6FA8767078E51E32C5E761F06CA3116689D24042D875C8F9C
1324 | 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
MD5: 83F4D9D34621F575A0243C2E22454563
SHA256: 8E240AE0DDDE89446642AA979F52DA2184104F80A84A2F1D39347EAC3562C261
1324 | 617d1e7cecc25bc69660f0deb2415a867122e878d67d0bf9ece4d10076f14d0f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
MD5: 7A83B3AA8053BBCECF340F7EBA3D086D
SHA256: 325B5E0E2F092C753305DFFF5FF7A9043F9783A390E42C7C2B9CAB2C728A095D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4156 | RUXIMICS.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4156 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4156 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4156 | RUXIMICS.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
google.com | 142.250.186.78 | whitelisted
crl.microsoft.com | 184.24.77.37, 184.24.77.12, 184.24.77.35 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 52.168.117.169 | whitelisted

Threats

No threats detected
No debug info