File name: 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9

Full analysis: https://app.any.run/tasks/4a9cc85f-af1a-4631-9735-f6f9cef12d3d
Verdict: Malicious activity
Analysis date: July 06, 2025, 01:26:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 59463C6A1DEFDEC649CB2BA72B6BEB2D
SHA1: 54A77239CAD680084F34EAF94563E467118C399B
SHA256: 64DC2E2B29AE0073484B896BD4300CFE18604FE3D77BB4B40572A25F50675AA9
SSDEEP: 1536:QPlbc9F8xi59F8xiG+3+U3aWf6uXCs/CR:alOfLCsaR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
    • Creates file in the systems drive root

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
    • The process creates files with name similar to system file names

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
  • INFO

    • Checks supported languages

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
    • Reads the software policy settings

      • slui.exe (PID: 2032)
    • Checks proxy server information

      • slui.exe (PID: 2032)
    • Creates files or folders in the user directory

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive, see the full report): start, 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (#ZOMBIE), slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
2032 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2324 | "C:\Users\admin\Desktop\64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe" | C:\Users\admin\Desktop\64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 3 488
Read events: 3 488
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 870
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | - | -
MD5: -
SHA256: -
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
MD5: F7490D75FA38B1239BB430A04811693A
SHA256: 5C2712C2AB920FA70D4A92FB5F62BD1C2E61845987D28B0E22470669EF77841E
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
MD5: A9ECBFF77C33CC48BE053DEA70397019
SHA256: 4FDA517C161300BFE80FD2EDA78B48BD4431FD0E2AEC4BDBF2C2EE1DE1BC00F2
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
MD5: DE58FC44969777543158D6D943C5AC23
SHA256: 24C20DCFCBF6480AB610E998B5FE0B78E9D8176EA294F9D81A84679767532713
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
MD5: 0503956C027ED60B478ABD4ABC77EA2B
SHA256: A3F42A0CB7C5047F4224683E978508536A131420BF1F6749F76B0076EAA15BC3
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
MD5: 772A730758421120E12B1581F5D692BC
SHA256: 24853A8A9CC4799424401E709CECCE9B47EC6F8F8FC2B5A39D16495531C751B0
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
MD5: FE275A7BD5FCB9F5EFB72C3BE100BFB5
SHA256: F97E5B228D20C3E33ACB3807F49A42CA91BB2236D58CA6B480C4A0C0E7017CA8
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
MD5: 4BBC96D1C4F17764DF351F09880FB3D9
SHA256: 6043B78F712E776647254D4C51A2C5A611597321FC673E22F31C524D9910528E
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
MD5: 621E406C69A05CCCE08460E49603C56B
SHA256: 8685E709834E705A7480E719554AE821102931C6CB52402B72BA2530CF86C608
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
MD5: EEEB1158DD88C39F3ADBC52A13D23436
SHA256: 4513CA5BB49BCDCC5088EFA3ED8FF22B48F71948557C3BAB37E4548476CE539C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3564 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
3564 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3564 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
3564 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.251.13.113
  • 142.251.13.138
  • 142.251.13.102
  • 142.251.13.101
  • 142.251.13.139
  • 142.251.13.100
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 52.178.17.234
whitelisted

Threats

No threats detected
No debug info