File name: 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9

Full analysis: https://app.any.run/tasks/4a9cc85f-af1a-4631-9735-f6f9cef12d3d
Verdict: Malicious activity
Analysis date: July 06, 2025, 01:26:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 59463C6A1DEFDEC649CB2BA72B6BEB2D
SHA1: 54A77239CAD680084F34EAF94563E467118C399B
SHA256: 64DC2E2B29AE0073484B896BD4300CFE18604FE3D77BB4B40572A25F50675AA9
SSDEEP: 1536:QPlbc9F8xi59F8xiG+3+U3aWf6uXCs/CR:alOfLCsaR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
    • Creates file in the systems drive root

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
    • The process creates files with name similar to system file names

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
  • INFO

    • Creates files or folders in the user directory

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
    • Checks supported languages

      • 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (PID: 2324)
    • Reads the software policy settings

      • slui.exe (PID: 2032)
    • Checks proxy server information

      • slui.exe (PID: 2032)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 132
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe (#ZOMBIE), slui.exe

Process information

PID: 2032
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 2324
CMD: "C:\Users\admin\Desktop\64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe"
Path: C:\Users\admin\Desktop\64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 3 488
Read events: 3 488
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1 870
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp | executable
MD5: E88B597877B3F6DD4BD968A271DFD6E1 | SHA256: FB374E1869D54B07BE3D1182142CFE3164233931898D9F9DD1D9D3684A8927A2
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
MD5: 15A54EEC2B591CABC9A7BF8013708729 | SHA256: E1E69D8A7254C413C5D641C3514FD611A5879048974C2470B498C0DD3CB766C0
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
MD5: 621E406C69A05CCCE08460E49603C56B | SHA256: 8685E709834E705A7480E719554AE821102931C6CB52402B72BA2530CF86C608
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
MD5: 772A730758421120E12B1581F5D692BC | SHA256: 24853A8A9CC4799424401E709CECCE9B47EC6F8F8FC2B5A39D16495531C751B0
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
MD5: A9ECBFF77C33CC48BE053DEA70397019 | SHA256: 4FDA517C161300BFE80FD2EDA78B48BD4431FD0E2AEC4BDBF2C2EE1DE1BC00F2
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
MD5: EEEB1158DD88C39F3ADBC52A13D23436 | SHA256: 4513CA5BB49BCDCC5088EFA3ED8FF22B48F71948557C3BAB37E4548476CE539C
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: 85084C10341B9E7790E29CBBCD2D9679 | SHA256: D1B1CFF1A46A06CFA26573826DD106BE41373310BFA9F9B2CD3334C9CBD7FC6B
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
MD5: A9ECBFF77C33CC48BE053DEA70397019 | SHA256: 4FDA517C161300BFE80FD2EDA78B48BD4431FD0E2AEC4BDBF2C2EE1DE1BC00F2
2324 | 64dc2e2b29ae0073484b896bd4300cfe18604fe3d77bb4b40572a25f50675aa9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable
MD5: A4D9F4CE2AB261EC54A9DCD8C731D4D1 | SHA256: 7468B62B9A436BFCE095CF768FEAD351B44BEEABEA5E5B3390E2D4920BCE7F9B
HTTP(S) requests: 8
TCP/UDP connections: 19
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3564 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3564 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3564 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
3564 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 40.127.240.158 | whitelisted
google.com | 142.251.13.113, 142.251.13.138, 142.251.13.102, 142.251.13.101, 142.251.13.139, 142.251.13.100 | whitelisted
crl.microsoft.com | 2.20.245.137, 2.20.245.139 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
self.events.data.microsoft.com | 52.178.17.234 | whitelisted

Threats: No threats detected

Debug info: none