File name: b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe

Full analysis: https://app.any.run/tasks/82619d29-6a24-42cb-827c-c8c45ec36ecb
Verdict: Malicious activity
Analysis date: August 01, 2025, 06:08:26
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 89026127AC400F2CD37AF7EA346ACE32
SHA1: 5E33E30C0B0089256E33B6528EBEB1AC465CFCD7
SHA256: B8989FADA61D35550BF6B5538E968C9BFAB5E28457396F15D609E1A98C4A55D8
SSDEEP: 1536:UjVABc9F8xi59F8xiG+3+U3aWf5jsdeWjEZ:Uaof5jsdeWjEZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe (PID: 6820)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe (PID: 6820)
    • Creates file in the systems drive root

      • b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe (PID: 6820)
    • The process creates files with name similar to system file names

      • b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe (PID: 6820)
  • INFO

    • Checks supported languages

      • b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe (PID: 6820)
    • Creates files or folders in the user directory

      • b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe (PID: 6820)
    • Checks proxy server information

      • slui.exe (PID: 6808)
    • Reads the software policy settings

      • slui.exe (PID: 6808)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report

Total processes: 135
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → #ZOMBIE b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe → slui.exe

Process information

PID: 6808
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 6820
CMD: "C:\Users\admin\Desktop\b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe"
Path: C:\Users\admin\Desktop\b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll
Total events: 3 487
Read events: 3 487
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 857
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | | | |
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 9B6A3D317F81E1CFD2A9BDCF1C127720 | 0C3F858356C196B619DBB5D6FB9EBC7A7B102F44182EE942436098499D234256
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | B6AB2143A8569162F4E8F44785197407 | 92807AE85431538C6C71E475E21B48855B37380181314E817D8B7851959ECCC6
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | CDD2B14AD5A340685CF6A7A409F1F202 | 54F07C61E832DD437C982A7057FD9FD023A136003FFE4930C6D81F74F930CB48
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | 72135DCEC6ED43C35D08A24E7546B018 | A7B13A3A355AF58FA1A2F45B357F21DA00BE61F95D9486376C58BDCE911E43C0
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | CDD2B14AD5A340685CF6A7A409F1F202 | 54F07C61E832DD437C982A7057FD9FD023A136003FFE4930C6D81F74F930CB48
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | DF6FE4BB1AFE4A60004E93CA9FAF84D3 | B9F202DAE610EA639284C8F8B9649001549A154B072912A2C71D009AF1FA9DC0
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | 131D43E8D754E780B1E8B1F0D15DF7F5 | 2991840C299951852A30C14E5616EFAEE3C07F96E7E089356E85B00AB0CEE7C7
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | D342E723DBF049377D3823BD77B7D291 | A476505CDBE1049AB33153895A6BB02DC236B57396F9D13013EB5848E53BE84C
6820 | b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | 5BBF1E34CDEEE7AF4BD87F1253C3993E | 7E496F7CB952918CBC6DB008724008DAD5AB575F7ED858C59B026411FE761AC5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 36
TCP/UDP connections: 54
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.25:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
2168 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
| | POST | 400 | 40.126.31.0:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
| | POST | 400 | 40.126.31.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
| | POST | 400 | 20.190.159.73:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
| | POST | 200 | 20.190.159.2:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted
| | POST | 200 | 20.190.159.75:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2168 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2168 | RUXIMICS.exe | 23.216.77.25:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146 | whitelisted
google.com | 172.217.16.206 | whitelisted
crl.microsoft.com | 23.216.77.25, 23.216.77.20, 23.216.77.42, 23.216.77.6, 23.216.77.28, 2.16.241.12, 2.16.241.14 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
login.live.com | 20.190.160.130, 40.126.32.74, 40.126.32.134, 20.190.160.20, 20.190.160.64, 20.190.160.4, 40.126.32.138, 20.190.160.67 | whitelisted
client.wns.windows.com | 20.59.87.226 | whitelisted
slscr.update.microsoft.com | 20.165.94.63 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
self.events.data.microsoft.com | 52.182.141.63 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info