File name:

cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe

Full analysis: https://app.any.run/tasks/af6b995c-e4eb-4f8c-ada3-ab3f94e8f819
Verdict: Malicious activity
Analysis date: August 01, 2025, 01:16:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:

89ADCBDE9D2378EDF0F4A36546B37D29

SHA1:

4865B7DD0734F3E8C003BCE043DE42A2BF66264E

SHA256:

CB88E33457E44B28AE4A0C859615B522B24D22D45BA879468FAC81C40E4EE9BB

SSDEEP:

3072:al7FEF51s4JWICAXNygTBh0fiKl3+beFH3vfaO/qDju3QShmbsXYcXI5wdkOr8YL:a9a24JWI34gTBh0W95wdkOTI97cGA9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

    • Executable content was dropped or overwritten

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

    • The process creates files with name similar to system file names

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

  • INFO

    • Creates files or folders in the user directory

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

    • Checks supported languages

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

    • Reads the software policy settings

      • slui.exe (PID: 6796)

    • Checks proxy server information

      • slui.exe (PID: 6796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1508"C:\Users\admin\Desktop\cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe" C:\Users\admin\Desktop\cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6796C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 481
Read events
3 481
Write events
0
Delete events
0

Modification events

No data
Executable files
1 266
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe
MD5:
SHA256:
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:4FDB4D02E4B80A82358A66A45B6AD1D6
SHA256:5F7ADF057404D34C14F16E0F85D2402A8A6C9785247C2C3921D99C2E91EB73F4
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:547000EE6AE674ECD174582EB125D42C
SHA256:A9F7F772C8EFFC6DB1B55B010B0E335CF285D091E315C1CBAB2A50A84DEF3743
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:B91AA9D7DE27BE80CB4E3F70E42A4B90
SHA256:36165218648C40D89E86A481B31B7BD115509D3D22434FDB252921DEF971FD4C
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:C2C94D6B62A3CCA23657AD745A638262
SHA256:F795D5DB1FF36419DEB3405A04B63EE040D1DB2D19742B816196C22359F1B9BE
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:7F8967564135EACB4B1BFEB6D269DC85
SHA256:FC975ADC8C20BB4563C627D9A0435E1A0BF4EE03B576E858C221E9C9915A3391
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:FC2B29BAD482B749A447EC6FDE898436
SHA256:616E19F9F6BFB6D132727C4EACB6320EED8DF44BAAB064B6959BE0E9FD35D0E2
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmpexecutable
MD5:C23FD42AD021A4DA8469625FB697D66B
SHA256:CE0CFE6BCFAEF99D9DFB72120349F48326A8F2A7B6DA40C0DF8695908CB4F021
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:D95B00959D2ED9ADBDF8012B2A72B610
SHA256:0AE248ACD9B78B50DA54BB8151D14DF70BD7696AADC08755D5285DDDDC6C577D
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:4FDB4D02E4B80A82358A66A45B6AD1D6
SHA256:5F7ADF057404D34C14F16E0F85D2402A8A6C9785247C2C3921D99C2E91EB73F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2216
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2216
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2216
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
  • 184.24.77.12
  • 184.24.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.189.173.28
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe