File name:

cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe

Full analysis: https://app.any.run/tasks/af6b995c-e4eb-4f8c-ada3-ab3f94e8f819
Verdict: Malicious activity
Analysis date: August 01, 2025, 01:16:55
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:

89ADCBDE9D2378EDF0F4A36546B37D29

SHA1:

4865B7DD0734F3E8C003BCE043DE42A2BF66264E

SHA256:

CB88E33457E44B28AE4A0C859615B522B24D22D45BA879468FAC81C40E4EE9BB

SSDEEP:

3072:al7FEF51s4JWICAXNygTBh0fiKl3+beFH3vfaO/qDju3QShmbsXYcXI5wdkOr8YL:a9a24JWI34gTBh0W95wdkOTI97cGA9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

    • The process creates files with name similar to system file names

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

    • Executable content was dropped or overwritten

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

  • INFO

    • Creates files or folders in the user directory

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

    • Checks supported languages

      • cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe (PID: 1508)

    • Checks proxy server information

      • slui.exe (PID: 6796)

    • Reads the software policy settings

      • slui.exe (PID: 6796)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
1508"C:\Users\admin\Desktop\cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe" C:\Users\admin\Desktop\cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6796C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 481
Read events
3 481
Write events
0
Delete events
0

Modification events

No data
Executable files
1 266
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe
MD5:
SHA256:
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:7F8967564135EACB4B1BFEB6D269DC85
SHA256:FC975ADC8C20BB4563C627D9A0435E1A0BF4EE03B576E858C221E9C9915A3391
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:547000EE6AE674ECD174582EB125D42C
SHA256:A9F7F772C8EFFC6DB1B55B010B0E335CF285D091E315C1CBAB2A50A84DEF3743
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:60DB211179E6129E7B32F2D5289D1523
SHA256:3437ED965072E464EFFF9DB93C0DEBE2C818727C52BCD5557BEBEEB7F7B126DF
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmpexecutable
MD5:FB5B849B72858A7DB22D21082AAE333D
SHA256:79A3240D2C9C1BE9542FE3C8FC9BFFE951661C6D63AA65AEC67DB5AC57689FAD
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmpexecutable
MD5:C23FD42AD021A4DA8469625FB697D66B
SHA256:CE0CFE6BCFAEF99D9DFB72120349F48326A8F2A7B6DA40C0DF8695908CB4F021
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmpexecutable
MD5:065279CEF4892F596DA8C3DB977C1F30
SHA256:65542F38D876D3D886E242CB6F4D35041595CC24649742BC1B59613C0C55E659
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:C2C94D6B62A3CCA23657AD745A638262
SHA256:F795D5DB1FF36419DEB3405A04B63EE040D1DB2D19742B816196C22359F1B9BE
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:4FDB4D02E4B80A82358A66A45B6AD1D6
SHA256:5F7ADF057404D34C14F16E0F85D2402A8A6C9785247C2C3921D99C2E91EB73F4
1508cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:79172B576554A6228CF5500BF28BAB22
SHA256:93A745F8EF898C1B111F67E2A0EFDB2A74F9633C9BBA79C6BD111A02D20633A2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
21
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
184.24.77.35:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2216
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2216
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
184.24.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
184.24.77.35:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2216
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
  • 184.24.77.12
  • 184.24.77.6
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
self.events.data.microsoft.com
  • 20.189.173.28
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
cb88e33457e44b28ae4a0c859615b522b24d22d45ba879468fac81c40e4ee9bb.exe