File name:

dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe

Full analysis: https://app.any.run/tasks/22b3e456-ac69-4f72-96ff-61e55fa061d0
Verdict: Malicious activity
Analysis date: August 01, 2025, 01:23:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: F0194DA8D343BC524057B1CAA5E174F4
SHA1: 8ECD5335A600B6ABE47B9DFC7696EE2123888C5E
SHA256: DC30954AB0297E20A1691A248EF82C3F64B79B272C0FFADEF051EB7FFBABCE00
SSDEEP: 12288:M8H8wJSTcccYcccccccccccQcccccccccccccccQO2uaem7VNcLu:M8H8wJIcccYcccccccccccQcccccccc1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe (PID: 3580)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe (PID: 3580)
    • Executable content was dropped or overwritten

      • dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe (PID: 3580)
    • The process creates files with name similar to system file names

      • dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe (PID: 3580)
    • The process executes via Task Scheduler

      • updater.exe (PID: 4700)
    • Application launched itself

      • updater.exe (PID: 4700)
  • INFO

    • Checks supported languages

      • dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe (PID: 3580)
      • updater.exe (PID: 4700)
      • updater.exe (PID: 3836)
    • Creates files or folders in the user directory

      • dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe (PID: 3580)
    • Reads the computer name

      • updater.exe (PID: 4700)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 4700)
    • Checks proxy server information

      • slui.exe (PID: 7044)
    • Reads the software policy settings

      • slui.exe (PID: 7044)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 137
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0


Process information

PID 3580
CMD: "C:\Users\admin\Desktop\dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe"
Path: C:\Users\admin\Desktop\dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID 3836
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --crash-handler --system "--database=C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\Crashpad" --url=https://clients2.google.com/cr/report --annotation=prod=Update4 --annotation=ver=134.0.6985.0 "--attachment=C:\Program Files (x86)\Google\GoogleUpdater\updater.log" --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x111c460,0x111c46c,0x111c478
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: updater.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID 4700
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe" --wake --system
Path: C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe
Parent process: svchost.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater
Exit code: 0
Version: 134.0.6985.0
Modules (images):
c:\program files (x86)\google\googleupdater\134.0.6985.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll

PID 7044
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 527
Read events: 3 527
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1 292
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type

3580 | dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
MD5: FE81A5F92DC38C484D9D27BD9F50BFC2
SHA256: A6154812F68740B0FED80ABE66DE03081DF39D7BC97CBD87BC4616A9A575B8BC

3580 | dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
MD5: 48110BD46F3654A663E47B5BE82E45E5
SHA256: 27422562280043A561C64BABC13EEB68F9B837A5B3BD8F22B2AB65A40C1E1A1B

3580 | dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
MD5: CD8E3B44BADA304A0982F4E2EEDF11C0
SHA256: 93104A6513E8A6C75262AECA76CCEDF691F096E3E844499E8DD3F88EDEAC3BE5

3580 | dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: EB18084B678262B9C3F20F06B6B9F806
SHA256: 703D693B1A5627BEF99CCC86AFEDD7F2E381BF9AEC9A002FEAC783B04124AA78

3580 | dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
MD5: D33C4E91BCE5930FE700DAA066D0513A
SHA256: 8205C55A31163F9F7E3EE670E60659ABFF142AF45ECCF23B554D4E397E653610

3580 | dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
MD5: 48110BD46F3654A663E47B5BE82E45E5
SHA256: 27422562280043A561C64BABC13EEB68F9B837A5B3BD8F22B2AB65A40C1E1A1B

3580 | dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
MD5: E201992CD79399983BAA77AC5F046DBE
SHA256: 93CC5195C3CCB87E5D16228BEDCF15F0D9C65EAB67292BD2C1B9AF1D83D0CA3F

3580 | dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
MD5: 5C4D91947A0DE6632949C510E4100EDE
SHA256: DB764CA13B1255B078961684D9282252D6FC9133EBF8EFCF84E526677E2CBE61

3580 | dc30954ab0297e20a1691a248ef82c3f64b79b272c0ffadef051eb7ffbabce00.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
MD5: 2A5DD026D4CFAC2325CB43471E74EB24
SHA256: 3E15CCD4229363BC369703FD46F88232A2CF2A4126FADE09E3A817BF8B72EF12
HTTP(S) requests: 39
TCP/UDP connections: 42
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | POST | 400 | 20.190.159.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
5944 | MoUsoCoreWorker.exe | POST | 400 | 40.126.31.129:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
5944 | MoUsoCoreWorker.exe | POST | 400 | 20.190.159.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
5944 | MoUsoCoreWorker.exe | POST | 400 | 20.190.159.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
5944 | MoUsoCoreWorker.exe | POST | 400 | 20.190.159.0:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
5944 | MoUsoCoreWorker.exe | POST | 400 | 20.190.159.71:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 304 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
5944 | MoUsoCoreWorker.exe | GET | 200 | 52.149.20.212:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
6796 | SIHClient.exe | GET | 200 | 23.3.109.244:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4700 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4700 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 23.35.229.160, 23.3.109.244 | whitelisted
login.live.com | 40.126.32.68, 20.190.160.131, 20.190.160.14, 20.190.160.4, 40.126.32.140, 40.126.32.138, 20.190.160.2, 20.190.160.20 | whitelisted
slscr.update.microsoft.com | 74.178.240.61 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
self.events.data.microsoft.com | 13.69.116.109 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
x1.c.lencr.org | 2.23.197.184 | whitelisted

Threats

No threats detected
No debug info