File name:

6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe

Full analysis: https://app.any.run/tasks/7db1a06a-ba4e-4353-97d2-b0f4f075921c
Verdict: Malicious activity
Analysis date: August 01, 2025, 06:14:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:

F313D1B0D481FFA56FA1AABA567DB541

SHA1:

512AC07BF4F906AE897483A175FCCF429F056077

SHA256:

6B2FF666476E294FDB8A364DBC20C58C4507F6873CECE954DAA6F1AD806F1BF9

SSDEEP:

1536:QPlbc9F8xi59F8xiG+3+U3aWf5jsdeWBFaJZbzHGhe:alOf5jsdeWBczHl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)

    • The process creates files with name similar to system file names

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)

    • Executable content was dropped or overwritten

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)

  • INFO

    • Checks supported languages

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)

    • Creates files or folders in the user directory

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)

    • Reads the software policy settings

      • slui.exe (PID: 7056)

    • Checks proxy server information

      • slui.exe (PID: 7056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
2468"C:\Users\admin\Desktop\6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe" C:\Users\admin\Desktop\6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
7056C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
3 496
Read events
3 496
Write events
0
Delete events
0

Modification events

No data
Executable files
1 804
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe
MD5:
SHA256:
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:AB36669B3909424248FB8C58D506EFF5
SHA256:6263E7BBE083889C7B5555D39BBDFF0DA8B520921E135D762E81D62D7B7BEC64
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:E44B81E6333E11BFE40B250DC151BB76
SHA256:F2D0D56C90C259FD6D2D49BF1C1070B072AEC83700CC1A99F9536B1331493768
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:21F19133B19023BAB26E11D21771815E
SHA256:7AC8A51BFC0987EE59CAFAF4E3D153616EB8F57EE29CC5BE47C78B5171783623
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:D28E2EEC5FF607B1D79EAB86147497EB
SHA256:24EFEEE8F6A4E174D47ED2942E45188A3987F9704A0BFE9CEA6230B48E4615F9
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmpexecutable
MD5:43474B93F5D7FDC82264CF18E6426241
SHA256:2AAC138466805DE6462F9770EB6818359E54A38C47BD7C69FB62912075F8D0C6
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:6517602B670DC000B468297B43E114E3
SHA256:DAAEFDB3DC3043E414640825A3403C8CD8BDF473DAFBD5A552C40B44727AA29C
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:AA234E3EE21EECDD0BC3DA01D3F338AA
SHA256:3C2EFF749B2484EDD78A709CD2D6A6FDA18428BECC675AE7B7A98BEC4540D6E1
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:D9E625295DEF45B88A5124ACA793B446
SHA256:EE279FDC032032ED907467D42B028E58A64C3184ABAD2BEDDB5213B5344F40B9
24686b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmpexecutable
MD5:C0C087ECA100401A37147DA59D81D3E8
SHA256:1885F02B689E647D5D9A21A58285FE4B927FE3C8BCB3162C9FF18CABC3F21A66
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1268
svchost.exe
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4160
RUXIMICS.exe
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4160
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4160
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4160
RUXIMICS.exe
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.184.206
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
self.events.data.microsoft.com
  • 51.132.193.104
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe