File name: 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe

Full analysis: https://app.any.run/tasks/7db1a06a-ba4e-4353-97d2-b0f4f075921c
Verdict: Malicious activity
Analysis date: August 01, 2025, 06:14:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: F313D1B0D481FFA56FA1AABA567DB541
SHA1: 512AC07BF4F906AE897483A175FCCF429F056077
SHA256: 6B2FF666476E294FDB8A364DBC20C58C4507F6873CECE954DAA6F1AD806F1BF9
SSDEEP: 1536:QPlbc9F8xi59F8xiG+3+U3aWf5jsdeWBFaJZbzHGhe:alOf5jsdeWBczHl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)
    • The process creates files with name similar to system file names

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)
    • Executable content was dropped or overwritten

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)
  • INFO

    • Creates files or folders in the user directory

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)
    • Checks supported languages

      • 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe (PID: 2468)
    • Checks proxy server information

      • slui.exe (PID: 7056)
    • Reads the software policy settings

      • slui.exe (PID: 7056)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, #ZOMBIE 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe, slui.exe

Process information

PID: 2468
CMD: "C:\Users\admin\Desktop\6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe"
Path: C:\Users\admin\Desktop\6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\msvcrt.dll

PID: 7056
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Total events: 3 496
Read events: 3 496
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 804
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | | | |
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | AB36669B3909424248FB8C58D506EFF5 | 6263E7BBE083889C7B5555D39BBDFF0DA8B520921E135D762E81D62D7B7BEC64
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 21F19133B19023BAB26E11D21771815E | 7AC8A51BFC0987EE59CAFAF4E3D153616EB8F57EE29CC5BE47C78B5171783623
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | D9E625295DEF45B88A5124ACA793B446 | EE279FDC032032ED907467D42B028E58A64C3184ABAD2BEDDB5213B5344F40B9
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | AB36669B3909424248FB8C58D506EFF5 | 6263E7BBE083889C7B5555D39BBDFF0DA8B520921E135D762E81D62D7B7BEC64
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | E44B81E6333E11BFE40B250DC151BB76 | F2D0D56C90C259FD6D2D49BF1C1070B072AEC83700CC1A99F9536B1331493768
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | 3DBF851818E70AEFAFD959A54372B565 | 33EB02914E69F8CD8A4CB19B9526C60B4A0495EB710F3568AC8DC317DF0CED72
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | D2F5D400487E238A064D366CF8B0DA25 | 86694E7820CF723DB28D56D626764270305D43327A8C554BF9B78451B455BC4D
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 1C51D11A86DA6F98DF1B9334D849BC1B | CA9C7ECD086712804A83D95692055B2A38E88040254D25562DA222A2872A3C66
2468 | 6b2ff666476e294fdb8a364dbc20c58c4507f6873cece954daa6f1ad806f1bf9.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | 5BEE92EFAB0E6C550ACA0C4219B5D80A | B03830670C4F45491F4FD741EEE32D1AC2C1F5DA48E71457162080C98B1D1943
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4160 | RUXIMICS.exe | GET | 200 | 23.216.77.42:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4160 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
 | | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4160 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4160 | RUXIMICS.exe | 23.216.77.42:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
google.com | 142.250.184.206 | whitelisted
crl.microsoft.com | 23.216.77.42, 23.216.77.6, 23.216.77.28 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 51.132.193.104 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info