File name: 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e

Full analysis: https://app.any.run/tasks/e727e961-1164-4e7b-b07a-d3f4e51633e3
Verdict: Malicious activity
Analysis date: June 21, 2025, 06:57:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 2D195A1C496080BAF3625E964615FBA2
SHA1: DAB57A3B3CA47001B2BE77368B0B65FB6F639421
SHA256: 6CEDDF74C08631B01635F069EDA199141511B2AF91CA424DF28BC99A9891D99E
SSDEEP: 6144:a1ft7KNgTwcWdowbSZf6NC5U/plhXjmJ0lB8UX64ykQtQTPMBN5Ro08CnEA+1oIL:Qk/GI0S5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe (PID: 6832)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe (PID: 6832)
    • Creates file in the systems drive root

      • 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe (PID: 6832)
    • The process creates files with name similar to system file names

      • 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe (PID: 6832)
  • INFO

    • Creates files or folders in the user directory

      • 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe (PID: 6832)
    • Checks supported languages

      • 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe (PID: 6832)
    • Checks proxy server information

      • slui.exe (PID: 5124)
    • Reads the software policy settings

      • slui.exe (PID: 5124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe slui.exe

Process information

PID: 5124
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Indicators: -
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6832
CMD: "C:\Users\admin\Desktop\6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe"
Path: C:\Users\admin\Desktop\6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 3 477
Read events: 3 477
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 508
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | - | -
MD5: -
SHA256: -

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
MD5: 5EB99758C638C8DCA601A4A367278F9C
SHA256: 8D0371E7142C05480D931E576A0567AB2DDBA66507B938561990C5D914FA5E88

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
MD5: E0F9887A1859D2C3094D6090AD4CCAC3
SHA256: 3F8C1DE01C972A07791906E3DA236438031940255B615934EAE57EA559D2E82A

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
MD5: 51B3B2B9F1A63D31793C8EF232666F38
SHA256: BFEAA99182BD6ED63A40392CB482230B4B1B50ED6F28421AAFE06AF7A65898C3

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: F096B55150BE344E43EF5CC468152B6D
SHA256: 7A00EE57D42BD8A2D65D96C406A6F407A12911206297D23826FC6687C65E45F7

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
MD5: E6A448AD4EFF4D436F55EFA74BBCE98A
SHA256: 874DB4ED60167073C79DB682A18CB4951AF42FF1698DC8CF5160C2E1B3E78E19

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
MD5: F786876BE68C8488B6318608E39C8AAC
SHA256: BC2D2AECB3F8CC1FE19D70EE330BD4E72DCE03480082D409690CE3408BF40B23

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
MD5: 1D7BC2CA6DE46118F81C6BEF78D2B69E
SHA256: 0B9106B7CD08042C99DA3507DA603618D746AD800EC3E16F7FED85D851644EBA

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
MD5: 35D90D374EEFDFDBAFF00407FB4498F2
SHA256: 59C49B38F66FFC3CC5786CFA38DA328371016B8B3BE9466F5CFDCE60D88C717D

6832 | 6ceddf74c08631b01635f069eda199141511b2af91ca424df28bc99a9891d99e.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
MD5: 1A03D686A48F95D9F3DC640F6D0565B5
SHA256: 5F06BA7CD12DD3A69CA9D2D0388C1612AC773D110D6FBF315D8548FEC0E3F860
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4680 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4680 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
4680 | RUXIMICS.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 20.73.194.208 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.55.104.190, 23.55.104.172 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 52.182.143.213 | whitelisted

Threats

No threats detected
No debug info