File name: b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f
Full analysis: https://app.any.run/tasks/533b4f8f-d9e2-4690-ad8a-64184cb50f13
Verdict: Malicious activity
Analysis date: June 21, 2025, 05:26:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 5514EDC8B9017AB1B80169C55E2598B5
SHA1: EE2FE27C8662AB290CF79F18457E180EE9A050AC
SHA256: B6E88BBC42FFAE517F54AC1F5118250366CDBF200E7E44D917DA6FB168C0116F
SSDEEP: 98304:UVKikhiSI0WJsGnVEtEa4a0z6U24ZZ1Hz0njJX3ISW3AWIDZjGQ/oZ8U5bnBAvAA:DB5N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
    • Creates file in the system drive root
      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
    • The process creates files with names similar to system file names
      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
  • INFO
    • Checks supported languages
      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
    • Creates files or folders in the user directory
      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
    • Reads the software policy settings
      • slui.exe (PID: 2076)
    • Checks proxy server information
      • slui.exe (PID: 2076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 135
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown: start, b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (#ZOMBIE), slui.exe

Process information

PID 2076: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 4968: "C:\Users\admin\Desktop\b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe"
  Path: C:\Users\admin\Desktop\b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\desktop\b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
Total events: 3 483
Read events: 3 483
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 520
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by PID 4968, b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe; type is "executable" in every case.

C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe
  MD5: 1AA324750B2FC203DA47B891258A370B
  SHA256: C167427A4C11A98AA3B90F01F066E051781D356AB32F2BB7546D67C8F2E0962F
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp
  MD5: A58CA209BF723D07708C228CA76C897A
  SHA256: 2444B5B9C9B52B274481304B849CA61255ADEBD9A1EED6CBDDFF7BC4078B705E
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp
  MD5: 798ABB6C40BDFCA0A5143BEAA74DD2A4
  SHA256: B183FE12AF07D61ECCF9EB8349E790810A8655FE34D9043CDD8A68BE75F6B27A
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp
  MD5: 5B83AF92F15D5E1070BF9F7FE12F8AD3
  SHA256: D800261EF02B6E4B5196C00026170776CDD2AA69F0A49A092EE27E863A3B5C85
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp
  MD5: 6C50B5F95B80B5A94DB2E10487B8F8F1
  SHA256: E9285493D10079AFAE5DCFE38AA6F5739B3F6529FCDA3DBB3DA3FD985D358687
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmp
  MD5: D19418730D6AEC5403D37900AE746D4A
  SHA256: D14ACD8A91C7E378A1457587D298E9A62DBF97AF377A95BB7F37463616C099F0
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp
  MD5: 3ACC1DBF79AA9E8AC0FD2D28B46D8A8B
  SHA256: DC0E459701097092C933FD56F9FC6E157A71BE0182959F134317BFA7EC3F3737
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp
  MD5: 8233658B57F902E9BB404B796D70F782
  SHA256: 03EE8CA7DB67677595A19F90547519DAEBC9FDC2F9F49A1CDDFD376252F014D1
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp
  MD5: 30A000F58110C6C88440036F094D4866
  SHA256: ACDD5C602A3220E24C4845A9A2835E7EC59BA19B4E33576E60385BD4C7179303
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 32
TCP/UDP connections: 48
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1812 | RUXIMICS.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1812 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.160.67:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.32.74:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1812 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1812 | RUXIMICS.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1812 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 23.55.104.190, 23.55.104.172, 184.24.77.37, 184.24.77.35, 184.24.77.12 | whitelisted
www.microsoft.com | 95.101.149.131, 184.30.21.171 | whitelisted
login.live.com | 40.126.32.138, 20.190.160.130, 40.126.32.76, 20.190.160.67, 20.190.160.65, 20.190.160.22, 40.126.32.134, 40.126.32.133 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.22 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info