File name: b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f
Full analysis: https://app.any.run/tasks/533b4f8f-d9e2-4690-ad8a-64184cb50f13
Verdict: Malicious activity
Analysis date: June 21, 2025, 05:26:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 5514EDC8B9017AB1B80169C55E2598B5
SHA1: EE2FE27C8662AB290CF79F18457E180EE9A050AC
SHA256: B6E88BBC42FFAE517F54AC1F5118250366CDBF200E7E44D917DA6FB168C0116F
SSDEEP: 98304:UVKikhiSI0WJsGnVEtEa4a0z6U24ZZ1Hz0njJX3ISW3AWIDZjGQ/oZ8U5bnBAvAA:DB5N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
    • Executable content was dropped or overwritten

      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
    • The process creates files with name similar to system file names

      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
  • INFO

    • Creates files or folders in the user directory

      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
    • Checks supported languages

      • b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe (PID: 4968)
    • Checks proxy server information

      • slui.exe (PID: 2076)
    • Reads the software policy settings

      • slui.exe (PID: 2076)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
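The EXIF block above is ExifTool's rendering of the COFF and optional headers: a zero TimeDateStamp, relocations stripped, no symbols or debug data, entry point 0x6000, Windows GUI subsystem. The script below is added here as a triage example; it is not part of the ANY.RUN report or of the sample. It reads those fields straight from a PE's bytes and decodes the characteristics bits the same way ExifTool labels them. build_sample_header() constructs a header that mirrors the report's values so the script runs offline; the ImageBase of 0x400000 and the zero linker version in it are assumptions the report does not state. Pass a real file as the first argument to inspect it instead.

```python
"""Decode the PE header fields that the EXIF/PE section of a sandbox report lists.

Added triage example, not ANY.RUN's code. The bytes produced by
build_sample_header() are constructed to mirror the values the report shows
(PE32, i386, 5 sections, zero TimeDateStamp, entry point 0x6000, GUI
subsystem); they are not taken from the real sample. ImageBase 0x400000 and
linker version 0 are assumptions the report does not give.
"""
import struct
import sys
from datetime import datetime, timezone

# IMAGE_FILE_* characteristic bits, labelled the way ExifTool prints them.
CHARACTERISTICS = {
    0x0001: "No relocs",
    0x0002: "Executable",
    0x0004: "No line numbers",
    0x0008: "No symbols",
    0x0020: "Large address aware",
    0x0100: "32-bit",
    0x0200: "No debug",
    0x2000: "DLL",
}
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data: bytes) -> dict:
    """Read the COFF header and the optional-header fields used for first-pass triage."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, _opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # the optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    os_major = struct.unpack_from("<H", data, opt + 40)[0]
    subsys_major = struct.unpack_from("<H", data, opt + 48)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "entry_point": entry,
        "os_version": os_major,
        "subsystem_version": subsys_major,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def triage_notes(fields: dict) -> list:
    """Header properties an analyst would call out before looking at behaviour."""
    notes = []
    if fields["timestamp"] == 0:
        notes.append("TimeDateStamp is zero: the header carries no build date")
    else:
        built = datetime.fromtimestamp(fields["timestamp"], tz=timezone.utc)
        notes.append(f"header build date {built:%Y-%m-%d %H:%M:%S} UTC")
    if "No relocs" in fields["characteristics"]:
        notes.append("relocations stripped: image loads at its fixed ImageBase, so ASLR cannot move it")
    if "No debug" in fields["characteristics"] and "No symbols" in fields["characteristics"]:
        notes.append("no debug data or symbols in the image")
    return notes


def build_sample_header() -> bytes:
    """Constructed header mirroring the report's EXIF values (not the real file)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 5, 0, 0, 0, 224, 0x030F)  # i386, 5 sections, ts 0
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x6000)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase (assumed; not in the report)
    struct.pack_into("<H", opt, 40, 1)         # MajorOperatingSystemVersion
    struct.pack_into("<H", opt, 48, 4)         # MajorSubsystemVersion
    struct.pack_into("<H", opt, 68, 2)         # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Pass a real PE on the command line, or fall back to the constructed header.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_header()
    fields = parse_pe_header(data)
    for key, value in fields.items():
        print(f"{key:>18}: {value:#x}" if key == "entry_point" else f"{key:>18}: {value}")
    for note in triage_notes(fields):
        print("  !", note)
```

A zero timestamp does not by itself mean anything malicious (reproducible builds zero it too), but it removes one pivot an analyst would otherwise use, so it belongs in the notes next to the stripped relocations.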
Total processes: 135
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, #ZOMBIE b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe, slui.exe

Process information

PID | CMD | Path | Parent process
2076 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll
4968 | "C:\Users\admin\Desktop\b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe" | C:\Users\admin\Desktop\b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\desktop\b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
Total events: 3 483
Read events: 3 483
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 520
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
4968 | b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
  MD5: B4656DFA4992F7DE9F00E621A798E702
  SHA256: 8159A8DA3045E7321CBFA4E48639A8AD4597C13542ACB8F9ABA18B9A90F32390
4968 | b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: 8233658B57F902E9BB404B796D70F782
  SHA256: 03EE8CA7DB67677595A19F90547519DAEBC9FDC2F9F49A1CDDFD376252F014D1
4968 | b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: 1AA324750B2FC203DA47B891258A370B
  SHA256: C167427A4C11A98AA3B90F01F066E051781D356AB32F2BB7546D67C8F2E0962F
4968 | b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 36522D5ED7DB0DEC1723D6A2B9E061A2
  SHA256: EC21E6FE4914FC09092B8389F9639C20500148E8BA11339E2F885061C35DD486
4968 | b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: 3ACC1DBF79AA9E8AC0FD2D28B46D8A8B
  SHA256: DC0E459701097092C933FD56F9FC6E157A71BE0182959F134317BFA7EC3F3737
4968 | b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
  MD5: 560B1E8321F1F89E4500EF272B85AC63
  SHA256: 359270D7AC50F335DA9F8D57EC26B53ECD116C1A22F0176EC4B51795C57F0C40
4968 | b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: FE61BF0988DCEA9F93F409BE4DF87A23
  SHA256: DCD456FA9B6DF07159FE3ABEB5724992CD5ECE8B2E78599829B0B7006A7A8F3F
4968 | b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: 6C50B5F95B80B5A94DB2E10487B8F8F1
  SHA256: E9285493D10079AFAE5DCFE38AA6F5739B3F6529FCDA3DBB3DA3FD985D358687
4968 | b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: 7B64025879A2A0B94A7D33A71FFD2CF5
  SHA256: 94D10B56DE6D44D5805044A02FA753465860E883853DC30B52C922891EAD6FAA
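Every path under C:\Users\admin\AppData\Local\VirtualStore\ in the table above is a write that UAC file virtualization redirected. The sample runs 32-bit at medium integrity and, since virtualization only applies to processes without a requestedExecutionLevel manifest, is evidently unmanifested; it tried to create bootmgr.tmp, BOOTNXT.tmp and bootTel.dat.tmp in the root of the system drive and several .tmp files under Program Files\Adobe\Acrobat DC, and Windows silently diverted those writes into the per-user store. That is what the "Creates file in the systems drive root" and "creates files with name similar to system file names" signatures are reacting to; the only write that landed where it was aimed is desktop.ini.tmp in the user's own $Recycle.Bin folder. The script below, an added triage example and not ANY.RUN code, maps each dropped path back to its intended target and names the existing file each .tmp sits beside. It assumes the system drive is C: and uses the table's paths as constructed input. Whether the sample later renamed the temporaries over the originals cannot be read from this list.

```python
"""Map UAC-virtualized dropped-file paths back to where the process actually
tried to write, and report which file each ".tmp" sits beside.

Added triage example, not ANY.RUN's code. DROPPED is copied from the report's
"Dropped files" table; the system drive is assumed to be C:.
"""
import ntpath
import re
from collections import Counter

# %LOCALAPPDATA%\VirtualStore\<rest> is where UAC file virtualization sends
# writes that a 32-bit, unmanifested, medium-integrity process aimed at a
# protected location; <rest> is the path relative to the system drive root.
VIRTUAL_STORE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.IGNORECASE,
)

# Constructed input: the same strings as the report's table.
DROPPED = [
    r"C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp",
    r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp",
    r"C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp",
]


def devirtualize(path):
    """Return the location the write was aimed at, or the path unchanged."""
    m = VIRTUAL_STORE.match(path)
    return f"{m.group('drive')}:\\{m.group('rest')}" if m else path


def classify(target):
    """Coarse class of the intended target, keyed on its top-level directory."""
    _drive, rest = ntpath.splitdrive(target)
    rest = rest.lstrip("\\")
    if "\\" not in rest:
        return "system drive root"
    top = rest.split("\\", 1)[0].lower()
    if top in ("program files", "program files (x86)"):
        return "program files"
    if top == "windows":
        return "windows directory"
    if top == "$recycle.bin":
        return "recycle bin"
    return "other"


def shadowed_original(target):
    """For '<name>.tmp', the path of '<name>' next to it; None otherwise."""
    head, tail = ntpath.split(target)
    if len(tail) > 4 and tail.lower().endswith(".tmp"):
        return ntpath.join(head, tail[:-4])
    return None


def triage(dropped):
    """One record per dropped path with its de-virtualized target and class."""
    rows = []
    for path in dropped:
        target = devirtualize(path)
        rows.append({
            "dropped": path,
            "virtualized": target != path,
            "target": target,
            "location": classify(target),
            "shadows": shadowed_original(target),
        })
    return rows


def count_by_location(rows):
    """How many intended targets fall into each location class."""
    return dict(Counter(r["location"] for r in rows))


if __name__ == "__main__":
    rows = triage(DROPPED)
    for r in rows:
        flag = "REDIRECTED" if r["virtualized"] else "direct    "
        print(f"{flag} {r['location']:<18} {r['target']}  (beside: {r['shadows']})")
    print(count_by_location(rows))
```

Run against this report the script reports three intended writes to the system drive root, five under Program Files and one direct write into the recycle bin; the "shadows" column is the file an analyst should hash on the guest afterwards to see whether it was replaced.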
HTTP(S) requests: 32
TCP/UDP connections: 48
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1812 | RUXIMICS.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1812 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 400 | 20.190.160.67:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted
- | - | POST | 200 | 40.126.32.74:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.159.23:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1812 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1812 | RUXIMICS.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1812 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
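None of the connections or HTTP requests above carry PID 4968 (the sample) or PID 2076 (slui.exe); they come from svchost.exe, RUXIMICS.exe, MoUsoCoreWorker.exe and System, and the login.live.com POSTs are not attributed to any process at all. What was captured is the guest's own update, CRL and account sign-in chatter, so the 48 connections and 18 DNS lookups counted earlier must not be read as sample C2. The script below, an added triage example and not ANY.RUN code, makes that separation mechanical: it rebuilds the sample's process tree from the Process information table (by parent image name, because the report gives no parent PIDs) and buckets each row as sample-tree, background or unattributed. The rows are the report's own, entered as constructed input.

```python
"""Separate traffic generated by the analysed process tree from the guest's
background OS traffic, so Windows telemetry and CRL fetches are not read as
command-and-control activity.

Added triage example, not ANY.RUN's code. PROCESSES and ROWS are copied from
the report's "Process information", "Connections" and "HTTP requests" tables;
the rows with pid None are the login.live.com POSTs, which the report does not
attribute to any process.
"""
from collections import defaultdict

# pid -> (image name, parent image name). The report names the parent but not
# its PID, so the tree is rebuilt by image name, which over-approximates when
# several processes share a name.
PROCESSES = {
    4968: ("b6e88bbc42ffae517f54ac1f5118250366cdbf200e7e44d917da6fb168c0116f.exe", "explorer.exe"),
    2076: ("slui.exe", "svchost.exe"),
}
SAMPLE_PID = 4968

# (pid, process, remote endpoint, domain, reputation)
ROWS = [
    (4, "System", "192.168.100.255:137", None, "whitelisted"),
    (1268, "svchost.exe", "4.231.128.59:443", "settings-win.data.microsoft.com", "whitelisted"),
    (5944, "MoUsoCoreWorker.exe", "4.231.128.59:443", "settings-win.data.microsoft.com", "whitelisted"),
    (1812, "RUXIMICS.exe", "4.231.128.59:443", "settings-win.data.microsoft.com", "whitelisted"),
    (4, "System", "192.168.100.255:138", None, "whitelisted"),
    (1268, "svchost.exe", "23.55.104.190:80", "crl.microsoft.com", "whitelisted"),
    (1812, "RUXIMICS.exe", "23.55.104.190:80", "crl.microsoft.com", "whitelisted"),
    (5944, "MoUsoCoreWorker.exe", "23.55.104.190:80", "crl.microsoft.com", "whitelisted"),
    (1268, "svchost.exe", "95.101.149.131:80", "www.microsoft.com", "whitelisted"),
    (1812, "RUXIMICS.exe", "95.101.149.131:80", "www.microsoft.com", "whitelisted"),
    (None, None, "20.190.160.67:443", "login.live.com", "whitelisted"),
    (None, None, "40.126.32.74:443", "login.live.com", "whitelisted"),
    (None, None, "20.190.159.23:443", "login.live.com", "whitelisted"),
    (None, None, "20.190.159.23:443", "login.live.com", "whitelisted"),
]


def sample_tree(processes, root_pid):
    """PIDs of the sample plus every monitored process whose parent chain leads to it."""
    tree = {root_pid}
    grown = True
    while grown:
        grown = False
        names = {processes[p][0].lower() for p in tree}
        for pid, (_image, parent) in processes.items():
            if pid not in tree and parent.lower() in names:
                tree.add(pid)
                grown = True
    return tree


def attribute(rows, processes, root_pid):
    """Bucket each row: from the sample tree, from another (background) process,
    or carrying no PID at all, which has to be resolved in the PCAP."""
    tree = sample_tree(processes, root_pid)
    buckets = {"sample_tree": [], "background": [], "unattributed": [], "not_whitelisted": []}
    for row in rows:
        pid, _proc, _endpoint, _domain, reputation = row
        if pid is None:
            buckets["unattributed"].append(row)
        elif pid in tree:
            buckets["sample_tree"].append(row)
        else:
            buckets["background"].append(row)
        if reputation != "whitelisted":
            buckets["not_whitelisted"].append(row)
    return buckets


def domains_by_process(rows):
    """Which domains each named process reached; a row without a domain is
    listed by endpoint, a row without a PID under "(no pid)"."""
    seen = defaultdict(set)
    for _pid, proc, endpoint, domain, _rep in rows:
        seen[proc or "(no pid)"].add(domain or endpoint)
    return {proc: sorted(d) for proc, d in seen.items()}


if __name__ == "__main__":
    b = attribute(ROWS, PROCESSES, SAMPLE_PID)
    print(f"sample tree rows: {len(b['sample_tree'])}, background: {len(b['background'])}, "
          f"unattributed: {len(b['unattributed'])}, not whitelisted: {len(b['not_whitelisted'])}")
    for proc, domains in domains_by_process(ROWS).items():
        print(f"  {proc}: {', '.join(domains)}")
```

For this report the sample-tree bucket is empty and the four unattributed rows are the only ones that need a look in the PCAP before the "no sample network activity" conclusion is written down.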

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 23.55.104.190, 23.55.104.172, 184.24.77.37, 184.24.77.35, 184.24.77.12 | whitelisted
www.microsoft.com | 95.101.149.131, 184.30.21.171 | whitelisted
login.live.com | 40.126.32.138, 20.190.160.130, 40.126.32.76, 20.190.160.67, 20.190.160.65, 20.190.160.22, 40.126.32.134, 40.126.32.133 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.22 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info