File name: ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe

Full analysis: https://app.any.run/tasks/08c07c78-91c8-427c-955a-04469bb2d416
Verdict: Malicious activity
Analysis date: August 01, 2025, 02:33:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 890E2D2EC3525A52614FA174FD0F7022
SHA1: BBFCE2EBC71E7EF6B56BB7373988F2B9C634FD52
SHA256: CE5D8BDF32F9F4471E4E77291DC6E826604063211B52C81EADFE3F5CE400ADA8
SSDEEP: 1536:QPlbc9F8xi59F8xi6iai2LBbPtkCi7qdKsYAfyAsbdetE7BLeSyl880Qv:al/IdetyCS+sE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe (PID: 1976)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe (PID: 1976)
    • The process creates files with name similar to system file names

      • ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe (PID: 1976)
    • Executable content was dropped or overwritten

      • ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe (PID: 1976)
  • INFO

    • Creates files or folders in the user directory

      • ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe (PID: 1976)
    • Checks supported languages

      • ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe (PID: 1976)
    • Checks proxy server information

      • slui.exe (PID: 2692)
    • Reads the software policy settings

      • slui.exe (PID: 2692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

Ext | Type | Match (%)
.exe | Win32 Executable (generic) | 42.4
.exe | Win16/32 Executable Delphi generic | 19.5
.exe | Generic Win/DOS Executable | 18.8
.exe | DOS Executable Generic | 18.8
.vxd | VXD Driver | 0.2

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Screenshots: all screenshots are available in the full report

Total processes: 133
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, #ZOMBIE ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe, slui.exe

Process information

PID | CMD | Path | Parent process
1976 | "C:\Users\admin\Desktop\ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe" | C:\Users\admin\Desktop\ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2692 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 481
Read events: 3 481
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 834
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | |
MD5:
SHA256:
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: A361526EDCAD44091093FED351732DB8
SHA256: 202BB783A8B6BCA62FBE63D39654C21CDAB2020104D7D41FC438317A79F99970
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
MD5: 2B81570B539BF1CF73CE5E11EF67C947
SHA256: 890B23F01BC68214C5BC17B15433CCB8D765FA9FC4DE67C192E249E65A7A3121
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
MD5: 4363092B14D893398E8A4E5502CF01BC
SHA256: 4F9F02C6A5C1332B38D9FBBAD90802EC333AAB6D97ECA67B8CD2E688671B814C
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
MD5: B3E54F3DC111AE56E7E5BF84BCD0143B
SHA256: 6222C0CB2D68115A9346713DCA67591F2C53BA233BEF8ACE6593145BE7B179AB
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
MD5: 7E8A50C8756418236565DBD6C290B1FC
SHA256: DF155ABA891BC1F0828D674C2DF2D2F1442AA7191D824222C2E342BA3831A333
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
MD5: 63D2A72C590B0D2B3444FFFBA946F5D5
SHA256: 7E804579A2C0403AC32E7C3B9E8333BA3EAF1EDF1D15C16FDE95CFA0A8C9DFBC
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
MD5: C9FFC53F0E7E663F61E5FA55153B4321
SHA256: 88AF6B4DF36B3959E1BCCF3B94729B876F6730E7EB99ABC1248A11FBDDA09599
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
MD5: 3379FABBDFF9F77272E751246F3E55F6
SHA256: 157408DA8A3345B5D629AC2DA2F11AD3581FDE96169C5F8DCC62011BF9BC42DA
1976 | ce5d8bdf32f9f4471e4e77291dc6e826604063211b52c81eadfe3f5ce400ada8.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
MD5: DB4C6E98DAD7A5A3B1C6C9A4B9E31571
SHA256: 8A2EBA459B2D5CB11EADD900654B59D47E2C43A9497901378CB14A437F1C7239
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 22
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4024 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4024 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4024 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4024 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
self.events.data.microsoft.com | 52.182.141.63 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info