File name: ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50

Full analysis: https://app.any.run/tasks/702f3908-efbc-47a9-a04f-77c56dd14bd0
Verdict: Malicious activity
Analysis date: May 18, 2025, 07:10:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5: 076021236DB2E4238813A7002FCAF4C2
SHA1: A370ADA237E9EC4B48F5FDA821EAEEFF33ED2A61
SHA256: FF6DFB7E177ABB84E4F49FA75E2BD1BED182E4C032FAE3F1FE3D0ECC16260F50
SSDEEP: 98304:UuDozkeLJRE1MFYr7bpc5BTXZIwa4UpKt9WV1tWk9:ae

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe (PID: 6652)
  • SUSPICIOUS
    • Creates file in the system drive root
      • ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe (PID: 6652)
    • The process creates files with names similar to system file names
      • ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe (PID: 6652)
    • Executable content was dropped or overwritten
      • ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe (PID: 6652)
  • INFO
    • Checks supported languages
      • ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe (PID: 6652)
    • Creates files or folders in the user directory
      • ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe (PID: 6652)
    • Checks proxy server information
      • slui.exe (PID: 1188)
    • Reads the software policy settings
      • slui.exe (PID: 1188)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.4)
.exe | Win16/32 Executable Delphi generic (19.5)
.exe | Generic Win/DOS Executable (18.8)
.exe | DOS Executable Generic (18.8)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: -
CodeSize: -
InitializedDataSize: -
UninitializedDataSize: -
EntryPoint: 0x6000
OSVersion: 1
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 124
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start | #ZOMBIE ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | slui.exe

Process information

PID 1188 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 6652 | CMD: "C:\Users\admin\Desktop\ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe" | Path: C:\Users\admin\Desktop\ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\desktop\ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
Total events: 3 369
Read events: 3 369
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 487
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | | 
  MD5:
  SHA256:
6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
  MD5: 7BFC2D0B8DA53BDE43A4FFEDF794FC23
  SHA256: 1D2FA7AA805FF2992D35C65E8ACF6C629A3BACF37D9046D97F3D94319774805A
6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 4A4CBEA22B74F324EBF46303598B83A3
  SHA256: 38FFE7393E9C2913805B999C8E27F09BDF434E59531E8B0C3051E8994370B58D
6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: EAEE20B544615EB6ACDB5DCB53630A98
  SHA256: 11B1007C92FF2C9F7257F8F019EBAA3E9C45A00DA1E8603AC5B4050C7F186C3F
6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: 9211EFF4C612008ABEEA2C66161BC531
  SHA256: BB92803A7058B553E28E2AF6EBECB29D240BACE62EF520B40A4448D3A701AD39
6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: E0C304E75199D44016287C51FBD0CB67
  SHA256: 58436983DBB8D54AF1B59D42134F39D560ECFC5CDFEE0C88D9F1D4A4FD2C066A
6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
  MD5: 384EE210B4F7CA2A3F2D402B8822800C
  SHA256: D6F07F0686D8D9B4998869427F37BB97C132E4346529C49F45AF32C6ED41CFF2
6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: 73CF930B6CE0322ED7DEC5C8F013DC58
  SHA256: E54490E463B656F039DDA00BDD7AECB2B6C5194E9BE3169DD3A083806946B055
6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: 6F89E1F7C0295294AA9D8FC2745E84D0
  SHA256: 00B93074DA67EC777EF7C5DDC33AB41B7AA8779EB553FA735461B9922F384B13
6652 | ff6dfb7e177abb84e4f49fa75e2bd1bed182e4c032fae3f1fe3d0ecc16260f50.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
  MD5: 9B5AD9014D108E16D86CC16D17C2B3BD
  SHA256: 280DFA237544C6BD07F4CDEE9A61F5D8D1AEA912784280D50A1D751421937CC6
HTTP(S) requests: 2
TCP/UDP connections: 23
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

2104 | svchost.exe | GET | 200 | 23.216.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
2104 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2104 | svchost.exe | 23.216.77.18:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
6404 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1188 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 51.124.78.146, 40.127.240.158 | whitelisted
google.com | 142.250.181.238 | whitelisted
crl.microsoft.com | 23.216.77.18, 23.216.77.6, 23.216.77.42, 23.216.77.38, 23.216.77.30, 23.216.77.41, 23.216.77.25 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224, 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info