File name: 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c

Full analysis: https://app.any.run/tasks/cb5a9161-ac75-44b4-9357-122a91bb898c
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:19:29
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: A8ECECDAD8A44347E8AF2408B0DDC9C6
SHA1: 0F1FC08E0FE14933A7259D9F7EDD6507A82D0122
SHA256: 05F15239DEC7FD810585B4B2D0992FD35ACF56132D4F21A93C25DF3C1524C30C
SSDEEP: 3072:oSvVVVVVVVVwgWsgW2uFN1u8h55q8I+r8xLhWJEd2aNB415kUe7/wF:oSvVVVVVVVVguFTDhfqfWJUNo5kUe7/e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
    • Creates file in the systems drive root

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
    • The process creates files with name similar to system file names

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
  • INFO

    • Checks supported languages

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
    • Creates files or folders in the user directory

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
    • UPX packer has been detected

      • 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe (PID: 4628)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
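The UPX verdict above rests on the PE layout the EXIF block reports: three sections, an entry point at 0x7f80 that is not in the first section, 8192 bytes of code and 24576 bytes of uninitialized data (the section UPX unpacks into has no raw bytes on disk but a large virtual size). The Python below is an added example, not part of the ANY.RUN report or its tooling. It builds a header-only PE32 with that layout from constructed data (the real sample is not embedded here), parses the section table and applies the three heuristics a triage script would check before trusting a packer tag. The section names, sizes and helper names are assumptions chosen to match the report's numbers.

```python
import struct

PE32_MAGIC = 0x10B
OPT_HDR_SIZE_PE32 = 0xE0
SECTION_HDR_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(sections, entry_point, machine=0x14C):
    """Build a header-only PE32 image for exercising the heuristics below.
    sections: list of (name, virtual_address, virtual_size, raw_size).
    Constructed test data, not the report's sample."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Characteristics 0x010F = relocs stripped, executable, no line numbers,
    # no symbols, 32-bit machine: the flags the EXIF block lists.
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0,
                       OPT_HDR_SIZE_PE32, 0x010F)
    opt = bytearray(OPT_HDR_SIZE_PE32)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point)      # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack(SECTION_HDR_FMT, name.ljust(8, b"\0"), vsize, va, raw,
                    0, 0, 0, 0, 0, 0)
        for name, va, vsize, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Read only the header fields the packer heuristics need."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, raw = struct.unpack_from("<8sIII", data,
                                                  sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "va": va, "vsize": vsize, "raw": raw})
    return {"machine": machine, "magic": magic, "entry": entry,
            "sections": sections}


def upx_indicators(info):
    """Return the packer indicators found; an empty list means none."""
    findings = []
    secs = info["sections"]
    if any(s["name"].startswith("UPX") for s in secs):
        findings.append("section names start with UPX")
    # The unpacking destination has no raw data on disk but a large
    # virtual size; this is what EXIF reports as UninitializedDataSize.
    if any(s["raw"] == 0 and s["vsize"] >= 0x1000 for s in secs):
        findings.append("zero raw size section with large virtual size")
    # The decompression stub sits in a later section, so the entry point
    # is not in the first section as a normal linker layout would have it.
    ep_idx = next((i for i, s in enumerate(secs)
                   if s["va"] <= info["entry"] < s["va"] + max(s["vsize"], s["raw"])),
                  None)
    if ep_idx is None:
        findings.append("entry point outside every section")
    elif ep_idx > 0 and secs[ep_idx]["name"] != ".text":
        findings.append("entry point in section %s, not the first section"
                        % secs[ep_idx]["name"])
    return findings


# Layout modelled on the report's EXIF fields (CodeSize 0x2000,
# UninitializedDataSize 0x6000, EntryPoint 0x7f80); constructed, not the sample.
PACKED = build_pe([(b"UPX0", 0x1000, 0x6000, 0),
                   (b"UPX1", 0x7000, 0x2000, 0x2000),
                   (b".rsrc", 0x9000, 0x1000, 0x1000)], entry_point=0x7F80)
# A conventional layout for comparison.
PLAIN = build_pe([(b".text", 0x1000, 0x1000, 0x1000),
                  (b".data", 0x2000, 0x200, 0x200),
                  (b".rsrc", 0x3000, 0x400, 0x400)], entry_point=0x1200)

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("plain", PLAIN)):
        print(label, upx_indicators(parse_pe(blob)))
```

Section names are the weakest of the three signals, since they are trivially renamed; the zero raw size plus large virtual size and the out-of-place entry point survive that and are what a YARA rule or triage script should weigh.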
No data.
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

start #ZOMBIE 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe

Process information

PID: 4628
CMD: "C:\Users\admin\Desktop\05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe"
Path: C:\Users\admin\Desktop\05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 423
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID | Process | Filename | Type
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | - | -
    MD5: -
    SHA256: -
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
    MD5: 19652815F7228C38178AF87DEAAED099
    SHA256: DADECC155C8FFB7B6AC9D71586FD329C8219A5E9FD7237538D111836C0CE3D9A
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
    MD5: 99BD39BA25480083CAD18B089DD7881C
    SHA256: 8108A7328BE767A51FE9914E09575186AE2B760D29B36FC2179EF929BC433B3C
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
    MD5: 605321030E25969C7948F39A20D04E3C
    SHA256: D2D1F6BA68A0545164DA384BB818767122BE00E249BCA99EB915C46D1804C87E
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
    MD5: 674E2D64E47A9A3BEFDFB2ECA6606DB3
    SHA256: 8B0ADCA7C1EA039C9B1842BE4E7BACE3543E286DEB5BAD5BD8E3298931BB5E44
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
    MD5: 595F64460694F7D3369AC55EB4406FF8
    SHA256: 902FD349118B396B74C44E22EB70A218D335A0F9D4F0F859B611ACF070CC65AB
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
    MD5: 266E82274E43053FAB2A5E7E70D9E00F
    SHA256: EE15BAD813F4193A7769CC7D8B9BDDC5F1A6647C9F89FB2BEF0A20F377CEA030
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
    MD5: CD1205A255AB271E5442C4EB34086283
    SHA256: 49EC5B1AFCCAB7C4FC712A931E52241CD945343CDDC9400D0065695F6E825C34
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
    MD5: 7CDAA05DFFA93ACD08C74B684C3E4551
    SHA256: 73E9372DBF8A950D5A7D0AB7B1020B404E0616693D9196D5DEF1DBB95663497B
4628 | 05f15239dec7fd810585b4b2d0992fd35acf56132d4f21a93c25df3c1524c30c.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
    MD5: 99BD39BA25480083CAD18B089DD7881C
    SHA256: 8108A7328BE767A51FE9914E09575186AE2B760D29B36FC2179EF929BC433B3C
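Two details in the dropped-files table matter when scoping this sample on a real host. Every path under AppData\Local\VirtualStore is a write that UAC file virtualization redirected away from a protected location: the process, running at MEDIUM integrity, tried to write bootmgr.tmp and bootTel.dat.tmp into the root of C:\ and several files into Program Files\Adobe\Acrobat DC, which is why the "creates file in the systems drive root" signature fired although the real C:\ root on the VM was never modified. On a host where the same binary runs elevated those writes land in the real locations. Second, desktop.ini.exe and desktop.ini.tmp under $Recycle.Bin share one SHA256, so the two names are one payload. The Python below is an added triage example, not ANY.RUN's code, run over the records transcribed from the table above; the rule wording, the helper names and the NON_EXEC_EXT list are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Dropped-file records (path, type, SHA256) transcribed from the report table.
RB = r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001"
VS = r"C:\Users\admin\AppData\Local\VirtualStore"
ACRO = VS + r"\Program Files\Adobe\Acrobat DC\Acrobat"
DROPPED = [
    (VS + r"\bootmgr.tmp", "executable", "DADECC155C8FFB7B6AC9D71586FD329C8219A5E9FD7237538D111836C0CE3D9A"),
    (RB + r"\desktop.ini.exe", "executable", "8108A7328BE767A51FE9914E09575186AE2B760D29B36FC2179EF929BC433B3C"),
    (VS + r"\bootTel.dat.tmp", "executable", "D2D1F6BA68A0545164DA384BB818767122BE00E249BCA99EB915C46D1804C87E"),
    (ACRO + r"\ACE.dll.tmp", "executable", "8B0ADCA7C1EA039C9B1842BE4E7BACE3543E286DEB5BAD5BD8E3298931BB5E44"),
    (ACRO + r"\acrobat.tlb.tmp", "executable", "902FD349118B396B74C44E22EB70A218D335A0F9D4F0F859B611ACF070CC65AB"),
    (ACRO + r"\AcrobatRes.dll.tmp", "executable", "EE15BAD813F4193A7769CC7D8B9BDDC5F1A6647C9F89FB2BEF0A20F377CEA030"),
    (ACRO + r"\acrobat_reader_appicon_16.png.tmp", "executable", "49EC5B1AFCCAB7C4FC712A931E52241CD945343CDDC9400D0065695F6E825C34"),
    (ACRO + r"\AcrobatInfo.exe.tmp", "executable", "73E9372DBF8A950D5A7D0AB7B1020B404E0616693D9196D5DEF1DBB95663497B"),
    (RB + r"\desktop.ini.tmp", "executable", "8108A7328BE767A51FE9914E09575186AE2B760D29B36FC2179EF929BC433B3C"),
]

VIRTUALSTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.I)
# Extensions that should never carry PE content (assumed list).
NON_EXEC_EXT = {".ini", ".png", ".dat", ".tlb", ".txt", ".log"}


def virtualstore_target(path):
    """Map a VirtualStore path back to the protected location the process
    actually tried to write; UAC file virtualization redirects such writes
    for medium-integrity processes. Returns None if the path is not virtualized."""
    m = VIRTUALSTORE_RE.match(path)
    if not m:
        return None
    return "%s:\\%s" % (m.group("drive"), m.group("rest"))


def triage(records):
    """Return (findings per path, SHA256 values seen at more than one path)."""
    findings = {}
    by_hash = defaultdict(list)
    for path, ftype, sha256 in records:
        notes = []
        suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
        target = virtualstore_target(path)
        if target:
            notes.append("virtualized write, intended target %s" % target)
            if len(PureWindowsPath(target).parts) == 2:   # ('C:\\', name)
                notes.append("write to system drive root")
        if "\\$recycle.bin\\" in path.lower():
            notes.append("executable content written under $Recycle.Bin")
        if len(suffixes) >= 2:
            notes.append("double extension %s" % "".join(suffixes[-2:]))
            if ftype == "executable" and suffixes[-2] in NON_EXEC_EXT:
                notes.append("typed executable but named as %s" % suffixes[-2])
        findings[path] = notes
        by_hash[sha256].append(path)
    shared = {h: ps for h, ps in by_hash.items() if len(ps) > 1}
    return findings, shared


def sha256_blocklist(records):
    """Deduplicated SHA256 IOCs in first-seen order, for a blocklist."""
    return list(dict.fromkeys(h for _, _, h in records))


if __name__ == "__main__":
    found, shared = triage(DROPPED)
    for path, notes in found.items():
        print(path)
        for note in notes:
            print("   -", note)
    for digest, paths in shared.items():
        print("same content at %d paths: %s" % (len(paths), digest))
    print(len(sha256_blocklist(DROPPED)), "unique SHA256 values")
```

The intended-target mapping is what turns the VirtualStore listing into host-level IOCs: hunt for bootmgr.tmp and bootTel.dat.tmp in the drive root and for .tmp copies beside the Acrobat binaries, not only in the user's VirtualStore.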
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
21
DNS requests
8
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.202.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
488 | svchost.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
488 | svchost.exe | GET | 200 | 23.37.202.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
488 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 2.21.110.146:443 | www.bing.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
488 | svchost.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.37.202.100:80 | www.microsoft.com | Linknet-Fastnet ASN | ID | whitelisted
488 | svchost.exe | 23.37.202.100:80 | www.microsoft.com | Linknet-Fastnet ASN | ID | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
www.bing.com | 2.21.110.146, 2.21.110.139 | whitelisted
google.com | 172.217.16.142 | whitelisted
crl.microsoft.com | 23.32.238.112, 23.32.238.107 | whitelisted
www.microsoft.com | 23.37.202.100 | whitelisted
self.events.data.microsoft.com | 20.42.65.94 | whitelisted

Threats

No threats detected
No debug info