File name:

0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe

Full analysis: https://app.any.run/tasks/bdb8066a-1ed8-4c2b-9ab0-7680b75b5b9a
Verdict: Malicious activity
Analysis date: January 10, 2025, 23:06:23
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

4AE4B14E3B65B197D3ACFC66BBCE5053

SHA1:

13BBE87DC07D88524B4214D0F8B2536FBBAC23C1

SHA256:

0E64579F96EA13352BE8BC49A97B561E78C372AA1C1F04EE2EF962A9211EF21F

SSDEEP:

12288:DvVVVVVVVVTfuj5q4uFTDhSfWJUNo5kUe7evVVVVVVVVTfuj5q4uFTDhSfWJUNoh:Hfuj5DuFRSfWJUq5kUe+fuj5DuFRSfWj

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)

    • Executable content was dropped or overwritten

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)

    • The process creates files with name similar to system file names

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)

  • INFO

    • Checks supported languages

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)

    • Creates files or folders in the user directory

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)

    • UPX packer has been detected

      • 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe (PID: 3772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe

Process information

PID
CMD
Path
Indicators
Parent process
3772"C:\Users\admin\Desktop\0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe" C:\Users\admin\Desktop\0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 289
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe
MD5:
SHA256:
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:8EAA02770D7832BBCF3FA8CDAE16E0F0
SHA256:84F769E244F7511D0420A9A680F5D826BE0F18141D6BDCCE33F90683EB4ADD62
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:8625A07CF6DBA0C6BEBDED9DBE719245
SHA256:C49873440E685AAE3246E22C7993879BBF41327DD99676E6EB328E5B357D4D07
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:8EAA02770D7832BBCF3FA8CDAE16E0F0
SHA256:84F769E244F7511D0420A9A680F5D826BE0F18141D6BDCCE33F90683EB4ADD62
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmpexecutable
MD5:A5DF8BB5F07627C5831B649609F8CF92
SHA256:A367BDB69DE43BBF69F41C2DC2BE42C4D9A045B3F649E286DDF1BDB52931656F
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:8BBFED11E816610D38ED85D8928CDEBA
SHA256:E8F20E6ACB41109317E4B16284529148CB8C053D25EFD190A5689594B3613B95
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:BA569D6462BE67A7CB8D13C7DE9B7E7D
SHA256:846D229444383CBF11D7B5E3F4AEC1B96199675773A8AEF928CA5D78F5C55893
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:787E1EF846432A1547C5A731B1019ED2
SHA256:D38F0D5B1A415C26F7DE94A3B0A3B677A4DCC7B2B7CADEA17DA724CC53978580
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:640F3FADFF7E8316B1FE8536F6CA340B
SHA256:FFE7497D3DBB459C7EA1033690E5AC6AE191F832122F0618B74C82F9B3F4EB33
37720e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:505502F04FE20FE618CFC979913539A7
SHA256:3342A499C57EE582A4FFB4372C9D3BF36EA93368D249CD42B3036874A16A374F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5892
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5892
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5892
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
104.126.37.139:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5892
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5892
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
www.bing.com
  • 104.126.37.139
  • 104.126.37.155
  • 104.126.37.145
  • 104.126.37.137
  • 104.126.37.170
  • 104.126.37.162
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.163
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 13.69.116.107
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
0e64579f96ea13352be8bc49a97b561e78c372aa1c1f04ee2ef962a9211ef21f.exe