File name:

144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9

Full analysis: https://app.any.run/tasks/710a3941-9a79-4a4a-9563-43c69cda770b
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:47:58
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

CEFD29D8B29E7B68FCD6AE6B93E6CCD4

SHA1:

25BB69205392A4D5CEC07137A637274869C90E0F

SHA256:

144DB6A34E9CAA6DC1575313B48C26234D484089A1FEB7BA7E9C34440D1A7DF9

SSDEEP:

768:Eh1IqQMy6cJgKAUo9AvVVVVVVVVgSjSs5ZEPzf:EhPpyASvVVVVVVVVWs5ZE7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)

    • Creates file in the systems drive root

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)

    • The process creates files with name similar to system file names

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)

  • INFO

    • Checks supported languages

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)

    • Creates files or folders in the user directory

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)

    • UPX packer has been detected

      • 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe (PID: 6096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe

Process information

PID
CMD
Path
Indicators
Parent process
6096"C:\Users\admin\Desktop\144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe" C:\Users\admin\Desktop\144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 751
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exe
MD5:
SHA256:
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:2ACB73C1C2D8D0D3BF1DB983783CE892
SHA256:D88E5EF3329D2CC9EB19F076AE0433126EA7A67B71C3ED1E4FC8B67603955AED
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:2A3824E370FD9A62CC7330AC97336139
SHA256:AB46FA47D0E64569E81C2FE9A2EDA3C416721C321340DB1A221076EC24EE9E7B
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:D0E0EDDF7CFA134B6EC503AD11455273
SHA256:CC5D371CFD89B9B8A67C5F9647E9EF16131FCA2EDB5E9381E669FEC5E3431A89
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:2ACB73C1C2D8D0D3BF1DB983783CE892
SHA256:D88E5EF3329D2CC9EB19F076AE0433126EA7A67B71C3ED1E4FC8B67603955AED
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:DC3A50E457BC7CE1006C56B8C0FB4685
SHA256:5A4FD7A5A1BD037DFD7A20D921FE7CDB0189FE8A15FEF82399B078614D60BD1D
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:3EEF2410323B7CCF1FDFF05BBAEFC265
SHA256:E9F00D6E79565AD026C7057747531F7C7FC6A3B7129C68E5DCFB90F63CB55617
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmpexecutable
MD5:00DB5B7D37F9FB6FB46F40860C1ED115
SHA256:4A457E3454576039E5B1DC342B21CE26F4BB374C4BA19581D03093DFDB3E9F3E
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:1BAA1DD657D311F67942D41F3266031E
SHA256:E8A33A36D9B0ACB7ECF5ADF60179D5B9344979E7F750944EF0FFB2F73E7E7322
6096144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:847895C910278A4273EB9E68568EE2AF
SHA256:D4B1876EAFC8CCE7DA235BD41AA0EACDFDE43BBB1649E816D64FD082417CECE6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
22
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4536
svchost.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1140
RUXIMICS.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.164:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4536
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1140
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1140
RUXIMICS.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4536
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
104.126.37.129:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
4536
svchost.exe
23.48.23.164:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.164:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1140
RUXIMICS.exe
23.48.23.164:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4536
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.129
  • 104.126.37.139
  • 104.126.37.137
  • 104.126.37.131
  • 104.126.37.128
  • 104.126.37.178
  • 104.126.37.186
  • 104.126.37.177
  • 104.126.37.136
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.48.23.164
  • 23.48.23.143
  • 23.48.23.156
  • 23.48.23.176
  • 23.48.23.166
  • 23.48.23.173
  • 23.48.23.177
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.168.117.170
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
144db6a34e9caa6dc1575313b48c26234d484089a1feb7ba7e9c34440d1a7df9