File name:	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f
Full analysis:	https://app.any.run/tasks/e397cb46-e525-4bbc-b75a-5897228906fe
Verdict:	Malicious activity
Analysis date:	July 06, 2025, 05:44:02
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	ACAF6B2EA9DCC024F01B2E4BC95EB280
SHA1:	D830F885E49E2C406D23D6638E0D1BBB3C2680B2
SHA256:	28BF63C363B1DB7DA6D661DC89EBAFD1C9D524FBDDDC4DDC8B571685175FB35F
SSDEEP:	1536:QPlbd/Nq6nNq6F7Q7XjVABd/Nq6nNq6F7Q7QIbIP:alr7Q7Xah7Q7Qoy

.exe	\|	Win32 Executable (generic) (42.4)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.8)
.exe	\|	DOS Executable Generic (18.8)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	-
CodeSize:	-
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x2130
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe			—
		MD5:—	SHA256:—
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe		executable
		MD5:1FC9F0B5D0D91518ADBC1BB0734D0FE7	SHA256:BEE7183B17B2EDE7AADEF0D650329B1E20F6744B9E5677838E9FB7E3EE4BE4D6
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:7AA82AF73B3ECD3E0149106B5C5E3A5B	SHA256:72FE7A12088983FFA61A6CD74E5C4AC919744AC64360B863164B3FC403B0F435
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe	C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp		executable
		MD5:B8AD3239AC70C85F5ACEFB4E0752304B	SHA256:4EF6A633D56698CAA3B4DF46AC6B8EFD65C23A677E1E19B1C26D969EF7889B99
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp		executable
		MD5:F8E498142A3B1A624EEE60623E57F47C	SHA256:BF1B16267FD92B66AEBAC4B32E19375FF592B3A4C2BBC4EFF389E7BE8116CE94
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp		executable
		MD5:1FC9F0B5D0D91518ADBC1BB0734D0FE7	SHA256:BEE7183B17B2EDE7AADEF0D650329B1E20F6744B9E5677838E9FB7E3EE4BE4D6
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp		executable
		MD5:E1F4208B2C3A0B23CD2FC037AB353495	SHA256:E7D560CC268F5F28982EAA006E49DA687BA3B0C669BCDEFE4B78FCC9CD744FA0
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp		executable
		MD5:30116C660637671D2A392C44636D6CEB	SHA256:0820D619296FF6BB6E3FB69728151CF25B9AB7636C781816DBEDC969DEFD92C0
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp		executable
		MD5:8A522B553115AD5AA8590E001650169C	SHA256:EE6D79BA7E353EE8FECF6388C1F1659621DE7882B647B4E470CE99E3A78CD4D9
2324	28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:0631C2D9F6C7DC52E4D71E114272C5EB	SHA256:53F3C296C5B058FADF340B7C8C850D17309C7F088D1F5031AD8679F7CA804702

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6368	RUXIMICS.exe	GET	200	2.20.245.137:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6368	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6368	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
6368	RUXIMICS.exe	2.20.245.137:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
google.com	142.250.186.46	whitelisted
crl.microsoft.com	2.20.245.137 2.20.245.139	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
self.events.data.microsoft.com	20.42.73.24	whitelisted

General Info

28bf63c363b1db7da6d661dc89ebafd1c9d524fbdddc4ddc8b571685175fb35f

ACAF6B2EA9DCC024F01B2E4BC95EB280

D830F885E49E2C406D23D6638E0D1BBB3C2680B2

28BF63C363B1DB7DA6D661DC89EBAFD1C9D524FBDDDC4DDC8B571685175FB35F

1536:QPlbd/Nq6nNq6F7Q7XjVABd/Nq6nNq6F7Q7QIbIP:alr7Q7Xah7Q7Qoy

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Creates file in the systems drive root

The process creates files with name similar to system file names

Executable content was dropped or overwritten

INFO

Checks supported languages

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings