File name:	2ac40e8a5148752a283dafc8c551c73667a1acbe98a0de9ffe2568d1ab23cab9
Full analysis:	https://app.any.run/tasks/9004ed7c-b141-48ab-b7fa-ece3c10e0c6d
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Malware Trends Tracker >>>
Analysis date:	March 24, 2025, 22:32:12
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zeus botnet
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:	85FFCD71C6C506283CCEADE982DE86F0
SHA1:	F7454E17F0CCD8EBFF92D58F821011699F20457E
SHA256:	2AC40E8A5148752A283DAFC8C551C73667A1ACBE98A0DE9FFE2568D1AB23CAB9
SSDEEP:	3072:kwuKQSjLv8wc9+Zslvh7/VoowpcpetFVE0iBmoUUUUUUnUUUUUUJSmizh49e:9uKQMLEwc9+Zslvhb6oOcpyFV4xUUUUc

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2008:03:05 04:07:06+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	71168
InitializedDataSize:	21504
UninitializedDataSize:	-
EntryPoint:	0x5138
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(7940) 2ac40e8a5148752a283dafc8c551c73667a1acbe98a0de9ffe2568d1ab23cab9.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	userinit
Value: C:\Users\admin\AppData\Roaming\sdra64.exe
(PID) Process:	(1852) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(1852) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(1852) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5156) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5156) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5156) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5864) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5864) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5864) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
5156	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3489dd46-e425-4a4c-a1a6-4daf6c4ca0a7.down_data		—
		MD5:—	SHA256:—
1116	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\d82bd77f-4ad7-4744-ae2e-9b0746bcbde4.down_data		—
		MD5:—	SHA256:—
5156	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\3489dd46-e425-4a4c-a1a6-4daf6c4ca0a7.0efa4ddf-22c5-4ed8-ab0b-61e538362cb9.down_meta		binary
		MD5:42423E079FECD87D9C51557F2F315ED0	SHA256:45F70E4888468A2853D6D2DF14E2F00872E408CDD17328501411733FA0B2C5B3
7940	2ac40e8a5148752a283dafc8c551c73667a1acbe98a0de9ffe2568d1ab23cab9.exe	C:\Users\admin\AppData\Roaming\sdra64.exe		executable
		MD5:85FFCD71C6C506283CCEADE982DE86F0	SHA256:2AC40E8A5148752A283DAFC8C551C73667A1ACBE98A0DE9FFE2568D1AB23CAB9
5156	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\88df8d22-7fbb-4846-8c68-a0c13b15a27f.0efa4ddf-22c5-4ed8-ab0b-61e538362cb9.down_meta		binary
		MD5:42423E079FECD87D9C51557F2F315ED0	SHA256:45F70E4888468A2853D6D2DF14E2F00872E408CDD17328501411733FA0B2C5B3
1116	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\d82bd77f-4ad7-4744-ae2e-9b0746bcbde4.4ac12776-9b61-4392-ace8-5e0c9a2361c2.down_meta		binary
		MD5:77DD10CB1382642DFD6F83AE707F17A5	SHA256:BF500F75260C40EB64190CD9156460219142799B07A67D235168A0B112D02007
1116	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\2ba04c8a-9ae1-480f-8c3f-a99efa818608.4ac12776-9b61-4392-ace8-5e0c9a2361c2.down_meta		binary
		MD5:77DD10CB1382642DFD6F83AE707F17A5	SHA256:BF500F75260C40EB64190CD9156460219142799B07A67D235168A0B112D02007
5156	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\88df8d22-7fbb-4846-8c68-a0c13b15a27f.up_meta_secure		binary
		MD5:6779BFBD0EA1E4B4B5D3D3CE2BBDE4EE	SHA256:01146A3FDA0EFBAB72EDB5C91679C2EB79473F96C550A43F5478B00846A29697
1116	BackgroundTransferHost.exe	C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\2ba04c8a-9ae1-480f-8c3f-a99efa818608.up_meta_secure		binary
		MD5:D36B71C492CEF069CE426E6F73C2A121	SHA256:63C3F6835B0A0D23E863ED8CF9C6B5C588B0AF68E4E64508F0A7C8DFB77ECCEF

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	304	52.149.20.212:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	—	—	—
2104	svchost.exe	GET	200	23.48.23.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4228	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4228	SIHClient.exe	GET	200	23.48.23.147:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
4228	SIHClient.exe	GET	200	23.48.23.147:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
4228	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4228	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
4228	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
—	—	GET	200	13.85.23.206:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	—	—	—
4228	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	23.48.23.147:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
6544	svchost.exe	40.126.32.68:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
login.live.com	40.126.32.68 20.190.160.14 40.126.32.76 20.190.160.20 20.190.160.5 40.126.32.140 20.190.160.17 40.126.32.138	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
arc.msn.com	20.223.35.26 20.103.156.88	whitelisted
google.com	142.250.185.110	whitelisted
crl.microsoft.com	23.48.23.147 23.48.23.143	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
nexusrules.officeapps.live.com	52.111.227.11	whitelisted

General Info

2ac40e8a5148752a283dafc8c551c73667a1acbe98a0de9ffe2568d1ab23cab9

85FFCD71C6C506283CCEADE982DE86F0

F7454E17F0CCD8EBFF92D58F821011699F20457E

2AC40E8A5148752A283DAFC8C551C73667A1ACBE98A0DE9FFE2568D1AB23CAB9

3072:kwuKQSjLv8wc9+Zslvh7/VoowpcpetFVE0iBmoUUUUUUnUUUUUUJSmizh49e:9uKQMLEwc9+Zslvhb6oOcpyFV4xUUUUc

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

ZEUS mutex has been found

SUSPICIOUS

Executable content was dropped or overwritten

There is functionality for communication over UDP network (YARA)

INFO

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Checks proxy server information

Reads the software policy settings

Reads security settings of Internet Explorer

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings