File name:	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890
Full analysis:	https://app.any.run/tasks/260316b4-d20a-4584-b510-c10ca30bc25a
Verdict:	Malicious activity
Analysis date:	December 13, 2024, 19:36:26
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:	1891B8CE4954ED1E88868D9D4800725A
SHA1:	5A2CFE62F3DCB60F9C19367454455DDC5DEBD691
SHA256:	2C737C96CDC46329D4709A9D6D5D67E1DB0996E0FB32BA5E8A80EF4BE26CC890
SSDEEP:	1536:EhPpyASvVVVVVVVVWs5jf/ASvVVVVVVVV+s5jfsvzH:cpDSvVVVVVVVVrf4SvVVVVVVVVTfe

.exe	\|	Win32 Executable MS Visual C++ (generic) (30.9)
.exe	\|	Win64 Executable (generic) (27.3)
.exe	\|	UPX compressed Win32 Executable (26.8)
.dll	\|	Win32 Dynamic Link Library (generic) (6.5)
.exe	\|	Win32 Executable (generic) (4.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:03:15 04:06:07+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	6
CodeSize:	8192
InitializedDataSize:	4096
UninitializedDataSize:	24576
EntryPoint:	0x2130
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe		—
		MD5:—	SHA256:—
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe			—
		MD5:—	SHA256:—
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:5EEED4CF550D0F3936B7C34F6256CB93	SHA256:C83961C99219B8EFA9C558F5148EE49984C07B9559A04EB86236ED515057DC9A
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp		executable
		MD5:538191D4AD457C63E3D784CCC8157EEC	SHA256:F855598E230BE96431E380B88D30B0B4D4B13BCD27908F8CB8ED3A9E1762BDF0
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp		executable
		MD5:4854F332CEA5E386C9314BC7A8C9748E	SHA256:89AF2EDC6A2E3C07758E3486512DAEB9908F1FBC2747BD193376022E0C6026D0
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp		executable
		MD5:106F4E69B165230287F2D2D380BC68F0	SHA256:760208BF6E4D6968F2A198EF0B4CEC860245E03B17E3FEAC00FCCF5D1BA3CE7E
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp		executable
		MD5:B16B04305800424661E3895B51F4684D	SHA256:035A5BE6F55F96DE380D1C98C6CFAB5F6553626FD851FFB6BF054C4611A55DDF
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp		executable
		MD5:3C090EFBDC1AB972703A527280517829	SHA256:C5492705ED57722ACC427E8537BF1B9B7FE71FFFEA30430867CCAD0DF1F94C92
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe	C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp		executable
		MD5:D777224DD56E52C508B3B4FC3F53D420	SHA256:6DAB8548A4B74DF3FBA987A37CFEC0B5A9F82766D17D772330285BF66C0388DD
6256	2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp		executable
		MD5:5ECA8E677F3B8140B841EE3365C8435B	SHA256:A627399AA4E53C6EA76411C4329EE0195B9310814656CE9AC94E21EA4A22E68B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5496	svchost.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4300	RUXIMICS.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4300	RUXIMICS.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5496	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	2.23.209.179:443	www.bing.com	Akamai International B.V.	GB	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
5496	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4300	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5496	svchost.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4300	RUXIMICS.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	2.16.241.12:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	svchost.exe	88.221.169.152:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
www.bing.com	2.23.209.179 2.23.209.177 2.23.209.133 2.23.209.149 2.23.209.140 2.23.209.130 2.23.209.148 2.23.209.182 2.23.209.187	whitelisted
google.com	172.217.18.110	whitelisted
crl.microsoft.com	2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
self.events.data.microsoft.com	20.42.65.94	whitelisted

General Info

2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890

1891B8CE4954ED1E88868D9D4800725A

5A2CFE62F3DCB60F9C19367454455DDC5DEBD691

2C737C96CDC46329D4709A9D6D5D67E1DB0996E0FB32BA5E8A80EF4BE26CC890

1536:EhPpyASvVVVVVVVVWs5jf/ASvVVVVVVVV+s5jfsvzH:cpDSvVVVVVVVVrf4SvVVVVVVVVTfe

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

The process creates files with name similar to system file names

INFO

Creates files or folders in the user directory

UPX packer has been detected

Checks supported languages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings