File name:

2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890

Full analysis: https://app.any.run/tasks/260316b4-d20a-4584-b510-c10ca30bc25a
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:36:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

1891B8CE4954ED1E88868D9D4800725A

SHA1:

5A2CFE62F3DCB60F9C19367454455DDC5DEBD691

SHA256:

2C737C96CDC46329D4709A9D6D5D67E1DB0996E0FB32BA5E8A80EF4BE26CC890

SSDEEP:

1536:EhPpyASvVVVVVVVVWs5jf/ASvVVVVVVVV+s5jfsvzH:cpDSvVVVVVVVVrf4SvVVVVVVVVTfe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe (PID: 6256)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe (PID: 6256)

    • The process creates files with name similar to system file names

      • 2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe (PID: 6256)

  • INFO

    • UPX packer has been detected

      • 2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe (PID: 6256)

    • Checks supported languages

      • 2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe (PID: 6256)

    • Creates files or folders in the user directory

      • 2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe (PID: 6256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
121
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe

Process information

PID
CMD
Path
Indicators
Parent process
6256"C:\Users\admin\Desktop\2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe" C:\Users\admin\Desktop\2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 802
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe
MD5:
SHA256:
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exe
MD5:
SHA256:
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:B16B04305800424661E3895B51F4684D
SHA256:035A5BE6F55F96DE380D1C98C6CFAB5F6553626FD851FFB6BF054C4611A55DDF
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:4854F332CEA5E386C9314BC7A8C9748E
SHA256:89AF2EDC6A2E3C07758E3486512DAEB9908F1FBC2747BD193376022E0C6026D0
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmpexecutable
MD5:106F4E69B165230287F2D2D380BC68F0
SHA256:760208BF6E4D6968F2A198EF0B4CEC860245E03B17E3FEAC00FCCF5D1BA3CE7E
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:5ECA8E677F3B8140B841EE3365C8435B
SHA256:A627399AA4E53C6EA76411C4329EE0195B9310814656CE9AC94E21EA4A22E68B
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:CF256D78AA2856861FC166E93ED22FAB
SHA256:17E3DA21E1045105CAC6FC4C25158E873389E29FC73C98B05B3B69EB11ECC675
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmpexecutable
MD5:83CD1AA90166B37DC799AD58500CEB16
SHA256:11167B5EB2570210D1DDC9199856C3F58AA6C20155607A30634F68A7826AF064
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:FA2AC558C652D607C3779ABABB46F740
SHA256:92B9CF200D86EC86B77AB4905079F5A63E23F6200339165F6F3A49096005C7BD
62562c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_100_percent.pak.tmpexecutable
MD5:3405B3A63D4E5A1D438699BD0A4645E6
SHA256:55344BD34CB4CF689743209973A40F81061703BF399B28AFE9624C687A87AE19
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4300
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5496
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5496
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4300
RUXIMICS.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2.23.209.179:443
www.bing.com
Akamai International B.V.
GB
whitelisted
192.168.100.255:137
whitelisted
5496
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4300
RUXIMICS.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5496
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4300
RUXIMICS.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5496
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.179
  • 2.23.209.177
  • 2.23.209.133
  • 2.23.209.149
  • 2.23.209.140
  • 2.23.209.130
  • 2.23.209.148
  • 2.23.209.182
  • 2.23.209.187
whitelisted
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
self.events.data.microsoft.com
  • 20.42.65.94
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2c737c96cdc46329d4709a9d6d5d67e1db0996e0fb32ba5e8a80ef4be26cc890