File name:

2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4

Full analysis: https://app.any.run/tasks/47534f94-385a-453e-804e-5d9c086e6560
Verdict: Malicious activity
Analysis date: January 10, 2025, 21:53:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

AC1FC8284D18AA671706661778D16F81

SHA1:

87DEB56CED369238096027812AA212593EDA7898

SHA256:

2CA0E2AFE43BA6EB8A069B84B7FDC9B55C0498E4035DFADCCF9E71B043B6CDB4

SSDEEP:

12288:DvVVVVVVVVtu74R0vVVVVVVVVtu74RYvVVVVVVVVtu74R0vVVVVVVVVtu74R5NA:U74RP74RD74RP74R5NA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

    • The process creates files with name similar to system file names

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

  • INFO

    • Creates files or folders in the user directory

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

    • Checks supported languages

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

    • UPX packer has been detected

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe

Process information

PID
CMD
Path
Indicators
Parent process
6220"C:\Users\admin\Desktop\2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe" C:\Users\admin\Desktop\2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 386
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe
MD5:
SHA256:
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:193C03C5BCEC2483171518C68992D4A4
SHA256:EBEA1DD9DB28EA4E2AEC9752BB7CB86C57F6106952D60A0E5AB27C7A1C29E816
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:3C1CA07430AE6830401A95F00AFEB547
SHA256:A36FC529366B96F3931BC6179EBFD0E2B350926ED489F9861D84AD5452AB1320
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:193C03C5BCEC2483171518C68992D4A4
SHA256:EBEA1DD9DB28EA4E2AEC9752BB7CB86C57F6106952D60A0E5AB27C7A1C29E816
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:BB32E01AC7AE4F4041547303883663A2
SHA256:A61B4F82959B7A3706ACE757D06BFFD40BB5ADF2DE99565EFBC69517C4D3E442
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:C1898E087FA1775A74DBFA839295AC9B
SHA256:F7E3D86FD46135B59DE61F91DE096D9D9F7353BD238A56FE0D935F9BB9DB0B51
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmpexecutable
MD5:91155F75041839C8CDE4CA3DAB2E1792
SHA256:3BD08E9E68FF789E36D5D5A57FB33366CBDD7A2012CC4A0168A5CD97037C0B48
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:BD23B545970587E3861DDB974B81FA39
SHA256:DB2B629E6FD9A1960ADEB0C205B9D453E70407FA357CC75E45D574D5FCC5C45B
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmpexecutable
MD5:78E5F32AD4881935E16599BC3C444538
SHA256:A471B5CC3501C210F56C31761BF22110FDA9E0A7F812431A13814E1920216BC0
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:0C99DFF99264ACDCEC7DA6871DD15C52
SHA256:23BEF9B2F136E2FBC1ADB439D019F4F976DBF7158C3717AC997C684937A8D070
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
18
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3000
svchost.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3000
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3000
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3000
svchost.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
3000
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3000
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
self.events.data.microsoft.com
  • 20.189.173.14
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4