File name:

2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4

Full analysis: https://app.any.run/tasks/47534f94-385a-453e-804e-5d9c086e6560
Verdict: Malicious activity
Analysis date: January 10, 2025, 21:53:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

AC1FC8284D18AA671706661778D16F81

SHA1:

87DEB56CED369238096027812AA212593EDA7898

SHA256:

2CA0E2AFE43BA6EB8A069B84B7FDC9B55C0498E4035DFADCCF9E71B043B6CDB4

SSDEEP:

12288:DvVVVVVVVVtu74R0vVVVVVVVVtu74RYvVVVVVVVVtu74R0vVVVVVVVVtu74R5NA:U74RP74RD74RP74R5NA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

    • The process creates files with name similar to system file names

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

  • INFO

    • Creates files or folders in the user directory

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

    • Checks supported languages

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)

    • UPX packer has been detected

      • 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe (PID: 6220)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe

Process information

PID
CMD
Path
Indicators
Parent process
6220"C:\Users\admin\Desktop\2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe" C:\Users\admin\Desktop\2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
1 386
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exe
MD5:
SHA256:
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:193C03C5BCEC2483171518C68992D4A4
SHA256:EBEA1DD9DB28EA4E2AEC9752BB7CB86C57F6106952D60A0E5AB27C7A1C29E816
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:ED9DE365A2F628C2B7F4B83DF7D93CE8
SHA256:2BE54BCB9E7E1C3DCE38BE7D0053054C55BFDB07ACD9520EE6C1F8AB2921EB5A
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:193C03C5BCEC2483171518C68992D4A4
SHA256:EBEA1DD9DB28EA4E2AEC9752BB7CB86C57F6106952D60A0E5AB27C7A1C29E816
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:3A2EDE664C0D2574AEC4D9B990ABD613
SHA256:627951B1BE01F83174B2901921B179D28E83B82A47B2354A6659E2572871BA71
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:443EB6415649316AC509450AFBABC8A8
SHA256:F85DCDA7B4565605E118F380CC48ABFD3AF7EA941BF14DB7DC79E7E7F792B03A
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:C1898E087FA1775A74DBFA839295AC9B
SHA256:F7E3D86FD46135B59DE61F91DE096D9D9F7353BD238A56FE0D935F9BB9DB0B51
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:AAAAA33989D10BA202CF1B17F0B6EBA0
SHA256:665077EBCD8B1805DDD26E49055A748FBE424C473DDD563BB362B364F5D08D6B
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:0C99DFF99264ACDCEC7DA6871DD15C52
SHA256:23BEF9B2F136E2FBC1ADB439D019F4F976DBF7158C3717AC997C684937A8D070
62202ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmpexecutable
MD5:78E5F32AD4881935E16599BC3C444538
SHA256:A471B5CC3501C210F56C31761BF22110FDA9E0A7F812431A13814E1920216BC0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
18
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3000
svchost.exe
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3000
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3000
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3000
svchost.exe
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
3000
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3000
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
self.events.data.microsoft.com
  • 20.189.173.14
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2ca0e2afe43ba6eb8a069b84b7fdc9b55c0498e4035dfadccf9e71b043b6cdb4