File name: 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe

Full analysis: https://app.any.run/tasks/1ffaf7cc-60a7-481e-9126-34d6d3439f15
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:47:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 3C10E5AFEFA2B9817F3453A8CBCEB693
SHA1: 306CD6860047D31760C2377657C7E566053B43DA
SHA256: 2FE6A2D337BB9FC791249C6DBDF32876F29A9A98790C74E6E6BB08028875B80A
SSDEEP: 768:Eh1IqQMy6cJgKAUo9AvVVVVVVVVgSjSs5ZEPzWuqxWsqxW/:EhPpyASvVVVVVVVVWs5ZEDgWsgW/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
  • SUSPICIOUS

    • Creates file in the system drive root

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • The process creates files with name similar to system file names

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • Executable content was dropped or overwritten

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
  • INFO

    • Checks supported languages

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • UPX packer has been detected

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
    • Creates files or folders in the user directory

      • 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe (PID: 3040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe

Process information

PID | CMD | Path | Indicators | Parent process
3040 | "C:\Users\admin\Desktop\2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe" | C:\Users\admin\Desktop\2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | | explorer.exe

User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 618
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | |
  MD5:
  SHA256:
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: FB800A97568F43938EA3DF045BA8E5C5
  SHA256: 5EDB949C5C469ED940362AB76682C10523C4D2021BA11E82D461F8EB708184F0
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: DD6485B7BC48F96B86A97EED89BEA45E
  SHA256: C80CD8D8B2BCBC28D1BF7816070C598CA08A0051135ADFB1A05ECC98249829F7
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
  MD5: 2FF3E06A7C6DD7AFBA713D596F621A9B
  SHA256: AC67D22F65D901540B7659FD1866AE4522F936E63A6DEB2D51E6F6B4B2682F48
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 6ECB3D236B4AFB6D0FBD7E9564740614
  SHA256: 8AB8238350F43233A2B27D999F02AC2A6CFEEB4B2891CC09E104F13AB50C3437
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: 7BAC9B89981BFC71B50AB7CECF27538B
  SHA256: 28DE38C516520A9B3F63B1974D3A48610250BFEE2B87F1636D86E7AAD9C0CCC6
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
  MD5: D528B72DE057358D4125BFFFA9F53098
  SHA256: 1EABA4F0AB2F2F538DA1AF9A4DA0D2A78A51726829E58564B0ADF0492787C7F6
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable
  MD5: 6C877DE4A254D61AEA208DEFE65628C2
  SHA256: F2534E0DBD371A548EE382AACCB794D03F6FA405973FFAC78F8533A44D4D3B37
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable
  MD5: 3A55C30788E1F55730C9166F9496CAD1
  SHA256: 686092ACDB15FF4096B005723D57E7581ADB15014A22CEC212D97DA1C22B6F05
3040 | 2fe6a2d337bb9fc791249c6dbdf32876f29a9a98790c74e6e6bb08028875b80a.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
  MD5: AC80013BE59149943F727A4972AD6797
  SHA256: C9EB795AC43381044863B239954CA5819B2C0E52D7009886752D4D47D1B727AF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 23
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5004 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5004 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5004 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | unknown
4 | System | 192.168.100.255:137 | | | | unknown
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
 | | 104.126.37.144:443 | www.bing.com | Akamai International B.V. | DE | unknown
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5004 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
5004 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146, 51.104.136.2 | unknown
www.bing.com | 104.126.37.144, 104.126.37.186, 104.126.37.160, 104.126.37.177, 104.126.37.155, 104.126.37.179, 104.126.37.154, 104.126.37.161, 104.126.37.123 | unknown
google.com | 142.250.185.238 | unknown
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | unknown
www.microsoft.com | 184.30.21.171 | unknown
self.events.data.microsoft.com | 20.189.173.9 | unknown

Threats

No threats detected
No debug info