File name:	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d
Full analysis:	https://app.any.run/tasks/1bd89e1e-acc6-44e3-80e2-e161f62cf348
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 16:05:36
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	75E47756EFF98D74C8037A1575BE0BA8
SHA1:	FA83040DA3D105E4D5B06446B0401EFF62001EA4
SHA256:	4310D4F3B058A11732439DDB8B2CD0C0CEA5CF81B13E1F8BFD9D6C57E6F6218D
SSDEEP:	384:rU1IqlRwRebut+bbu2EB9F8xiwEB9F8xiCnRznRd:Q1Iqlwebhbur9F8xi59F8xiCnRznRd

.exe	\|	Win32 Executable (generic) (42.4)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.8)
.exe	\|	DOS Executable Generic (18.8)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	-
CodeSize:	-
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x2130
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe			—
		MD5:—	SHA256:—
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:594BF0E75806F40CB76327EE810DF539	SHA256:E040B8016DDF9E01FF338C358C0B5554B9E4ADFF0F294918FBBE484B96F5F10F
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp		executable
		MD5:7BFA4D18A976FB38F5251B7573C1A173	SHA256:5D55E5BB965E05EB005332C60E656A7F62792C27B679AF77BAD125ED9A3AC803
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp		executable
		MD5:5FD732521A7A453568746A4BBA6CB1B2	SHA256:7341DDCC2D97CA1B05E730171CC1D5FB418F91D5F0F02F31344D5FBE13F82811
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp		executable
		MD5:5984954823FCC5F049C605451EE2C25E	SHA256:E040F6F153981A8FAF3296DBBB6F8828B6949169F294DF48675CCCE016BE496B
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp		executable
		MD5:C86D0FEA7EC6EEADE109D0D7A8A43E9C	SHA256:2C0B3DD51768BD2A288437F5D77D65E31D1D724B263915BC815DACAB8CAB622A
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe		executable
		MD5:5984954823FCC5F049C605451EE2C25E	SHA256:E040F6F153981A8FAF3296DBBB6F8828B6949169F294DF48675CCCE016BE496B
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp		executable
		MD5:4282FB2F27ECFA39D050095CA5CE30AC	SHA256:13EA414DCAD5BCEF9C0DF81C4EBF72EFA8658C87B0D0F9051E252D36B58FCDD5
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:996B35EDB0294DCB7FC21F29056F895E	SHA256:3FA22803178A5D283B473DFF76748CA186345F919B3CE6881EBAA76825B6B15D
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp		executable
		MD5:A7A3ECFD01B457BBBD5EA5ACFB20856C	SHA256:A7464862D390AAB74FF7D6A3EC02FEE949695B47FB902CFEB95655FB49C88930

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1912	SIHClient.exe	GET	200	23.48.23.161:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	23.48.23.161:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	23.48.23.161:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
1912	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
1912	SIHClient.exe	23.48.23.161:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1912	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1912	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
google.com	172.217.16.142	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
crl.microsoft.com	23.48.23.161 23.48.23.168 23.48.23.166 23.48.23.177 23.48.23.176 23.48.23.169 23.48.23.164 23.48.23.162 23.48.23.174	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
nexusrules.officeapps.live.com	52.111.236.23	whitelisted
login.live.com	40.126.31.1 20.190.159.64 40.126.31.67 40.126.31.2 40.126.31.128 20.190.159.68 20.190.159.130 20.190.159.23	whitelisted

General Info

4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d

75E47756EFF98D74C8037A1575BE0BA8

FA83040DA3D105E4D5B06446B0401EFF62001EA4

4310D4F3B058A11732439DDB8B2CD0C0CEA5CF81B13E1F8BFD9D6C57E6F6218D

384:rU1IqlRwRebut+bbu2EB9F8xiwEB9F8xiCnRznRd:Q1Iqlwebhbur9F8xi59F8xiCnRznRd

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Creates file in the systems drive root

Executable content was dropped or overwritten

The process creates files with name similar to system file names

INFO

Checks supported languages

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings