File name:	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d
Full analysis:	https://app.any.run/tasks/1bd89e1e-acc6-44e3-80e2-e161f62cf348
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 16:05:36
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	75E47756EFF98D74C8037A1575BE0BA8
SHA1:	FA83040DA3D105E4D5B06446B0401EFF62001EA4
SHA256:	4310D4F3B058A11732439DDB8B2CD0C0CEA5CF81B13E1F8BFD9D6C57E6F6218D
SSDEEP:	384:rU1IqlRwRebut+bbu2EB9F8xiwEB9F8xiCnRznRd:Q1Iqlwebhbur9F8xi59F8xiCnRznRd

.exe	\|	Win32 Executable (generic) (42.4)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.8)
.exe	\|	DOS Executable Generic (18.8)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	-
CodeSize:	-
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x2130
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe			—
		MD5:—	SHA256:—
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp		executable
		MD5:1844067FBFBFAE44D66F09CB5B6F589E	SHA256:9279CE8678CD6FA8859FE8FB5383F141996A6FFCCE9DCBBCDC96A5A96C9F40E4
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp		executable
		MD5:050FBEB8875F1746BC17E23DB8A34B47	SHA256:FCA5600BA0D5892FBEF8AAC29F21F0A92BF834DA755792F0EB7543E158E25BC2
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp		executable
		MD5:5A0211BCFEB6812F06A6572F5FA3E315	SHA256:748D59C2B473F7D95FD9643A3928D21FD9800E19DDC7C3EE2E3A522E6DF2F702
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:594BF0E75806F40CB76327EE810DF539	SHA256:E040B8016DDF9E01FF338C358C0B5554B9E4ADFF0F294918FBBE484B96F5F10F
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp		executable
		MD5:5984954823FCC5F049C605451EE2C25E	SHA256:E040F6F153981A8FAF3296DBBB6F8828B6949169F294DF48675CCCE016BE496B
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe		executable
		MD5:5984954823FCC5F049C605451EE2C25E	SHA256:E040F6F153981A8FAF3296DBBB6F8828B6949169F294DF48675CCCE016BE496B
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp		executable
		MD5:4282FB2F27ECFA39D050095CA5CE30AC	SHA256:13EA414DCAD5BCEF9C0DF81C4EBF72EFA8658C87B0D0F9051E252D36B58FCDD5
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:996B35EDB0294DCB7FC21F29056F895E	SHA256:3FA22803178A5D283B473DFF76748CA186345F919B3CE6881EBAA76825B6B15D
5332	4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp		executable
		MD5:C739967692CDD829447727A2499866E1	SHA256:5936D450FE11BB0AA256A75EFB53ACD10ECFBA7AE3B0EEECD95C95C37EAA28A2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1912	SIHClient.exe	GET	200	23.48.23.161:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	23.48.23.161:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	23.48.23.161:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
1912	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
1912	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
1912	SIHClient.exe	23.48.23.161:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1912	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1912	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
google.com	172.217.16.142	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
crl.microsoft.com	23.48.23.161 23.48.23.168 23.48.23.166 23.48.23.177 23.48.23.176 23.48.23.169 23.48.23.164 23.48.23.162 23.48.23.174	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
nexusrules.officeapps.live.com	52.111.236.23	whitelisted
login.live.com	40.126.31.1 20.190.159.64 40.126.31.67 40.126.31.2 40.126.31.128 20.190.159.68 20.190.159.130 20.190.159.23	whitelisted

General Info

4310d4f3b058a11732439ddb8b2cd0c0cea5cf81b13e1f8bfd9d6c57e6f6218d

75E47756EFF98D74C8037A1575BE0BA8

FA83040DA3D105E4D5B06446B0401EFF62001EA4

4310D4F3B058A11732439DDB8B2CD0C0CEA5CF81B13E1F8BFD9D6C57E6F6218D

384:rU1IqlRwRebut+bbu2EB9F8xiwEB9F8xiCnRznRd:Q1Iqlwebhbur9F8xi59F8xiCnRznRd

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Creates file in the systems drive root

The process creates files with name similar to system file names

Executable content was dropped or overwritten

INFO

Creates files or folders in the user directory

Checks proxy server information

Checks supported languages

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings