File name:

4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe

Full analysis: https://app.any.run/tasks/5e92c9e0-2374-44eb-87da-4d79c421e077
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:09:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

6856E8C6EC26620A99E54833E0D823C6

SHA1:

80601C36AFF4F77D8E1EF992294075F415E5C37C

SHA256:

4F04BE02707A3CCCD80D1E49DFF4F0E5F9CDB4136E929ABEBF00EE4E2688C41B

SSDEEP:

12288:XvVVVVVVVVrfuj5qNvVVVVVVVVTfuj5qOuFTDhSfWJUNo5kUe7z:zfuj5ufuj5NuFRSfWJUq5kUeX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • Creates file in the systems drive root

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • The process creates files with name similar to system file names

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

  • INFO

    • Checks supported languages

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • UPX packer has been detected

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • Creates files or folders in the user directory

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe

Process information

PID
CMD
Path
Indicators
Parent process
5404"C:\Users\admin\Desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe" C:\Users\admin\Desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 371
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
MD5:
SHA256:
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:C288386DAC031131DCD12B4CE3052C4A
SHA256:30EC417C48D84155DB15AA6582886D48176CF8704F11DA430ED22AE252DF5B54
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:9B37DA90CF200F021D071B488127D93C
SHA256:B2EB67CBBD6348CA65AD60E9AE565D9FA2681A4C071D0ABDD5F1D6626010A236
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:C288386DAC031131DCD12B4CE3052C4A
SHA256:30EC417C48D84155DB15AA6582886D48176CF8704F11DA430ED22AE252DF5B54
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:13AA960BF31C49760514B19589788F12
SHA256:118D048F3AA107B50DB357FBC922317EC3CD794500B3EF85D9FC2A03A4181154
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:56A4CAFCF27E4EA948CB7E1B2C37D285
SHA256:D6B32EDAE56E1B33FA46F16C1530A9E5D7C99ECFC3580FBF170A3EAA17FB275B
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:AE372F65D1789FAF375335F8A8BFDE50
SHA256:5D736BAE0578DB429570DD3C30AF013C86E77FDF94A932FD49B30A1B7E08523F
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:E1F6552873504323012CAE5500A71F1E
SHA256:C563F0E3DE5C88BA81756DD0EB2E74B59456EDE2B25525A4AA1B875072C45E7A
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:F5D4D8136D13E5FD95F5D0248CA9AD11
SHA256:ACEE0EE1A1E0A2D903611A072E21C597B753DE4F36E7CECF9C4ADAB569BA3D89
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmpexecutable
MD5:7A5FC91942B02B06A3BBED0933BD37BF
SHA256:E2C2F5F1E1EE495E1A3BE40BA89AE1F17FA821F2FC6E5889A5AA14FDEA1CF2E9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
828
svchost.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
828
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
828
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
828
svchost.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
828
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
828
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.173
  • 23.48.23.167
  • 23.48.23.180
  • 23.48.23.147
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe