File name:

4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe

Full analysis: https://app.any.run/tasks/5e92c9e0-2374-44eb-87da-4d79c421e077
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:09:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

6856E8C6EC26620A99E54833E0D823C6

SHA1:

80601C36AFF4F77D8E1EF992294075F415E5C37C

SHA256:

4F04BE02707A3CCCD80D1E49DFF4F0E5F9CDB4136E929ABEBF00EE4E2688C41B

SSDEEP:

12288:XvVVVVVVVVrfuj5qNvVVVVVVVVTfuj5qOuFTDhSfWJUNo5kUe7z:zfuj5ufuj5NuFRSfWJUq5kUeX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • The process creates files with name similar to system file names

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • Executable content was dropped or overwritten

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

  • INFO

    • Creates files or folders in the user directory

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • Checks supported languages

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • UPX packer has been detected

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe

Process information

PID
CMD
Path
Indicators
Parent process
5404"C:\Users\admin\Desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe" C:\Users\admin\Desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 371
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
MD5:
SHA256:
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:C288386DAC031131DCD12B4CE3052C4A
SHA256:30EC417C48D84155DB15AA6582886D48176CF8704F11DA430ED22AE252DF5B54
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmpexecutable
MD5:3208EF51C361CE8D31497D3522E9DFFC
SHA256:3A6F240939F7C62EC64E59D8DA665099BDD289F1B17411B78B4E10F763E3E944
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:5E6946A0840F045F9EE1CF3370B3C6FF
SHA256:291DDB32B5EC65833E7BE293F816A3DD603CA8BEFFB19A35F34040AF3760FC16
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:6E49978C5D3D8467EC3F36A08BDFD038
SHA256:D0772FEF2A034F26531FA88DCE95F89520EBFEAF52020A971C3D5B4BCA5E7307
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:9B37DA90CF200F021D071B488127D93C
SHA256:B2EB67CBBD6348CA65AD60E9AE565D9FA2681A4C071D0ABDD5F1D6626010A236
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmpexecutable
MD5:FFE9BAFD8C08B66CB01652548238F981
SHA256:CF7708DCC6556686791E5A8164BA7487D404126AF6AC3E5B528EEB8B6FB3802A
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:C288386DAC031131DCD12B4CE3052C4A
SHA256:30EC417C48D84155DB15AA6582886D48176CF8704F11DA430ED22AE252DF5B54
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:AA74714B63B5305F6B60B96F6AF45317
SHA256:0A6F9DDB03CBA5226B6232EED142307F77F0C6556024E2EEADF23E16E0FA6684
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:E1F6552873504323012CAE5500A71F1E
SHA256:C563F0E3DE5C88BA81756DD0EB2E74B59456EDE2B25525A4AA1B875072C45E7A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
828
svchost.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
828
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
828
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
828
svchost.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
828
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
828
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.173
  • 23.48.23.167
  • 23.48.23.180
  • 23.48.23.147
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe