File name:

4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe

Full analysis: https://app.any.run/tasks/5e92c9e0-2374-44eb-87da-4d79c421e077
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:09:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

6856E8C6EC26620A99E54833E0D823C6

SHA1:

80601C36AFF4F77D8E1EF992294075F415E5C37C

SHA256:

4F04BE02707A3CCCD80D1E49DFF4F0E5F9CDB4136E929ABEBF00EE4E2688C41B

SSDEEP:

12288:XvVVVVVVVVrfuj5qNvVVVVVVVVTfuj5qOuFTDhSfWJUNo5kUe7z:zfuj5ufuj5NuFRSfWJUq5kUeX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • Creates file in the systems drive root

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • The process creates files with name similar to system file names

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

  • INFO

    • Checks supported languages

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • Creates files or folders in the user directory

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • UPX packer has been detected

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe

Process information

PID
CMD
Path
Indicators
Parent process
5404"C:\Users\admin\Desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe" C:\Users\admin\Desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
1 371
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
MD5:
SHA256:
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:9B37DA90CF200F021D071B488127D93C
SHA256:B2EB67CBBD6348CA65AD60E9AE565D9FA2681A4C071D0ABDD5F1D6626010A236
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:E1F6552873504323012CAE5500A71F1E
SHA256:C563F0E3DE5C88BA81756DD0EB2E74B59456EDE2B25525A4AA1B875072C45E7A
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmpexecutable
MD5:FFE9BAFD8C08B66CB01652548238F981
SHA256:CF7708DCC6556686791E5A8164BA7487D404126AF6AC3E5B528EEB8B6FB3802A
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:6E49978C5D3D8467EC3F36A08BDFD038
SHA256:D0772FEF2A034F26531FA88DCE95F89520EBFEAF52020A971C3D5B4BCA5E7307
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:F5D4D8136D13E5FD95F5D0248CA9AD11
SHA256:ACEE0EE1A1E0A2D903611A072E21C597B753DE4F36E7CECF9C4ADAB569BA3D89
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmpexecutable
MD5:6D88F6903FBDEF65C6931EA74B030F5C
SHA256:0FB17DF1D516E7FBD3C204F249D092DEC01FEB2C1B7B4111E6937F5F9543447B
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:C288386DAC031131DCD12B4CE3052C4A
SHA256:30EC417C48D84155DB15AA6582886D48176CF8704F11DA430ED22AE252DF5B54
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:56A4CAFCF27E4EA948CB7E1B2C37D285
SHA256:D6B32EDAE56E1B33FA46F16C1530A9E5D7C99ECFC3580FBF170A3EAA17FB275B
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:6125DF9DDED488ED886C660F9CA1357F
SHA256:8BBE0A14FB3C8AB7D594B09D9E69455FD8F48F38415408FA0C7429C493A82357
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
828
svchost.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
828
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
828
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
828
svchost.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
828
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
828
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.173
  • 23.48.23.167
  • 23.48.23.180
  • 23.48.23.147
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe