File name:

4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe

Full analysis: https://app.any.run/tasks/5e92c9e0-2374-44eb-87da-4d79c421e077
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:09:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

6856E8C6EC26620A99E54833E0D823C6

SHA1:

80601C36AFF4F77D8E1EF992294075F415E5C37C

SHA256:

4F04BE02707A3CCCD80D1E49DFF4F0E5F9CDB4136E929ABEBF00EE4E2688C41B

SSDEEP:

12288:XvVVVVVVVVrfuj5qNvVVVVVVVVTfuj5qOuFTDhSfWJUNo5kUe7z:zfuj5ufuj5NuFRSfWJUq5kUeX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • The process creates files with name similar to system file names

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • Executable content was dropped or overwritten

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

  • INFO

    • Creates files or folders in the user directory

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • Checks supported languages

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)

    • UPX packer has been detected

      • 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe (PID: 5404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe

Process information

PID
CMD
Path
Indicators
Parent process
5404"C:\Users\admin\Desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe" C:\Users\admin\Desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 371
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe
MD5:
SHA256:
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:C288386DAC031131DCD12B4CE3052C4A
SHA256:30EC417C48D84155DB15AA6582886D48176CF8704F11DA430ED22AE252DF5B54
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmpexecutable
MD5:7A5FC91942B02B06A3BBED0933BD37BF
SHA256:E2C2F5F1E1EE495E1A3BE40BA89AE1F17FA821F2FC6E5889A5AA14FDEA1CF2E9
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:C288386DAC031131DCD12B4CE3052C4A
SHA256:30EC417C48D84155DB15AA6582886D48176CF8704F11DA430ED22AE252DF5B54
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:AA74714B63B5305F6B60B96F6AF45317
SHA256:0A6F9DDB03CBA5226B6232EED142307F77F0C6556024E2EEADF23E16E0FA6684
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmpexecutable
MD5:85E802407B4928EE2D364AC5C9B0DD7B
SHA256:22BCE1D9CEADEEA969E7096C952A659D7A9DFE5B81F81D63402AE576749D775D
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:AE372F65D1789FAF375335F8A8BFDE50
SHA256:5D736BAE0578DB429570DD3C30AF013C86E77FDF94A932FD49B30A1B7E08523F
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmpexecutable
MD5:6D88F6903FBDEF65C6931EA74B030F5C
SHA256:0FB17DF1D516E7FBD3C204F249D092DEC01FEB2C1B7B4111E6937F5F9543447B
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmpexecutable
MD5:1E1ADC9178ACAD0844E0FFAB3793558B
SHA256:557B8729532C045E999774AADBB67F7CE7E80ACC5A79FD9BE5A0CB406BECFD26
54044f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\chrome_100_percent.pak.tmpexecutable
MD5:E0A14E81272F7028DE57BED1E9615180
SHA256:BB8788F7B1AAE2F6A25072692D75CE94C617FE8747C0D0137F9A73A085805365
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
18
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
828
svchost.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
828
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
828
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
828
svchost.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
828
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
828
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.173
  • 23.48.23.167
  • 23.48.23.180
  • 23.48.23.147
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
self.events.data.microsoft.com
  • 13.89.179.9
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
4f04be02707a3cccd80d1e49dff4f0e5f9cdb4136e929abebf00ee4e2688c41b.exe