File name:	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a
Full analysis:	https://app.any.run/tasks/8aca6d84-eb7b-4d93-bcad-16f7e789252e
Verdict:	Malicious activity
Analysis date:	May 18, 2025, 07:59:47
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	4A793B1868A477A3A38B073ECE8CB4CE
SHA1:	98F89D1DD33138253042FD1DD664202F57CA5ADE
SHA256:	607B7B9C716367BD62E2C706799510D1E0770D3E636022EBDD34C9E687B44E8A
SSDEEP:	1536:QPlbc9F8xi59F8xiPMx27jVABc9F8xi59F8xiPMx2O+3:alSa7+3

.exe	\|	Win32 Executable (generic) (42.4)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.8)
.exe	\|	DOS Executable Generic (18.8)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	-
CodeSize:	-
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x2130
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe			—
		MD5:—	SHA256:—
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:395CE0A3020DAC6D93F63CE92E0055A9	SHA256:9BAE08AEE6A9D765D8FE00F370409C810FEFC90C8D8C440EE0F3D63722631EE4
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe	C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp		executable
		MD5:F16F4B639F2F77E9C392B5A2B1CEEA3E	SHA256:805E8ED6103333DEAC91E745C01A3D28F4706EAE874982E5FF3AAB5203518B02
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp		executable
		MD5:79E70B9E842FFB1D18519AD1252A8CD2	SHA256:A5F6FC5DA1B8A475BDE71233DCB63D7917D90730873B097BC2878FCF28283CDA
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:FEDC74F3CA63B34E59E72F384C801389	SHA256:6353D4B69278D402EC3BAD1529F9D4FF69141916F2865DE16BE4C848162EE27B
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp		executable
		MD5:8B979A57A37DE0AE7C4CBC2AF58479A5	SHA256:9ACAC1F264B3F73A374266186591BC77F9EC086A090FCB081A39290EC0AE9A3F
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp		executable
		MD5:B4C1A25E6248A588AB94160239BDA2D3	SHA256:F1053A02E1AE34D935662A342206C6AB99C8D0C5532761C3A08A21D86DC6B7B5
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp		executable
		MD5:40803908B36240835A4412FFA7A7A9AB	SHA256:4B2DD341805457B220E8A4B6E1C8B63EDC9A9EA483966CB02055740016F4C341
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp		executable
		MD5:0BEDAB6AB842EF2567665E99F4AF3CC0	SHA256:2F9E092F4C5F14722551D97696F41D96D971E2DAD0A305D8039DA4FA635C67C3
7568	607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp		executable
		MD5:24F508DCC9C8C1C3CB9E84C990B1A088	SHA256:8190D3CD13BC5E731EE84F68429691F8DAAF850376EDD1A5B74117C358FCD43E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2104	svchost.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2104	svchost.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	23.216.77.36:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
7860	SIHClient.exe	GET	200	23.216.77.36:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2104	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2104	svchost.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2104	svchost.exe	2.23.246.101:80	www.microsoft.com	Ooredoo Q.S.C.	QA	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.14:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2104	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7860	SIHClient.exe	172.202.163.200:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted

Domain	IP	Reputation
google.com	142.250.185.78	whitelisted
crl.microsoft.com	23.216.77.25 23.216.77.36 23.216.77.6	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
client.wns.windows.com	172.211.123.249 172.211.123.248	whitelisted
login.live.com	20.190.160.14 20.190.160.131 20.190.160.4 20.190.160.3 40.126.32.133 20.190.160.17 20.190.160.20 20.190.160.66	whitelisted
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208	whitelisted
slscr.update.microsoft.com	172.202.163.200	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.48	whitelisted

General Info

607b7b9c716367bd62e2c706799510d1e0770d3e636022ebdd34c9e687b44e8a

4A793B1868A477A3A38B073ECE8CB4CE

98F89D1DD33138253042FD1DD664202F57CA5ADE

607B7B9C716367BD62E2C706799510D1E0770D3E636022EBDD34C9E687B44E8A

1536:QPlbc9F8xi59F8xiPMx27jVABc9F8xi59F8xiPMx2O+3:alSa7+3

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Creates file in the systems drive root

INFO

Checks supported languages

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings