File name:

639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122

Full analysis: https://app.any.run/tasks/e146711f-658c-451a-acc1-6bac973a7f89
Verdict: Malicious activity
Analysis date: January 11, 2025, 00:53:06
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

02715805E25E14E5B16E8849EF30D657

SHA1:

AE7ECB3F5ADFEAB52BCBF1664E49AE36BE5848F0

SHA256:

639B6EC0C8975FAA8584FC08485C509C044E087A475BFEC3E12FD19179F44122

SSDEEP:

12288:DvVVVVVVVVtu74R0vVVVVVVVVtu74RYvVVVVVVVVtu74R0vVVVVVVVVtu74R5Nf:U74RP74RD74RP74R5Nf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)

    • The process creates files with name similar to system file names

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)

    • Creates file in the systems drive root

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)

  • INFO

    • Checks supported languages

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)

    • UPX packer has been detected

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)

    • Creates files or folders in the user directory

      • 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe (PID: 6564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE 639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe

Process information

PID
CMD
Path
Indicators
Parent process
6564"C:\Users\admin\Desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe" C:\Users\admin\Desktop\639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
1 364
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exe
MD5:
SHA256:
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:AC7DD4D91668B077A134FA816E5EEBDC
SHA256:7C238B7EE44BA3CC4B800C1CDB7D0A4075F49C7B2FD533F455304AC590C3FC15
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:E721630035AFF3278012709636D72CDC
SHA256:D4C5D59BCE228D54F3FC45CD15752D7AD11323F90A6E015A6B2E9B585A84F682
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:D44B32C79C1A993D75B8E281B34C24AC
SHA256:BF827E8B0349267C275678D0A02EAE99C314380CCE4F4CD98A06317D07B369F6
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:C8BD8EE1416D4B6A4FABE5CF8C33DC2E
SHA256:063A67FA0D3E82373B231B39DD26F1615E7A0173A106541D068A97E42BB828F0
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmpexecutable
MD5:B8DC43B2E89431B6CF817FEF4F2C2676
SHA256:40AE31E067297CC171D48B8508145A8A59BC113515625D51B6ABBFAB891D7D56
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:A116C56F08C3CB471D6FDD824E321504
SHA256:938EFE4737918489BF36CC2F9D94F26C336643DA35BC36BC09C842D8EEB96AE8
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:2E3728FFC23B903BD3D95CE7D50DD9BC
SHA256:994A11A9AC871B2A252E6FE8384946AADE314865466082E8B899F9511C9CBB2E
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:7AAAC923779EAA8D523CC97E1BC03C40
SHA256:1010CD0A33FB0EEDCB0FB037902E0F2580755EEF023243BFFA358B61C82BF0D6
6564639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmpexecutable
MD5:C9728E1493CC1600E1C19D255DCC3CEB
SHA256:F5A997F981B6C718EB6CDF022FD8B5DFB275D55F5E434C5869091B546A635898
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3040
svchost.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3040
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
3040
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.227.215:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3040
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
3040
svchost.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.227.215
  • 2.23.227.208
whitelisted
google.com
  • 142.250.186.110
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
self.events.data.microsoft.com
  • 52.182.141.63
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
639b6ec0c8975faa8584fc08485c509c044e087a475bfec3e12fd19179f44122