File name: Trojan.Win32.Zombie.rfn6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667dN
Full analysis: https://app.any.run/tasks/d77fc0a7-754f-483d-8e5e-91fb45620351
Verdict: Malicious activity
Analysis date: September 19, 2024, 05:09:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 5D04CE418D3D50AA2B9FAD6E4ECAA520
SHA1: 8570C4C26A33CA5DB08F75EF149B89AF9E38779E
SHA256: 6A119D6591D9C632E0022EF3DE7C3014166538571E430F7A575D7D838F9A667D
SSDEEP: 1536:BPREepPfVPfaPa9lRoPa9lRWvtuxhuxrTxP:9Ret/aITxP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • Trojan.Win32.Zombie.rfn6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667dN.exe (PID: 1680)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Trojan.Win32.Zombie.rfn6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667dN.exe (PID: 1680)
  • INFO
    No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
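The EXIF block above is a flat dump of PE header fields. The following is an added example for this page (not ANY.RUN's code and not the sample's bytes) that reads the same fields directly from the DOS, COFF and PE32 optional headers with nothing but struct, so the values can be checked without exiftool. build_sample_pe() constructs a synthetic, header-only image carrying the values the report shows (i386, the 2011 timestamp, linker 6.0, code/data sizes, entry point 0x2130, GUI subsystem); its section count, image base and alignments are assumptions. It also derives one thing the report does not state: with IMAGE_FILE_RELOCS_STRIPPED set, the image cannot be rebased, so ASLR can never apply to it.

```python
"""Minimal PE header reader for the fields listed in the EXIF block above.

Added example for this page; it is not ANY.RUN's or the sample's code.
build_sample_pe() is a synthetic header-only image carrying the report's
values so the parser runs offline; its section count, image base and
alignments are assumptions, not values from the report.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE_I386 = 0x014C
PE32_MAGIC = 0x10B
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
# IMAGE_FILE_* characteristics, in the order the EXIF block lists them
CHARACTERISTIC_FLAGS = [
    (0x0001, "No relocs"),        # IMAGE_FILE_RELOCS_STRIPPED
    (0x0002, "Executable"),       # IMAGE_FILE_EXECUTABLE_IMAGE
    (0x0004, "No line numbers"),  # IMAGE_FILE_LINE_NUMS_STRIPPED
    (0x0008, "No symbols"),       # IMAGE_FILE_LOCAL_SYMS_STRIPPED
    (0x0100, "32-bit"),           # IMAGE_FILE_32BIT_MACHINE
]
SUBSYSTEM_NAMES = {2: "Windows GUI", 3: "Windows CUI"}

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# PE32 optional header up to and including NumberOfRvaAndSizes (96 bytes); data directories follow
OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"
OPT_HEADER_LEN = struct.calcsize(OPT_FMT)


def build_sample_pe() -> bytes:
    """Synthetic header-only PE32 with the report's header values (constructed, not the sample)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE signature right after the DOS header
    ts = int(datetime(2011, 3, 15, 4, 6, 7, tzinfo=timezone.utc).timestamp())
    coff = struct.pack(COFF_FMT, IMAGE_FILE_MACHINE_I386, 3, ts, 0, 0, OPT_HEADER_LEN + 16 * 8, 0x010F)
    opt = struct.pack(
        OPT_FMT,
        PE32_MAGIC, 6, 0,            # Magic, MajorLinkerVersion, MinorLinkerVersion
        0x2000, 0x3000, 0,           # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x2130, 0x1000, 0x3000,      # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x1000,    # ImageBase, SectionAlignment, FileAlignment (assumed)
        4, 0, 0, 0, 4, 0,            # OS 4.0, Image 0.0, Subsystem 4.0
        0, 0x6000, 0x400, 0,         # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                        # Subsystem = Windows GUI, DllCharacteristics = 0 (no DYNAMIC_BASE)
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,
    )
    return bytes(dos) + b"PE\0\0" + coff + opt + bytes(16 * 8)


def parse_pe(data: bytes) -> dict:
    """Return the header fields the EXIF block shows, plus an ASLR capability check."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    machine, _nsect, ts, _, _, _opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_FMT)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic != PE32_MAGIC:
        raise ValueError(f"unsupported optional header magic 0x{magic:x} (PE32 only)")
    f = struct.unpack_from(OPT_FMT, data, opt_off)
    return {
        "machine_name": "Intel 386 or later, and compatibles" if machine == IMAGE_FILE_MACHINE_I386 else f"0x{machine:04x}",
        # The link-time stamp is attacker-controlled and trivially forged: treat it as a claim.
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": [name for bit, name in CHARACTERISTIC_FLAGS if chars & bit],
        "pe_type": "PE32",
        "linker_version": f"{f[1]}.{f[2]}",
        "code_size": f[3],
        "initialized_data_size": f[4],
        "uninitialized_data_size": f[5],
        "entry_point": f[6],
        "os_version": f"{f[12]}.{f[13]}",
        "image_version": f"{f[14]}.{f[15]}",
        "subsystem_version": f"{f[16]}.{f[17]}",
        "subsystem": SUBSYSTEM_NAMES.get(f[22], str(f[22])),
        # Relocations stripped means the loader cannot rebase the image, so ASLR cannot
        # apply even if DYNAMIC_BASE were set in DllCharacteristics.
        "aslr_capable": not (chars & 0x0001) and bool(f[23] & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value:#x}" if key == "entry_point" else f"{key}: {value}")
```

Run it on a real file by replacing build_sample_pe() with open(path, "rb").read(); the parser rejects PE32+ images on purpose, since the report's sample is PE32 and the 64-bit optional header has a different layout.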
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> trojan.win32.zombie.rfn6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667dn.exe (#ZOMBIE)

Process information

PID | CMD | Path | Indicators | Parent process
1680 | "C:\Users\admin\Desktop\Trojan.Win32.Zombie.rfn6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667dN.exe" | C:\Users\admin\Desktop\Trojan.Win32.Zombie.rfn6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667dN.exe | - | explorer.exe

User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\trojan.win32.zombie.rfn6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667dn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 441
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

Every row was written by PID 1680 (Trojan.Win32.Zombie.rfn6a119d6591d9c632e0022ef3de7c3014166538571e430f7a575d7d838f9a667dN.exe). Paths under C:\Users\admin\AppData\Local\VirtualStore\ are where UAC file virtualization redirects writes that a medium-integrity process attempts against protected locations such as C:\ and C:\Program Files, so the intended target of each such write is the same path with the VirtualStore prefix removed (C:\bootmgr.tmp, C:\Program Files\Adobe\..., and so on). Note also that desktop.ini.tmp and desktop.ini.exe in $Recycle.Bin carry identical hashes, and that files named .png.tmp, .ini.tmp, .dat.tmp and .pdf.tmp were typed as executable content.

Filename | Type | MD5 | SHA256
- | - | - | -
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | 85C4515BB46DFB6BBCB184C997E127BE | DBB3F679CC21123655316FFC8BB651CF7BD10B6404998936E8EAC9F283E1C514
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | A93CFC760340DEAD5D9E440185E30AEF | E1F243B9DB3DF12C99241856FE61C0F0CDCF64E87887CE17722AEC95ABC86AC9
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | A93CFC760340DEAD5D9E440185E30AEF | E1F243B9DB3DF12C99241856FE61C0F0CDCF64E87887CE17722AEC95ABC86AC9
C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | DE6CD7F42EC4B57EB1CE093A14591D68 | 75D9D5354E5767A0FB66D0EECA63FE42355671B1D60A1734020F3B82CBD90796
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 263F64ECEBF233FF6D09CF33CAB3FF64 | 6AAC1940CA22F0AF9D39C3923AEEEE3ADE12B4D23471FCB834E356263AEBBAC2
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | C4408940016B8013616C227C6B2160B7 | ED9397DD34A77F5D288A6014D736D29210F5FAFF3D17277B0C578C98313DE7E9
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | 6B445B030BDC673F1B52FF0550F5BC76 | EF9E54A96AD0D1B33D0F1D8D12BBF5A2B87F6619CD5DE786DC395F42C9832637
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | FA3E8551192250286045AE7028C8544B | 295F5A590E5162F5E3B894A17AE24DDF519AA0590631A1E43FF75B71B0FC01ED
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 3EFDF62E57F5B36EBE88E5913E40F838 | 02E53C5C50201B4BEBAA2D2A2A8AEF0100281019C25A61B5B271ECB713147CA0

(The first row of the table carries no filename, type or hashes in this export.)
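The three things worth pulling out of that table (where the writes were really aimed, which rows are the same content under different names, and which PE files sit under data-file names) are mechanical enough to script. The block below is an added example for this page, not ANY.RUN's code: the DROPPED records are copied from the table above (the first, hash-less row is omitted), and the helper names devirtualize() and triage() are this example's own. It relies on one Windows fact: a medium-integrity process without a manifest that writes to C:\ or C:\Program Files has the write redirected into %LOCALAPPDATA%\VirtualStore.

```python
"""Triage of the Dropped files table above.

Added example for this page, not ANY.RUN's code. DROPPED is copied from the
report's table; devirtualize() and triage() are this example's own names.
"""
import ntpath
import re
from collections import defaultdict

# (path, type, MD5, SHA256) as listed in the report; every row was written by PID 1680.
DROPPED = [
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp",
     "executable", "85C4515BB46DFB6BBCB184C997E127BE", "DBB3F679CC21123655316FFC8BB651CF7BD10B6404998936E8EAC9F283E1C514"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp",
     "executable", "A93CFC760340DEAD5D9E440185E30AEF", "E1F243B9DB3DF12C99241856FE61C0F0CDCF64E87887CE17722AEC95ABC86AC9"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe",
     "executable", "A93CFC760340DEAD5D9E440185E30AEF", "E1F243B9DB3DF12C99241856FE61C0F0CDCF64E87887CE17722AEC95ABC86AC9"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp",
     "executable", "DE6CD7F42EC4B57EB1CE093A14591D68", "75D9D5354E5767A0FB66D0EECA63FE42355671B1D60A1734020F3B82CBD90796"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp",
     "executable", "263F64ECEBF233FF6D09CF33CAB3FF64", "6AAC1940CA22F0AF9D39C3923AEEEE3ADE12B4D23471FCB834E356263AEBBAC2"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp",
     "executable", "C4408940016B8013616C227C6B2160B7", "ED9397DD34A77F5D288A6014D736D29210F5FAFF3D17277B0C578C98313DE7E9"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp",
     "executable", "6B445B030BDC673F1B52FF0550F5BC76", "EF9E54A96AD0D1B33D0F1D8D12BBF5A2B87F6619CD5DE786DC395F42C9832637"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp",
     "executable", "FA3E8551192250286045AE7028C8544B", "295F5A590E5162F5E3B894A17AE24DDF519AA0590631A1E43FF75B71B0FC01ED"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp",
     "executable", "3EFDF62E57F5B36EBE88E5913E40F838", "02E53C5C50201B4BEBAA2D2A2A8AEF0100281019C25A61B5B271ECB713147CA0"),
]

# UAC file virtualization puts redirected writes under <drive>:\Users\<user>\AppData\Local\VirtualStore\
VIRTUALSTORE_RE = re.compile(r"^([A-Za-z]:)\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(.+)$", re.IGNORECASE)
# Extensions a PE legitimately carries; '' covers extension-less boot files such as bootmgr and BOOTNXT.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx", ".cpl", ""}


def devirtualize(path: str) -> str:
    """Map a VirtualStore path back to the protected location the write targeted; other paths pass through."""
    m = VIRTUALSTORE_RE.match(path)
    return f"{m.group(1)}\\{m.group(2)}" if m else path


def target_name(path: str) -> str:
    """File name with a trailing .tmp removed, i.e. the name the write was staged for."""
    name = ntpath.basename(path)
    return name[:-4] if name.lower().endswith(".tmp") else name


def triage(records) -> dict:
    by_hash = defaultdict(list)
    redirected, data_named_executables = [], []
    for path, ftype, _md5, sha256 in records:
        by_hash[sha256.upper()].append(path)
        intended = devirtualize(path)
        if intended != path:
            redirected.append((path, intended))
        # The sandbox typed the content as executable; a PE staged under a .png/.ini/.dat/.pdf name
        # is a masquerade worth a second look.
        if ftype == "executable" and ntpath.splitext(target_name(path))[1].lower() not in EXECUTABLE_EXTS:
            data_named_executables.append(path)
    return {
        "unique_sha256": sorted(by_hash),
        # Same content under several names (in this report: desktop.ini.tmp and desktop.ini.exe)
        "duplicates": {h: sorted(p) for h, p in by_hash.items() if len(p) > 1},
        "redirected": redirected,
        "data_named_executables": data_named_executables,
    }


if __name__ == "__main__":
    result = triage(DROPPED)
    print(f"{len(DROPPED)} dropped files, {len(result['unique_sha256'])} unique SHA256")
    for virtual, intended in result["redirected"]:
        print(f"intended target: {intended}  (stored at {virtual})")
    for path in result["data_named_executables"]:
        print(f"PE under a data-file name: {path}")
```

The de-virtualized paths are what to hunt for on real hosts: an infected machine where the process ran elevated, or where virtualization was disabled, would have the writes land on C:\bootmgr, C:\BOOTNXT and under C:\Program Files\Adobe directly rather than in the user's VirtualStore.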
HTTP(S) requests: 3
TCP/UDP connections: 18
DNS requests: 5
Threats: 0

None of the HTTP requests or connections listed below is attributed to the monitored sample (PID 1680). All of the listed traffic comes from Windows components (System, svchost.exe, MoUsoCoreWorker.exe, RUXIMICS.exe): a CRL fetch from www.microsoft.com and settings telemetry to settings-win.data.microsoft.com, all marked whitelisted. Treat it as sandbox background noise, not as sample behaviour.

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | Type | Reputation
2456 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
2120 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1776 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

(The CN and Size columns are empty for all three rows in this export.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
2456 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1776 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2456 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1776 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2456 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 51.124.78.146, 51.104.136.2 | whitelisted
google.com | 172.217.23.110 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

No threats detected
No debug info