File name: ZeroAccess_xxx-porn-movie.avi.exe_

Full analysis: https://app.any.run/tasks/58bdb9fb-8ff5-4479-b538-808e28ce8bbe
Verdict: Malicious activity
Analysis date: January 19, 2025, 21:45:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zeroaccess
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 4 sections
MD5: A2611095F689FADFFD3068E0D4E3E7ED
SHA1: 6D21FC25B9DA49D746B2B7609A5EFAED4D332E6A
SHA256: 71B38F041B4A4AE169C44E3AFF412E527E1156F92C27F1340A8ABE70A45BEE10
SSDEEP: 6144:3yL9TAhWmj1HqIH835CbffrVzNZv8XDCY18LfRgM:5suKIH83wbffr5NZ0XBEfRg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZEROACCESS mutex has been found

      • ZeroAccess_xxx-porn-movie.avi.exe_.exe (PID: 1476)
  • SUSPICIOUS

    • Executes application which crashes

      • ZeroAccess_xxx-porn-movie.avi.exe_.exe (PID: 1476)
  • INFO

    • Checks proxy server information

      • WerFault.exe (PID: 6172)
    • Reads the software policy settings

      • WerFault.exe (PID: 6172)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6172)
    • Checks supported languages

      • ZeroAccess_xxx-porn-movie.avi.exe_.exe (PID: 1476)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)
.vxd | VXD Driver (0.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2004:04:29 03:00:54+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit, No debug, Bytes reversed hi
PEType: PE32
LinkerVersion: 6
CodeSize: 150706
InitializedDataSize: -
UninitializedDataSize: 4096
EntryPoint: 0x3515
OSVersion: 4
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
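The EXIF block above is exiftool's rendering of the COFF file header and the PE32 optional header. The following is an added example, not code from the page or from ANY.RUN, that reads those same fields from raw bytes and prints them under the report's labels. It runs against a constructed stub header that carries the values listed above (machine 0x14C, four sections, the 2004-04-29 03:00:54 UTC timestamp, Characteristics 0x830E, linker version 6, SizeOfCode 150706, entry point 0x3515, subsystem 2); the stub's image base, alignments and sizes are arbitrary placeholders, and the stub is not the sample's bytes. One caveat the parser makes visible: TimeDateStamp is a plain 32-bit integer the author controls, so the 2004 date says only what the header claims, not when the file was built.

```python
"""Decode the COFF/PE header fields an ANY.RUN EXIF block reports (added example)."""
import calendar
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* Characteristics bits from the PE/COFF specification, labelled
# the way exiftool prints them. 0x8000 (Bytes reversed hi) is deprecated in the
# spec but still appears in output from older linkers.
CHARACTERISTICS = {
    0x0001: "Relocs stripped",
    0x0002: "Executable",
    0x0004: "No line numbers",
    0x0008: "No symbols",
    0x0020: "Large address aware",
    0x0100: "32-bit",
    0x0200: "No debug",
    0x1000: "System file",
    0x2000: "DLL",
    0x8000: "Bytes reversed hi",
}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64"}


def parse_pe_header(data: bytes) -> dict:
    """Return the header fields the report lists, parsed from raw file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short")
    # Magic, linker major/minor, 9 DWORD sizes/addresses, 6 WORD versions,
    # 4 DWORDs (Win32VersionValue..CheckSum), Subsystem, DllCharacteristics.
    f = struct.unpack_from("<HBB9I6H4IHH", data, opt)
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "Sections": nsections,
        # TimeDateStamp: 32-bit seconds since the Unix epoch, author-controlled.
        "TimeStamp": datetime.fromtimestamp(timestamp, timezone.utc),
        "ImageFileCharacteristics": [name for bit, name in sorted(CHARACTERISTICS.items())
                                     if characteristics & bit],
        "PEType": {0x10B: "PE32", 0x20B: "PE32+"}.get(f[0], hex(f[0])),
        "LinkerVersion": f[1],
        "CodeSize": f[3],
        "UninitializedDataSize": f[5],
        "EntryPoint": f[6],
        "OSVersion": f[12],
        "SubsystemVersion": f[16],
        "Subsystem": SUBSYSTEMS.get(f[22], str(f[22])),
    }


def build_sample_header() -> bytes:
    """Constructed stub header carrying the values from the report above.

    Synthetic, not the sample's real bytes: only the header fields the report
    shows are meaningful; image base, alignments and image sizes are placeholders
    and no sections or code follow the headers.
    """
    ts = calendar.timegm((2004, 4, 29, 3, 0, 54))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 4, ts, 0, 0, 0xE0, 0x830E)
    opt = struct.pack("<HBB9I6H4IHH",
                      0x10B, 6, 0,
                      150706, 0, 4096, 0x3515, 0x1000, 0x26000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 5, 0,
                      0, 0x2A000, 0x400, 0,
                      2, 0)
    opt += b"\0" * (0xE0 - len(opt))
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    for key, value in parse_pe_header(build_sample_header()).items():
        print(f"{key}: {value}")
```

Run it and the output reproduces the EXIF block line for line; point `parse_pe_header` at the bytes of a real file to compare its own reading against the sandbox's.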
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> zeroaccess_xxx-porn-movie.avi.exe_.exe (#ZEROACCESS) -> werfault.exe

Process information

PID 1476
  CMD:             "C:\Users\admin\AppData\Local\Temp\ZeroAccess_xxx-porn-movie.avi.exe_.exe"
  Path:            C:\Users\admin\AppData\Local\Temp\ZeroAccess_xxx-porn-movie.avi.exe_.exe
  Indicators:      ZEROACCESS mutex found; executes application which crashes
  Parent process:  explorer.exe
  User:            admin
  Integrity Level: MEDIUM
  Exit code:       3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: the process was terminated on an access violation, it did not exit on its own)
  Loaded images:
    c:\users\admin\appdata\local\temp\zeroaccess_xxx-porn-movie.avi.exe_.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\oleaut32.dll
  (The wow64*.dll entries show the 32-bit sample running under WoW64 on the 64-bit guest; no module beyond the loader set and oleaut32 was reached before the crash.)

PID 6172
  CMD:             C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1476 -s 472
  Path:            C:\Windows\SysWOW64\WerFault.exe
  Parent process:  ZeroAccess_xxx-porn-movie.avi.exe_.exe
  User:            admin
  Company:         Microsoft Corporation
  Integrity Level: MEDIUM
  Description:     Windows Problem Reporting
  Exit code:       0
  Version:         10.0.19041.3996 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\syswow64\werfault.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\msvcrt.dll
    c:\windows\syswow64\combase.dll
  (The -p 1476 argument is the PID of the crashed process WerFault is reporting on.)
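The process table carries the two facts that decide how much this run is worth: the sample's exit code 3221225477 is the unsigned form of NTSTATUS 0xC0000005 (STATUS_ACCESS_VIOLATION), and the only other monitored process is WerFault.exe started with -p 1476, i.e. the crash reporter for the sample. The following is an added example, not from the page or from ANY.RUN, in Python: it decodes an exit code into its NTSTATUS severity and name, pulls the target PID out of a WerFault command line, and joins the two so a report like this one is automatically marked "crashed before doing anything" rather than "clean". The process list in the block is constructed from the two rows above; the NTSTATUS table is a small hand-picked subset of ntstatus.h.

```python
"""Decode sandbox exit codes as NTSTATUS values and tie WerFault to its victim (added example)."""
import re

# A few NTSTATUS values a process commonly dies with (subset of ntstatus.h).
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0x80000003: "STATUS_BREAKPOINT",
}
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}


def decode_exit_code(code: int) -> dict:
    """Interpret an exit code the way a triage analyst reads it.

    Sandboxes print the code as an unsigned 32-bit value; other tools print it
    signed, so both forms are returned. The top two bits are the NTSTATUS
    severity, and severity 3 (error) means the process was killed by an exception.
    """
    code &= 0xFFFFFFFF
    severity = code >> 30
    return {
        "unsigned": code,
        "signed": code - (1 << 32) if code & 0x80000000 else code,
        "hex": f"0x{code:08X}",
        "severity": SEVERITY[severity],
        "name": NTSTATUS.get(code),
        "crashed": severity == 3,
    }


# WerFault.exe -u -p <pid> -s <event>: -p names the process being reported on.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?-p\s+(\d+)", re.IGNORECASE)


def werfault_target(cmdline: str):
    """Return the PID a WerFault command line reports on, or None if it is not one."""
    m = WERFAULT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def find_crashes(processes):
    """processes: dicts with pid, cmd, exit_code, as in the process table above.

    Returns one entry per process whose exit code is an NTSTATUS error, together
    with the PID of the WerFault instance that reported on it (if any).
    """
    reporters = {}
    for p in processes:
        target = werfault_target(p["cmd"])
        if target is not None:
            reporters[target] = p["pid"]
    crashes = []
    for p in processes:
        d = decode_exit_code(p["exit_code"])
        if d["crashed"]:
            crashes.append({"pid": p["pid"],
                            "status": d["name"] or d["hex"],
                            "werfault_pid": reporters.get(p["pid"])})
    return crashes


# Constructed from the two rows of the process table above.
REPORT_PROCESSES = [
    {"pid": 1476,
     "cmd": r'"C:\Users\admin\AppData\Local\Temp\ZeroAccess_xxx-porn-movie.avi.exe_.exe"',
     "exit_code": 3221225477},
    {"pid": 6172,
     "cmd": r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1476 -s 472",
     "exit_code": 0},
]

if __name__ == "__main__":
    for crash in find_crashes(REPORT_PROCESSES):
        print(crash)
```

For this report the result is a single crash: PID 1476 with STATUS_ACCESS_VIOLATION, reported by PID 6172. The dropped-files list further down contains the matching minidump (C:\Users\admin\AppData\Local\CrashDumps\ZeroAccess_xxx-porn-movie.avi.exe_.exe.1476.dmp), which is the artifact to open if the crash itself needs explaining.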
Total events: 3 083
Read events: 3 083
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 6
Text files: 2
Unknown types: 0

Dropped files

PID 6172, WerFault.exe
  File:   C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_ZeroAccess_xxx-p_a2b2ed6d57bd1360c386779fabb14b28ea4d2bb_3db73452_7f8ee26e-7293-4011-a8be-d07d21a44ca6\Report.wer
  MD5:
  SHA256:

PID 6172, WerFault.exe
  File:   C:\ProgramData\Microsoft\Windows\WER\Temp\WER5623.tmp.WERInternalMetadata.xml
  Type:   xml
  MD5:    BEBE30B7516916F5B48A3EEFD33E21C5
  SHA256: A1AE762108B79DB6C74DD1880378435140DCDF5D08697E0C7D26EAC6709E72D5

PID 6172, WerFault.exe
  File:   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
  Type:   binary
  MD5:    FA84E4BCC92AA5DB735AB50711040CDE
  SHA256: 6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33

PID 6172, WerFault.exe
  File:   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785
  Type:   binary
  MD5:    FB1E85FC781D381BD5C50BD23E240B0A
  SHA256: DFA28FBC629E0CD34D1D92DD4B782C913CD5CECCE0A4078B805265F825B1F8C9

PID 6172, WerFault.exe
  File:   C:\Users\admin\AppData\Local\CrashDumps\ZeroAccess_xxx-porn-movie.avi.exe_.exe.1476.dmp
  Type:   binary
  MD5:    D2ADA662AD7B5712FA98C408DB03BBD8
  SHA256: DDA2EF5278DB9F2190B1C36BC697868C47193F2C2B99E42642B83DDF9C50BDDD

PID 6172, WerFault.exe
  File:   C:\ProgramData\Microsoft\Windows\WER\Temp\WER5682.tmp.xml
  Type:   xml
  MD5:    48998E89B5A27A26D4124BB7D10FBB7B
  SHA256: 1F5803765428E4371F44B1608C568325B3A02CF948F164D3FB9D49847CDB62E1

PID 6172, WerFault.exe
  File:   C:\ProgramData\Microsoft\Windows\WER\Temp\WER5566.tmp.dmp
  Type:   binary
  MD5:    0210F9494430E1533CF50BBA94BA70E2
  SHA256: 948CA581C2C2EDBFF38690C43FF08C778148162437E8F0B2FE087153197B2DDD

PID 6172, WerFault.exe
  File:   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
  Type:   binary
  MD5:    477F1CCFA0C8D2EC29A3EB2481EA17F8
  SHA256: BF252B2D13725078B11EE0423344A625F7F904E48A42BC44692CBF8B4CC0C90B

PID 6172, WerFault.exe
  File:   C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785
  Type:   binary
  MD5:    F6F53CD09A41E968C363419B279D3112
  SHA256: 6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892

(Every dropped file was written by WerFault.exe, not by the sample: the WER report, metadata and minidumps, plus CryptnetUrlCache entries, which hold the CRL/OCSP responses Windows caches during certificate validation.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 36
DNS requests: 19
Threats: 0

HTTP requests

PID   Process                 Method  HTTP Code  IP                 CN       Reputation   URL
-     -                       GET     200        23.48.23.167:80    unknown  whitelisted  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
-     -                       GET     200        23.52.120.96:80    unknown  whitelisted  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
-     -                       GET     200        2.17.190.73:80     unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
1176  svchost.exe             GET     200        2.17.190.73:80     unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
6172  WerFault.exe            GET     200        23.48.23.167:80    unknown  whitelisted  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
6172  WerFault.exe            GET     200        23.52.120.96:80    unknown  whitelisted  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
6244  backgroundTaskHost.exe  GET     200        2.23.77.188:80     unknown  whitelisted  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
7136  SIHClient.exe           GET     200        95.101.149.131:80  unknown  whitelisted  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
7136  SIHClient.exe           GET     200        95.101.149.131:80  unknown  whitelisted  http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl

(The Type and Size columns are empty for every row; "-" marks a PID/Process cell the report leaves blank.)
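Read by PID, the HTTP table says more than its row count: not one of the nine requests is attributed to the sample (PID 1476), two belong to WerFault.exe, four to ordinary Windows services (svchost.exe, backgroundTaskHost.exe, SIHClient.exe), three are unattributed, and every URL is a CRL download or an OCSP query against Microsoft or DigiCert PKI endpoints. That is the certificate-validation chatter of an idle Windows 10 guest, not command-and-control, which is consistent with a sample that crashed before doing anything and with the "Threats: 0" line. The following is an added example, not from the page or from ANY.RUN, in Python, that bucketizes such a table by originating PID and classifies each URL as CRL, OCSP or "other", so only traffic from the monitored sample that is not PKI noise is surfaced for a closer look. The row list is constructed from the table above; the two PIDs of interest come from the process table.

```python
"""Separate a sandbox HTTP table into sample traffic and host background (added example)."""
from collections import Counter
from urllib.parse import urlsplit

# The two PIDs the sandbox actually monitored: the sample and its crash reporter.
SAMPLE_PID = 1476
REPORTER_PID = 6172

# Constructed from the HTTP requests table above: (pid or None, process, url).
HTTP_ROWS = [
    (None, None, "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (None, None, "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (None, None, "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D"),
    (1176, "svchost.exe", "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D"),
    (6172, "WerFault.exe", "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    (6172, "WerFault.exe", "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"),
    (6244, "backgroundTaskHost.exe", "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D"),
    (7136, "SIHClient.exe", "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl"),
    (7136, "SIHClient.exe", "http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl"),
]


def traffic_kind(url: str) -> str:
    """Classify a URL as a CRL fetch, an OCSP query, or something worth a closer look.

    CRL downloads end in .crl; OCSP GET requests go to an ocsp.* host with the
    base64 request in the path (RFC 6960 appendix A).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.path.lower().endswith(".crl"):
        return "crl"
    if host.startswith("ocsp."):
        return "ocsp"
    return "other"


def attribute(rows, sample_pid=SAMPLE_PID, reporter_pid=REPORTER_PID):
    """Bucket each request by its origin; only the 'sample' bucket can contain C2."""
    buckets = {"sample": [], "reporter": [], "background": [], "unattributed": []}
    for pid, proc, url in rows:
        if pid is None:
            key = "unattributed"
        elif pid == sample_pid:
            key = "sample"
        elif pid == reporter_pid:
            key = "reporter"
        else:
            key = "background"
        buckets[key].append((pid, proc, url))
    return buckets


def summarize(rows):
    """Counts per bucket and per kind, plus any non-PKI URL the sample itself requested."""
    buckets = attribute(rows)
    kinds = Counter(traffic_kind(url) for _, _, url in rows)
    suspicious = [url for _, _, url in buckets["sample"] if traffic_kind(url) == "other"]
    return {
        "counts": {name: len(v) for name, v in buckets.items()},
        "kinds": dict(kinds),
        "sample_non_pki_urls": suspicious,
    }


if __name__ == "__main__":
    for name, value in summarize(HTTP_ROWS).items():
        print(f"{name}: {value}")
```

For this report the summary is sample 0, reporter 2, background 4, unattributed 3, with six CRL fetches and three OCSP queries and an empty list of sample URLs to investigate. The same filter applied to a run where the sample had reached its P2P or C2 stage would leave those requests in the "sample" bucket with kind "other".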

Connections

PID   Process              IP                    Domain                           ASN                          CN  Reputation
4     System               192.168.100.255:137   -                                -                            -   whitelisted
-     -                    4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
5064  SearchApp.exe        2.16.110.171:443      www.bing.com                     Akamai International B.V.    DE  whitelisted
-     -                    23.48.23.167:80       crl.microsoft.com                Akamai International B.V.    DE  whitelisted
-     -                    23.52.120.96:80       www.microsoft.com                AKAMAI-AS                    DE  whitelisted
2040  svchost.exe          4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -                    2.17.190.73:80        ocsp.digicert.com                AKAMAI-AS                    DE  whitelisted
4712  MoUsoCoreWorker.exe  4.231.128.59:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System               192.168.100.255:138   -                                -                            -   whitelisted
1176  svchost.exe          40.126.32.72:443      login.live.com                   MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted

("-" marks a cell the report leaves blank. No connection in the table is attributed to the sample, PID 1476.)

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.48.23.167
  • 23.48.23.169
  • 23.48.23.147
  • 23.48.23.177
  • 23.48.23.162
  • 23.48.23.159
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.166
whitelisted
www.bing.com
  • 2.16.110.171
  • 2.16.110.121
whitelisted
www.microsoft.com
  • 23.52.120.96
  • 95.101.149.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
login.live.com
  • 40.126.32.72
  • 40.126.32.134
  • 20.190.160.17
  • 20.190.160.22
  • 40.126.32.68
  • 40.126.32.133
  • 20.190.160.20
  • 20.190.160.14
whitelisted
go.microsoft.com
  • 184.30.18.9
whitelisted
watson.events.data.microsoft.com
  • 52.182.143.212
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
  • 51.124.78.146
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted

Threats

No threats detected
No debug info