File name: 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d

Full analysis: https://app.any.run/tasks/d74a3dc5-353c-41f5-a36e-dd867c24b994
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:26:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: E7EDC9A2C14CA15A99DDDED2756982BD
SHA1: 08A3594FD0D51A2103C9B89E6BD55B5591970D5F
SHA256: 7C393F0F65087B857D9308BB1A27C0D9871FCC138AE672E45C5806198A306E6D
SSDEEP: 3072:oSvVVVVVVVVwgWsgW2uFN1u8h55q8I+r8xLhWJEd2aNB415kUe7/wA:oSvVVVVVVVVguFTDhfqfWJUNo5kUe7/r

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
  • INFO
    • Creates files or folders in the user directory
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
    • Checks supported languages
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
    • UPX packer has been detected
      • 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe (PID: 6236)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 119
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe

Process information

PID | CMD | Path | Indicators | Parent process
6236 | "C:\Users\admin\Desktop\7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe" | C:\Users\admin\Desktop\7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | - | explorer.exe

User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 193
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | - | - | - | -
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | C6728D8681D3A9898D5B6609CB23D690 | EE6D4F43A0E57A2A36987A35FA1D7D5D866978E76E75AE36829E894101330613
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | E0A730AB7E69F0C7B8ABC24CE8353F06 | 660794846E37DABBF705D152A31B2A163DE817809DE605DF16602DC08DC22EE2
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 10E400C37033EE8ABBD387993EA6D81B | 354EC786D1CD085A6EDD7FE7B4254B6850330F758DD4E2FE58995B08B1425DAC
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 56AEB749A7D96ACFD9CCD2D638956553 | 66BE38F93F074549CD50549B251B4386933961B4F3E1FB2922D08EA5368D6158
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | C2D0429C78327A10644FFD427B906A15 | F4CCA2B6162E6F6BFBA631A1C41E6D71303044104C34FCB0A4F9E695619C8CE3
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | A50B8F62E92698362778BF8651B11EB5 | FC4EEBC97C67AF3E9301E5C266A6B88F2BB873358666E9914128180FA8880F8C
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | BAC985137588B19F85D54064645E120C | 67F1071AB98508020A1900CC1C74214347BB53E35D0AEAE03D686ADF2838A6A1
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | C338B96B8F92DE16097F85CF0742B989 | 1193D2BE65784CA3849C71BDD5AC02F606C3C6CF3057DF4FC34B7CB420469174
6236 | 7c393f0f65087b857d9308bb1a27c0d9871fcc138ae672e45c5806198a306e6d.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | F5AB33FAF1352BB855F4378EEFF08FD2 | 5BB7C06693ECCC6159CE5FBC269E305AFB61F19AAC41423C27F097D3E197F638
HTTP(S) requests: 3
TCP/UDP connections: 16
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.215.121.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4160 | RUXIMICS.exe | GET | 200 | 23.215.121.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4160 | RUXIMICS.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
736 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4160 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.21.110.146:443 | - | AKAMAI-AS | DE | unknown
4160 | RUXIMICS.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4160 | RUXIMICS.exe | 23.215.121.133:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
736 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 23.215.121.133:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.124.78.146 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 23.32.238.107, 23.32.238.112 | whitelisted
www.microsoft.com | 23.215.121.133 | whitelisted
self.events.data.microsoft.com | 20.189.173.8 | whitelisted

Threats

No threats detected
No debug info