File name: 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe

Full analysis: https://app.any.run/tasks/891113e7-69fe-43f1-9517-890ef40bc803
Verdict: Malicious activity
Analysis date: January 15, 2025, 22:21:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 7D19CD1FC2A41516640EEAD21AF21AEF
SHA1: 04CA2496E4D86473FE556E44B9415FD1C7551CEB
SHA256: 8C0E6E379B467B9D1E3E0C636518E4FC6CE5970E10168F2169CDEE56C7123387
SSDEEP: 3072:cpDSvVVVVVVVVrfQF3Esj5qePCKaRqhjcUuWhieo+4G:cdSvVVVVVVVVrfuj5qvRqhjzuWhi0R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
    • Executable content was dropped or overwritten

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
    • The process creates files with name similar to system file names

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
  • INFO

    • Creates files or folders in the user directory

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
    • Checks supported languages

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
    • UPX packer has been detected

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe

Process information

PID: 2512
CMD: "C:\Users\admin\Desktop\8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe"
Path: C:\Users\admin\Desktop\8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 452
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | - | -
    MD5: - | SHA256: -
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
    MD5: 5655CD5FD5C53BF932FB72336313D1A7 | SHA256: 7582379B62CFF119BCE70D3E35F90FD29D3363293AE3C6E0BC1B28ED05E2F053
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
    MD5: ADC2C0D8B4B8DF51E62D51A2C94081E2 | SHA256: 918254B4AE1366E28014CA1553F25DD711CE3D6A6FD550091EC5803B6D4B1EAA
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable
    MD5: D2806F0CACC47130ACEBB57C0FF1C2F9 | SHA256: 789911F6211129078450C57B306F88D4F034288A87D01D32B639C49AB6ECDC8A
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
    MD5: 97E8C2F306435EFC77BA1BACC856C254 | SHA256: D70D2D78CFB827A70475A3318FA64DCE785A2817CA6F86C8A2D18AF08081B82E
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
    MD5: 99994980087C9AF6EF3A519351666095 | SHA256: DDEAD863E7DBC909DC2F20F51C2766EF1597D610E7047E1439DFAB03DC5BA8F8
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
    MD5: 97E8C2F306435EFC77BA1BACC856C254 | SHA256: D70D2D78CFB827A70475A3318FA64DCE785A2817CA6F86C8A2D18AF08081B82E
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
    MD5: 31F757806CFF294EEFFA762BFF8E0DFF | SHA256: B38B5370FD41F39751CD72E0B7CD8FD11C48EA684564086EF12B57196F09A5E6
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp | executable
    MD5: E9C6BE67FE42E9F00EB4182E3646ABDD | SHA256: 8463E1705427066858328D2061CCEFF7CA1C23875C64020B2CEBDC772013BBDA
2512 | 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
    MD5: AC6D347A866757CC4261D2E9901D847B | SHA256: 5C111053AC1AD62793A9216A584FB3D8A7802BFD70ADBDB5E143F45C3B2BACE4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2356 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1684 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1684 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3976 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.206 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
self.events.data.microsoft.com | 20.189.173.1 | whitelisted

Threats

No threats detected
No debug info