File name: 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe

Full analysis: https://app.any.run/tasks/891113e7-69fe-43f1-9517-890ef40bc803
Verdict: Malicious activity
Analysis date: January 15, 2025, 22:21:47
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 7D19CD1FC2A41516640EEAD21AF21AEF
SHA1: 04CA2496E4D86473FE556E44B9415FD1C7551CEB
SHA256: 8C0E6E379B467B9D1E3E0C636518E4FC6CE5970E10168F2169CDEE56C7123387
SSDEEP: 3072:cpDSvVVVVVVVVrfQF3Esj5qePCKaRqhjcUuWhieo+4G:cdSvVVVVVVVVrfuj5qvRqhjzuWhi0R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
    • The process creates files with name similar to system file names

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
    • Executable content was dropped or overwritten

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
  • INFO

    • Creates files or folders in the user directory

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
    • Checks supported languages

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
    • UPX packer has been detected

      • 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID: 2512)
No Malware configuration.

TRiD

Extension | Description | Match (%)
.exe | Win32 Executable MS Visual C++ (generic) | 30.9
.exe | Win64 Executable (generic) | 27.3
.exe | UPX compressed Win32 Executable | 26.8
.dll | Win32 Dynamic Link Library (generic) | 6.5
.exe | Win32 Executable (generic) | 4.4

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe

Process information

PID | CMD | Path | Indicators | Parent process
2512 | "C:\Users\admin\Desktop\8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe" | C:\Users\admin\Desktop\8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe | - | explorer.exe

User: admin
Integrity Level: MEDIUM

Modules (Images):
c:\users\admin\desktop\8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 452
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All files below were dropped by 8c0e6e379b467b9d1e3e0c636518e4fc6ce5970e10168f2169cdee56c7123387.exe (PID 2512).

Filename | Type | MD5 | SHA256
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | 97E8C2F306435EFC77BA1BACC856C254 | D70D2D78CFB827A70475A3318FA64DCE785A2817CA6F86C8A2D18AF08081B82E
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 31F757806CFF294EEFFA762BFF8E0DFF | B38B5370FD41F39751CD72E0B7CD8FD11C48EA684564086EF12B57196F09A5E6
C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | ADC2C0D8B4B8DF51E62D51A2C94081E2 | 918254B4AE1366E28014CA1553F25DD711CE3D6A6FD550091EC5803B6D4B1EAA
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | D2806F0CACC47130ACEBB57C0FF1C2F9 | 789911F6211129078450C57B306F88D4F034288A87D01D32B639C49AB6ECDC8A
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | 7DEAB1741EB2D153E752AF79E50AA467 | 3A1FAD3723F787D49D24DEA22DFFDBC84A2D83393B77F7ECE2E98EAB1F2035B2
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 99994980087C9AF6EF3A519351666095 | DDEAD863E7DBC909DC2F20F51C2766EF1597D610E7047E1439DFAB03DC5BA8F8
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | AF7068BC601AD5276233DA917EA39727 | 41CC36A07AF98A43132CEF4FA0C36823C1F0F77F7722121C6A3AD5134B1E56EE
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | 5655CD5FD5C53BF932FB72336313D1A7 | 7582379B62CFF119BCE70D3E35F90FD29D3363293AE3C6E0BC1B28ED05E2F053
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable | D78C152D31F2DCB9D89A6E56B36D50A0 | 46F4203F23FD989C378DB83B591754593B8F1D31777A57714ABEA0F5BF8B1CF3
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 3
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2356 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1684 | svchost.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1684 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3976 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.185.206 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
self.events.data.microsoft.com | 20.189.173.1 | whitelisted

Threats

No threats detected
No debug info