File name:

z88driver.exe

Full analysis: https://app.any.run/tasks/942e3f18-1e2f-45bd-b87f-290913db432e
Verdict: Malicious activity
Analysis date: October 29, 2024, 12:04:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive, with extra data prepended
MD5:

BBCEEAA18D69FFB9F5508E5B56E85372

SHA1:

D0F5B1F275073276CACD48C2CBF8B4F5FFC7E2DB

SHA256:

9EF91FAED7D619765600700C0C7C8F00C097581DCA42863C810DE7ECBC2AA6FC

SSDEEP:

98304:sMqKttyB49B0f/YtP0OLJW0Jh1BYfUFj1p9noWaNHtvFpZkQKXIOL/wtDLAB34fZ:2Q1QZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • z88driver.exe (PID: 4904)

    • Process drops legitimate windows executable

      • z88driver.exe (PID: 4904)

    • Drops a system driver (possible attempt to evade defenses)

      • z88driver.exe (PID: 4904)

    • Starts a Microsoft application from unusual location

      • dpinst-amd64.exe (PID: 6372)

  • INFO

    • Checks supported languages

      • z88driver.exe (PID: 4904)
      • dp-chooser.exe (PID: 1576)

    • Reads the computer name

      • z88driver.exe (PID: 4904)
      • dp-chooser.exe (PID: 1576)

    • Create files in a temporary directory

      • z88driver.exe (PID: 4904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (33)
.exe | Win32 EXE Yoda's Crypter (32.4)
.scr | Windows screen saver (16)
.dll | Win32 Dynamic Link Library (generic) (8)
.exe | Win32 Executable (generic) (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:03:20 06:35:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Aggressive working-set trim, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 4096
UninitializedDataSize: 77824
EntryPoint: 0x19200
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start z88driver.exe dp-chooser.exe no specs dpinst-amd64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1576dp-chooser.exeC:\Users\admin\AppData\Local\Temp\CDM20830\dp-chooser.exez88driver.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\cdm20830\dp-chooser.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4904"C:\Users\admin\AppData\Local\Temp\z88driver.exe" C:\Users\admin\AppData\Local\Temp\z88driver.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\z88driver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6372C:\Users\admin\AppData\Local\Temp\CDM20830\dpinst-amd64C:\Users\admin\AppData\Local\Temp\CDM20830\dpinst-amd64.exedp-chooser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Driver Package Installer
Exit code:
3221226540
Version:
2.1
Modules
Images
c:\users\admin\appdata\local\temp\cdm20830\dpinst-amd64.exe
c:\windows\system32\ntdll.dll
Total events
50
Read events
50
Write events
0
Delete events
0

Modification events

No data
Executable files
17
Suspicious files
8
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\i386\ftd2xx.dllexecutable
MD5:C42D0F96CE90FB6D3B96DE21886E778E
SHA256:ABF80AF6316C5F475CD60BEC680C07B4E11D1F2163F36DC51BCCEE3F4F2E31A4
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\i386\ftdibus.sysexecutable
MD5:D25C535DC57DAB5A6298CD8B23A62743
SHA256:F85A1C911FCA47D5DA55E97C5E3EF234B97A4F8171477202E0AC6FA8F886E713
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftlang.dllexecutable
MD5:0B17B700B17DDC80F539267D989542B5
SHA256:C4DD55A3E9CD173ACE302E2240CCF8DD5DD0DD493B256C2EE708244469950644
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\i386\ftd2xx.libbinary
MD5:2D5CBE3B885D014143073B92325CE774
SHA256:0EBC10D4846122AF45E9B8E7F6625B66874630BC12366C47214D88B641669476
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\i386\ftlang.dllexecutable
MD5:BCE6EF5D348387F4B80761D446BBBDB1
SHA256:1606A60E40665C6B11948EA0C0C4873712665202BD249B8E4BD1989C32320E8B
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\i386\ftserui2.dllexecutable
MD5:72C05BA42CA2EF93B4E63F3A10E7439F
SHA256:111B66F67B59DFE5667ECF182DEEB5497D7745C575702D2643B8DC51A251B9C1
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftcserco.dllexecutable
MD5:84A0DD31EDA61CF8B03F0909F1064C49
SHA256:CD971E1EE2C0AB6EB8DE96E258618AA3DA6F8845B989DDF6CEBB2BAE216C8A02
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\i386\ftser2k.sysexecutable
MD5:A4727C98DF89ED909AAC5F814125E0DE
SHA256:2E3B3BD48F3C2540DE785C3E054741B5EE39ADF1368F961F55AC1AC7DA48D6A6
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftser2k.sysexecutable
MD5:A19D6F0356DBABB94293894B84C27D27
SHA256:93B4E3314302F6F1524E776EF0FBF29221D10B642E3BA649D6E68FFAB2B7B16B
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftd2xx.libbinary
MD5:5E8C222D7CC7D38CAB7FC257D02D0EAF
SHA256:16338B59CBCCB6305E62809248D3F0782EDAC14D76DFEA0891D03BD2952EEA09
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
36
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1752
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7104
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
1752
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1552
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4360
SearchApp.exe
184.86.251.21:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
1552
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.53.40.176
  • 23.53.41.90
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.bing.com
  • 184.86.251.21
  • 184.86.251.23
  • 184.86.251.19
  • 184.86.251.22
  • 184.86.251.26
  • 184.86.251.25
  • 184.86.251.29
  • 184.86.251.27
  • 184.86.251.24
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.69
  • 40.126.31.67
  • 20.190.159.71
  • 20.190.159.0
  • 40.126.31.71
  • 40.126.31.73
  • 20.190.159.73
  • 20.190.159.68
whitelisted
th.bing.com
  • 184.86.251.24
  • 184.86.251.21
  • 184.86.251.23
  • 184.86.251.19
  • 184.86.251.22
  • 184.86.251.26
  • 184.86.251.25
  • 184.86.251.29
  • 184.86.251.27
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
z88driver.exe