File name:

z88driver.exe

Full analysis: https://app.any.run/tasks/942e3f18-1e2f-45bd-b87f-290913db432e
Verdict: Malicious activity
Analysis date: October 29, 2024, 12:04:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/zip
File info: Zip archive, with extra data prepended
MD5:

BBCEEAA18D69FFB9F5508E5B56E85372

SHA1:

D0F5B1F275073276CACD48C2CBF8B4F5FFC7E2DB

SHA256:

9EF91FAED7D619765600700C0C7C8F00C097581DCA42863C810DE7ECBC2AA6FC

SSDEEP:

98304:sMqKttyB49B0f/YtP0OLJW0Jh1BYfUFj1p9noWaNHtvFpZkQKXIOL/wtDLAB34fZ:2Q1QZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • z88driver.exe (PID: 4904)

    • Process drops legitimate windows executable

      • z88driver.exe (PID: 4904)

    • Drops a system driver (possible attempt to evade defenses)

      • z88driver.exe (PID: 4904)

    • Starts a Microsoft application from unusual location

      • dpinst-amd64.exe (PID: 6372)

  • INFO

    • Checks supported languages

      • z88driver.exe (PID: 4904)
      • dp-chooser.exe (PID: 1576)

    • Reads the computer name

      • z88driver.exe (PID: 4904)
      • dp-chooser.exe (PID: 1576)

    • Create files in a temporary directory

      • z88driver.exe (PID: 4904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (33)
.exe | Win32 EXE Yoda's Crypter (32.4)
.scr | Windows screen saver (16)
.dll | Win32 Dynamic Link Library (generic) (8)
.exe | Win32 Executable (generic) (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:03:20 06:35:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Aggressive working-set trim, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 4096
UninitializedDataSize: 77824
EntryPoint: 0x19200
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start z88driver.exe dp-chooser.exe no specs dpinst-amd64.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1576dp-chooser.exeC:\Users\admin\AppData\Local\Temp\CDM20830\dp-chooser.exez88driver.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\cdm20830\dp-chooser.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
4904"C:\Users\admin\AppData\Local\Temp\z88driver.exe" C:\Users\admin\AppData\Local\Temp\z88driver.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\z88driver.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6372C:\Users\admin\AppData\Local\Temp\CDM20830\dpinst-amd64C:\Users\admin\AppData\Local\Temp\CDM20830\dpinst-amd64.exedp-chooser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Driver Package Installer
Exit code:
3221226540
Version:
2.1
Modules
Images
c:\users\admin\appdata\local\temp\cdm20830\dpinst-amd64.exe
c:\windows\system32\ntdll.dll
Total events
50
Read events
50
Write events
0
Delete events
0

Modification events

No data
Executable files
17
Suspicious files
8
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftcserco.dllexecutable
MD5:84A0DD31EDA61CF8B03F0909F1064C49
SHA256:CD971E1EE2C0AB6EB8DE96E258618AA3DA6F8845B989DDF6CEBB2BAE216C8A02
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftd2xx64.dllexecutable
MD5:6A1E17FE76A97559E0B9468AFF6925D2
SHA256:FB993526425134B83964DDB45A2266AACFB2B5B85F83D856BA8D56D9F53F84AA
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftd2xx.libbinary
MD5:5E8C222D7CC7D38CAB7FC257D02D0EAF
SHA256:16338B59CBCCB6305E62809248D3F0782EDAC14D76DFEA0891D03BD2952EEA09
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\FEB501.tmptext
MD5:3102AA37E23F4B79C68DE9B480B661E6
SHA256:3069489DF7A522B32F637E74B2D34682FABBEF0A75796E902D0A1E5E2A856E10
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\i386\ftbusui.dllexecutable
MD5:DB550EBE6B18CE0EA0ACABC420E3D8D6
SHA256:0A2D3DFEF80609DBCDC887014182D4D6698D111A98BAB873A1BE0FC2E4EDAE00
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftser2k.sysexecutable
MD5:A19D6F0356DBABB94293894B84C27D27
SHA256:93B4E3314302F6F1524E776EF0FBF29221D10B642E3BA649D6E68FFAB2B7B16B
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftserui2.dllexecutable
MD5:BB420F33F2AF1E3CD0A64FC3CAB080B4
SHA256:618382E67F2736AC1449195CB442F4BB8CD6AF4361DF0523719C65291A031579
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftlang.dllexecutable
MD5:0B17B700B17DDC80F539267D989542B5
SHA256:C4DD55A3E9CD173ACE302E2240CCF8DD5DD0DD493B256C2EE708244469950644
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftbusui.dllexecutable
MD5:DD60226D8B1A3B35A09E3A8C9E5C40EA
SHA256:947DC457B62378E10908D28DD9B05F2F587F4B13B523D4B3CD8D3C6B2758454A
4904z88driver.exeC:\Users\admin\AppData\Local\Temp\CDM20830\amd64\ftdibus.sysexecutable
MD5:340BA7CABB1F314E3650A7EF59F0A371
SHA256:B3B11FCC0C8AFD668CA6ED180B632C3983BD66026DAAEC150A23C83C9A0A6DCE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
36
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5488
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1552
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1752
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1752
SIHClient.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7104
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5488
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5488
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4360
SearchApp.exe
184.86.251.21:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
6944
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4020
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
1552
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.53.40.176
  • 23.53.41.90
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 88.221.169.152
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.bing.com
  • 184.86.251.21
  • 184.86.251.23
  • 184.86.251.19
  • 184.86.251.22
  • 184.86.251.26
  • 184.86.251.25
  • 184.86.251.29
  • 184.86.251.27
  • 184.86.251.24
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.69
  • 40.126.31.67
  • 20.190.159.71
  • 20.190.159.0
  • 40.126.31.71
  • 40.126.31.73
  • 20.190.159.73
  • 20.190.159.68
whitelisted
th.bing.com
  • 184.86.251.24
  • 184.86.251.21
  • 184.86.251.23
  • 184.86.251.19
  • 184.86.251.22
  • 184.86.251.26
  • 184.86.251.25
  • 184.86.251.29
  • 184.86.251.27
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
  • 20.109.210.53
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
z88driver.exe