File name: a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe
Full analysis: https://app.any.run/tasks/6359cc81-7cad-43ac-bb69-37588ad98622
Verdict: Malicious activity
Analysis date: December 10, 2024, 12:21:57
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 790B8431BBFE0B0D861CAD04B6F7C72D
SHA1: 8549964DEBCBDB0020D8F9343E2840AFF4CE0847
SHA256: A0D9A8466288F18F78F6AF1CD48B900FA4A896098298B7E0321742977360E079
SSDEEP: 1536:EhPpyASvVVVVVVVVWs5jf/ASvVVVVVVVV+s5jfT:cpDSvVVVVVVVVrf4SvVVVVVVVVTfT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe (PID: 4384)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe (PID: 4384)
    • Executable content was dropped or overwritten

      • a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe (PID: 4384)
    • The process creates files with name similar to system file names

      • a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe (PID: 4384)
  • INFO

    • Checks supported languages

      • a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe (PID: 4384)
    • Creates files or folders in the user directory

      • a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe (PID: 4384)
    • UPX packer has been detected

      • a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe (PID: 4384)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 114
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe

Process information

PID: 4384
CMD: "C:\Users\admin\Desktop\a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe"
Path: C:\Users\admin\Desktop\a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (Images):
  • c:\users\admin\desktop\a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1688
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | | | |
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | 95174B9317B08A89AA389A14B3FA0734 | 1BC0CDB9D88BAE3DE55884E1A7E54593CE5D316350CC8E321AB8A26D5C258C23
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | 95174B9317B08A89AA389A14B3FA0734 | 1BC0CDB9D88BAE3DE55884E1A7E54593CE5D316350CC8E321AB8A26D5C258C23
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 14B1E3D2E6AEA1B4C771A39C58CAC134 | 06C8843B4DF7023FE02936F76E5772FCA597DE1F74B1A9755DC70A21B461FD61
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | CC97CE97114ED2F73DD445D64AA08E77 | 4A15FAB94B41AF516A35CB4BF86FCBE347A8ABDCAA86FE7E99261E45CAA7CB7D
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable | 9F4603A0DD22581A49036251E93A44E6 | 5C158D3F354DFEEA5F98E62A7308D6C3BF27986800D4BFF5B17CDE735CBCB905
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp | executable | EEB22D657D703DDD4583BB7A231B568B | 5B26CD7327328629F0824421AD0F2E25B878721BB9E1A5D006E81AF2C820F773
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 3F690F0662A1A9DAFC9CA68F8DA1BC52 | 25DE267E72F167F2893D321AEBF82EE64B34AD0B8B6792B0CF2780F9258CDB62
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable | A44E79B38CBB1D7ADA5AF6C1F5B7825A | 1D203DE81CD9C06CF53D5FDA8A81D306C77B7BDF68986D449F6E26878A6D71C4
4384 | a0d9a8466288f18f78f6af1cd48b900fa4a896098298b7e0321742977360e079.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable | CB700660E4FC5A9CC0849FFAB3A1BF9A | DA997398C9FDAC36F850A7CA8384ABDF73B7BB5791540D97367ECD2FA410C0F4
HTTP(S) requests: 2
TCP/UDP connections: 20
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 52.182.143.213 | whitelisted

Threats

No threats detected
No debug info