File name:	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe
Full analysis:	https://app.any.run/tasks/8bb92a1d-d302-491c-9e05-598cbb555eca
Verdict:	Malicious activity
Analysis date:	August 01, 2025, 05:42:07
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	1A49ECD700E5382DBEEACAE0855B68ED
SHA1:	7824D8C8B4F4AE68F0E6B92814CDE01923E57ED5
SHA256:	AA72A88C03A4456767E2CF343CF025890EC2EC36AB1D23A02B5D54E06C320FDA
SSDEEP:	1536:QPlbc9F8xi59F8xiG+3+U3aWf5jsdeWB1:alOf5jsdeWB1

.exe	\|	Win32 Executable (generic) (42.4)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.8)
.exe	\|	DOS Executable Generic (18.8)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	-
CodeSize:	-
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x2130
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe			—
		MD5:—	SHA256:—
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe	C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp		executable
		MD5:79F3A57EA42912954DA10130949A2938	SHA256:415AB620B0160860DD8E1F3DA14CADF161A4F7621AA527F17EEDFCA7E884476E
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:7A8D1799700CE1D5303A8596E1C136D8	SHA256:F295EF7A1E0874A894E595D502DF4E61CA39AFE796555B410D3E6FD5F50E96CB
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:9A0658FD131C409A8AA16DE37248FA51	SHA256:0D3B282BC9B8A69BABF0C67FAFA525E211B33398A0E2659950292A7FA23364A5
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe	C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp		executable
		MD5:C83E2078A6F36FD16B4DF7E10EC818D1	SHA256:E557E247DE515D178D27CDF3F3AE6246475CA4F4136CC221FDDAA59C9AEC4758
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp		executable
		MD5:77D469A1434614C843F9F8DA4987A1A2	SHA256:A8CCF6EC0175F88FD078736AF194A90C0E79EAAEE3C7C07977E223A205148D18
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp		executable
		MD5:38711FBE71FEF4C49A04ECE0CAC7754F	SHA256:DA128469182150B7CEA5EF3D51D8571E5409ABAA99B9C7FDD1DC1EE680E3A0F0
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp		executable
		MD5:02A4503EC4BD4AAC3182169D06AE6ACE	SHA256:46889EADCBC46E9380FD4DF7909D4C25463392C89499FC6DEFE164808D53B9DE
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp		executable
		MD5:EA14240582CC41C4001CB72CB217D59B	SHA256:7C46E8C9056E433048BB10EAA33DD35F620CF63345776A23BD7EC328189A2DAE
512	aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp		executable
		MD5:E26C195D989514AED03DF3BEA7931294	SHA256:D4D3ADFE4A03CC5B842C68013E304E9BD9C80D967260DA23D7F94BE92FAF396D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5432	RUXIMICS.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5432	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.73:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	20.190.159.129:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	200	20.190.159.0:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
—	—	POST	400	20.190.159.68:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5432	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5432	RUXIMICS.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208 51.124.78.146	whitelisted
google.com	216.58.206.78	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	20.190.159.64 20.190.159.130 20.190.159.0 20.190.159.129 20.190.159.68 20.190.159.4 20.190.159.73 20.190.159.71	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
slscr.update.microsoft.com	20.165.94.63	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
self.events.data.microsoft.com	20.42.73.28	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

aa72a88c03a4456767e2cf343cf025890ec2ec36ab1d23a02b5d54e06c320fda.exe

1A49ECD700E5382DBEEACAE0855B68ED

7824D8C8B4F4AE68F0E6B92814CDE01923E57ED5

AA72A88C03A4456767E2CF343CF025890EC2EC36AB1D23A02B5D54E06C320FDA

1536:QPlbc9F8xi59F8xiG+3+U3aWf5jsdeWB1:alOf5jsdeWB1

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Creates file in the systems drive root

The process creates files with name similar to system file names

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings