File name:	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe
Full analysis:	https://app.any.run/tasks/82619d29-6a24-42cb-827c-c8c45ec36ecb
Verdict:	Malicious activity
Analysis date:	August 01, 2025, 06:08:26
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	89026127AC400F2CD37AF7EA346ACE32
SHA1:	5E33E30C0B0089256E33B6528EBEB1AC465CFCD7
SHA256:	B8989FADA61D35550BF6B5538E968C9BFAB5E28457396F15D609E1A98C4A55D8
SSDEEP:	1536:UjVABc9F8xi59F8xiG+3+U3aWf5jsdeWjEZ:Uaof5jsdeWjEZ

.exe	\|	Win32 Executable (generic) (42.4)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.8)
.exe	\|	DOS Executable Generic (18.8)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	-
CodeSize:	-
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x6000
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe			—
		MD5:—	SHA256:—
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:2FA5D55A1B65F91E53B60038C48B5A09	SHA256:108B89AA81E19FD2BD3419719B0F187C430EA5C64E10A12AB5295D2CFCE7EDB2
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp		executable
		MD5:5BBF1E34CDEEE7AF4BD87F1253C3993E	SHA256:7E496F7CB952918CBC6DB008724008DAD5AB575F7ED858C59B026411FE761AC5
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe	C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp		executable
		MD5:8E14C2B740FDB95390CDCEAF9692F5CC	SHA256:1DEAAE797BCCC4F8D1BDC81945F68B6DDDCF9DC91F4EBDF685CFFA82FA9E880F
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp		executable
		MD5:9F0B47B971D10CA6A9001EA7198DC33A	SHA256:9003DDA8ED741396ADD6ED5D60B145BFE14613F08E26D38346EE2E52A4EF7455
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp		executable
		MD5:72135DCEC6ED43C35D08A24E7546B018	SHA256:A7B13A3A355AF58FA1A2F45B357F21DA00BE61F95D9486376C58BDCE911E43C0
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp		executable
		MD5:FAE259362FF60695AC2B0AFE45F78ED7	SHA256:84B7BE5B03340BC7DCAAC6D58C9ABD55CD402BC7E56BD055A97E9028579E95AC
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp		executable
		MD5:D342E723DBF049377D3823BD77B7D291	SHA256:A476505CDBE1049AB33153895A6BB02DC236B57396F9D13013EB5848E53BE84C
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp		executable
		MD5:B6AB2143A8569162F4E8F44785197407	SHA256:92807AE85431538C6C71E475E21B48855B37380181314E817D8B7851959ECCC6
6820	b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp		executable
		MD5:47B8306C8CAF66E4C4BDF58C9B416EC0	SHA256:5634683FC73A117C81BE78D6C1766018ADB419C9618A8F9383FC014450D7AADD

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
2168	RUXIMICS.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.25:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	814 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	814 b	whitelisted
2168	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	814 b	whitelisted
—	—	POST	200	20.190.159.2:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	whitelisted
—	—	POST	400	20.190.159.2:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	whitelisted
—	—	POST	400	20.190.159.130:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	whitelisted
—	—	POST	400	20.190.159.73:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1268	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2168	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2168	RUXIMICS.exe	23.216.77.25:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.216.77.25 23.216.77.20 23.216.77.42 23.216.77.6 23.216.77.28 2.16.241.12 2.16.241.14	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
login.live.com	20.190.160.130 40.126.32.74 40.126.32.134 20.190.160.20 20.190.160.64 20.190.160.4 40.126.32.138 20.190.160.67	whitelisted
client.wns.windows.com	20.59.87.226	whitelisted
slscr.update.microsoft.com	20.165.94.63	whitelisted
fe3cr.delivery.mp.microsoft.com	20.242.39.171	whitelisted
self.events.data.microsoft.com	52.182.141.63	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted

General Info

b8989fada61d35550bf6b5538e968c9bfab5e28457396f15d609e1a98c4a55d8.exe

89026127AC400F2CD37AF7EA346ACE32

5E33E30C0B0089256E33B6528EBEB1AC465CFCD7

B8989FADA61D35550BF6B5538E968C9BFAB5E28457396F15D609E1A98C4A55D8

1536:UjVABc9F8xi59F8xiG+3+U3aWf5jsdeWjEZ:Uaof5jsdeWjEZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

The process creates files with name similar to system file names

Creates file in the systems drive root

Executable content was dropped or overwritten

INFO

Checks supported languages

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings