File name: b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45

Full analysis: https://app.any.run/tasks/f3c9d8dd-e827-4dc9-adf9-6ef33da7ad78
Verdict: Malicious activity
Analysis date: December 09, 2024, 02:39:22
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 6FDEACD1E5F3981A8F4083E1ECE4E48B
SHA1: 2E5F72C77D205FC4A59576574D3BB2444A13460D
SHA256: B968E304D5C07DBB067758577FC634D1EB6241BF5FB7950AA90A6A72282A6F45
SSDEEP: 3072:oSvVVVVVVVVwgWsgWruFN1u8h55q8I+r8xLhWJEd2aNB415kUe7K:oSvVVVVVVVVFuFTDhfqfWJUNo5kUe7K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe (PID: 5448)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe (PID: 5448)
    • Executable content was dropped or overwritten

      • b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe (PID: 5448)
    • The process creates files with name similar to system file names

      • b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe (PID: 5448)
  • INFO

    • Creates files or folders in the user directory

      • b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe (PID: 5448)
    • Checks supported languages

      • b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe (PID: 5448)
    • UPX packer has been detected

      • b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe (PID: 5448)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x7f80
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe

Process information

PID: 5448
CMD: "C:\Users\admin\Desktop\b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe"
Path: C:\Users\admin\Desktop\b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe
Indicators:
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 599
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe |  | 
  MD5:
  SHA256:

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
  MD5: 5EF6C03D029B28DB4507EA783A772309
  SHA256: FBF098C8A3CC328D8686135DA086C959A44392BEB37AAE50686772D491133FBC

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
  MD5: 78DE9BC0BBF83E95E4F37723D7C45F1A
  SHA256: 74CC102F4E7E5BBD09DC44147EEC52FB32872A7276BB592590C097D3B2D02A22

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: 0C5095D8B75D7967A2B4B5584F1F1BC6
  SHA256: 591E562B50D416950F1A4EC3D0731A98579DC6895368D2AA0E01F02EF4FBFF0C

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: DC1120404D394058602704708931981D
  SHA256: F925C17792BE0E2C79B310AEE572F81006785DEB8E0B6E27FF63AB37FDEE5331

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable
  MD5: 736CE567D62F3875C36EE1DE95F215B7
  SHA256: 3AC065DE878BCB2A478853FA437C0E1C493BEFC60D191D2C049914D2153E579C

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
  MD5: 95796C35420104ABCE852D9E2D27FDFD
  SHA256: 0BDFFD8AAA0C3E805E3DDFCEBCF87A2CACA39D5782DBA9046A2260E8F3ADF99C

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
  MD5: 8FEA5DC662D6E444D0C97BBFAABA7496
  SHA256: 480659AB1BB82E7375E581970EA2509E6CAF5CD329707A9BACD66EA871477074

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp | executable
  MD5: AEFC411AB06F2F019E9487EA6E7B5EC5
  SHA256: 00C6552516E5BD99D484FD6DC3D4B60273E856AC8E03AD63C8FC60CA8513A057

5448 | b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
  MD5: BD2DEC3075B6F8C81B50CAB018479FA5
  SHA256: 3DEE6AA9267301DCD07BF85A6661AE98BE3C07939339BF2A5B1D04F784D04388
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 19
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
 |  | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1684 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5988 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1684 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

5988 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1684 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 |  |  |  | whitelisted
4712 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
5988 | RUXIMICS.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1684 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5988 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.186.78 | whitelisted
crl.microsoft.com | 2.16.164.9, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
self.events.data.microsoft.com | 20.42.73.27 | whitelisted

Threats

No threats detected
No debug info