File name:	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45
Full analysis:	https://app.any.run/tasks/f3c9d8dd-e827-4dc9-adf9-6ef33da7ad78
Verdict:	Malicious activity
Analysis date:	December 09, 2024, 02:39:22
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:	6FDEACD1E5F3981A8F4083E1ECE4E48B
SHA1:	2E5F72C77D205FC4A59576574D3BB2444A13460D
SHA256:	B968E304D5C07DBB067758577FC634D1EB6241BF5FB7950AA90A6A72282A6F45
SSDEEP:	3072:oSvVVVVVVVVwgWsgWruFN1u8h55q8I+r8xLhWJEd2aNB415kUe7K:oSvVVVVVVVVFuFTDhfqfWJUNo5kUe7K

.exe	\|	UPX compressed Win32 Executable (64.2)
.dll	\|	Win32 Dynamic Link Library (generic) (15.6)
.exe	\|	Win32 Executable (generic) (10.6)
.exe	\|	Generic Win/DOS Executable (4.7)
.exe	\|	DOS Executable Generic (4.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:03:15 04:06:07+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	8192
InitializedDataSize:	4096
UninitializedDataSize:	24576
EntryPoint:	0x7f80
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe			—
		MD5:—	SHA256:—
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe		executable
		MD5:DC1120404D394058602704708931981D	SHA256:F925C17792BE0E2C79B310AEE572F81006785DEB8E0B6E27FF63AB37FDEE5331
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe	C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp		executable
		MD5:BA03909716A4E538550E6DC3B838827C	SHA256:55D0000334A1529A86513897AA3EEF781113E78668154A80EEF1D9BF1DF1BB03
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp		executable
		MD5:736CE567D62F3875C36EE1DE95F215B7	SHA256:3AC065DE878BCB2A478853FA437C0E1C493BEFC60D191D2C049914D2153E579C
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp		executable
		MD5:DC1120404D394058602704708931981D	SHA256:F925C17792BE0E2C79B310AEE572F81006785DEB8E0B6E27FF63AB37FDEE5331
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:78DE9BC0BBF83E95E4F37723D7C45F1A	SHA256:74CC102F4E7E5BBD09DC44147EEC52FB32872A7276BB592590C097D3B2D02A22
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe	C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp		executable
		MD5:C21DF23E09F41F5AF5AB871070CEB797	SHA256:5C740DB2F058C0ABF744645F07EC97AE863544302E44E484A1965705B45AF7EE
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:67443DDF3BFDC9B2CA8442FE40A7DF9A	SHA256:5CDDAB78799AB6A27B98C1A51C0EE723E9DB8A71665E74D395560F53B8328458
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp		executable
		MD5:276C4B5DE3B245C805D6008BBE4F9F7E	SHA256:38ADA3916F643EDBCD5F9FB387F6D44F5344FB21A6FE775AE0905A63683F37F8
5448	b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45.exe	C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp		executable
		MD5:BE0461E8DDF76FAF88C8E5237312D762	SHA256:14B0567908F7B49D058829C7332E0D8FB20A697B003AFFF1A26B665EDFCF8A9E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1684	svchost.exe	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	2.16.164.9:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5988	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1684	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5988	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1684	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5988	RUXIMICS.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
1684	svchost.exe	2.16.164.9:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5988	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.186.78	whitelisted
crl.microsoft.com	2.16.164.9 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
self.events.data.microsoft.com	20.42.73.27	whitelisted

General Info

b968e304d5c07dbb067758577fc634d1eb6241bf5fb7950aa90a6a72282a6f45

6FDEACD1E5F3981A8F4083E1ECE4E48B

2E5F72C77D205FC4A59576574D3BB2444A13460D

B968E304D5C07DBB067758577FC634D1EB6241BF5FB7950AA90A6A72282A6F45

3072:oSvVVVVVVVVwgWsgWruFN1u8h55q8I+r8xLhWJEd2aNB415kUe7K:oSvVVVVVVVVFuFTDhfqfWJUNo5kUe7K

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Creates file in the systems drive root

Executable content was dropped or overwritten

The process creates files with name similar to system file names

INFO

UPX packer has been detected

Checks supported languages

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings