File name:

b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835

Full analysis: https://app.any.run/tasks/f3067940-e398-485d-8e14-621d29eac4d3
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:20:32
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

625111165B46FA07216CB0B131F483F2

SHA1:

1EF5826BF30D1ED5752305F795A98F2967731325

SHA256:

B9CEACA5942E3E765D6D9C30422B56C0A7F98AAD31CA109E78561D0DCEE0A835

SSDEEP:

24576:BuFRSfWJUq5kUebuFRSfWJUq5kUeKuFRSfWJUq5kUebuFRSfWJUq5kUed:4FRSfWJ9kUeiFRSfWJ9kUejFRSfWJ9kn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
  • SUSPICIOUS

    • Creates file in the systems drive root

      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
    • Executable content was dropped or overwritten

      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
    • The process creates files with name similar to system file names

      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
  • INFO

    • Creates files or folders in the user directory

      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
    • Checks supported languages

      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
    • UPX packer has been detected

      • b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe (PID: 5864)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
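Every value in the "File info" and EXIF blocks above (machine type, link-time timestamp, linker version, section sizes, entry point, OS/subsystem versions, section count) is read straight from the PE headers, and the report's "UPX compressed" / "UPX packer has been detected" labels are normally raised on the UPX0/UPX1 section names or the UPX stub signature. The reader below is an added example written for this page, not ANY.RUN, ExifTool or TrID code, and uses only the Python standard library. It parses a constructed, header-only PE32 stub built from the report's values; the stub's section names (UPX0, UPX1, UPX2, .rsrc) are an assumption, because the report does not list the sample's section names. Run it with the real file as its argument to compare against the block above.

```python
"""Minimal PE32 header reader (added example, standard library only)."""
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD64",
            0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
# IMAGE_FILE_* characteristic bits, labelled the way ExifTool prints them.
CHARACTERISTICS = [(0x0001, "No relocs"), (0x0002, "Executable"),
                   (0x0004, "No line numbers"), (0x0008, "No symbols"),
                   (0x0100, "32-bit"), (0x0200, "No debug"), (0x2000, "DLL")]
UPX_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled; PE32+ lays out the header differently")
    os_maj, os_min, img_maj, img_min, ss_maj, ss_min = struct.unpack_from("<6H", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    names = []
    for i in range(nsect):  # section headers are 40 bytes each, right after the optional header
        raw = struct.unpack_from("<8s", data, opt + opt_size + i * 40)[0]
        names.append(raw.rstrip(b"\0").decode("latin-1"))
    return {
        "machine_name": MACHINES.get(machine, hex(machine)),
        # Link-time stamp is writer-controlled: treat it as a hint, never as evidence.
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "characteristics": [label for bit, label in CHARACTERISTICS if chars & bit],
        "linker_version": f"{lmaj}.{lmin}",
        "code_size": code, "initialized_data_size": idata, "uninitialized_data_size": udata,
        "entry_point": entry,
        "os_version": f"{os_maj}.{os_min}", "image_version": f"{img_maj}.{img_min}",
        "subsystem_version": f"{ss_maj}.{ss_min}",
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "section_count": nsect, "section_names": names,
        # Name-based packer check: cheap, but trivially defeated by renaming sections.
        "upx_section_names": any(n in UPX_NAMES for n in names),
    }


def build_stub() -> bytes:
    """Constructed header-only PE32 carrying the report's EXIF values.
    Section names are assumed (typical UPX layout), not taken from the sample."""
    stamp = int(datetime(2011, 3, 15, 4, 6, 7, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 4, stamp, 0, 0, 224, 0x030F)
    opt = bytearray(224)
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 6, 0, 8192, 4096, 24576, 0x2130)
    struct.pack_into("<6H", opt, 40, 4, 0, 0, 0, 4, 0)         # OS, image, subsystem versions
    struct.pack_into("<H", opt, 68, 2)                          # IMAGE_SUBSYSTEM_WINDOWS_GUI
    sections = b"".join(struct.pack("<8sIIIIIIHHI", n, 0, 0, 0, 0, 0, 0, 0, 0, 0)
                        for n in (b"UPX0", b"UPX1", b"UPX2", b".rsrc"))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    import json, sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_stub()
    print(json.dumps(parse_pe(blob), indent=2))
```

Because section names and the timestamp are under the author's control, a UPX build with renamed sections or a patched stub passes the name check silently; confirm packing by unpacking (upx -d) or by section entropy rather than by names alone.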
Screenshots

All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

start #ZOMBIE b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe

Process information

PID: 5864
CMD: "C:\Users\admin\Desktop\b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe"
Path: C:\Users\admin\Desktop\b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe
Indicators: see the MALICIOUS / SUSPICIOUS / INFO signature list above (every entry names PID 5864)
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Loaded modules (images)

The sample is a 32-bit image running under WoW64 on the 64-bit guest, which is why the native ntdll.dll and the wow64*.dll translation layer appear next to the SysWOW64 copies of ntdll, kernel32, kernelbase and msvcrt:

c:\users\admin\desktop\b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 094
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

All entries below were written by PID 5864 (b9ceaca5942e3e765d6d9c30422b56c0a7f98aad31ca109e78561d0dcee0a835.exe), and the sandbox types every one of them as "executable" by content, whatever the file name says. Paths under %LOCALAPPDATA%\VirtualStore are UAC file-system virtualisation redirects: the medium-integrity process tried to write under C:\Program Files\Adobe\Acrobat DC\Acrobat\ and into the system-drive root (bootmgr.tmp, bootTel.dat.tmp), and Windows diverted those writes to the per-user store. desktop.ini.tmp and desktop.ini.exe in the user's $Recycle.Bin folder carry identical hashes.

Filename:
Type:
MD5:
SHA256:

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp
Type: executable
MD5: 71349AAA0ACB4BE6D6FD1A80C0948C6C
SHA256: A8BFB57F8FE498FF10B788084B0CB0FC87D647565EF06EBB2B5ADF2A642C603A

Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp
Type: executable
MD5: B7003549FCE12971A3A4270ECF603F9B
SHA256: AB0080BCD55DF28D2811502032087A63D335B7DA0C8E51166170EA29DCE2BC8E

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp
Type: executable
MD5: B17A4AC3730DDBE4A14B028B0D114C90
SHA256: 21D6BF39E3625CE31CCD4423A54F5B2EB0F447DD735B763369602C24E6E184C7

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp
Type: executable
MD5: ADF4BAFF7779BBF9C68E3E3584781D1B
SHA256: 487ABA3FB4EE032AB3F5F9954C8CF3E61F9E4C0D91866EA33AF107330F96A7E4

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp
Type: executable
MD5: 127FEEC973678A0A170F023F165497AD
SHA256: A39DD35CCC5781720FC82144C7E1506BADC876C579E27AC6F39DD7451D94E00E

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp
Type: executable
MD5: D380BC2210A489C4B047E4CFD9B201FD
SHA256: DF0641BA67177147E8F62624156A495A6301FE61D3CF3B30F0A6357903C51FB2

Filename: C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp
Type: executable
MD5: 00AE7A1B4D3ADFEF913E6B846C864AF3
SHA256: 343C899A13305395E1A98B9F8ED3313C4260E90371296031473179B56F29A6EB

Filename: C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe
Type: executable
MD5: B7003549FCE12971A3A4270ECF603F9B
SHA256: AB0080BCD55DF28D2811502032087A63D335B7DA0C8E51166170EA29DCE2BC8E

Filename: C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp
Type: executable
MD5: 146D8BF30BE0DA1A87CBE60C1D82DE04
SHA256: AB8CACD4EF65B53DC40FCFAD85989831A26AAEA8FA41C35E002DC254E6E00E20
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
17
DNS requests
4
Threats
0

HTTP requests

No HTTP requests

Connections

None of the listed connections is attributed to the analysed sample (PID 5864); every row belongs to a Windows system process, and the report records no HTTP requests and no network threats. Rows are grouped by process as in the report: IP:port | Domain | ASN | CN | Reputation.

4712 MoUsoCoreWorker.exe
  4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
  192.168.100.255:137 | - | - | - | whitelisted
  4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

188 svchost.exe
  4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

4 System
  192.168.100.255:138 | - | - | - | whitelisted

188 svchost.exe
  40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

3976 svchost.exe
  4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.46
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted

Threats

No threats detected
No debug info