File name: bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21

Full analysis: https://app.any.run/tasks/99486514-5d12-46df-a7d1-825789a50fce
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:10:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: C533D22B9B3D8B104178A82E133A794D
SHA1: 0A89DCBA6C634472CE10266D1504A5F4EEA2EFDA
SHA256: BC085F728A5D36E9FAEA30E865E4CD9A51606C0A6C43AE6BAC6D610F23E7FA21
SSDEEP: 3072:cpDSvVVVVVVVVIgWsgW2uFN1u8h55q8I+r8xLhWJEd2aNB415kUe7g0j:cdSvVVVVVVVVIuFTDhfqfWJUNo5kUe7J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
    • The process creates files with names similar to system file names
      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
  • INFO
    • Checks supported languages
      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
    • Creates files or folders in the user directory
      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
    • UPX packer has been detected
      • bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe (PID: 2100)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
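The EXIF block above is what a static PE header walk yields. As an added example (not code from the ANY.RUN report), the reader below recovers the same fields from raw bytes and flags UPX from the section names. The bytes returned by build_sample_pe() are constructed header-only stand-ins that copy the report's values (timestamp, characteristics, sizes, entry point, subsystem); the section names UPX0/UPX1/UPX2/.rsrc are an assumption, since the report only says "UPX compressed, 4 sections", and none of this is the real sample.

```python
"""Added example, not part of the ANY.RUN report: a minimal PE32 header reader
that recovers the EXIF-style static fields listed above and flags UPX by
section name. build_sample_pe() returns CONSTRUCTED headers that mirror the
report's values; it is not the real sample."""
import struct
from datetime import datetime, timezone

# IMAGE_FILE_* characteristics, labelled the way ExifTool prints them.
CHARACTERISTIC_LABELS = [
    (0x0001, "No relocs"),
    (0x0002, "Executable"),
    (0x0004, "No line numbers"),
    (0x0008, "No symbols"),
    (0x0100, "32-bit"),
    (0x0200, "No debug"),
]
MACHINES = {0x014C: "Intel 386 or later, and compatibles", 0x8664: "AMD64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_summary(data: bytes) -> dict:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> PE32 optional
    header -> section table. Raises ValueError on anything that is not PE32."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, tstamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, coff)          # 20-byte COFF header
    opt = coff + 20
    magic, link_major, link_minor, code_sz, init_sz, uninit_sz, entry = \
        struct.unpack_from("<HBBIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    # Offsets below are relative to the optional header (PE32 layout).
    os_major, os_minor, _img_major, _img_minor, ss_major, ss_minor = \
        struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    sect_table = opt + opt_size
    names = []
    for i in range(nsections):
        raw = data[sect_table + 40 * i: sect_table + 40 * i + 8]  # 40-byte IMAGE_SECTION_HEADER
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    ts = datetime.fromtimestamp(tstamp, tz=timezone.utc)
    return {
        "MachineType": MACHINES.get(machine, hex(machine)),
        "TimeStamp": ts.strftime("%Y:%m:%d %H:%M:%S+00:00"),
        "ImageFileCharacteristics": ", ".join(
            label for bit, label in CHARACTERISTIC_LABELS if chars & bit),
        "PEType": "PE32",
        "LinkerVersion": (link_major, link_minor),
        "CodeSize": code_sz,
        "InitializedDataSize": init_sz,
        "UninitializedDataSize": uninit_sz,
        "EntryPoint": entry,
        "OSVersion": (os_major, os_minor),
        "SubsystemVersion": (ss_major, ss_minor),
        "Subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "Sections": names,
        # Cheap triage only: a repacked or renamed UPX build will not match,
        # which is why the report also relies on a YARA rule.
        "UPXPacked": any(n.upper().startswith("UPX") for n in names),
    }


def build_sample_pe(section_names=("UPX0", "UPX1", "UPX2", ".rsrc")) -> bytes:
    """CONSTRUCTED header-only PE32 carrying the report's EXIF values. The
    section names are an assumption (the report says only '4 sections')."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100 | 0x0200
    link_time = 1300161967                      # 2011-03-15 04:06:07 UTC
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), link_time, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)                       # PE32 optional header incl. 16 data directories
    struct.pack_into("<HBBIIII", opt, 0, 0x10B, 6, 0, 8192, 4096, 24576, 0x2130)
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 0, 0, 4, 0)   # OS 4.0, image 0.0, subsystem 4.0
    struct.pack_into("<H", opt, 68, 2)                        # IMAGE_SUBSYSTEM_WINDOWS_GUI
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for key, value in parse_pe_summary(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Point parse_pe_summary() at the bytes of a real file to compare against the EXIF values; the section-name check is a quick first pass only and should be backed by a YARA or entropy check, as the report's own UPX detection is.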
All screenshots are available in the full report
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe

Process information

PID: 2100
CMD: "C:\Users\admin\Desktop\bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe"
Path: C:\Users\admin\Desktop\bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (images loaded)

c:\users\admin\desktop\bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

The two ntdll.dll copies together with wow64.dll, wow64win.dll and wow64cpu.dll are the WOW64 layer: the 32-bit (PE32) sample runs under WOW64 on the 64-bit guest, so its kernel32.dll and msvcrt.dll resolve from SysWOW64 rather than System32.
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 1479
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries were written by PID 2100 (bc085f728a5d36e9faea30e865e4cd9a51606c0a6c43ae6bac6d610f23e7fa21.exe).

Filename | Type | MD5 | SHA256
(filename not recorded) | | |
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | 640947F5D922636B7F6CA20304799390 | 5F4F41FF2541BA2F8178B751A9302861FDD7E416FA9A11F8D202BD5826401230
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp | executable | 7794C5E6DA6E4DB049870A54561685DD | B53DAF62EA182E29BC0228190F2C9509076BE84E8B4B1CD4455E4A62B58C8D25
C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | 606E20E05C586C8353A7D919240E625A | 10F54222586DC7EFCF4C1B0FA002B3F199E108CD786241B3C4669CCD3CC02A87
C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 20A2F7E1DA013034CBF56877A408B4F8 | 452BBC2D3142F3FD772DD4EC04A05D1B565F1CDE93F093EBA48F5CA83BFB59A9
C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable | 640947F5D922636B7F6CA20304799390 | 5F4F41FF2541BA2F8178B751A9302861FDD7E416FA9A11F8D202BD5826401230
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | 58115F902087FB8F13F56853D8731D0C | 365191064E90664067C124107FEE1BC4886FD3C1C0D4336FBCE079E59C280C9F
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp | executable | B153B953FAA35E80C66A452D36C1E710 | DD638D029B1A3D34B98B3904F6DFDF3F331F6D678016BDB0477526C9818D5CCC
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable | 17FA05A437DEE1A971FCE4B6800454F3 | BC0884432823B3169B55E77EBB5D5D5C336B554804F23446376F0566940BC18E
C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable | C7F4A2C848CE740BA5AC6AB78C021C82 | 47A7AA9C7BAC4BB6E3CED05B4F7BCA62C2060C6A67CE869E6F201F63F95172C8

Notes: every .tmp is typed "executable" regardless of the name it carries (.pdf, .png, .tlb, .dat), so the type column, not the extension, identifies the payload. desktop.ini.tmp and desktop.ini.exe share the same MD5 and SHA256, i.e. one payload written under two names. The VirtualStore paths are where UAC file virtualisation redirects writes that a medium-integrity process without a manifest attempts against Program Files and the drive root, so the sample was trying to write bootmgr.tmp and bootTel.dat.tmp next to C:\bootmgr and C:\bootTel.dat, and the .tmp copies next to the Acrobat binaries, and only ended up in VirtualStore because of the redirect.
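The dropped-files table above is the actionable part of this report: paths that imitate system file names, PE content behind data-file extensions, VirtualStore and $Recycle.Bin SID folders, and a small set of hashes. The triage rules below, an added example that is not ANY.RUN code, turn those observations into checks that can run over file-write events from an EDR or a sandbox export. The events are constructed from the report's paths and SHA256 values plus two benign controls; the leading bytes are assumed (the report gives only the type "executable", which implies an MZ header), and ntldr/thumbs.db in SYSTEM_NAMES are assumed extras not named in the report.

```python
"""Added example, not ANY.RUN code: triage rules for the dropped-files table
above. EVENTS are CONSTRUCTED from the report's paths and SHA256 values plus
two benign controls; the 'head' bytes are assumed."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# SHA256 values copied from the report's dropped-files table.
REPORT_SHA256 = {
    "5F4F41FF2541BA2F8178B751A9302861FDD7E416FA9A11F8D202BD5826401230",
    "B53DAF62EA182E29BC0228190F2C9509076BE84E8B4B1CD4455E4A62B58C8D25",
    "10F54222586DC7EFCF4C1B0FA002B3F199E108CD786241B3C4669CCD3CC02A87",
    "452BBC2D3142F3FD772DD4EC04A05D1B565F1CDE93F093EBA48F5CA83BFB59A9",
    "365191064E90664067C124107FEE1BC4886FD3C1C0D4336FBCE079E59C280C9F",
    "DD638D029B1A3D34B98B3904F6DFDF3F331F6D678016BDB0477526C9818D5CCC",
    "BC0884432823B3169B55E77EBB5D5D5C336B554804F23446376F0566940BC18E",
    "47A7AA9C7BAC4BB6E3CED05B4F7BCA62C2060C6A67CE869E6F201F63F95172C8",
}
# Names the sample imitated in the report; ntldr and thumbs.db are assumed extras.
SYSTEM_NAMES = {"desktop.ini", "bootmgr", "boottel.dat", "ntldr", "thumbs.db"}
PE_EXTS = (".exe", ".dll", ".scr")
# .tmp counts as an executable suffix here because every .tmp in the report was typed 'executable'.
STRIP_EXTS = PE_EXTS + (".tmp",)
DATA_EXTS = {".ini", ".dat", ".pdf", ".png", ".tlb", ".txt"}
SID_RECYCLE = re.compile(r"\\\$Recycle\.Bin\\S-1-5-21-\d+-\d+-\d+-\d+\\", re.I)


def triage(event: dict) -> list:
    """Return the names of the rules a single file-write event triggers."""
    path = PureWindowsPath(event["path"])
    name = path.name.lower()
    suffixes = [s.lower() for s in path.suffixes]
    hits = []
    if event["sha256"].upper() in REPORT_SHA256:
        hits.append("known_ioc_hash")
    if "\\virtualstore\\" in str(path).lower():
        # UAC file virtualisation: a medium-integrity legacy app writing to
        # Program Files or the drive root is redirected here.
        hits.append("uac_virtualstore_redirect")
    if SID_RECYCLE.search(str(path)):
        hits.append("recycle_bin_sid_dir")
    base = next((name[:-len(e)] for e in STRIP_EXTS if name.endswith(e)), name)
    if base != name and base in SYSTEM_NAMES:
        hits.append("system_name_with_exec_ext")       # desktop.ini.exe, bootmgr.tmp
    if len(suffixes) >= 2 and suffixes[-1] in STRIP_EXTS and suffixes[-2] in DATA_EXTS:
        hits.append("double_extension")                # foo.pdf.tmp, desktop.ini.exe
    if event["head"].startswith(b"MZ") and (not suffixes or suffixes[-1] not in PE_EXTS):
        hits.append("pe_under_non_exe_name")           # PE content behind .tmp/.png/...
    return hits


def triage_events(events) -> dict:
    """Map each path to its rule hits (clean paths are included with [])."""
    return {e["path"]: triage(e) for e in events}


def same_content_aliases(events) -> dict:
    """SHA256 -> list of paths, keeping only hashes written under 2+ names."""
    groups = defaultdict(list)
    for e in events:
        groups[e["sha256"].upper()].append(e["path"])
    return {h: p for h, p in groups.items() if len(p) > 1}


RECYCLE = r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001"
VS = r"C:\Users\admin\AppData\Local\VirtualStore"
EVENTS = [  # constructed from the report; head bytes assumed
    {"path": RECYCLE + r"\desktop.ini.exe", "head": b"MZ\x90\x00",
     "sha256": "5F4F41FF2541BA2F8178B751A9302861FDD7E416FA9A11F8D202BD5826401230"},
    {"path": RECYCLE + r"\desktop.ini.tmp", "head": b"MZ\x90\x00",
     "sha256": "5F4F41FF2541BA2F8178B751A9302861FDD7E416FA9A11F8D202BD5826401230"},
    {"path": VS + r"\bootmgr.tmp", "head": b"MZ\x90\x00",
     "sha256": "10F54222586DC7EFCF4C1B0FA002B3F199E108CD786241B3C4669CCD3CC02A87"},
    {"path": VS + r"\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp",
     "head": b"MZ\x90\x00",
     "sha256": "47A7AA9C7BAC4BB6E3CED05B4F7BCA62C2060C6A67CE869E6F201F63F95172C8"},
    # benign controls (constructed, not from the report)
    {"path": r"C:\Users\admin\Documents\invoice.pdf", "head": b"%PDF-1.7", "sha256": "0" * 64},
    {"path": r"C:\Windows\System32\notepad.exe", "head": b"MZ\x90\x00", "sha256": "1" * 64},
]

if __name__ == "__main__":
    for p, hits in triage_events(EVENTS).items():
        print(f"{p}: {hits or 'clean'}")
    for h, paths in same_content_aliases(EVENTS).items():
        print(f"{h[:16]}... written as {paths}")
```

The hash rule is the weakest of the set (a file infector produces a different hash per victim), so the name and content rules are what generalise; same_content_aliases() is the check that surfaces the desktop.ini.tmp/desktop.ini.exe pair without needing the hash list at all.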
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN/Type | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.19.198.194:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.202.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

(Of the CN, Type and Size columns only a single value, "unknown", survived extraction for each row.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
444 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
444 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4712 | MoUsoCoreWorker.exe | 2.19.198.194:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.37.202.100:80 | www.microsoft.com | Linknet-Fastnet ASN | ID | whitelisted
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

(Rows marked "-" had no PID/process or domain recorded in the source.)

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 172.217.18.14 | whitelisted
crl.microsoft.com | 2.19.198.194, 23.32.238.34 | whitelisted
www.microsoft.com | 23.37.202.100 | whitelisted
self.events.data.microsoft.com | 20.42.73.31 | whitelisted

Threats

No threats detected.

Note that no HTTP request or connection in this report is attributed to the sample (PID 2100). Every recorded entry comes from Windows background processes (svchost.exe, MoUsoCoreWorker.exe, System) fetching Microsoft CRLs and telemetry endpoints, which is why all of them are whitelisted; the network section therefore adds nothing to the verdict, which rests on the YARA match and the dropped files.

Debug info: none