File name:

bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe

Full analysis: https://app.any.run/tasks/ef3c8fe8-307c-46b6-adad-5dae56fa4179
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:01:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

5159F505D351AAD992BB5A9228BB1474

SHA1:

A4DC91FF6BC6556B9BEEFC9DF02074E6964548AA

SHA256:

BEF09720420C26367F856266CF1803B7F235DB46DA3545EB7A7878E39570BFB2

SSDEEP:

6144:cdSvVVVVVVVVrfuj5q4uFTDhfqfWJUNo5kUe7xo6oD:XvVVVVVVVVrfuj5q4uFTDhSfWJUNo5ke

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)

    • Executable content was dropped or overwritten

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)

    • The process creates files with name similar to system file names

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)

  • INFO

    • Checks supported languages

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)

    • Creates files or folders in the user directory

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)

    • UPX packer has been detected

      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe

Process information

PID
CMD
Path
Indicators
Parent process
6268"C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe" C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 220
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
MD5:
SHA256:
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:16D6D65B0C940F748D2083E28D087945
SHA256:43B80654B8AF923080D8AED80CD3FB58D9E1ADB9158972553573F4E3C39822F7
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:0436A84C8776892A9EFB198B03B803E2
SHA256:23F94973C824D7C4ACCCD14C18EB8131977B3D6585E0F7B41BB21C350563CCD9
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:7BC7B9C496C6AB4F33E78CB890768E17
SHA256:E9C1D4DF9A258C6927DBF4C162CDA0A4C29FBBD45AC638AC7432585349B31944
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:1C5CCDA8BE65EE79D31FAEACEA188E68
SHA256:B72DA35240DDF457A3D88254A70E8397F865B95E00663EFCDD1C3B1DCF52A7A2
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:B9A76C379FD78D4210D3902BEFC5BB7F
SHA256:D6579F0773A7DF28B5571EBF2C5974B23C92E4F715D79A337B965A61A1307D44
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:3998CFE05C542B6AF248EB5657D9AF5A
SHA256:2BABF93127B59D3A3DBAECB3E6FB811B973BBE113F3209C1E67B5CCFE82DD1CD
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmpexecutable
MD5:E88A5B794AE188886DCBCC393BB1D50E
SHA256:1776BA08888DCFDE9DC721BD07415873F934A345EA49705D2A0185B630B35065
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:EC23035034E25BA1D8665E03F5D53C17
SHA256:7A3E1FCBB4733652F9640C2C84F06B757E7BF56C69B64730D26AD1AFEFFE60DE
6268bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:0436A84C8776892A9EFB198B03B803E2
SHA256:23F94973C824D7C4ACCCD14C18EB8131977B3D6585E0F7B41BB21C350563CCD9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
18
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
4
System
192.168.100.255:137
unknown
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown
4
System
192.168.100.255:138
unknown
4712
MoUsoCoreWorker.exe
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3976
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 40.127.240.158
unknown
google.com
  • 216.58.206.46
unknown
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.194
  • 23.48.23.167
  • 23.48.23.173
  • 23.48.23.137
  • 23.48.23.180
  • 23.48.23.190
  • 23.48.23.169
  • 23.48.23.166
unknown
www.microsoft.com
  • 184.30.21.171
unknown
self.events.data.microsoft.com
  • 20.189.173.14
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe