File name: bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
Full analysis: https://app.any.run/tasks/ef3c8fe8-307c-46b6-adad-5dae56fa4179
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:01:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 5159F505D351AAD992BB5A9228BB1474
SHA1: A4DC91FF6BC6556B9BEEFC9DF02074E6964548AA
SHA256: BEF09720420C26367F856266CF1803B7F235DB46DA3545EB7A7878E39570BFB2
SSDEEP: 6144:cdSvVVVVVVVVrfuj5q4uFTDhfqfWJUNo5kUe7xo6oD:XvVVVVVVVVrfuj5q4uFTDhSfWJUNo5ke

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • Creates file in the system drive root
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • The process creates files with names similar to system file names
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
  • INFO
    • Creates files or folders in the user directory
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • Checks supported languages
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
    • UPX packer has been detected
      • bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe (PID: 6268)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 117
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start: #ZOMBIE bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe

Process information

PID: 6268
CMD: "C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe"
Path: C:\Users\admin\Desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
Indicators:
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1 220
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | | | |
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmp | executable | 930208C890460E62F3F38890CB312506 | 94CAAE5DA94FF7779880C274EDEA38FB8875B2E7CEF171352758FE08D6726B4C
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp | executable | 43D228DE600E97199A4792192F666852 | E7F671BEB934278041D80F7C601E40877C3A80EE5D527C966CCC1CDB500AA3F7
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmp | executable | 686E8DD7476236EA1178E7217BE24E1A | 97041271E7AC663DB71140B0798804B6180A67203F9AB928FA09AA9D23D7D85B
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable | DD3FB2C82DF4347178575789A97433BD | A7FFA6280813619829B23C9DBBEAB24CE364CED16C14193012C03F086D7E929C
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable | 0436A84C8776892A9EFB198B03B803E2 | 23F94973C824D7C4ACCCD14C18EB8131977B3D6585E0F7B41BB21C350563CCD9
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable | 1C5CCDA8BE65EE79D31FAEACEA188E68 | B72DA35240DDF457A3D88254A70E8397F865B95E00663EFCDD1C3B1DCF52A7A2
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable | 7BC7B9C496C6AB4F33E78CB890768E17 | E9C1D4DF9A258C6927DBF4C162CDA0A4C29FBBD45AC638AC7432585349B31944
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable | 7C451527C38639A9A9402F0649A28BA4 | A642C1BECAE7AE1CD33427DE47EF80EEDF6EBF1B985B5C7D61E560A4B1D52734
6268 | bef09720420c26367f856266cf1803b7f235db46da3545eb7a7878e39570bfb2.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable | B9A76C379FD78D4210D3902BEFC5BB7F | D6579F0773A7DF28B5571EBF2C5974B23C92E4F715D79A337B965A61A1307D44
HTTP(S) requests: 2
TCP/UDP connections: 18
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.177:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4 | System | 192.168.100.255:137 | | | | unknown
| | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
4 | System | 192.168.100.255:138 | | | | unknown
4712 | MoUsoCoreWorker.exe | 23.48.23.177:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3976 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146, 40.127.240.158 | unknown
google.com | 216.58.206.46 | unknown
crl.microsoft.com | 23.48.23.177, 23.48.23.194, 23.48.23.167, 23.48.23.173, 23.48.23.137, 23.48.23.180, 23.48.23.190, 23.48.23.169, 23.48.23.166 | unknown
www.microsoft.com | 184.30.21.171 | unknown
self.events.data.microsoft.com | 20.189.173.14 | unknown

Threats

No threats detected
No debug info