File name:	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492
Full analysis:	https://app.any.run/tasks/68e983bf-b286-4346-9657-df57ba0ec583
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 17:30:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	38B9113A1E50812D13AC0B80626AE38E
SHA1:	9C1FADCD6F1D9BCB21B6B2AC7E0FA3E0B44B12F1
SHA256:	D7F589B54037B1497768A9CFE5EB42A24B77EFE2A0805F83BD90B6191C54D492
SSDEEP:	1536:QPlbc9F8xi59F8xizyUtr8iwLl0ipIArEM6+n+1f1Jh4DShQO0y2VA7:alROIvRpIArE/bU9O0yF

.exe	\|	Win32 Executable (generic) (42.4)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.8)
.exe	\|	DOS Executable Generic (18.8)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	-
CodeSize:	-
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x2130
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe			—
		MD5:—	SHA256:—
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:B18FD4E0F68A58B3DCA781474275A9BD	SHA256:A9776A792F6AAA9F8959E2032C4EE6E11AC0358C80D67AE61E8E0F2B1955DDD6
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp		executable
		MD5:1E300B6A54C78E524C112903555A0CD6	SHA256:222C6A575FD4FC4F45671397118F9DB7111693C4AED25555C5FDE42FFE5B4B3E
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp		executable
		MD5:A8CBBBC38AE0D22D793D3CCFF19CC6E1	SHA256:BC829F91AF2C3D511C7FE75F8695B1FECA5C958FE4FA6162A075EFB768F3FC5C
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp		executable
		MD5:32DB47AB9BA153098DAEC211D6C4B1DF	SHA256:E04E0C78947EC54EEB21CBD2AFFF5A62E804EF8DD1BC10EE7002CE32AE876D58
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:2FA431AEB52607B91A1775B8C71A9D2D	SHA256:5B6FB51CE166E6C620473D8918F0223B0D60EDAC832BA5763430933E9279441F
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp		executable
		MD5:32CA16DA8261B99F0EF957295889AC39	SHA256:2E9278B4EC02BBB463D434696086AAA79486C64CE633B90BBC1B4B49287A3822
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp		executable
		MD5:A585189F6A95F81A7FE873AFBFADD3F6	SHA256:9CC9B1A84BC9B2AC8A0F6A5B67D1D4C3D3BEB51D495628A9108E508071DD6C6E
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp		executable
		MD5:64DA1000C09D9CF6466A71E5BE578895	SHA256:682C1E6FDF75508FE88AAE7296A254A40CE5887E22F40EB53A2B10C3E79CFFE7
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp		executable
		MD5:B6DCDA6A8394D20F4FB7F9033D95D6EC	SHA256:9D2B813C983DFA62176409F03D6954399AFECC5A0501922654803D2297698067

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5376	SIHClient.exe	GET	200	23.48.23.155:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.48.23.155:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.48.23.155:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5376	SIHClient.exe	4.175.87.197:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5376	SIHClient.exe	23.48.23.155:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5376	SIHClient.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5376	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
google.com	142.250.185.110	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	40.126.32.74 40.126.32.136 40.126.32.76 20.190.160.66 20.190.160.5 20.190.160.131 40.126.32.133 20.190.160.20	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
crl.microsoft.com	23.48.23.155 23.48.23.179 23.48.23.180 23.48.23.161 23.48.23.157 23.48.23.175 23.48.23.158 23.48.23.170 23.48.23.173	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.43	whitelisted

General Info

d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492

38B9113A1E50812D13AC0B80626AE38E

9C1FADCD6F1D9BCB21B6B2AC7E0FA3E0B44B12F1

D7F589B54037B1497768A9CFE5EB42A24B77EFE2A0805F83BD90B6191C54D492

1536:QPlbc9F8xi59F8xizyUtr8iwLl0ipIArEM6+n+1f1Jh4DShQO0y2VA7:alROIvRpIArE/bU9O0yF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

Creates file in the systems drive root

The process creates files with name similar to system file names

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings