File name:	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492
Full analysis:	https://app.any.run/tasks/68e983bf-b286-4346-9657-df57ba0ec583
Verdict:	Malicious activity
Analysis date:	May 15, 2025, 17:30:37
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	38B9113A1E50812D13AC0B80626AE38E
SHA1:	9C1FADCD6F1D9BCB21B6B2AC7E0FA3E0B44B12F1
SHA256:	D7F589B54037B1497768A9CFE5EB42A24B77EFE2A0805F83BD90B6191C54D492
SSDEEP:	1536:QPlbc9F8xi59F8xizyUtr8iwLl0ipIArEM6+n+1f1Jh4DShQO0y2VA7:alROIvRpIArE/bU9O0yF

.exe	\|	Win32 Executable (generic) (42.4)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.8)
.exe	\|	DOS Executable Generic (18.8)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	-
CodeSize:	-
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x2130
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe			—
		MD5:—	SHA256:—
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp		executable
		MD5:2361AB9F61B1C0513EBEA18013B86290	SHA256:C889164E9CBCBB6210844E12FB8DD5ECA251E979E4F8DCE2CBBE3D4FF6B0710E
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp		executable
		MD5:CF06FD61DF3D331800E55D0A68694289	SHA256:68112DBB86C029DC6AB666146E3F4D78FC1B20F53AECC4FE035410E12B85C403
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp		executable
		MD5:1E300B6A54C78E524C112903555A0CD6	SHA256:222C6A575FD4FC4F45671397118F9DB7111693C4AED25555C5FDE42FFE5B4B3E
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp		executable
		MD5:B6DCDA6A8394D20F4FB7F9033D95D6EC	SHA256:9D2B813C983DFA62176409F03D6954399AFECC5A0501922654803D2297698067
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe		executable
		MD5:32CA16DA8261B99F0EF957295889AC39	SHA256:2E9278B4EC02BBB463D434696086AAA79486C64CE633B90BBC1B4B49287A3822
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp		executable
		MD5:A8CBBBC38AE0D22D793D3CCFF19CC6E1	SHA256:BC829F91AF2C3D511C7FE75F8695B1FECA5C958FE4FA6162A075EFB768F3FC5C
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:B18FD4E0F68A58B3DCA781474275A9BD	SHA256:A9776A792F6AAA9F8959E2032C4EE6E11AC0358C80D67AE61E8E0F2B1955DDD6
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:2FA431AEB52607B91A1775B8C71A9D2D	SHA256:5B6FB51CE166E6C620473D8918F0223B0D60EDAC832BA5763430933E9279441F
5772	d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp		executable
		MD5:05B881882D65B885F9A9459F8CE2CF3F	SHA256:58249855C342351D7B478335B6ED7A0027DC6E8A03F01F277F19245ED359ADD2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5376	SIHClient.exe	GET	200	23.48.23.155:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.48.23.155:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.48.23.155:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
5376	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5376	SIHClient.exe	4.175.87.197:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5376	SIHClient.exe	23.48.23.155:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5376	SIHClient.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5376	SIHClient.exe	13.85.23.206:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
google.com	142.250.185.110	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
login.live.com	40.126.32.74 40.126.32.136 40.126.32.76 20.190.160.66 20.190.160.5 20.190.160.131 40.126.32.133 20.190.160.20	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
crl.microsoft.com	23.48.23.155 23.48.23.179 23.48.23.180 23.48.23.161 23.48.23.157 23.48.23.175 23.48.23.158 23.48.23.170 23.48.23.173	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.229.43	whitelisted

General Info

d7f589b54037b1497768a9cfe5eb42a24b77efe2a0805f83bd90b6191c54d492

38B9113A1E50812D13AC0B80626AE38E

9C1FADCD6F1D9BCB21B6B2AC7E0FA3E0B44B12F1

D7F589B54037B1497768A9CFE5EB42A24B77EFE2A0805F83BD90B6191C54D492

1536:QPlbc9F8xi59F8xizyUtr8iwLl0ipIArEM6+n+1f1Jh4DShQO0y2VA7:alROIvRpIArE/bU9O0yF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Creates file in the systems drive root

Executable content was dropped or overwritten

The process creates files with name similar to system file names

INFO

Creates files or folders in the user directory

Checks supported languages

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings