File name:

d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb

Full analysis: https://app.any.run/tasks/cd4cecb3-1d5f-4407-9ed9-4981d09e7f60
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:41:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

FDD0D9AABE362320875655B2496A1F2A

SHA1:

445E06864055F6CED307084AAE3C6964A3F5029E

SHA256:

D8804AF1EF1DB28FB42859F5B2911DABE2B24C565D1B16413D3EFB23DD37F7EB

SSDEEP:

12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7UvVVVVVVVVguFTDhSfWJUNo5kUe7P:AuFRSfWJUq5kUehuFRSfWJUq5kUeT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)

    • Executable content was dropped or overwritten

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)

    • The process creates files with name similar to system file names

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)

  • INFO

    • Creates files or folders in the user directory

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)

    • UPX packer has been detected

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)

    • Checks supported languages

      • d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe (PID: 1392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
118
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe

Process information

PID
CMD
Path
Indicators
Parent process
1392"C:\Users\admin\Desktop\d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe" C:\Users\admin\Desktop\d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
925
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exe
MD5:
SHA256:
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:CD6E86C56609E08331B668269415D886
SHA256:7D66A5083A0AA0207D9B8DB37CB4FC23BBDC7FE6BF72C41E08B338B105CBEE64
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:8472C4E97F375881C28F98FD83A9D65B
SHA256:D880AAAAF0BB280C2E239E8D48124C669E9190B4A451F68190AF5E8C19B0BECC
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmpexecutable
MD5:C353D0A521A6EFADD340A8FB62448368
SHA256:A82584E1F08B1E0BEE942AC793AC9935E1BAEB971021184393A9F11428B1ABE9
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:3BEB68B2E2E97B512F7710CDE2F4C41E
SHA256:5A1EA33352A5A351BB4356454182EB21BF86D7029D4EC43E705155791DEBCEC4
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:EF8680FF75B13D31C8CE4D88974B6872
SHA256:65C23FCD4291576196A6D1092D94469E2BAB4CBF7711A85FB1B5A7D2ACD4BA70
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:1CA61430A84B88E5F895D9A7F99CB5BA
SHA256:62EB13A9C98AAC7A1341FEF7E244F137C52FB65B7D18795B5E98C0408CCF1CFE
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:E3ED1E8E3730E8B88B552B4D475112B9
SHA256:7E401A7D05C859029739D4D623DD3090A55C1840F515B5E3056DF8E56E5DD9BA
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:CD6E86C56609E08331B668269415D886
SHA256:7D66A5083A0AA0207D9B8DB37CB4FC23BBDC7FE6BF72C41E08B338B105CBEE64
1392d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:63D41CC5C40F5BA7567DB6256B2BAF7B
SHA256:2CB5E2BFA5938C8CB55E61FF12E067889BAB3185D07C66EDB135AE9235D57A9B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
17
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3508
svchost.exe
GET
200
95.101.54.224:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3508
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
95.101.54.224:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3508
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
95.101.54.224:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3508
svchost.exe
95.101.54.224:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3508
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 95.101.54.224
  • 95.101.54.240
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 52.182.143.208
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
d8804af1ef1db28fb42859f5b2911dabe2b24c565d1b16413d3efb23dd37f7eb