File name:

dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580

Full analysis: https://app.any.run/tasks/ad5ec8c4-7f6d-4133-b49d-715b599fecc0
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:36:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

3D4CE9F06D976056BF3447AC0452BA2C

SHA1:

46392B7DDDD8982CFCBCB4311A321319F71871FD

SHA256:

DC01297C74F056AE175BAB404E6C27FD3062273EA11434A8DF115B4B82FCF580

SSDEEP:

1536:EhPpyASvVVVVVVVVWs5jf/ASvVVVVVVVV+s5jfsS:cpDSvVVVVVVVVrf4SvVVVVVVVVTfH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

    • The process creates files with name similar to system file names

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

  • INFO

    • Checks supported languages

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

    • Creates files or folders in the user directory

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)

    • UPX packer has been detected

      • dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe (PID: 5432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe

Process information

PID
CMD
Path
Indicators
Parent process
5432"C:\Users\admin\Desktop\dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe" C:\Users\admin\Desktop\dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 765
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp
MD5:
SHA256:
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exe
MD5:
SHA256:
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:E97271EFA98555FC90CF86436428C061
SHA256:3DEF8E661D0204A9A12B6258EB0F8E69C8E337DF8379832B42FB2179A5DB3549
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:B9034D491AA47EE5F794BA57DC729D30
SHA256:BF02A8F1657F125A760364FF6FACE052C59D9201AAEA800674F4F8A182709E6D
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmpexecutable
MD5:038DCA898BF6F09100AAEB9C4A95BF92
SHA256:2156AE6B76A38673424A83CC4B872FBD4A9E66C5F3E0F127D98C5C37E5636E57
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmpexecutable
MD5:6AE090DB673FC9B02DFBEC827F404604
SHA256:361F218789A79EDE0A36F92618ECE0D85FA49A65E99EC6E3F9494C2C352EE0B4
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmpexecutable
MD5:8BD04A61530E92F507947136348670F3
SHA256:2CC027DB0347261B15F8D3885E3E15E934EBFC4097EC8AFC72D3786E87DB4AA1
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:794DD44F464158D8D609CD1B52E2BDB9
SHA256:BED7BE26B36CC20ADDAC9B5F63864163A2E76A5E652A4FB344EDFABB0124688C
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:E59744D65DC6CE79CCEABA6011CB72D8
SHA256:EC4491269463B649A701C98F0E37C0969AC1429335EC4B4B91EDE7BAF1FA2FAD
5432dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:BF2DC09E8A562A815B414DDA24912158
SHA256:C03D7880BFCF241B334EE71A30BD3A1E7E8D402FF04020ECED22B671D13E1D15
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5580
svchost.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5580
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
5580
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5580
svchost.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5580
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5580
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.110
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 20.42.65.94
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
dc01297c74f056ae175bab404e6c27fd3062273ea11434a8df115b4b82fcf580