File name:	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe
Full analysis:	https://app.any.run/tasks/18612bc5-109f-40f3-884a-f8d1f1d2d441
Verdict:	Malicious activity
Analysis date:	August 01, 2025, 05:49:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections
MD5:	C33D11BF700D9BBCB63949B2BBF42549
SHA1:	72990F2562F33DB05CEE0126E9E77F2DA437E143
SHA256:	E296F4F21D6372637A3B03EC8D980DDDCF57FE297555217F0F00FFEE426D735B
SSDEEP:	1536:UjVABc9F8xi59F8xiG+3+U3aWf5jsdeWjEXLT2LTe:Uaof5jsdeWjEXLT2LTe

.exe	\|	Win32 Executable (generic) (42.4)
.exe	\|	Win16/32 Executable Delphi generic (19.5)
.exe	\|	Generic Win/DOS Executable (18.8)
.exe	\|	DOS Executable Generic (18.8)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	-
CodeSize:	-
InitializedDataSize:	-
UninitializedDataSize:	-
EntryPoint:	0x6000
OSVersion:	1
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe			—
		MD5:—	SHA256:—
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:7AE6D041D16DD3685AFC99CE67929320	SHA256:9113655EA73ABD1D20B72803DF0E0566DD09378CE795AB179A8DD64E5EBEBBE8
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe	C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp		executable
		MD5:CD126E94CE1F0319B5D7631DED62D1A4	SHA256:6969C345A86C83F68809874488E0E2DFE594AA4A4A5CF9A6B6B4673972C0721D
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe		executable
		MD5:E9197E1C87070894E8A7617205B90E8D	SHA256:797B22F95D8C973767F303B965A8EF81C4C43A4588275C242BFF98D7E968DA12
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp		executable
		MD5:EF9058954E1AF4BBB39EF002894A5E67	SHA256:323F08872D102C85EBCDF5C9DB0900CE31046E7737383B841B93300D29648935
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp		executable
		MD5:2A953FFC9A18D6E56548AD6B12D0FEE3	SHA256:0100532ABD205F73BAD48F782C6249498ACDC421750416099EDA755D74A4DB5F
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp		executable
		MD5:E9197E1C87070894E8A7617205B90E8D	SHA256:797B22F95D8C973767F303B965A8EF81C4C43A4588275C242BFF98D7E968DA12
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmp		executable
		MD5:8632ED21ED5F25E100B2A6CB6E100112	SHA256:6B27B67F68C4DEDE0458C486BC4584A9A9FB4EBDEBACB3CE12683B97A50FE9E8
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp		executable
		MD5:41AED069840E8954F0410A6EE6B3C9DD	SHA256:2A5258F66315C8B1A33B7554B6AB29AC40791929BDEFCE990F7DA7FB13F6EC1E
4824	e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:B7A0FFF407E3755440A29D4C381104E9	SHA256:3700FA9CF9386F9491B7D3860EE73C2C867A7121D53B778BAB51A7BBC5EE2F11

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5944	MoUsoCoreWorker.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3160	RUXIMICS.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3160	RUXIMICS.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	40.126.32.76:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	20.190.160.66:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.5:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	—	—	whitelisted
—	—	POST	400	20.190.160.65:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.132:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3160	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3160	RUXIMICS.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
1268	svchost.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3160	RUXIMICS.exe	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
login.live.com	40.126.32.76 20.190.160.20 20.190.160.17 20.190.160.130 20.190.160.132 20.190.160.65 20.190.160.66 20.190.160.5	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
self.events.data.microsoft.com	20.189.173.3	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
x1.c.lencr.org	2.23.197.184	whitelisted

General Info

e296f4f21d6372637a3b03ec8d980dddcf57fe297555217f0f00ffee426d735b.exe

C33D11BF700D9BBCB63949B2BBF42549

72990F2562F33DB05CEE0126E9E77F2DA437E143

E296F4F21D6372637A3B03EC8D980DDDCF57FE297555217F0F00FFEE426D735B

1536:UjVABc9F8xi59F8xiG+3+U3aWf5jsdeWjEXLT2LTe:Uaof5jsdeWjEXLT2LTe

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Creates file in the systems drive root

Executable content was dropped or overwritten

The process creates files with name similar to system file names

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings