File name: e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe

Full analysis: https://app.any.run/tasks/13d1c542-8976-444c-b40d-fe9d09166e12
Verdict: Malicious activity
Analysis date: January 10, 2025, 22:34:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: C23436A55768FDAADAE63A0C8A5340A0
SHA1: 4A7BED3A42938356E86F1C8901F6EAB1E639DA74
SHA256: E57BB38EAD28545CC162A12CB522C58A55518E454B365E7D7A90DC33E8060FA6
SSDEEP: 12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7UvVVVVVVVVguFTDhSfWJUNo5kUe70Rqhjzum:AuFRSfWJUq5kUehuFRSfWJUq5kUeARqT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
  • SUSPICIOUS
    • Creates a file in the system drive root
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • The process creates files with names similar to system file names
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • Executable content was dropped or overwritten
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
  • INFO
    • Creates files or folders in the user directory
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • Checks supported languages
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
    • UPX packer has been detected
      • e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe (PID: 4500)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 120
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start #ZOMBIE e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe

Process information

PID: 4500
CMD: "C:\Users\admin\Desktop\e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe"
Path: C:\Users\admin\Desktop\e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe
Indicators: -
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 231
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | (filename, type and hashes are empty for this entry in the export)
MD5: -
SHA256: -

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp | executable
MD5: 3499973D429BD5EC544FBC07B8EFF04E
SHA256: 3F7502EDFA9B2B09EF83D6741244F945D13960EC14397ECE2799966F127B9A7F

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp | executable
MD5: 45BEDA62C42B292775C3F52CF5AA6C22
SHA256: 485E31F4835126295E5F9AD9A3E95F110DC20A97CCB8EFB04AC7D0E9B504F164

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
MD5: 4F178C7771F1BA2E752013E08108F5BB
SHA256: B77700FC792FC1E06DFD72927779A47C9541FDB554774A5B5D8204CE807E1077

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
MD5: 56CEC30C922B323476C2EE881503E88E
SHA256: BA965AD96B49D33E1352A751CB9B396F60E9B1D4D387291CBF9D34FD51EAE361

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp | executable
MD5: 21398A6B01396E7CAC81C4D9224898C2
SHA256: 4839BBAD9224B2251BEB0BAB483CEFF76CB78039660178BC71695F2F4172515F

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp | executable
MD5: 0354C1B5C1D560AF6F3120BEFCB407C9
SHA256: CC2CF159E88724ABDEFB5261C57672847EC4386C1FCC7E891BD9870141D4845C

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
MD5: 46954EAC7FF6F8F9D6291A023A3510D7
SHA256: EAFCB06DDA3E6A705C94D6AD1630E1B5678124AE73A3E3539F6CD6A115E6112F

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp | executable
MD5: 027B418833150FF84DE66A5E622B0C6F
SHA256: 24F3365B7F17C415FA8DDC9469E8C0FEA9B3612C38424045F6F9E8210FABA07C

4500 | e57bb38ead28545cc162a12cb522c58a55518e454b365e7d7a90dc33e8060fa6.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp | executable
MD5: 3625A72C417910BA98F82DC9931C41DA
SHA256: 639176482EC4BD39E35B59E09BB00E4B764B4112E13D94F5D0FF331F3E015549
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 19
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation (the Type and Size columns are empty in this export)

1016 | svchost.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
188 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
188 | RUXIMICS.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
1016 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

188 | RUXIMICS.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1016 | svchost.exe | 20.73.194.208:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1016 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
188 | RUXIMICS.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1016 | svchost.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4712 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
188 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
self.events.data.microsoft.com
  • 52.182.143.209
whitelisted

Threats

No threats detected
No debug info