File name: ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93

Full analysis: https://app.any.run/tasks/be0e52e1-f344-4e20-9c4c-f176f9ff8acd
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:42:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: zombie, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 18A7BFE9B0107C31BCB8AA6419398A8B
SHA1: 8B6EC61503AF53A1DF799EE5F0D05E7590FA48EF
SHA256: EC97AF940E709F506E9F40E2B9E0EA5AB915ED637A3471DE54C9583A906B3C93
SSDEEP: 1536:EhPpyASvVVVVVVVVWs5jf/ASvVVVVVVVV+s5jfs4:cpDSvVVVVVVVVrf4SvVVVVVVVVTf5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
  • SUSPICIOUS

    • Creates file in the system drive root

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
    • Executable content was dropped or overwritten

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
    • The process creates files with name similar to system file names

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
  • INFO

    • Creates files or folders in the user directory

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
    • Checks supported languages

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
    • UPX packer has been detected

      • ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (PID: 3620)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
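The file-info and EXIF fields above (PE32, 4 sections, UPX compressed, linker version 6, entry point, build timestamp in 2011) can be re-derived from the PE headers themselves rather than taken from the sandbox's labels. The Python script below is an added example and is not part of the ANY.RUN report or of the analysed sample: it parses the DOS, COFF, optional and section headers of a PE32 image by hand and reports the heuristics that mark a UPX-packed file (UPX0/UPX1 section names, a first section that is empty on disk but large in memory, and an entry point inside a writable and executable section). Because the sample is not reproduced here, `build_sample_pe()` constructs header-only images whose section layout, sizes and entry point are made up for illustration; only the timestamp is set to the report's value (2011-03-15 04:06:07) to show how that field is decoded. On a real file, call `inspect_pe(open(path, "rb").read())`.

```python
"""Hand-rolled PE32 header inspection with UPX-packing heuristics.

Added example, not part of the ANY.RUN report or of the analysed sample.
build_sample_pe() constructs header-only images with made-up layouts.
"""
import datetime
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Parse DOS, COFF, optional (PE32) and section headers into a dict."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, symbol table
    # pointer/count, SizeOfOptionalHeader, Characteristics.
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic, lmaj, lmin, code_sz, idata_sz, udata_sz, entry,
     _, _, image_base) = struct.unpack_from("<HBBIIIIIII", data, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    sections = []
    for i in range(nsec):
        name, vsize, va, raw_sz, raw_ptr, _, _, _, _, sflags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_sz,
                         "raw_ptr": raw_ptr, "flags": sflags})
    when = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return {"machine": machine, "characteristics": chars,
            "timestamp": when.strftime("%Y-%m-%d %H:%M:%S"),
            "linker": f"{lmaj}.{lmin}", "code_size": code_sz,
            "init_data_size": idata_sz, "uninit_data_size": udata_sz,
            "entry_point": entry, "image_base": image_base, "sections": sections}


def inspect_pe(data: bytes) -> dict:
    """Add packing heuristics on top of parse_pe()."""
    pe = parse_pe(data)
    secs, entry = pe["sections"], pe["entry_point"]
    entry_sec = next((s["name"] for s in secs
                      if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    wx = [s["name"] for s in secs
          if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE]
    upx_names = any(s["name"].startswith("UPX") for s in secs)
    # UPX leaves its first section empty on disk (raw size 0) but large in
    # memory: the decompressed image is written there at run time.
    hollow_first = bool(secs) and secs[0]["raw_size"] == 0 and secs[0]["vsize"] > 0
    return {"machine": pe["machine"], "timestamp": pe["timestamp"], "linker": pe["linker"],
            "entry_point": entry, "entry_section": entry_sec,
            "sections": [s["name"] for s in secs], "wx_sections": wx,
            "first_section_empty_on_disk": hollow_first,
            "upx_packed": bool(upx_names and hollow_first and entry_sec in wx)}


def _section(name, vsize, va, raw_size, raw_ptr, flags):
    return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, flags)


def build_sample_pe(packed: bool = True) -> bytes:
    """Constructed header-only PE32 image (layouts are illustrative, not the sample's)."""
    if packed:
        entry = 0x8D30  # inside UPX1, where the decompression stub lives
        secs = [_section(b"UPX0", 0x6000, 0x1000, 0, 0x400, 0xE0000080),
                _section(b"UPX1", 0x2000, 0x7000, 0x1400, 0x400, 0xE0000040),
                _section(b"UPX2", 0x1000, 0x9000, 0x200, 0x1800, 0xC0000040),
                _section(b".rsrc", 0x1000, 0xA000, 0x400, 0x1A00, 0xC0000040)]
    else:
        entry = 0x1130  # ordinary entry point inside a read+execute .text
        secs = [_section(b".text", 0x2000, 0x1000, 0x2000, 0x400, 0x60000020),
                _section(b".data", 0x1000, 0x3000, 0x200, 0x2400, 0xC0000040),
                _section(b".rsrc", 0x1000, 0x4000, 0x400, 0x2600, 0x40000040)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    # 0x4D7EE5AF = 2011-03-15 04:06:07 UTC, the report's TimeStamp value.
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0x4D7EE5AF, 0, 0, 0xE0, 0x030F)
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 6, 0, 0x2000, 0x1000, 0x6000, entry,
                      0x1000, 0x7000, 0x400000, 0x1000, 0x200)
    opt += b"\0" * (0xE0 - len(opt))
    return dos + b"PE\0\0" + coff + opt + b"".join(secs)


if __name__ == "__main__":
    for label, flag in (("packed", True), ("clean", False)):
        print(label, inspect_pe(build_sample_pe(flag)))
```

The heuristics are deliberately conservative: `upx_packed` requires all three signs at once, since renamed sections alone (a common evasion) or a single writable+executable section alone would each produce false positives on legitimate binaries.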
Total processes: 118
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe (#ZOMBIE)

Process information

PID: 3620
CMD: "C:\Users\admin\Desktop\ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe"
Path: C:\Users\admin\Desktop\ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM

Modules (images loaded; the wow64*.dll and syswow64 copies show the 32-bit sample running under WoW64 on the 64-bit OS):
c:\users\admin\desktop\ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11 (read: 11, write: 0, delete: 0)

Modification events

No data
Executable files: 1,187
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries were written by PID 3620 (ec97af940e709f506e9f40e2b9e0ea5ab915ed637a3471de54c9583a906b3c93.exe). The report lists only the following subset of the 1,187 executable files counted above.

C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe
  Type, MD5 and SHA256: not recorded

(filename not recorded)
  Type, MD5 and SHA256: not recorded

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp
  Type: executable
  MD5: E2B8B028C76C2A74BF33A2DFC44927EC
  SHA256: 5AC7FDE3DF8F4A5737D20AD652538C9C6257D46F341F15F347FE0CCC7EF53FEE

C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp
  Type: executable
  MD5: FA1902B8E716E66EBE0EC3566377A95F
  SHA256: 98AB9CB601A7F5CAE30813ED48112B6D85404E120CB21525F92C7D19386B4BCE

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp
  Type: executable
  MD5: 6B8A368D0F86264B4EF21FE2B3C6BA1A
  SHA256: F26031A5AC72AD29FCCBA6A9B4BB4EAE30571092917F21A8848BF099604DAC89

C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp
  Type: executable
  MD5: 0FF20B1036D41B2D0CF944EE0F94F604
  SHA256: B47376C9E583937BDC4CBA118285FFC7174F00F7C622689F3BD807A2FB4526ED

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp
  Type: executable
  MD5: A3156ED4D27A6BD15F453C96253A1D26
  SHA256: 0CCD978BBE13735537AE9DFDEF58D2AF512902C038B08551772A44FF15C05CEC

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp
  Type: executable
  MD5: A695D6A41D6E4461A9F7A051CE8DBA57
  SHA256: 7910E10102E41FBF60FC6DB43A4EC46C02A75CFF9DCEE2433C1E8437866E620E

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp
  Type: executable
  MD5: 59E140C6AAF671211DCDA13226200C6F
  SHA256: 9B8D67859818DB0AA790C5824CA74487991C046FFC0886E0D9A85E85E07FE411

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp
  Type: executable
  MD5: B353E8B1A17BD21E73E231BEC27F66B4
  SHA256: CDC823A12241440C2D97F18CD53E7A821F88808F107061DCF26A56FDD232CD28
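The dropped-file paths above carry more information than the signature names convey. Writes under C:\Users\admin\AppData\Local\VirtualStore\... are the product of UAC file virtualization: the sample runs at medium integrity, so its attempts to write into C:\Program Files\Adobe\... and into the drive root (BOOTNXT.tmp, bootTel.dat.tmp) were redirected into the user's VirtualStore instead of succeeding in place. The recorded type "executable" for files named *.pdf.tmp, *.png.tmp and *.tlb.tmp, together with desktop.ini.exe dropped in $Recycle.Bin, is the pattern of a file infector writing PE content beside or over existing files. The Python script below is an added example, not part of the ANY.RUN report or of the sample: it takes a list of dropped-file records (constructed here from the table above; the `head` bytes for the desktop.ini.exe entry are made up, since the report records no type for it), reconstructs the intended target of each virtualized write, and flags drive-root writes, system-file lookalikes, Recycle Bin writes and PE content under non-PE names.

```python
"""Triage a sandbox 'Dropped files' list for file-infector behaviour.

Added example, not part of the ANY.RUN report. SAMPLE is constructed from the
report's dropped-files table; the 'head' bytes are illustrative only.
"""
import re
from dataclasses import dataclass, field

# UAC file virtualization redirects writes that a medium-integrity legacy
# process aimed at protected locations (C:\Program Files, the drive root)
# into C:\Users\<user>\AppData\Local\VirtualStore\<original relative path>.
VIRTUALSTORE = re.compile(
    r"^(?P<drive>[A-Za-z]:)\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(?P<rest>.+)$",
    re.IGNORECASE)
RECYCLE_BIN = re.compile(r"^[A-Za-z]:\\\$Recycle\.Bin\\", re.IGNORECASE)
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv", ".com"}
# Legitimate Windows file names that the dropped files imitate.
SYSTEM_NAMES = {"desktop.ini", "bootnxt", "boottel.dat"}


@dataclass
class Dropped:
    path: str
    ftype: str = ""     # type assigned by the sandbox ("executable", "text", ...)
    head: bytes = b""   # first bytes of the file content, when available


@dataclass
class Finding:
    path: str
    intended: str       # where the write would have landed without virtualization
    flags: list = field(default_factory=list)


def intended_target(path: str) -> str:
    m = VIRTUALSTORE.match(path)
    return path if not m else m.group("drive") + "\\" + m.group("rest")


def strip_tmp(name: str) -> str:
    return name[:-4] if name.lower().endswith(".tmp") else name


def extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def looks_like_system_file(name: str) -> bool:
    base = strip_tmp(name).lower()
    return base in SYSTEM_NAMES or any(base.startswith(s + ".") for s in SYSTEM_NAMES)


def triage_one(rec: Dropped) -> Finding:
    target = intended_target(rec.path)
    name = target.rsplit("\\", 1)[-1]
    parent = target[: len(target) - len(name)]
    f = Finding(rec.path, target)
    if target != rec.path:
        f.flags.append("uac-virtualized-write")
    if re.fullmatch(r"[A-Za-z]:\\", parent):
        f.flags.append("system-drive-root")
    if RECYCLE_BIN.match(rec.path):
        f.flags.append("recycle-bin-write")
    if looks_like_system_file(name):
        f.flags.append("system-file-lookalike")
    # PE content under a name whose (non-.tmp) extension is not a PE type,
    # e.g. foo.pdf.tmp typed 'executable'; acrobat_sl.exe.tmp is not flagged.
    is_pe = rec.ftype == "executable" or rec.head[:2] == b"MZ"
    if is_pe and extension(strip_tmp(name)) not in PE_EXTENSIONS:
        f.flags.append("pe-behind-non-pe-name")
    return f


def triage(records):
    return [triage_one(r) for r in records]


def flag_counts(findings):
    counts = {}
    for f in findings:
        for flag in f.flags:
            counts[flag] = counts.get(flag, 0) + 1
    return counts


VS = r"C:\Users\admin\AppData\Local\VirtualStore"
ACRO = VS + r"\Program Files\Adobe\Acrobat DC\Acrobat"
# Constructed from the report's table; the MZ head bytes are made up.
SAMPLE = [
    Dropped(r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe",
            head=b"MZ\x90\x00"),
    Dropped(ACRO + r"\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp", "executable"),
    Dropped(VS + r"\BOOTNXT.tmp", "executable"),
    Dropped(ACRO + r"\acrobat.tlb.tmp", "executable"),
    Dropped(VS + r"\bootTel.dat.tmp", "executable"),
    Dropped(ACRO + r"\acrobat_sl.exe.tmp", "executable"),
    Dropped(ACRO + r"\A3DUtils.dll.tmp", "executable"),
    Dropped(ACRO + r"\ACE.dll.tmp", "executable"),
    Dropped(ACRO + r"\acrobat_reader_appicon_16.png.tmp", "executable"),
]

if __name__ == "__main__":
    results = triage(SAMPLE)
    for f in results:
        print(f.intended, "->", ", ".join(f.flags) or "-")
    print(flag_counts(results))
```

Reconstructing the intended target matters for impact assessment: on a host without UAC virtualization, or for a process running at high integrity, the same writes would have landed in C:\Program Files\Adobe\Acrobat DC\Acrobat\ and C:\, which is what the "Creates file in the system drive root" signature is warning about.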
Network activity: none of the HTTP requests, connections or DNS requests below is attributed to the sample (PID 3620). They originate from system processes (MoUsoCoreWorker.exe PID 4712, svchost.exe PID 3996, System PID 4) and are all marked whitelisted: Microsoft CRL downloads, settings and telemetry endpoints, Bing, a DNS lookup of google.com, and NetBIOS broadcasts to 192.168.100.255. The absence of sample-originated traffic in this run is not evidence that the sample has no network functionality.
HTTP(S) requests: 3
TCP/UDP connections: 18
DNS requests: 7
Threats: 0

HTTP requests

Columns: PID, process, method, HTTP code, IP:port, URL, type, reputation (CN and size were not captured).

4712  MoUsoCoreWorker.exe  GET  200  184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
3996  svchost.exe          GET  200  184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  unknown  whitelisted
4712  MoUsoCoreWorker.exe  GET  200  23.48.23.167:80   http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted

Connections

Columns: PID, process, IP:port, domain, ASN, CN, reputation ("-" = not recorded).

-     -                    192.168.100.255:137  -                                -                            -   whitelisted
4712  MoUsoCoreWorker.exe  51.124.78.146:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
3996  svchost.exe          51.124.78.146:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
-     -                    51.124.78.146:443    settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
-     -                    104.126.37.162:443   www.bing.com                     Akamai International B.V.    DE  whitelisted
4     System               192.168.100.255:138  -                                -                            -   whitelisted
4712  MoUsoCoreWorker.exe  23.48.23.167:80      crl.microsoft.com                Akamai International B.V.    DE  whitelisted
4712  MoUsoCoreWorker.exe  184.30.21.171:80     www.microsoft.com                AKAMAI-AS                    DE  whitelisted
3996  svchost.exe          184.30.21.171:80     www.microsoft.com                AKAMAI-AS                    DE  whitelisted
4712  MoUsoCoreWorker.exe  4.231.128.59:443     settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.139
  • 104.126.37.137
  • 104.126.37.177
  • 104.126.37.145
  • 104.126.37.155
  • 104.126.37.178
  • 104.126.37.160
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.167
  • 23.48.23.177
  • 23.48.23.176
  • 23.48.23.145
  • 23.48.23.143
  • 23.48.23.166
  • 23.48.23.156
  • 23.48.23.164
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 20.42.65.89
whitelisted

Threats

No threats detected
No debug info