File name:

eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0

Full analysis: https://app.any.run/tasks/f32732fe-f9df-4e03-9066-ee978c496580
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:27:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

A3EBF0FBF88F92F0F98641D050EF5935

SHA1:

E84546A0F1104F815C264747030D2CDA2686DBBF

SHA256:

EDA429E8EE24B9FBC6476BCB8E0AAAF8638FB95FA5796E902B87CA855F0115D0

SSDEEP:

24576:BuFRSfWJUq5kUehuFRSfWJUq5kUeccqto6qCQNvuFRSfWJUq5kUehuFRSfWJUq5X:4FRSfWJ9kUeYFRSfWJ9kUeccqto6qCQ8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)

  • INFO

    • Checks supported languages

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)

    • UPX packer has been detected

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)

    • Creates files or folders in the user directory

      • eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe (PID: 828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
120
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe

Process information

PID
CMD
Path
Indicators
Parent process
828"C:\Users\admin\Desktop\eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe" C:\Users\admin\Desktop\eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 118
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exe
MD5:
SHA256:
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:50FF873B7D54908FB3498EA3FB451F8C
SHA256:A1FD1246AB511E78A77B8CF6628C1142FBD68F84382B4DEB8EAF5C0E214992CC
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:783432DD90B5207226EC619D88B5728D
SHA256:D9A0EF3CAE1F8E41F73AECED2A38EB15C6A81482C965B038061E1CD02611BD1A
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:783432DD90B5207226EC619D88B5728D
SHA256:D9A0EF3CAE1F8E41F73AECED2A38EB15C6A81482C965B038061E1CD02611BD1A
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:9AA5C4504819041CB466C4B9D9A184FB
SHA256:1277BBBC4CC7AC71AC5137AB7DF18CE6CDF09D8394987E5F0D0042B4ACAEF5CB
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmpexecutable
MD5:DE07EA026443393D3247689E744F2BDC
SHA256:DF0140540C420A608FD0580939A23FCA8AB9A6D45556294AFB6070E7160A0AD0
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:D6C1AFEA06B744579A5CE9CDFBD959D2
SHA256:447D5B8F42747ECEC2CDFBE5AAA3D3C6150318F3B7771EF964CD17C4E97BA004
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:48E2DA4EF3FBB864AD127E3E81945999
SHA256:4A37E215F8A95D8D4462BFC92D3485B72AA208F3388047D1E06B322AA94F073B
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmpexecutable
MD5:E14D17ECC8FF31D5C2D68F4277C731B8
SHA256:78044019F5B7B5051F7019B4B43D90697C487BA53DDC055ED268BD9210A7B7AF
828eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmpexecutable
MD5:A093803F2C6691DA8F7930BC85655DA2
SHA256:EB674A3CB845E02F8238769300A5605B987CCAE68DEE9F58D2D85243E1B09145
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
20
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4308
svchost.exe
GET
200
23.48.23.161:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.161:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4308
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4308
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.161:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4308
svchost.exe
23.48.23.161:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4308
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.110
whitelisted
crl.microsoft.com
  • 23.48.23.161
  • 23.48.23.168
  • 23.48.23.169
  • 23.48.23.153
  • 23.48.23.158
  • 23.48.23.177
  • 23.48.23.156
  • 23.48.23.174
  • 23.48.23.162
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.182.143.210
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
eda429e8ee24b9fbc6476bcb8e0aaaf8638fb95fa5796e902b87ca855f0115d0