File name: fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad

Full analysis: https://app.any.run/tasks/ae51a3a1-c4c0-42f4-ac85-c168d3d27769
Verdict: Malicious activity
Analysis date: November 23, 2024, 05:38:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, zombie
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: 688EDF0BDCCB5E27AC23F86E3CE9DC3C
SHA1: D26BEE3EC333875A73060C99C6F643D66AA5C4BC
SHA256: FC23D3501DD7E3462ACC42CD848C74343928087052B09680C434FD68CB5844AD
SSDEEP: 12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7uvVVVVVVVVguFTDhSfWJUNo5kUe7L:AuFRSfWJUq5kUeDuFRSfWJUq5kUev

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • ZOMBIE has been detected (YARA)
      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
  • SUSPICIOUS
    • Creates file in the systems drive root
      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
    • Executable content was dropped or overwritten
      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
    • The process creates files with name similar to system file names
      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
  • INFO
    • Checks supported languages
      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
    • UPX packer has been detected
      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
    • Creates files or folders in the user directory
      • fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe (PID: 5472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 119
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #ZOMBIE fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe

Process information

PID: 5472
CMD: "C:\Users\admin\Desktop\fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe"
Path: C:\Users\admin\Desktop\fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe
Indicators: #ZOMBIE
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1 362
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | (no filename shown) |
  MD5:
  SHA256:

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp | executable
  MD5: 7CCA05112F5276CBCFF2D9FC86981914
  SHA256: DE5F2D53E03AE120039C89C9CB713ED1B9B82B30998D293DBEE266B60F9D9D74

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp | executable
  MD5: 595DDB54B1B41E6529306B74619BB794
  SHA256: 90AE589B8C037C71A3003D226235260C847CA6FDF56E13925BA66A1EEA637C24

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp | executable
  MD5: B6AFA63B2B172086462BA68252363E3E
  SHA256: 6BD07F404D2FFF2468EDE3BB73286C336E57CEA07871F0D3740FC94C57BAED0E

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe | executable
  MD5: B6AFA63B2B172086462BA68252363E3E
  SHA256: 6BD07F404D2FFF2468EDE3BB73286C336E57CEA07871F0D3740FC94C57BAED0E

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp | executable
  MD5: 1F8E70AFAEA4BE636BD56AD654035A1F
  SHA256: 8452D2A968A82A505CFF9FCF42E3A33243963A281FC307339B8E4D3BF0732D29

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp | executable
  MD5: 1CDBEF831E5EBADD7176788474EE9E00
  SHA256: 0B34A68638CECD77AC8C6D883B99E6AC9A785FBC5540032AA0581AC6F7524368

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp | executable
  MD5: 8711CC3DEE2B3E193339A30A6346D850
  SHA256: 9E400ECF4E60D2351299AECD79751F14D43D0B93CD78B96C476CD2CCA483BAFB

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp | executable
  MD5: 2C1F5CCBCAA777E1CFEECA3575202E6B
  SHA256: 6911705C4AD83B27CD0BDABA1CBD831019F6490F96573DDE971E3AE9D5E5A0BA

5472 | fc23d3501dd7e3462acc42cd848c74343928087052b09680c434fd68cb5844ad.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmp | executable
  MD5: B1EEB784002A3E612F4BCC23F0765417
  SHA256: E8B930A19554EEA4F323FB29416EDFB6A3D2D8A931CAE9C558FFAAF5EFB69D98
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 8
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
444 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
 | | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
2736 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
444 | RUXIMICS.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
444 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2736 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
 | | 104.126.37.144:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
444 | RUXIMICS.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2736 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
444 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208, 51.124.78.146, 4.231.128.59 | whitelisted
www.bing.com | 104.126.37.144, 104.126.37.145, 104.126.37.137, 104.126.37.136, 104.126.37.153, 104.126.37.139, 104.126.37.154, 104.126.37.162, 104.126.37.155 | whitelisted
google.com | 142.250.186.110 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 20.189.173.7 | whitelisted

Threats

No threats detected

Debug info: No debug info