File name:

CDM20828_Setup.exe

Full analysis: https://app.any.run/tasks/21e2339d-1a2e-497b-97cf-c979520684ef
Verdict: Malicious activity
Analysis date: November 08, 2024, 13:08:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:

8C51A8EC1FD9F3B84DF8F1F8969BEDDD

SHA1:

E49446E5B0A2923A2F0D148786CEFCEBCA0573F9

SHA256:

0E4ACF0D8517906BC1B77177CB6B4C835A8FFFB4ECB33FC3BEEF03B017643A89

SSDEEP:

49152:nhq29Cn5CKYIxGTSfJCiaFR/X6DsRDnE:nhqaC5PYEQSfGRisRw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • CDM20828_Setup.exe (PID: 6564)

    • Starts a Microsoft application from unusual location

      • dpinst-amd64.exe (PID: 7152)

    • Executable content was dropped or overwritten

      • CDM20828_Setup.exe (PID: 6564)

    • Drops a system driver (possible attempt to evade defenses)

      • CDM20828_Setup.exe (PID: 6564)

  • INFO

    • UPX packer has been detected

      • CDM20828_Setup.exe (PID: 6564)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:03:20 06:35:57+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Aggressive working-set trim, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 24576
InitializedDataSize: 4096
UninitializedDataSize: 77824
EntryPoint: 0x19200
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
127
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start THREAT cdm20828_setup.exe dp-chooser.exe no specs dpinst-amd64.exe no specs cdm20828_setup.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
4076"C:\Users\admin\Desktop\CDM20828_Setup.exe" C:\Users\admin\Desktop\CDM20828_Setup.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\desktop\cdm20828_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
4680C:\Users\admin\AppData\Local\Temp\CDM20828\dp-chooser.exeC:\Users\admin\AppData\Local\Temp\CDM20828\dp-chooser.exeCDM20828_Setup.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\appdata\local\temp\cdm20828\dp-chooser.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
6564"C:\Users\admin\Desktop\CDM20828_Setup.exe" C:\Users\admin\Desktop\CDM20828_Setup.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Modules
Images
c:\users\admin\desktop\cdm20828_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll
7152C:\Users\admin\AppData\Local\Temp\CDM20828\dpinst-amd64C:\Users\admin\AppData\Local\Temp\CDM20828\dpinst-amd64.exedp-chooser.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Driver Package Installer
Version:
2.1
Modules
Images
c:\users\admin\appdata\local\temp\cdm20828\dpinst-amd64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
68
Read events
68
Write events
0
Delete events
0

Modification events

No data
Executable files
17
Suspicious files
8
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\amd64\ftbusui.dllexecutable
MD5:02CBAE0ECB056B9106A05E771198F338
SHA256:A482D9CC15BDD682947B1F1C72EFF1917069828A92D47C40C9722A0B3321D434
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\amd64\ftd2xx64.dllexecutable
MD5:BD52F897F3413834E0FE41A183D679E8
SHA256:E71C6827BBD708040109C4B17CD291A4750026F05C25390891913B5811692A1F
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\i386\ftd2xx.libbinary
MD5:79D08834526BDAC0134C486CC9E8A1CF
SHA256:A9C02D1584B9EDDAC5D49C228FFDD386256245E43E5C97A2091C5FE4E8098294
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\i386\ftcserco.dllexecutable
MD5:A80892663BADD1E97CD7F6589B085AA6
SHA256:03B2FE908EE530E2DFD2F3A0EAD8B3597DB886C05456AE545C3ADB4B2338AEA7
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\amd64\ftlang.dllexecutable
MD5:41F0D8F295670F3391284F27000641C8
SHA256:EFD6593347ED1E30732DACA68FB0C547526CD81A819A364E4767F29FE3B062AE
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\amd64\ftdibus.sysexecutable
MD5:F16370F37CCA72ED2C21C230333C2C11
SHA256:F8CA56AE1FA3A45EBEBA2536063B9141803DE3E61EE4D9999DCC941A6B3B7869
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\amd64\ftser2k.sysexecutable
MD5:787BBE2466C36B2E36B4A41BB788E2A2
SHA256:A8B2480CBD350B7B89C0801C1F8C6B1504F964CE0B627B76885A682164060DA3
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\amd64\ftserui2.dllexecutable
MD5:AEC470EE99F6F0E203F3CFA6BE825537
SHA256:67888909E9363FD2FABC2EAD40E3F4C30BC671F8265F226FDA2E2D6A0DD981C6
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\i386\ftlang.dllexecutable
MD5:EAF5EC9F2258C8A1192AFF098D1762E7
SHA256:D93E12F1BEF258585ED526F76C79930AE2DDC4149EAFF82B4839E9C464A24554
6564CDM20828_Setup.exeC:\Users\admin\AppData\Local\Temp\CDM20828\i386\ftbusui.dllexecutable
MD5:D9901185283297A18C7BF1E13058DBA4
SHA256:EBB012D0E30FDF1841C4E4810B8BDC94BE4C4D9C902C2B5CEAE0812D252653A9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6944
svchost.exe
GET
200
2.16.164.43:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6944
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1584
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5488
MoUsoCoreWorker.exe
GET
200
2.16.164.43:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1584
RUXIMICS.exe
GET
200
2.16.164.43:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
6944
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1584
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5488
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6944
svchost.exe
2.16.164.43:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
1584
RUXIMICS.exe
2.16.164.43:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
5488
MoUsoCoreWorker.exe
2.16.164.43:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
6944
svchost.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1584
RUXIMICS.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.212.142
whitelisted
crl.microsoft.com
  • 2.16.164.43
  • 2.16.164.9
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 20.73.194.208
whitelisted
self.events.data.microsoft.com
  • 52.168.117.169
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
CDM20828_Setup.exe