File name:

CD1.exe

Full analysis: https://app.any.run/tasks/71cb92ad-6b48-4bd5-af86-23ca949b14c9
Verdict: Malicious activity
Analysis date: April 28, 2025, 11:26:38
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive, 4 sections
MD5:

2D2A7F3F401429C838437E56D9B4BAD6

SHA1:

C20FC78EE64B93B2309FE716A0533591EE51185A

SHA256:

414DB71E64CB072C604B9F4F96A97336E3B7639E6CC3751C6ACF6E3D88F919F4

SSDEEP:

98304:cyPUcp8rDqy5T9uwpq7S/LscN3rpBOcFG3VD6+imnntbu3Az+dvqCdkKrPb22bOw:k/nc6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for the user's acknowledgement as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Accesses environment variables (SCRIPT)

      • cscript.exe (PID: 6620)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • CD1.exe (PID: 6040)
    • Executing commands from ".cmd" file

      • cmd.exe (PID: 6712)
      • CD1.exe (PID: 6040)
      • cmd.exe (PID: 7152)
    • Reads security settings of Internet Explorer

      • CD1.exe (PID: 6040)
    • The process executes VB scripts

      • cmd.exe (PID: 7152)
    • Application launched itself

      • cmd.exe (PID: 6712)
      • cmd.exe (PID: 7152)
    • Starts CMD.EXE for commands execution

      • CD1.exe (PID: 6040)
      • cmd.exe (PID: 7152)
      • cmd.exe (PID: 6712)
    • Creates FileSystem object to access computer's file system (SCRIPT)

      • cscript.exe (PID: 6620)
    • Checks whether a specific file exists (SCRIPT)

      • cscript.exe (PID: 6620)
  • INFO

    • Reads the computer name

      • CD1.exe (PID: 6040)
      • PBCDCopy.exe (PID: 4976)
    • Checks supported languages

      • CD1.exe (PID: 6040)
      • PBCDCopy.exe (PID: 4976)
    • The sample compiled with english language support

      • CD1.exe (PID: 6040)
    • Reads security settings of Internet Explorer

      • cscript.exe (PID: 6620)
    • Process checks computer location settings

      • CD1.exe (PID: 6040)
    • Checks proxy server information

      • cscript.exe (PID: 6620)
    • Reads the software policy settings

      • cscript.exe (PID: 6620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2014:12:02 10:07:30+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 165376
InitializedDataSize: 175104
UninitializedDataSize: -
EntryPoint: 0x1d5db
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
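The file info above identifies CD1.exe as a PE32 GUI executable that is also a RAR self-extracting archive. In an SFX the archive is not inside a PE section; it is appended as the overlay, after the highest PointerToRawData + SizeOfRawData of any section. The following is an added example (not ANY.RUN's code and not part of the sample): it walks the section table to find the overlay offset, checks for the RAR marker block there and carves the payload so it can be listed with unrar or rarfile without running the stub. The `build_sfx_stub` input is constructed for the demonstration and is not the real file.

```python
"""Locate and carve the RAR payload appended to a self-extracting PE stub."""
import struct

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # marker block, RAR 1.5 - 4.x
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # marker block, RAR 5.x


def overlay_offset(pe: bytes) -> int:
    """Offset at which data beyond the last section (the overlay) starts."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    first_section = coff + 20 + size_opt     # IMAGE_SECTION_HEADER[0]
    end = first_section + 40 * num_sections  # at least past the headers
    for i in range(num_sections):
        hdr = first_section + i * 40
        size_raw, ptr_raw = struct.unpack_from("<II", pe, hdr + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def find_sfx_archive(pe: bytes):
    """Overlay/archive offsets and RAR version; None if nothing is appended."""
    ov = overlay_offset(pe)
    if ov >= len(pe):
        return None                          # plain PE, no overlay
    hits = [(pe.find(m, ov), v) for m, v in ((RAR5_MAGIC, 5), (RAR4_MAGIC, 4))]
    hits = [(off, v) for off, v in hits if off != -1]
    if not hits:
        return {"overlay_offset": ov, "archive_offset": None, "rar_version": None}
    off, ver = min(hits)                     # earliest marker wins
    return {"overlay_offset": ov, "archive_offset": off, "rar_version": ver,
            "archive_size": len(pe) - off}


def carve_archive(pe: bytes):
    """Bytes from the RAR marker to end of file, ready for unrar/rarfile."""
    info = find_sfx_archive(pe)
    if not info or info["archive_offset"] is None:
        return None
    return pe[info["archive_offset"]:]


def build_sfx_stub(archive: bytes, gap: bytes = b"") -> bytes:
    """Constructed test input: a minimal one-section PE, then `gap`, then
    `archive` as the overlay. Parseable headers only; it does not run."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytes(0xE0)                                         # zeroed optional header
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0",
                       0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + opt + sect
    image = headers.ljust(0x200, b"\0") + bytes(0x200)        # .text raw data at 0x200
    return image + gap + archive


if __name__ == "__main__":
    sample = build_sfx_stub(RAR5_MAGIC + bytes(32), gap=b"SFX-comment\0")
    print(find_sfx_archive(sample))
```

Some SFX stubs place a comment or config block between the last section and the archive, which is why the search starts at the overlay offset rather than requiring the marker to sit exactly there. Carving the archive and listing it statically shows the same C:\ProAgent\CD1\... tree that the dynamic run dropped, without executing the installer.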
All screenshots are available in the full report
Total processes
145
Monitored processes
15
Malicious processes
3
Suspicious processes
1

Behavior graph

Processes shown in the graph, in graph order ("no specs" marks processes without detailed monitoring):

start
cd1.exe
cmd.exe (no specs)
conhost.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
cscript.exe (no specs)
sppextcomobj.exe (no specs)
slui.exe (no specs)
cmd.exe (no specs)
conhost.exe (no specs)
pbcdcopy.exe (no specs)
pbcdcopy.exe (no specs)
pbcdcopy.exe
cmd.exe (no specs)
reg.exe (no specs)

Process information

PID: 2616
CMD: cmd.exe /c InstallCD.cmd /CF="C:\ProBase\INSTALL\CCF" /UI=ALL /U
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 3768
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4976
CMD: "C:\ProAgent\CD1\CMD\PBCDCopy.exe" /AIU /CF="C:\ProBase\INSTALL\CCF" /UI=ALL /U
Path: C:\ProAgent\CD1\CMD\PBCDCopy.exe
Parent process: cmd.exe
User:
admin
Company:
Diebold Nixdorf
Integrity Level:
HIGH
Description:
PBCDCopy
Exit code:
10 (application-defined; matches the CopyStatus value InvalidProgramInvocation (10) this process wrote under HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Diebold Nixdorf\ProBase\Install, see Modification events)
Version:
4.0.21083.1
Modules
Images
c:\proagent\cd1\cmd\pbcdcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 5116
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5960
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 6040
CMD: "C:\Users\admin\AppData\Local\Temp\CD1.exe"
Path: C:\Users\admin\AppData\Local\Temp\CD1.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\cd1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6112
CMD: REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Diebold\Agilis Installer" /v "AiuRoot" /reg:32
Path: C:\Windows\SysWOW64\reg.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6192
CMD: C:\WINDOWS\system32\cmd.exe /c REG QUERY "HKEY_LOCAL_MACHINE\SOFTWARE\Diebold\Agilis Installer" /v "AiuRoot" /reg:32
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 6248
CMD: PBCDCopy /AIU /CF="C:\ProBase\INSTALL\CCF" /UI=ALL /U
Path: C:\ProAgent\CD1\CMD\PBCDCopy.exe
Parent process: cmd.exe
User:
admin
Company:
Diebold Nixdorf
Integrity Level:
MEDIUM
Description:
PBCDCopy
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the image was launched at MEDIUM integrity and could not start without elevation; the HIGH-integrity relaunch of the same image is PID 4976)
Version:
4.0.21083.1
Modules
Images
c:\proagent\cd1\cmd\pbcdcopy.exe
c:\windows\system32\ntdll.dll
PID: 6268
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
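The process table reports exit codes as raw decimals. Any value with the top bit set (3221226540 and above) is an NTSTATUS returned by the loader or kernel, not a value the application chose, and the table above contains one: PBCDCopy.exe (PID 6248, MEDIUM integrity) exited with 3221226540 and the same image then ran as PID 4976 at HIGH integrity. The following is an added example (not ANY.RUN's code): it decodes such exit codes and flags that launch-fail-relaunch pattern, which is what a UAC prompt looks like in a process list with no timestamps. The `PROCESSES` records are transcribed from the table above (parents are names only, as the report gives them); the NTSTATUS names are from ntstatus.h.

```python
"""Decode sandbox exit codes and spot a UAC elevation retry."""

NTSTATUS_NAMES = {
    0xC000042C: "STATUS_ELEVATION_REQUIRED",   # CreateProcess needs elevation
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
}

# Transcribed from the report's process table (subset with exit codes).
PROCESSES = [
    {"pid": 6040, "image": r"C:\Users\admin\AppData\Local\Temp\CD1.exe",
     "parent": "explorer.exe", "integrity": "MEDIUM", "exit_code": 0},
    {"pid": 2616, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": "cmd.exe", "integrity": "MEDIUM", "exit_code": 0},
    {"pid": 6192, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent": "cmd.exe", "integrity": "MEDIUM", "exit_code": 1},
    {"pid": 6112, "image": r"C:\Windows\SysWOW64\reg.exe",
     "parent": "cmd.exe", "integrity": "MEDIUM", "exit_code": 1},
    {"pid": 6248, "image": r"C:\ProAgent\CD1\CMD\PBCDCopy.exe",
     "parent": "cmd.exe", "integrity": "MEDIUM", "exit_code": 3221226540},
    {"pid": 4976, "image": r"C:\ProAgent\CD1\CMD\PBCDCopy.exe",
     "parent": "cmd.exe", "integrity": "HIGH", "exit_code": 10},
]


def decode_exit_code(code: int) -> str:
    """'0xC000042C STATUS_ELEVATION_REQUIRED' for NTSTATUS values; otherwise
    the plain decimal the application returned from main()/ExitProcess."""
    code &= 0xFFFFFFFF
    if code < 0x80000000:
        return str(code)
    severity = "error" if code >> 30 == 3 else "warning"   # top two bits
    name = NTSTATUS_NAMES.get(code, f"unknown NTSTATUS ({severity})")
    return f"0x{code:08X} {name}"


def find_elevation_retries(procs):
    """(failed_pid, elevated_pid, image) for every MEDIUM-integrity launch that
    died with STATUS_ELEVATION_REQUIRED and has a HIGH-integrity launch of the
    same image, i.e. the installer went through a UAC prompt."""
    retries = []
    for p in procs:
        if p["integrity"] != "MEDIUM" or (p["exit_code"] & 0xFFFFFFFF) != 0xC000042C:
            continue
        for q in procs:
            if q["integrity"] == "HIGH" and q["image"].lower() == p["image"].lower():
                retries.append((p["pid"], q["pid"], p["image"]))
    return retries


def triage_lines(procs):
    """One line per process with the decoded exit code."""
    return [f'{p["pid"]:>5} {p["integrity"]:<6} {p["image"]} -> '
            f'{decode_exit_code(p["exit_code"])}' for p in procs]


if __name__ == "__main__":
    print("\n".join(triage_lines(PROCESSES)))
    for failed, elevated, image in find_elevation_retries(PROCESSES):
        print(f"elevation retry: {image} PID {failed} -> PID {elevated}")
```

Two caveats when reading the table this way: the reg.exe and cmd.exe exit code 1 records the REG QUERY for HKEY_LOCAL_MACHINE\SOFTWARE\Diebold\Agilis Installer\AiuRoot failing (the key is absent on the sandbox image), and SppExtComObj.exe and SLUI.exe, spawned by svchost.exe as NETWORK SERVICE with Action=AutoActivate, are Windows activation background activity rather than children of the sample.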
Total events
4 262
Read events
4 259
Write events
3
Delete events
0

Modification events

PID 4976 (PBCDCopy.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Diebold Nixdorf\ProBase\Install
Operation: write
Name: CopyStatus
Value: InvalidProgramInvocation (10)

PID 4976 (PBCDCopy.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Diebold Nixdorf\ProBase\Install
Operation: write
Name: LastSetup
Value: 4/28/2025 11:27:05 AM

PID 4976 (PBCDCopy.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Diebold Nixdorf\ProBase\Install
Operation: write
Name: PBCDCopy
Value: 4.0.21083.1
Executable files
4
Suspicious files
3
Text files
12
Unknown types
0

Dropped files

PID 6040 (CD1.exe) | C:\ProAgent\CD1\CMD\Cancel.cmd | text
MD5: 330D33CA7223AD8D7101980FD384E941
SHA256: 45E05B91426FE7ADD3519FDBAA08B5BA0640BDC4EA70EEB5AA0CC35F4393E070

PID 6040 (CD1.exe) | C:\ProAgent\CD1\CMD\AIUInstall\Agilis Installation Utility.msi | executable
MD5: 51AA420397F79E9FD2FCE5A3F1062B1A
SHA256: F332952C368DFF2CE1C687903A28FFA706B8A48C385A3762F2B6A761C60CB8AD

PID 6040 (CD1.exe) | C:\ProAgent\CD1\Updates\FBYENDFBYDCMZB\Z009000_FBYENDFBYDCMZB.xml | xml
MD5: 400484244506C3993D414F4D379C14AB
SHA256: 0B1D0DC835A22F0941A1BEE467CE02F0B2817C5465383AA039969BABF9C4EAA6

PID 6040 (CD1.exe) | C:\ProAgent\CD1\CMD\ShellBasics.dll | executable
MD5: 1546AC11B92E9F8EA7E6A22A298FE95A
SHA256: 5CE2EC365E32861ACE35F92E6513538871FA04AFCBD1E920FEE2BBFD6544F98F

PID 6040 (CD1.exe) | C:\ProAgent\CD1\CMD\checkAIU.vbs | text
MD5: 1FA3593E5177B74A18AAAE7610B9F64D
SHA256: CE06DAD47119D4B2362E6C94AF72E6071AF20DE88FA7E2264EF1F281B1EB6DAE

PID 6040 (CD1.exe) | C:\ProAgent\CD1\CMD\PBCDCopy.exe | executable
MD5: 551B4A921BED08F48E3B57B57C91CF89
SHA256: 0B4D3AD444BB6F63914CFE986CCD9F3971CAA6D4AD1355294F929D580226F2D7

PID 6040 (CD1.exe) | C:\ProAgent\CD1\Parts\XFSPBYRWT80L02.zip | compressed
MD5: C4F27424D62A3DDBF637A5126F492C94
SHA256: F62D59849A0A4F56D0C1A93791AC949AEE6AD9497EF174B85FA984CF481AB879

PID 6040 (CD1.exe) | C:\ProAgent\CD1\CDContents.txt | text
MD5: 10648A432F086A4B5AF0B9BEF3176BE3
SHA256: BD488B8833B3AF347BE3B620D9FAB843A848959952EC2314C1FBEC188EB30846

PID 6040 (CD1.exe) | C:\ProAgent\CD1\card.cmd | text
MD5: F451D6DE587A961BD30F8AB3AFAAF295
SHA256: B4BC97BF0FBF8CB733495101EC0772E90C5DA2587391CAB946E6AC4A8C3287EB

PID 6040 (CD1.exe) | C:\ProAgent\CD1\CMD\FPMenu.cfg | text
MD5: F4FA97E620925538D6A65A0A06313EF6
SHA256: 3C15CF428F257BB4E94B5D2DA126A6E194217CB9E92670F0A67672DA77F22468
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info