File name:	9cb07c0bf061b82a68fda7bf908b2ae7e029333772c6b9d6ca1f94871270c458.exe
Full analysis:	https://app.any.run/tasks/d8a95e43-8642-4d9e-9623-5524cbdedb62
Verdict:	Malicious activity
Analysis date:	October 03, 2025, 17:47:25
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	m0yv
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 7 sections
MD5:	F78A2D209C3C9430EA373BF76454E6DB
SHA1:	A01DCCC9E331033FFBC96318BEDC58328FE30A9F
SHA256:	9CB07C0BF061B82A68FDA7BF908B2AE7E029333772C6B9D6CA1F94871270C458
SSDEEP:	98304:p0LdR75wXRTFv6lBJqWeUBI5RB82s25p3MxV2nv3ASjdoc1Z9/pe09gWYLTT9vIB:7UsJ1/Jq

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

MachineType:	AMD AMD64
TimeStamp:	2025:08:05 22:11:58+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.38
CodeSize:	4430336
InitializedDataSize:	4775424
UninitializedDataSize:	-
EntryPoint:	0x2ee4a0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows command line
FileVersionNumber:	5.1.0.211
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Malwarebytes
FileDescription:	Malwarebytes Installer Service
FileVersion:	5.1.0.211
ProductName:	Malwarebytes
ProductVersion:	5.1.0.211
LegalCopyright:	(c) Malwarebytes. All rights reserved.
InternalName:	MBAMIService.exe
OriginalFileName:	MBAMIService.exe


(PID) Process:	(7628) armsvc.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Adobe\Adobe ARM\1.0\ARM
Operation:	write	Name:	iLastSvcSuccess
Value: 1516703
(PID) Process:	(1920) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax
Operation:	write	Name:	RedirectionGuard
Value: 1
(PID) Process:	(1920) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	write	Name:	Password
Value: 00
(PID) Process:	(1920) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	delete value	Name:	Password
Value:
(PID) Process:	(1920) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	write	Name:	Server
Value:
(PID) Process:	(1920) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	write	Name:	From
Value:
(PID) Process:	(1920) FXSSVC.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fax\Receipts
Operation:	write	Name:	User
Value:
(PID) Process:	(8736) ssh-agent.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\OpenSSH\Agent
Operation:	write	Name:	ProcessID
Value: 8736
(PID) Process:	(8684) Spectrum.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Spectrum
Operation:	write	Name:	HeadCenterOfRotationFloat3
Value: 000000000AD7A3BD0AD7A33D
(PID) Process:	(9132) SearchIndexer.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\Tracing\EventThrottleState
Operation:	delete value	Name:	000003eb
Value:

PID	Process	Filename		Type
2568	9cb07c0bf061b82a68fda7bf908b2ae7e029333772c6b9d6ca1f94871270c458.exe	C:\Users\admin\AppData\Local\Temp\mbamiservice.log		text
		MD5:EEEFB800FDBC01B3F83F251A0DA4F4C8	SHA256:86E24E2B0E5A538BE80BD3373A25E4E6DE9F14BCBF7F88E4835595BA9C4515E4
2568	9cb07c0bf061b82a68fda7bf908b2ae7e029333772c6b9d6ca1f94871270c458.exe	C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin		binary
		MD5:E29A0FC658789F1D063C6549AD72A11E	SHA256:018DB7DE4A35A64D093C5EB1B63B216A113685BE75756A03887543203F72985E
7628	armsvc.exe	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\26b799fa89ba8c8f.bin		binary
		MD5:AE56C60D18E2B3F02C703644490A6347	SHA256:D23360BEBC0F5D96D56105A14E364224B0FB0B796CAF407D9585C63C3283E77C
7628	armsvc.exe	C:\Windows\System32\alg.exe		executable
		MD5:710B089E4527D210CE668A5B0CE6CF58	SHA256:589ABE03A9EF8E410C3529DB8BD82C7E79969826250FFBD88A35F61BD38D9712
2568	9cb07c0bf061b82a68fda7bf908b2ae7e029333772c6b9d6ca1f94871270c458.exe	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe		executable
		MD5:6D094D801ED3BB5DC0343C8D4CE95C61	SHA256:4C7C70431659783669DDB8FCD2D0F6802FA980523C67C08492009CADC8537003
7808	maintenanceservice.exe	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log		text
		MD5:FEE10A3714AF863A56732AD1862254F4	SHA256:AFE9E08E7A8D7254EE55106294AB13E5E0BD7BC5CDC9769EE7B9725FF4471B34
7628	armsvc.exe	C:\Windows\System32\msiexec.exe		executable
		MD5:E1116F52B72A3B3DB3C27CEF98589C38	SHA256:CB5B5C6AD2C1932B3507B29137CEAD3EE7D5248670D5D1533AEA2B3EE42EE2F4
7628	armsvc.exe	C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe		executable
		MD5:A9C095CF5C4837A5A057B7D85A590894	SHA256:C076E79F944CC64FBE76733257BD2F3A0451D8D0347B95568CABAD7C70EA4C8A
7628	armsvc.exe	C:\Windows\System32\msdtc.exe		executable
		MD5:88C39B7D9742D4E21AF7D059EDB7C67B	SHA256:BB573EDA8DEB5220503727FEA0917CC0987AD156066510279311019B410B881E
7628	armsvc.exe	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\updater.exe		executable
		MD5:1433B32C5DDE9D796F45EC310A5F5D67	SHA256:CDFF74693E53542EE0A429AF44D18C77752332489BA2E331CE199DECE6FFA9C9

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7628	armsvc.exe	POST	200	44.244.22.128:80	http://pywolwnvd.biz/jjcwhqymcjs	US	—	—	malicious
7628	armsvc.exe	POST	200	50.16.27.236:80	http://ssbzmoy.biz/olo	US	—	—	unknown
7628	armsvc.exe	POST	200	44.244.22.128:80	http://cvgrf.biz/gnjwawvrklkgnysc	US	—	—	malicious
7628	armsvc.exe	POST	200	3.229.117.57:80	http://npukfztj.biz/riuigyg	US	—	—	malicious
—	—	GET	200	23.192.36.137:443	https://www.bing.com/DSB/search?dsbmr=1&format=dsbjson&client=windowsminiserp&dsbschemaversion=1.1&dsbminiserp=1&q=q&cc=US&setlang=en-us&clientDateTime=10%2F3%2F2025%2C%205%3A47%3A41%20PM	US	binary	64.1 Kb	unknown
—	—	POST	204	23.192.36.137:443	https://www.bing.com/web/xlsc.aspx?t=5&dl=1&wsbc=1	US	—	—	unknown
—	—	POST	200	40.126.32.72:443	https://login.live.com/RST2.srf	US	xml	11.1 Kb	unknown
—	—	POST	200	40.126.32.72:443	https://login.live.com/RST2.srf	US	xml	11.2 Kb	unknown
—	—	POST	200	20.190.159.0:443	https://login.live.com/RST2.srf	US	xml	11.0 Kb	unknown
—	—	POST	200	20.190.159.128:443	https://login.live.com/RST2.srf	US	xml	11.3 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6016	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6168	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.192.36.142:443	www.bing.com	AKAMAI-AS	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7628	armsvc.exe	44.244.22.128:80	pywolwnvd.biz	AMAZON-02	US	malicious
6016	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7628	armsvc.exe	50.16.27.236:80	ssbzmoy.biz	AMAZON-AES	US	malicious
5948	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7628	armsvc.exe	3.229.117.57:80	npukfztj.biz	AMAZON-AES	US	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.104.136.2	whitelisted
www.bing.com	23.192.36.142 23.192.36.137	whitelisted
google.com	172.217.16.206	whitelisted
pywolwnvd.biz	44.244.22.128	malicious
ssbzmoy.biz	50.16.27.236	unknown
cvgrf.biz	44.244.22.128	malicious
npukfztj.biz	3.229.117.57	malicious
login.live.com	40.126.32.74 20.190.160.2 20.190.160.20 20.190.160.22 40.126.32.138 40.126.32.134 20.190.160.132 20.190.160.17	whitelisted
przvgke.biz	172.233.219.123 172.233.219.49 172.237.146.8 172.237.146.25 172.237.146.38 172.233.219.78	unknown
zlenh.biz	—	unknown

PID	Process	Class	Message
2428	svchost.exe	A Network Trojan was detected	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
2428	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/m0yv CnC related domain (zlenh .biz)
7628	armsvc.exe	Misc activity	ET INFO Namecheap URL Forward
7628	armsvc.exe	Misc activity	ET INFO Namecheap URL Forward

General Info

9cb07c0bf061b82a68fda7bf908b2ae7e029333772c6b9d6ca1f94871270c458.exe

F78A2D209C3C9430EA373BF76454E6DB

A01DCCC9E331033FFBC96318BEDC58328FE30A9F

9CB07C0BF061B82A68FDA7BF908B2AE7E029333772C6B9D6CA1F94871270C458

98304:p0LdR75wXRTFv6lBJqWeUBI5RB82s25p3MxV2nv3ASjdoc1Z9/pe09gWYLTT9vIB:7UsJ1/Jq

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

M0YV mutex has been found

Connects to the CnC server

M0YV has been detected (YARA)

M0YV has been detected (SURICATA)

SUSPICIOUS

Executable content was dropped or overwritten

Executes as Windows Service

Application launched itself

Process drops legitimate windows executable

INFO

The sample compiled with english language support

Creates files or folders in the user directory

Checks supported languages

Reads the computer name

Create files in a temporary directory

Creates files in the program directory

Reads the software policy settings

Executes as Windows Service

Reads the time zone

The sample compiled with bulgarian language support

Reads security settings of Internet Explorer

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings