URL: http://185.172.128.32/cp.exe

Full analysis: https://app.any.run/tasks/9874e3ef-816a-4a61-a81e-d32f3cc78388
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 16, 2024, 01:51:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
miner
Indicators:
MD5: 74B26108FEFB908448D85220F113D6DC
SHA1: 3A13FCD4C9C73E767E9D39910373F184BB3092B6
SHA256: AF90EA8F932430A91DDC4C9DF0ADED316F8322C769ECB7D5233334931AB10BE4
SSDEEP: 3:N1KlmbYQKC0Cn:CLfCJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • cp.exe (PID: 1236)
    • Connects to the CnC server

      • RegAsm.exe (PID: 2172)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cp.exe (PID: 1236)
    • Reads the Internet Settings

      • RegAsm.exe (PID: 2172)
    • Connects to the server without a host name

      • RegAsm.exe (PID: 2172)
  • INFO

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2040)
      • iexplore.exe (PID: 392)
    • The process uses the downloaded file

      • iexplore.exe (PID: 2040)
    • Checks supported languages

      • cp.exe (PID: 1236)
      • RegAsm.exe (PID: 2172)
    • Application launched itself

      • iexplore.exe (PID: 2040)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 392)
      • iexplore.exe (PID: 2040)
    • Reads the computer name

      • cp.exe (PID: 1236)
      • RegAsm.exe (PID: 2172)
    • Reads the machine GUID from the registry

      • cp.exe (PID: 1236)
      • RegAsm.exe (PID: 2172)
    • Create files in a temporary directory

      • cp.exe (PID: 1236)
    • Reads Environment values

      • RegAsm.exe (PID: 2172)
    • Creates files in the program directory

      • RegAsm.exe (PID: 2172)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 2

Behavior graph (process chain)

start > iexplore.exe > iexplore.exe > cp.exe > regasm.exe

Process information

PID: 392
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2040 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 1236
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cp.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cp.exe
Parent process: iexplore.exe
User: admin
Integrity Level: MEDIUM
Description: news_feed_with_genre_selection
Exit code: 0
Version: 1.0.0.1
Modules (images):
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\cp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 2040
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://185.172.128.32/cp.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 2172
CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Parent process: cp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Assembly Registration Utility
Exit code: 0
Version: 4.8.3761.0 built by: NET48REL1
Modules (images):
c:\windows\microsoft.net\framework\v4.0.30319\regasm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events: 12 471
Read events: 12 412
Write events: 59
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 0
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 30847387
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 30847437
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
2040 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
Executable files: 4
Suspicious files: 14
Text files: 16
Unknown types: 0

Dropped files

PID 2040 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 [compressed]
  MD5: 1BFE591A4FE3D91B03CDF26EAACD8F89
  SHA256: 9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
PID 392 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\cp[1].exe [executable]
  MD5: C8250025047EEFAC4976234AE35316FB
  SHA256: 0ABDE0DB2BC0CFDE8994C58D5D1464E53C73DDCE44223A63B07C778798292FA8
PID 392 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cp.exe.uffet9b.partial [executable]
  MD5: DE3AB27A1CB257338DCB7D50D463182A
  SHA256: BAEEE6192A3D5AE609710D4C45222BC020AC65DF7294177518B32D4C04AF4E06
PID 2040 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D113EFD7-B411-11EE-AE0A-12A9866C77DE}.dat [binary]
  MD5: 58D322A828C8128155C6351A50471DA2
  SHA256: 3504C07FD2131F5C99DF9A6AF38E3CC7ABFA0E0F5525AD88EE77E5654A4C0999
PID 2040 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cp.exe.uffet9b.partial:Zone.Identifier [text]
  MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
  SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
PID 2040 (iexplore.exe): C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cp.exe [executable]
  MD5: DE3AB27A1CB257338DCB7D50D463182A
  SHA256: BAEEE6192A3D5AE609710D4C45222BC020AC65DF7294177518B32D4C04AF4E06
PID 2040 (iexplore.exe): C:\Users\admin\AppData\Local\Temp\~DF0A8B3254B3914204.TMP [binary]
  MD5: 028E0D2E6C1CAE7A900284611D9692A6
  SHA256: CAFBCF7D20FD92B6931219E7703895AE20546EF287EA46D8423B4417B9E73557
PID 2040 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 [binary]
  MD5: 1D406313C830D49A25E90C81F1FFE3D3
  SHA256: 11206DC26301A10F4E56B4F7C940407317272D94E4E2A07F144C3461B112FEE3
PID 2040 (iexplore.exe): C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 [binary]
  MD5: 2B078518F993A89D2CE803DC8A2612B0
  SHA256: 7426A70A009E03CEFC523E661311362E699210B2A75A1A9F3C507ABC771B5944
PID 2040 (iexplore.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\71XSOEWP.txt [text]
  MD5: DE4408F32A7A7F36E6BC4F7405AE8A30
  SHA256: E2B1082FECDEDEE2A112CDDFBAD6D4AA78A89DE5C8883CCBDA1E2833E5DC7718
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 21
DNS requests: 9
Threats: 5

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2040 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?08d91df001b427ad | unknown | compressed | 4.66 Kb | unknown
392 | iexplore.exe | GET | 200 | 185.172.128.32:80 | http://185.172.128.32/cp.exe | unknown | executable | 4.11 Mb | unknown
2040 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?fa4f1dfa99832483 | unknown | compressed | 4.66 Kb | unknown
2040 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a10a16456a3ace15 | unknown | compressed | 4.66 Kb | unknown
2040 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
1080 | svchost.exe | GET | 304 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?89bca2e7018c82c0 | unknown | - | - | unknown
2172 | RegAsm.exe | GET | 404 | 185.172.128.87:80 | http://185.172.128.87/zima.php?mine=loader | unknown | html | 300 b | unknown
2040 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | binary | 471 b | unknown
2040 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | unknown | binary | 471 b | unknown
2040 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
392 | iexplore.exe | 185.172.128.32:80 | - | OOO Nadym Svyaz Service | RU | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2040 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted
2040 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
2040 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1080 | svchost.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
2172 | RegAsm.exe | 185.172.128.87:80 | - | OOO Nadym Svyaz Service | RU | unknown
2040 | iexplore.exe | 204.79.197.200:443 | ieonline.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
ieonline.microsoft.com | 204.79.197.200 | whitelisted
go.microsoft.com | 23.32.186.57 | whitelisted
www.msn.com | 204.79.197.203 | whitelisted

Threats

PID | Process | Class | Message
392 | iexplore.exe | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
392 | iexplore.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
392 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
392 | iexplore.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
2172 | RegAsm.exe | A Network Trojan was detected | MINER [ANY.RUN] ZimaCoinMiner HTTP Check-In
No debug info