File name: cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8

Full analysis: https://app.any.run/tasks/e958134a-d2ac-42c1-83a4-e60a5a235f9f
Verdict: Malicious activity
Analysis date: December 13, 2024, 19:41:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5: E1FD7DA8A41148151D3FA95E63E1D07B
SHA1: 090F7550831BD7EE8C2040C3BE6A7F61D9865D6F
SHA256: CC1AB5B0121EC635EB8CA97EEF9B249754693BC57707AC682FF0F1C99B0386A8
SSDEEP: 12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7/JvVVVVVVVVguFTDhSfWJUNo5kUe7/C:AuFRSfWJUq5kUebSuFRSfWJUq5kUebC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe (PID: 6444)
  • SUSPICIOUS

    • Creates a file in the system drive root

      • cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe (PID: 6444)
    • Executable content was dropped or overwritten

      • cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe (PID: 6444)
    • The process creates files with names similar to system file names

      • cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe (PID: 6444)
  • INFO

    • Creates files or folders in the user directory

      • cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe (PID: 6444)
    • Checks supported languages

      • cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe (PID: 6444)
    • UPX packer has been detected

      • cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe (PID: 6444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 118
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe (#ZOMBIE)

Process information

PID: 6444
CMD: "C:\Users\admin\Desktop\cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe"
Path: C:\Users\admin\Desktop\cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 11
Read events: 11
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 804
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by PID 6444 (cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe). Paths under C:\Users\admin\AppData\Local\VirtualStore\ are UAC file-virtualization redirects: the process runs at MEDIUM integrity, so its attempts to write into C:\Program Files\Adobe\Acrobat DC\Acrobat\ and into the root of C:\ were redirected by Windows into the per-user VirtualStore mirror. Note that desktop.ini.tmp and desktop.ini.exe in $Recycle.Bin carry identical hashes.

Filename (type)
  MD5 / SHA256

(filename not recorded in the report)
  MD5: - / SHA256: -

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp (executable)
  MD5: 494B458886BE5F960B5B09EEA8A1F163
  SHA256: F56161F82CF3CF4387BF7F0853997381E585E4CACCF832A3B7A17FA856A966E3

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp (executable)
  MD5: B296D4CE3E76FC55853377C6AD536C17
  SHA256: 35D9EF556FC760B8409600E7C04027F91C5A7262F8E5ECE708F0DCDDD2C05B0D

C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp (executable)
  MD5: 9B2634AEF2A1FE351C03138E45BF0B5B
  SHA256: 626C64896D0CFE8C3B8AC03DE862BD810937E220099F9AD60541ABB1D67E2B55

C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp (executable)
  MD5: DA907289223EBD13765C1F8F66F3F525
  SHA256: DBA7C31EB009EAD0F474BC863A13CD3910BA5D3B95C3D6A976E21A1F7FB560B8

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmp (executable)
  MD5: B41E6B2BE488FE81CFD3F47F29760185
  SHA256: EBE1E54B8D006490D6E7740CB5EF90EAD4387CC92272F4604840BA602B5AF3A4

C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe (executable)
  MD5: DA907289223EBD13765C1F8F66F3F525
  SHA256: DBA7C31EB009EAD0F474BC863A13CD3910BA5D3B95C3D6A976E21A1F7FB560B8

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp (executable)
  MD5: 7A205EE1145992E02AE51933768743AC
  SHA256: DC0D1EFEB128CC691EEDF8A49A8575D407E2FCE093BFB4C0029AA5166AFB595C

C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp (executable)
  MD5: EA19754C7F35FA9345AC5CF4F9FEAC7A
  SHA256: 494711C1466EA16FD1E037A21BAAD4662796748C3D5967F64919835A274D04F0

C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp (executable)
  MD5: 10C56BA203D52798D8D06B9B2F2FE2BF
  SHA256: 2F5B9BB0BB1F714220D8D29B0D7399F790D023F1543F6F3F43D00DCEE5934DE3
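The three file-system signatures above (drop in the system drive root, executable content overwritten, names that mimic system files) can be reproduced from the dropped-file list alone once the VirtualStore paths are mapped back to the locations the process actually targeted. The script below is an added example, not ANY.RUN output or part of the sample: it takes a constructed list of (path, sandbox type, SHA256) records copied from the table above, undoes the UAC virtualization redirect, tags each file, and groups identical content written under different names (the desktop.ini.tmp / desktop.ini.exe pair). The record shape, the SYSTEM_NAMES allowlist and the DATA_EXTS set are assumptions for the example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed from the "Dropped files" table of this report (PID 6444):
# (path as logged, type as classified by the sandbox, SHA256).
# The record shape is an assumption for this example, not ANY.RUN's export format.
DROPPED = [
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmp",
     "executable", "F56161F82CF3CF4387BF7F0853997381E585E4CACCF832A3B7A17FA856A966E3"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp",
     "executable", "35D9EF556FC760B8409600E7C04027F91C5A7262F8E5ECE708F0DCDDD2C05B0D"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp",
     "executable", "626C64896D0CFE8C3B8AC03DE862BD810937E220099F9AD60541ABB1D67E2B55"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmp",
     "executable", "DBA7C31EB009EAD0F474BC863A13CD3910BA5D3B95C3D6A976E21A1F7FB560B8"),
    (r"C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe",
     "executable", "DBA7C31EB009EAD0F474BC863A13CD3910BA5D3B95C3D6A976E21A1F7FB560B8"),
    (r"C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp",
     "executable", "2F5B9BB0BB1F714220D8D29B0D7399F790D023F1543F6F3F43D00DCEE5934DE3"),
]

# UAC file virtualization redirects a medium-integrity process's writes under
# %ProgramFiles%, %SystemRoot% and the drive root into this per-user mirror,
# keeping the path relative to the drive root.
VIRTUALSTORE = re.compile(
    r"^([A-Za-z]):\\Users\\[^\\]+\\AppData\\Local\\VirtualStore\\(.+)$", re.IGNORECASE)

# Assumption: a small allowlist of well-known Windows file names that a dropper
# or file infector might imitate; extend it from your own baseline.
SYSTEM_NAMES = {"desktop.ini", "bootnxt", "boottel.dat"}
# Extensions that should never carry PE content.
DATA_EXTS = {".png", ".ini", ".dat", ".txt", ".log", ".jpg"}


def devirtualize(path: str):
    """Return (intended path, was_virtualized) for a logged write path."""
    m = VIRTUALSTORE.match(path)
    if not m:
        return path, False
    return f"{m.group(1)}:\\{m.group(2)}", True


def classify(path: str, ftype: str):
    """Return (intended path, sorted list of finding tags) for one dropped file."""
    real, virtualized = devirtualize(path)
    p = PureWindowsPath(real)
    parts = p.name.lower().split(".")
    findings = set()
    if virtualized:
        findings.add("virtualized-write")        # write aimed at a protected location
    if len(p.parts) == 2:
        findings.add("system-drive-root")        # e.g. C:\BOOTNXT.tmp
    if len(parts) >= 2 and ".".join(parts[:-1]) in SYSTEM_NAMES:
        findings.add("system-name-lookalike")    # desktop.ini.exe, BOOTNXT.tmp
    if len(parts) >= 3 and ftype == "executable" and "." + parts[-2] in DATA_EXTS:
        findings.add("pe-under-data-extension")  # foo.png.tmp that is really a PE
    return real, sorted(findings)


def analyze(records):
    """Classify every record; group identical content written under different names."""
    report = {}
    by_hash = defaultdict(list)
    for path, ftype, sha256 in records:
        real, findings = classify(path, ftype)
        report[path] = (real, findings)
        by_hash[sha256.upper()].append(real)
    duplicates = {h: paths for h, paths in by_hash.items() if len(paths) > 1}
    return report, duplicates


if __name__ == "__main__":
    report, duplicates = analyze(DROPPED)
    for logged, (real, findings) in report.items():
        print(f"{real}\n    {', '.join(findings) or 'no finding'}")
    for sha, paths in duplicates.items():
        print(f"same content {sha[:12]}... written as: {paths}")
```

Run against the constructed records, BOOTNXT.tmp and bootTel.dat.tmp resolve to the root of C:\ (the "system drive root" signature), every .png/.ini/.dat.tmp with PE content is flagged, and the two desktop.ini variants collapse into one hash group, which is what you would check first when deciding whether a sample stages a copy of itself under a benign-looking name.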
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 19
DNS requests: 7
Threats: 0

HTTP requests

None of the four requests originate from the analysed process (PID 6444); they are CRL fetches by Windows components (svchost.exe and MoUsoCoreWorker.exe), all whitelisted. Type and Size were not recorded.

PID   Process              Method  Code  IP                 URL                                                                       CN       Reputation
2992  svchost.exe          GET     200   23.48.23.177:80    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
2992  svchost.exe          GET     200   184.30.21.171:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl       unknown  whitelisted
4712  MoUsoCoreWorker.exe  GET     200   23.48.23.177:80    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  unknown  whitelisted
4712  MoUsoCoreWorker.exe  GET     200   184.30.21.171:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl       unknown  whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No connection is attributed to PID 6444; the rows without a PID/process were recorded without process attribution. All destinations are whitelisted.

PID   Process              IP                     Domain                           ASN                          CN  Reputation
4712  MoUsoCoreWorker.exe  51.124.78.146:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
-     -                    192.168.100.255:137    -                                -                            -   whitelisted
2992  svchost.exe          51.124.78.146:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
-     -                    51.124.78.146:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  NL  whitelisted
-     -                    104.126.37.145:443     www.bing.com                     Akamai International B.V.    DE  whitelisted
4     System               192.168.100.255:138    -                                -                            -   whitelisted
2992  svchost.exe          23.48.23.177:80        crl.microsoft.com                Akamai International B.V.    DE  whitelisted
4712  MoUsoCoreWorker.exe  23.48.23.177:80        crl.microsoft.com                Akamai International B.V.    DE  whitelisted
2992  svchost.exe          184.30.21.171:80       www.microsoft.com                AKAMAI-AS                    DE  whitelisted
4712  MoUsoCoreWorker.exe  184.30.21.171:80       www.microsoft.com                AKAMAI-AS                    DE  whitelisted

DNS requests

Domain -> resolved IPs (reputation)
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
www.bing.com
  • 104.126.37.145
  • 104.126.37.137
  • 104.126.37.160
  • 104.126.37.163
  • 104.126.37.136
  • 104.126.37.162
  • 104.126.37.154
  • 104.126.37.153
  • 104.126.37.155
whitelisted
google.com
  • 142.250.181.238
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.167
  • 23.48.23.173
  • 23.48.23.145
  • 23.48.23.176
  • 23.48.23.164
  • 23.48.23.147
  • 23.48.23.156
  • 23.48.23.194
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.182.143.208
whitelisted

Threats

No threats detected
No debug info