File name:	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8
Full analysis:	https://app.any.run/tasks/e958134a-d2ac-42c1-83a4-e60a5a235f9f
Verdict:	Malicious activity
Analysis date:	December 13, 2024, 19:41:44
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	zombie upx
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:	E1FD7DA8A41148151D3FA95E63E1D07B
SHA1:	090F7550831BD7EE8C2040C3BE6A7F61D9865D6F
SHA256:	CC1AB5B0121EC635EB8CA97EEF9B249754693BC57707AC682FF0F1C99B0386A8
SSDEEP:	12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7/JvVVVVVVVVguFTDhSfWJUNo5kUe7/C:AuFRSfWJUq5kUebSuFRSfWJUq5kUebC

.exe	\|	Win32 Executable MS Visual C++ (generic) (30.9)
.exe	\|	Win64 Executable (generic) (27.3)
.exe	\|	UPX compressed Win32 Executable (26.8)
.dll	\|	Win32 Dynamic Link Library (generic) (6.5)
.exe	\|	Win32 Executable (generic) (4.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:03:15 04:06:07+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	6
CodeSize:	8192
InitializedDataSize:	4096
UninitializedDataSize:	24576
EntryPoint:	0x2130
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe			—
		MD5:—	SHA256:—
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp		executable
		MD5:0BF140BB2A50054DCC6E943BDE0C0C3D	SHA256:46447066B74DBC6615DA97EB46C55238A4305B7465121BA707DC8302E065A926
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe	C:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmp		executable
		MD5:1F86C514A49F5399B920DFE989844F48	SHA256:3703D0271B410353B47028F417212521ACC7ADAEE058D5D6493B2504A6C728BE
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe	C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exe		executable
		MD5:DA907289223EBD13765C1F8F66F3F525	SHA256:DBA7C31EB009EAD0F474BC863A13CD3910BA5D3B95C3D6A976E21A1F7FB560B8
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmp		executable
		MD5:5CF0C689BEAB020FF9F23D865F565E70	SHA256:261B80FB0869AAC515C17AEFAD31A9AB5B3CF471E952D571068E78AEC3569FA6
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmp		executable
		MD5:47F5A648FB1F7301F4BF42EAA25D91D7	SHA256:8BD7F5CEDE49D8CBF35ACD064DF8533756B8888281F8D5AB14283C945EC2ABA8
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe	C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp		executable
		MD5:9B2634AEF2A1FE351C03138E45BF0B5B	SHA256:626C64896D0CFE8C3B8AC03DE862BD810937E220099F9AD60541ABB1D67E2B55
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe	C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp		executable
		MD5:10C56BA203D52798D8D06B9B2F2FE2BF	SHA256:2F5B9BB0BB1F714220D8D29B0D7399F790D023F1543F6F3F43D00DCEE5934DE3
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp		executable
		MD5:7A205EE1145992E02AE51933768743AC	SHA256:DC0D1EFEB128CC691EEDF8A49A8575D407E2FCE093BFB4C0029AA5166AFB595C
6444	cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:8761E6667DF2E760FCAFD2E985067905	SHA256:8A05F161F1ABEBE4ED45B5F1D87916ACA16B28041AC6B9DE006658BADF942E4E

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.177:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2992	svchost.exe	GET	200	23.48.23.177:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2992	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
2992	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	104.126.37.145:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2992	svchost.exe	23.48.23.177:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.177:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2992	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
www.bing.com	104.126.37.145 104.126.37.137 104.126.37.160 104.126.37.163 104.126.37.136 104.126.37.162 104.126.37.154 104.126.37.153 104.126.37.155	whitelisted
google.com	142.250.181.238	whitelisted
crl.microsoft.com	23.48.23.177 23.48.23.167 23.48.23.173 23.48.23.145 23.48.23.176 23.48.23.164 23.48.23.147 23.48.23.156 23.48.23.194	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	52.182.143.208	whitelisted

General Info

cc1ab5b0121ec635eb8ca97eef9b249754693bc57707ac682ff0f1c99b0386a8

E1FD7DA8A41148151D3FA95E63E1D07B

090F7550831BD7EE8C2040C3BE6A7F61D9865D6F

CC1AB5B0121EC635EB8CA97EEF9B249754693BC57707AC682FF0F1C99B0386A8

12288:XvVVVVVVVVIuFTDhSfWJUNo5kUe7/JvVVVVVVVVguFTDhSfWJUNo5kUe7/C:AuFRSfWJUq5kUebSuFRSfWJUq5kUebC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Creates file in the systems drive root

Executable content was dropped or overwritten

The process creates files with name similar to system file names

INFO

Creates files or folders in the user directory

Checks supported languages

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings