File name:

cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe

Full analysis: https://app.any.run/tasks/177ef774-b371-4924-8089-defe92704383
Verdict: Malicious activity
Analysis date: January 10, 2025, 20:01:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

4289DC05B73B4D9FD97E77D0BC4E2B04

SHA1:

DC059ADB7AE474D4E0ECD401D4D79D3A2F73A41C

SHA256:

CF1220074A3CE75326782112C7D89485ECB0A5A31A3D3498D0C0E53FF8AEC30A

SSDEEP:

6144:Z5SvVVVVVVVVBfuj5qu5SvVVVVVVVVBfuj5q+:CvVVVVVVVVBfuj5qBvVVVVVVVVBfuj5B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • The process creates files with name similar to system file names

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • Creates file in the systems drive root

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

  • INFO

    • Creates files or folders in the user directory

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • Checks supported languages

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • UPX packer has been detected

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe

Process information

PID
CMD
Path
Indicators
Parent process
4264"C:\Users\admin\Desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe" C:\Users\admin\Desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Total events
0
Read events
0
Write events
0
Delete events
0

Modification events

No data
Executable files
1 513
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
MD5:
SHA256:
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:F500D4721B1690368B275535BAE32FC8
SHA256:6D664A389A28FB6A741F10C72DE73B7D56754199468E98B8314ADAFCF87B75CA
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:9168E8592C75907AE0B407CB381C3925
SHA256:CDE783F20E903C29C68BC2DD0A4146955CC183D6D512A33CF5B921CC60569D6F
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:769E12F7F59E1B93EE5C3B15D016FAD5
SHA256:41C02A771E99A0A8DBDE5E753E5F9A35C361CDDA84724DC48FA0678105FF27BC
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:44C7DCB4BCCF3C9C2393F2535C9B958B
SHA256:B04C3D313B8D87FF96BEB16BA770C2DFCC4E38FA7EA7DCC5FD8808E3D6C16296
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:F500D4721B1690368B275535BAE32FC8
SHA256:6D664A389A28FB6A741F10C72DE73B7D56754199468E98B8314ADAFCF87B75CA
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmpexecutable
MD5:3036CA6A00AE197328651E43C73B58DF
SHA256:C420989EF707DC12F452E0DE3AE5FDC73FE85A32E7AF4AFD3CF179EA1DD774A0
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmpexecutable
MD5:9193FE29A2C1301CD1174D48567D2637
SHA256:7F354975199B96AE7F7DCA5FA76D84A328BB6B1D94B2A83648A6BCA79204BB91
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_200_percent.pak.tmpexecutable
MD5:D0C6F27C12501397EEDF690CB4C57D9C
SHA256:E7336294705EBC5ADE3AF99FEB3E40B1EEC66D73701CC414D824E4D5EF328B27
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_100_percent.pak.tmpexecutable
MD5:81E2B72B1CA1AE0A3C98A999E6FCE254
SHA256:01A6F89EAA32BC1F040A173301227880EA18B7D58CA12E3502982A7806216BDE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2356
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2356
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
92.123.104.32:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2356
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.32
  • 92.123.104.34
  • 92.123.104.38
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.182.143.209
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe