File name:

cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe

Full analysis: https://app.any.run/tasks/177ef774-b371-4924-8089-defe92704383
Verdict: Malicious activity
Analysis date: January 10, 2025, 20:01:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

4289DC05B73B4D9FD97E77D0BC4E2B04

SHA1:

DC059ADB7AE474D4E0ECD401D4D79D3A2F73A41C

SHA256:

CF1220074A3CE75326782112C7D89485ECB0A5A31A3D3498D0C0E53FF8AEC30A

SSDEEP:

6144:Z5SvVVVVVVVVBfuj5qu5SvVVVVVVVVBfuj5q+:CvVVVVVVVVBfuj5qBvVVVVVVVVBfuj5B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • The process creates files with name similar to system file names

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • Executable content was dropped or overwritten

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

  • INFO

    • Creates files or folders in the user directory

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • Checks supported languages

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • UPX packer has been detected

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe

Process information

PID
CMD
Path
Indicators
Parent process
4264"C:\Users\admin\Desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe" C:\Users\admin\Desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 513
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
MD5:
SHA256:
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe.tmpexecutable
MD5:C60C3426CE4BEBD272EB7C8BA296607E
SHA256:0BE27441C73E9C423353F4DE5C64A8FEA25449B1130BD62CF8B25D1E1F52F227
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:26ED1F8461E814BF5788C8E57D7693A9
SHA256:A020066B598AC2ED4BB371E0A7398099662B41C318F954D67B42C054064A486C
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:6F62AB7A4296460E458868525C23A442
SHA256:E6976E49EB5EC2F82862BBE13196FE0B40AD2AF3ACD41EBEA3EE3E13BA586CEE
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmpexecutable
MD5:639E57E41868DF7355EF76CFEBE98C1A
SHA256:636BEEE41C12DE8440E549556F40C3FA0ADD9D825EF5A1FDF604ED945CDA63B5
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmpexecutable
MD5:9193FE29A2C1301CD1174D48567D2637
SHA256:7F354975199B96AE7F7DCA5FA76D84A328BB6B1D94B2A83648A6BCA79204BB91
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:28699B38C55F72A0A888EEAD8A853A35
SHA256:41BCF971035E8BA0C943FD1804417767CA1917D29C1AFF7D2FEC0D6566C68FDD
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe.tmpexecutable
MD5:9F54BD2D8BA1E6FB1AD9AB9A31155093
SHA256:73D3F95C03C11820196356E55481D446912BE888836EDD3F1B59CFB4C46FDA5D
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmpexecutable
MD5:F1864F21CD7A35A1CD2406C6008F3958
SHA256:F01DA0BFCFF608E8E462D6722B83D95F63A115B0766302DC01CE4D02633878C8
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmpexecutable
MD5:ECC517D41DDC78B6A9EE4666637898C8
SHA256:69B86C9C449FF94C27929E853E6563CBD7B1865CDD334153CEDE5A067C9AB975
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2356
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2356
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
92.123.104.32:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2356
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.32
  • 92.123.104.34
  • 92.123.104.38
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.182.143.209
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe