File name:

cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe

Full analysis: https://app.any.run/tasks/177ef774-b371-4924-8089-defe92704383
Verdict: Malicious activity
Analysis date: January 10, 2025, 20:01:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

4289DC05B73B4D9FD97E77D0BC4E2B04

SHA1:

DC059ADB7AE474D4E0ECD401D4D79D3A2F73A41C

SHA256:

CF1220074A3CE75326782112C7D89485ECB0A5A31A3D3498D0C0E53FF8AEC30A

SSDEEP:

6144:Z5SvVVVVVVVVBfuj5qu5SvVVVVVVVVBfuj5q+:CvVVVVVVVVBfuj5qBvVVVVVVVVBfuj5B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • Executable content was dropped or overwritten

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • The process creates files with name similar to system file names

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

  • INFO

    • Checks supported languages

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • Creates files or folders in the user directory

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • UPX packer has been detected

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe

Process information

PID
CMD
Path
Indicators
Parent process
4264"C:\Users\admin\Desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe" C:\Users\admin\Desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 513
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
MD5:
SHA256:
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:9168E8592C75907AE0B407CB381C3925
SHA256:CDE783F20E903C29C68BC2DD0A4146955CC183D6D512A33CF5B921CC60569D6F
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmpexecutable
MD5:F9BCFF56DBDACD5FA8ADEE8C90BD7BD0
SHA256:180A470466F965B6343EFB1B2D012EEFB0DA3E41EDB4BBFE3200763DB620740B
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmpexecutable
MD5:769E12F7F59E1B93EE5C3B15D016FAD5
SHA256:41C02A771E99A0A8DBDE5E753E5F9A35C361CDDA84724DC48FA0678105FF27BC
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.exeexecutable
MD5:F500D4721B1690368B275535BAE32FC8
SHA256:6D664A389A28FB6A741F10C72DE73B7D56754199468E98B8314ADAFCF87B75CA
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmpexecutable
MD5:44C7DCB4BCCF3C9C2393F2535C9B958B
SHA256:B04C3D313B8D87FF96BEB16BA770C2DFCC4E38FA7EA7DCC5FD8808E3D6C16296
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\desktop.ini.tmpexecutable
MD5:F500D4721B1690368B275535BAE32FC8
SHA256:6D664A389A28FB6A741F10C72DE73B7D56754199468E98B8314ADAFCF87B75CA
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:26ED1F8461E814BF5788C8E57D7693A9
SHA256:A020066B598AC2ED4BB371E0A7398099662B41C318F954D67B42C054064A486C
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:28699B38C55F72A0A888EEAD8A853A35
SHA256:41BCF971035E8BA0C943FD1804417767CA1917D29C1AFF7D2FEC0D6566C68FDD
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmpexecutable
MD5:F1864F21CD7A35A1CD2406C6008F3958
SHA256:F01DA0BFCFF608E8E462D6722B83D95F63A115B0766302DC01CE4D02633878C8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2356
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2356
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
92.123.104.32:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2356
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.32
  • 92.123.104.34
  • 92.123.104.38
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.182.143.209
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe