File name:

cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe

Full analysis: https://app.any.run/tasks/177ef774-b371-4924-8089-defe92704383
Verdict: Malicious activity
Analysis date: January 10, 2025, 20:01:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
zombie
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed, 4 sections
MD5:

4289DC05B73B4D9FD97E77D0BC4E2B04

SHA1:

DC059ADB7AE474D4E0ECD401D4D79D3A2F73A41C

SHA256:

CF1220074A3CE75326782112C7D89485ECB0A5A31A3D3498D0C0E53FF8AEC30A

SSDEEP:

6144:Z5SvVVVVVVVVBfuj5qu5SvVVVVVVVVBfuj5q+:CvVVVVVVVVBfuj5qBvVVVVVVVVBfuj5B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • ZOMBIE has been detected (YARA)

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • Creates file in the systems drive root

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • The process creates files with name similar to system file names

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

  • INFO

    • Checks supported languages

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • Creates files or folders in the user directory

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)

    • UPX packer has been detected

      • cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe (PID: 4264)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (30.9)
.exe | Win64 Executable (generic) (27.3)
.exe | UPX compressed Win32 Executable (26.8)
.dll | Win32 Dynamic Link Library (generic) (6.5)
.exe | Win32 Executable (generic) (4.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:03:15 04:06:07+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 6
CodeSize: 8192
InitializedDataSize: 4096
UninitializedDataSize: 24576
EntryPoint: 0x2130
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
117
Monitored processes
1
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #ZOMBIE cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe

Process information

PID
CMD
Path
Indicators
Parent process
4264"C:\Users\admin\Desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe" C:\Users\admin\Desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
11
Read events
11
Write events
0
Delete events
0

Modification events

No data
Executable files
1 513
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe
MD5:
SHA256:
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmpexecutable
MD5:9168E8592C75907AE0B407CB381C3925
SHA256:CDE783F20E903C29C68BC2DD0A4146955CC183D6D512A33CF5B921CC60569D6F
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\bootmgr.tmpexecutable
MD5:26ED1F8461E814BF5788C8E57D7693A9
SHA256:A020066B598AC2ED4BB371E0A7398099662B41C318F954D67B42C054064A486C
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmpexecutable
MD5:6F62AB7A4296460E458868525C23A442
SHA256:E6976E49EB5EC2F82862BBE13196FE0B40AD2AF3ACD41EBEA3EE3E13BA586CEE
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe.tmpexecutable
MD5:04800AC4D5CF43565F7540A3717C305D
SHA256:82CAFB793256D6972B2F2F743C645C4B599418B1F580F065519E5A159930B93C
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmpexecutable
MD5:28699B38C55F72A0A888EEAD8A853A35
SHA256:41BCF971035E8BA0C943FD1804417767CA1917D29C1AFF7D2FEC0D6566C68FDD
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmpexecutable
MD5:ECC517D41DDC78B6A9EE4666637898C8
SHA256:69B86C9C449FF94C27929E853E6563CBD7B1865CDD334153CEDE5A067C9AB975
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef.pak.tmpexecutable
MD5:9193FE29A2C1301CD1174D48567D2637
SHA256:7F354975199B96AE7F7DCA5FA76D84A328BB6B1D94B2A83648A6BCA79204BB91
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\cef_extensions.pak.tmpexecutable
MD5:3036CA6A00AE197328651E43C73B58DF
SHA256:C420989EF707DC12F452E0DE3AE5FDC73FE85A32E7AF4AFD3CF179EA1DD774A0
4264cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_reader_appicon_16.png.tmpexecutable
MD5:0C696497CBE0C0CE0E07309FA2628ECD
SHA256:C39D24975DB3B72F054C4FD2E8DA09192FE95A66E1B0A7895B6A5C56A4723075
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2356
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
2356
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
92.123.104.32:443
www.bing.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4712
MoUsoCoreWorker.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2356
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2356
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 92.123.104.32
  • 92.123.104.34
  • 92.123.104.38
whitelisted
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
self.events.data.microsoft.com
  • 52.182.143.209
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
cf1220074a3ce75326782112c7d89485ecb0a5a31a3d3498d0c0e53ff8aec30a.exe