File name: sans-simulator.exe

Full analysis: https://app.any.run/tasks/24a68970-8b24-4abc-8d65-09ccdf813885
Verdict: Malicious activity
Analysis date: June 21, 2025, 20:32:16
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 60EF884EE30D22F73DF6A12F1D8B45D6
SHA1: 68644DC4EC055CDB1A9540D89E823B860DCB792B
SHA256: 125DDAD93CF41DB0444D4A9470586BFC77672C964443E2C26F491F9EB85C95FD
SSDEEP: 196608:knR0spogYseU9GwbGFr09c2letV3pEOSn//LchsskTsVkpwJN+zJbM9Ck4B:knSsppYsKws0OHF0ohss1JN+FQUk4B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • sans-simulator.exe (PID: 2628)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • sans-simulator.exe (PID: 2072)
    • There is functionality for taking screenshot (YARA)

      • sans-simulator.exe (PID: 2072)
  • INFO

    • Create files in a temporary directory

      • sans-simulator.exe (PID: 2072)
    • Checks supported languages

      • sans-simulator.exe (PID: 2072)
    • The sample compiled with english language support

      • sans-simulator.exe (PID: 2072)
    • Checks proxy server information

      • slui.exe (PID: 3936)
    • Reads the software policy settings

      • slui.exe (PID: 3936)
    • Reads the computer name

      • sans-simulator.exe (PID: 2072)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:10 16:58:55+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 525312
InitializedDataSize: 435712
UninitializedDataSize: -
EntryPoint: 0x5faa5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.0
ProductVersionNumber: 2.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Process default
CharacterSet: Unicode
CompanyName: Neko'mmunity
FileDescription: Sans Simulator Release
FileVersion: 2.0.0
LegalCopyright: NekoGlass
All screenshots are available in the full report
Total processes: 137
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Nodes: start, sans-simulator.exe, slui.exe, sans-simulator.exe (no specs)

Process information

PID: 2072
CMD: "C:\Users\admin\Desktop\sans-simulator.exe"
Path: C:\Users\admin\Desktop\sans-simulator.exe
Parent process: explorer.exe
User: admin
Company: Neko'mmunity
Integrity Level: HIGH
Description: Sans Simulator Release
Version: 2.0.0
Modules (Images):
c:\users\admin\desktop\sans-simulator.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 2628
CMD: "C:\Users\admin\Desktop\sans-simulator.exe"
Path: C:\Users\admin\Desktop\sans-simulator.exe
Parent process: explorer.exe
User: admin
Company: Neko'mmunity
Integrity Level: MEDIUM
Description: Sans Simulator Release
Exit code: 3221226540
Version: 2.0.0
Modules (Images):
c:\users\admin\desktop\sans-simulator.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 3936
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 895
Read events: 3 886
Write events: 9
Delete events: 0

Modification events

(PID) Process: (2072) sans-simulator.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\DirectSound\Speaker Configuration
Operation: write
Name: Speaker Configuration
Value: 4

(PID) Process: (2072) sans-simulator.exe
Key: HKEY_CURRENT_USER\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0
Operation: write
Name: GUID
Value: 10B3C5DEDE4EF0118001444553540000

(PID) Process: (2072) sans-simulator.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: Version
Value: 0A050000

(PID) Process: (2072) sans-simulator.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: Name
Value: SANS-SIMULATOR.EXE

(PID) Process: (2072) sans-simulator.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: Id
Value: SANS-SIMULATOR.EXE5FD253CF019FCBB0

(PID) Process: (2072) sans-simulator.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
Operation: write
Name: MostRecentStart
Value: 1B301CA1EBE2DB01
Executable files: 12
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\Key.mfx | executable
MD5:19836CE4FB47847489F3C2C4D14A4A87
SHA256:869C07C4A74D958EBFF04AD3E5046E9F5AB3CDA63E12EDACB15D9DD8D443A74B
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\mmf2d3d8.dll | executable
MD5:FA439EDEB7D0BF6F637670F14CEBD157
SHA256:B558A04FD67D0D7CD71170A2B7A1BFD004F0B5BCC268E7B38C3A12FE72CA26D8
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\oggflt.sft | executable
MD5:0C8C1EE3BA92189F4CE21D1B396A2765
SHA256:9E589F86317D840DF9BB74F6EE20C24CA65AFE58F4009740382F63A0F5531941
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\kcedit.mfx | executable
MD5:11A493B3D84A7E8A017A7151FFADD97D
SHA256:451C843C89CA05F37E77468BC6B1A63E78B92D2D4DAC630AD7F6555D9BC4AD38
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\mp3flt.sft | executable
MD5:DADC138BE9D36E6E4B8E4BF9EF2DE4BC
SHA256:DDEAFDA7B28BF7545E3BA164AA4A74219EB961C36BB974E0F5085A07DAF18F44
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\RedRelayClient.mfx | executable
MD5:46B8A621E8BC1E420FE746236E1CCB98
SHA256:2461D59C1768158D2F5DF209D1F0ED67E6D6F2FC1CB4E4946A642989FD4ADA56
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\mmf2d3d9.dll | executable
MD5:3AE47534F1224C4797176107A9A41683
SHA256:53EDF5138930D52B473104CE0D085413248D15A4AA891AC02A718E89625DE6EF
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\mmfs2.dll | executable
MD5:09FEB373CFCF9FD9A618D0A38759E297
SHA256:4DE2B0753A286D3572574D6C03F769176973B9E2EB53F5B6645B32854983EFF0
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\kcini.mfx | executable
MD5:82CFC8736716B25A05D11F0E0C2C4BF1
SHA256:EBBBFED7862181D63D8D3D9E055B419B68C7AF60BD51B1925CF3CE28712EBA31
2072 | sans-simulator.exe | C:\Users\admin\AppData\Local\Temp\ce7a99ff-b344-489c-b586-f1e8c60c9aa9.FusionApp\waveFlt.sft | executable
MD5:57EA61DD14314EF155E80C6A0BE8A664
SHA256:92A5053CF5973A6AA228C738D55387F12F1DFA8A837D7B938C60F05B6B56B3AD
HTTP(S) requests: 28
TCP/UDP connections: 39
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.128:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
2468 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.128:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
592 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
592 | SIHClient.exe | GET | 200 | 184.24.77.23:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.66:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.160.66:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2468 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
2468 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
whitelisted
google.com
  • 216.58.212.142
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
  • 184.24.77.23
  • 184.24.77.14
  • 184.24.77.9
  • 184.24.77.13
  • 184.24.77.19
  • 184.24.77.7
  • 184.24.77.12
  • 184.24.77.10
  • 184.24.77.11
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.67
  • 40.126.32.74
  • 20.190.160.132
  • 20.190.160.4
  • 20.190.160.66
  • 20.190.160.64
  • 20.190.160.65
  • 40.126.32.133
whitelisted
nexusrules.officeapps.live.com
  • 52.111.229.19
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

No threats detected
Process | Message
sans-simulator.exe | Start app
sans-simulator.exe | Start Frame 0
sans-simulator.exe | End Frame 0
sans-simulator.exe | Start Frame 1