File name: 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe

Full analysis: https://app.any.run/tasks/c5a9ad02-7005-4bcd-9671-d059025bf287
Verdict: Malicious activity
Analysis date: November 24, 2024, 03:48:31
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: evasion, pykspa
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 8A565BC5BBFD2DE383852ACCE1DDC424
SHA1: 65ABB133B8D751E08B75332DE39FD8C8D432BB46
SHA256: 66336EABC7A12FB847CAEF109994E87068839B51DC97D9663D20709B2D23B251
SSDEEP: 12288:v5KvSFU/94LYz5rWLm+Rm7b0445JD5eKm3eve4+uc:vwvSFU/+Lc5rWLm+R2bE5JD5jRW4+H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • UAC/LUA settings modification

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 5448)
      • msyaml.exe (PID: 4832)
    • Changes the autorun value in the registry

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 5448)
      • msyaml.exe (PID: 4832)
    • Changes appearance of the Explorer extensions

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 5448)
      • msyaml.exe (PID: 4832)
    • PYKSPA has been detected (SURICATA)

      • msyaml.exe (PID: 5448)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
    • Reads the Internet Settings

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 4832)
      • msyaml.exe (PID: 5448)
    • Reads security settings of Internet Explorer

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 4832)
      • msyaml.exe (PID: 5448)
    • Potential Corporate Privacy Violation

      • msyaml.exe (PID: 5448)
    • Checks for external IP

      • svchost.exe (PID: 1656)
      • msyaml.exe (PID: 5448)
  • INFO

    • Process checks whether UAC notifications are on

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 5448)
      • msyaml.exe (PID: 4832)
    • Create files in a temporary directory

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 5448)
    • Reads the computer name

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 5448)
      • msyaml.exe (PID: 4832)
      • FileCoAuth.exe (PID: 2052)
      • SearchHost.exe (PID: 5788)
    • Checks supported languages

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 5448)
      • msyaml.exe (PID: 4832)
      • FileCoAuth.exe (PID: 2052)
      • SearchHost.exe (PID: 5788)
    • The process uses the downloaded file

      • 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (PID: 5292)
      • msyaml.exe (PID: 5448)
    • Checks proxy server information

      • SearchHost.exe (PID: 5788)
    • Creates files or folders in the user directory

      • FileCoAuth.exe (PID: 2052)
      • msyaml.exe (PID: 5448)
      • SearchHost.exe (PID: 5788)
    • Reads Environment values

      • SearchHost.exe (PID: 5788)
    • Reads the machine GUID from the registry

      • SearchHost.exe (PID: 5788)
    • Reads the software policy settings

      • SearchHost.exe (PID: 5788)
    • Reads product name

      • SearchHost.exe (PID: 5788)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:12:09 08:52:06+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7.1
CodeSize: 167936
InitializedDataSize: 245760
UninitializedDataSize: -
EntryPoint: 0x22b93
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 192
Monitored processes: 50
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Interactive process graph; rendered in the full report.) Nodes listed: start, 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe (#PYKSPA), msyaml.exe, msyaml.exe, a long run of regedit.exe nodes (alternately tagged "no specs" and untagged), svchost.exe, filecoauth.exe (no specs), regedit.exe (no specs), searchhost.exe, regedit.exe, regedit.exe (no specs), regedit.exe.

Process information

PID: 384
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\zgnqddl.reg"
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: msyaml.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regedit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 464
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\zgnqddl.reg"
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: msyaml.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regedit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 536
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\zgnqddl.reg"
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: msyaml.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regedit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 1076
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\zgnqddl.reg"
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: msyaml.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regedit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 1216
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\zgnqddl.reg"
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: msyaml.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regedit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64base.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64con.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll

PID: 1228
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\zgnqddl.reg"
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: msyaml.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regedit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64base.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64con.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll

PID: 1592
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\zgnqddl.reg"
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: msyaml.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regedit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 1600
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\zgnqddl.reg"
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: msyaml.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Registry Editor
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regedit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64base.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64con.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll

PID: 1656
CMD: C:\Windows\system32\svchost.exe -k NetworkService -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\svchost.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\kernel.appcore.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\bcryptprimitives.dll

PID: 1688
CMD: "regedit.exe" "C:\Users\admin\AppData\Local\Temp\zgnqddl.reg"
Path: C:\Windows\SysWOW64\regedit.exe
Parent process: msyaml.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Editor
Exit code: 3221226540
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regedit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
Total events: 31 826
Read events: 31 288
Write events: 537
Delete events: 1

Modification events

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: EnableLUA
Value: 0

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: qcowotgzirgk
Value: yoeqmvmjwjcknysu.exe

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: pcpyrxlfpzpuu
Value: ogymkvoncrmwbokocz.exe .

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: tixidlbxjvnuwgz
Value: fwnaxhzxlztcgsnqd.exe

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: yoeqmvmjwjcknysu
Value: ogymkvoncrmwbokocz.exe .

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: ogymkvoncrmwbokocz
Value: C:\Users\admin\AppData\Local\Temp\bwrijxtvnfdqyonullpjj.exe

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: fwnaxhzxlztcgsnqd
Value: C:\Users\admin\AppData\Local\Temp\bwrijxtvnfdqyonullpjj.exe .

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: qcowotgzirgk
Value: C:\Users\admin\AppData\Local\Temp\mgaqqdyzqheqxmkqgfib.exe

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: pcpyrxlfpzpuu
Value: C:\Users\admin\AppData\Local\Temp\mgaqqdyzqheqxmkqgfib.exe .

(PID) Process: (5292) 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation: write
Name: DisableRegistryTools
Value: 1
Executable files: 1
Suspicious files: 22
Text files: 15
Unknown types: 0

Dropped files

PID 5448, msyaml.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\dcbwbttzvrtkwqtezdljn.kvt
  Type: binary
  MD5: 8688BC1DBF51A79789D34B8D2102D87E
  SHA256: 52C068E63C16F6AACCBFCD9188E56D2C9A53CED66C12F2E01E54CA663B1B09FE

PID 5292, 66336eabc7a12fb847caef109994e87068839b51dc97d9663d20709b2d23b251.exe
  Filename: C:\Users\admin\AppData\Local\Temp\msyaml.exe
  Type: executable
  MD5: 8A565BC5BBFD2DE383852ACCE1DDC424
  SHA256: 66336EABC7A12FB847CAEF109994E87068839B51DC97D9663D20709B2D23B251

PID 5448, msyaml.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\dcbwbttzvrtkwqtezdljn.kvt
  Type: binary
  MD5: 8688BC1DBF51A79789D34B8D2102D87E
  SHA256: 52C068E63C16F6AACCBFCD9188E56D2C9A53CED66C12F2E01E54CA663B1B09FE

PID 5448, msyaml.exe
  Filename: C:\Users\admin\AppData\Local\Temp\yisyorctahuwtymiodwfuvnjsoyioehs.qxk
  Type: binary
  MD5: 5318EBC9854A0A44898A8E35B2B13A9A
  SHA256: 3E83EFDDA9AD0EF321DDD050903A9B25197A4DAF27A270CD7E6335412EC6ABA1

PID 5448, msyaml.exe
  Filename: C:\Users\admin\AppData\Local\Temp\zgnqddl.reg
  Type: text
  MD5: A8702BDFF482E47B2E74B115FFAAF779
  SHA256: 15BD561433C476CB5E4AD5EB3AFE7ECA32841149FFDC21E1D33181532669EE6B

PID 5448, msyaml.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files (x86)\dcbwbttzvrtkwqtezdljn.kvt
  Type: binary
  MD5: 8688BC1DBF51A79789D34B8D2102D87E
  SHA256: 52C068E63C16F6AACCBFCD9188E56D2C9A53CED66C12F2E01E54CA663B1B09FE

PID 5448, msyaml.exe
  Filename: C:\Users\admin\AppData\Local\yisyorctahuwtymiodwfuvnjsoyioehs.qxk
  Type: binary
  MD5: 5318EBC9854A0A44898A8E35B2B13A9A
  SHA256: 3E83EFDDA9AD0EF321DDD050903A9B25197A4DAF27A270CD7E6335412EC6ABA1

PID 5448, msyaml.exe
  Filename: C:\Users\admin\AppData\Local\Temp\dcbwbttzvrtkwqtezdljn.kvt
  Type: binary
  MD5: 8688BC1DBF51A79789D34B8D2102D87E
  SHA256: 52C068E63C16F6AACCBFCD9188E56D2C9A53CED66C12F2E01E54CA663B1B09FE

PID 5448, msyaml.exe
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\yisyorctahuwtymiodwfuvnjsoyioehs.qxk
  Type: binary
  MD5: 5318EBC9854A0A44898A8E35B2B13A9A
  SHA256: 3E83EFDDA9AD0EF321DDD050903A9B25197A4DAF27A270CD7E6335412EC6ABA1

PID 5448, msyaml.exe
  Filename: C:\Users\admin\AppData\Local\dcbwbttzvrtkwqtezdljn.kvt
  Type: binary
  MD5: 8688BC1DBF51A79789D34B8D2102D87E
  SHA256: 52C068E63C16F6AACCBFCD9188E56D2C9A53CED66C12F2E01E54CA663B1B09FE
HTTP(S) requests: 56
TCP/UDP connections: 41
DNS requests: 39
Threats: 24

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5028 | rundll32.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d2846a3933bcc643 | unknown | - | - | whitelisted
1776 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | - | - | whitelisted
1296 | svchost.exe | GET | 200 | 2.16.168.13:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | - | - | whitelisted
- | - | HEAD | 200 | 23.213.164.137:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | - | - | -
- | - | POST | 200 | 95.101.74.224:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
2552 | MoUsoCoreWorker.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?de3853cfcfe64408 | unknown | - | - | whitelisted
2860 | svchost.exe | GET | 200 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?d427199d7579a766 | unknown | - | - | whitelisted
1776 | firefox.exe | POST | 200 | 95.101.74.224:80 | http://r10.o.lencr.org/ | unknown | - | - | whitelisted
2860 | svchost.exe | GET | 304 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a630cbd5594efc7a | unknown | - | - | whitelisted
2860 | svchost.exe | GET | 200 | 23.32.238.201:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?5f2b6b6f12087c12 | unknown | - | - | whitelisted

(A "-" marks a cell that is empty in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5244 | OfficeC2RClient.exe | 52.109.76.240:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5552 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1776 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted
1776 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
5028 | rundll32.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1296 | svchost.exe | 2.16.168.13:80 | - | Akamai International B.V. | RU | unknown
5028 | rundll32.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
1776 | firefox.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1776 | firefox.exe | 95.101.74.224:80 | r10.o.lencr.org | Akamai International B.V. | NL | whitelisted

(A "-" marks a cell that is empty in the report.)

DNS requests

Domain | IP | Reputation
firefox.settings.services.mozilla.com | 34.149.100.209 | whitelisted
incoming.telemetry.mozilla.org | 34.120.208.123 | whitelisted
prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | whitelisted
telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | whitelisted
google.com | 142.250.186.110 | whitelisted
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172, 23.32.238.201, 23.32.238.208 | whitelisted
r10.o.lencr.org | 95.101.74.224, 95.101.74.223 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
fp2e7a.wpc.phicdn.net | 192.229.221.95, 2606:2800:233:fa02:67b:9ff6:6107:833 | whitelisted
a1887.dscq.akamai.net | 95.101.74.224, 95.101.74.223, 2a02:26f0:3100::1735:29f0, 2a02:26f0:3100::1735:2a18 | whitelisted

Threats

PID | Process | Class | Message
1296 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
5448 | msyaml.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host)
5448 | msyaml.exe | A Network Trojan was detected | ET MALWARE Win32/Pykspa.C Public IP Check
5448 | msyaml.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host)
5448 | msyaml.exe | A Network Trojan was detected | ET MALWARE Win32/Pykspa.C Public IP Check
5448 | msyaml.exe | A Network Trojan was detected | ET MALWARE Win32/Pykspa.C Public IP Check
5448 | msyaml.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host)
5448 | msyaml.exe | Potential Corporate Privacy Violation | ET POLICY IP Check Domain (showmyipaddress .com in HTTP Host)
5448 | msyaml.exe | A Network Trojan was detected | ET MALWARE Win32/Pykspa.C Public IP Check
5448 | msyaml.exe | Attempted Information Leak | ET POLICY IP Check Domain (whatismyip in HTTP Host)
2 ETPRO signatures available at the full report
No debug info