File name:	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3
Full analysis:	https://app.any.run/tasks/d7057beb-5bf2-4670-80a7-8cc49e1fc7fc
Verdict:	Malicious activity
Analysis date:	October 09, 2024, 22:21:31
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	sinkhole
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	F3530BF81351BC22ED14D076242E39F8
SHA1:	8F9A28AA95410821EAED935C5E48265CB5D2CE13
SHA256:	75154791ECA35EA5C47AE6E7FE75E4952CC10557A0782E31C63012FE4EAE03E3
SSDEEP:	6144:GWUm6wbXiiBaVwUbMxDAs+Kvm3MxaX506S5KftMUjEUxy8Q0MvTYGnW2E4rix:Gjm6wbXbBXUbGp6S5KftMIrkWD6i

.exe	\|	Win32 Executable MS Visual C++ (generic) (46.3)
.exe	\|	Win64 Executable (generic) (41)
.exe	\|	Win32 Executable (generic) (6.6)
.exe	\|	Generic Win/DOS Executable (2.9)
.exe	\|	DOS Executable Generic (2.9)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:06:20 19:18:48+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	11264
InitializedDataSize:	355840
UninitializedDataSize:	-
EntryPoint:	0x2c10
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(2432) 75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	26b799fa
Value: C:\Users\admin\Desktop\75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe
(PID) Process:	(2432) 75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2432) 75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2432) 75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2432) 75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft
Operation:	write	Name:	d9486693a
Value: 607312
(PID) Process:	(2432) 75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft
Operation:	write	Name:	d94867bfa
Value: 64114

PID	Process	Filename		Type
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\login[1].php		text
		MD5:32682312D17C7CBF18E73594F5570319	SHA256:E55FB1A1D731153E943B68844AF12DCCE8BFAC917C98FFDEA64C80DA0607DD47
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\login[3].htm		html
		MD5:7A5DF79FBAAFF2C161C6E29461785403	SHA256:B1C52A7C21C4B21BF69866D7859284068D6ECC90306FE22076F81DAA0176A7ED
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\login[2].htm		html
		MD5:4F8E702CC244EC5D4DE32740C0ECBD97	SHA256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Roaming\26a69c55\scr.bmp		binary
		MD5:7E5A3D46B33DBD7DEF793B58EF70FCA2	SHA256:A5BEC4D618DAC9512B1D3F43E2CD9D9A4355FBE3DD27F991E08A347E6E993627
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\login[1].htm		html
		MD5:D57E3A550060F85D44A175139EA23021	SHA256:43EDF068D34276E8ADE4113D4D7207DE19FC98A2AE1C07298E593EDAE2A8774C
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\login[1].php		text
		MD5:32682312D17C7CBF18E73594F5570319	SHA256:E55FB1A1D731153E943B68844AF12DCCE8BFAC917C98FFDEA64C80DA0607DD47
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\login[2].htm		html
		MD5:4F8E702CC244EC5D4DE32740C0ECBD97	SHA256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Roaming\678734.zip		compressed
		MD5:5898E9EB4E243ABCB28854FF3F58FF9B	SHA256:72B2C46F425CD96BC8FF283161422F5822D7C95E1FE88708C208C235BE7A6020
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Roaming\26a69c55\debug_09;Oct;2024_22;23;28.log		text
		MD5:6AEE134539D16E8DC47A8A3B7D73BE17	SHA256:C81D10AC94543077FFF71A4A14CFC04931BA0B8563962B00283002D68BCEBDBE
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	C:\Users\admin\AppData\Roaming\26a69c55\sysinfo.log		text
		MD5:91258677411466C3F190F0B819EDCF33	SHA256:4C612FD128DB46F43E01886957789A555D24C8F3796F3BF91EF85B0ABFD8F188

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	302	162.255.119.102:80	http://gahyqah.com/login.php	unknown	—	—	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	410	13.248.252.114:80	http://puzylyp.com/login.php	unknown	—	—	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	200	44.221.84.105:80	http://qetyfuv.com/login.php	unknown	—	—	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	200	44.221.84.105:80	http://vocyzit.com/login.php	unknown	—	—	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	200	3.94.10.34:80	http://lymyxid.com/login.php	unknown	—	—	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	200	18.208.156.248:80	http://vonypom.com/login.php	unknown	—	—	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	404	208.100.26.245:80	http://lyvyxor.com/login.php	unknown	—	—	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	302	199.191.50.83:80	http://galyqaz.com/login.php	unknown	—	—	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	302	69.162.80.51:80	http://lysyfyj.com/login.php	unknown	—	—	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	GET	410	13.248.252.114:80	http://puzylyp.com/login.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6944	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5488	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1252	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	184.86.251.19:80	www.bing.com	Akamai International B.V.	DE	whitelisted
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	188.114.96.3:80	qegyhig.com	CLOUDFLARENET	NL	malicious
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	162.255.119.102:80	gahyqah.com	NAMECHEAP-NET	US	unknown
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	13.248.252.114:80	puzylyp.com	AMAZON-02	US	unknown
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	44.221.84.105:80	qetyfuv.com	AMAZON-AES	US	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
google.com	142.250.185.78	whitelisted
www.bing.com	184.86.251.19 184.86.251.22 184.86.251.27 184.86.251.7	whitelisted
gaqydeb.com	—	unknown
qexylup.com	—	unknown
gatyfus.com	178.162.217.107 178.162.203.211 178.162.203.202 85.17.31.122 85.17.31.82 5.79.71.205 5.79.71.225 178.162.203.226	malicious
vofymik.com	—	unknown
qegyhig.com	188.114.96.3 188.114.97.3	unknown
lygymoj.com	—	unknown
vowydef.com	—	unknown

PID	Process	Class	Message
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Windows NT Version 5.0
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Windows NT Version 5.0
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2432	75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

General Info

75154791eca35ea5c47ae6e7fe75e4952cc10557a0782e31c63012fe4eae03e3

F3530BF81351BC22ED14D076242E39F8

8F9A28AA95410821EAED935C5E48265CB5D2CE13

75154791ECA35EA5C47AE6E7FE75E4952CC10557A0782E31C63012FE4EAE03E3

6144:GWUm6wbXiiBaVwUbMxDAs+Kvm3MxaX506S5KftMUjEUxy8Q0MvTYGnW2E4rix:Gjm6wbXbBXUbGp6S5KftMIrkWD6i

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Request for a sinkholed resource

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Checks Windows Trust Settings

The process verifies whether the antivirus software is installed

There is functionality for taking screenshot (YARA)

Potential Corporate Privacy Violation

Connects to unusual port

INFO

Checks supported languages

Creates files or folders in the user directory

Reads the computer name

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings