File name: 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_

Full analysis: https://app.any.run/tasks/7eabbc1c-f61a-4a82-8ef4-0a5b222048de
Verdict: Malicious activity
Analysis date: April 29, 2025, 02:37:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: sinkhole, m0yv

Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 13343D20D39EC792BBFF9CD51A7D12D5
SHA1: 0D32C9E1855436943C60A96C5847223D03D79A87
SHA256: 76EFDA6C81B51A09CA94C5AA645CF08D2BF876CC0EAD4855BA57582BB32BCB2D
SSDEEP: 24576:oC+OmQHJldaOmLvQOpau+Dm21dfAkbGyThhh+niqtZHxOX2Z1u:oC+OmoJHaOmLvQOpau+D91RAkqyVhh+W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • M0YV mutex has been found
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
    • M0YV has been detected (YARA)
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
    • Request for a sinkholed resource
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
    • Executable content was dropped or overwritten
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
  • INFO
    • Reads the computer name
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
    • The sample was compiled with English language support
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
    • Checks proxy server information
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
    • Creates files or folders in the user directory
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
    • Checks supported languages
      • 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe (PID: 6620)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:11:21 16:55:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 36864
InitializedDataSize: 19968
UninitializedDataSize: -
EntryPoint: 0x795a
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 1.701.3.3014
ProductVersionNumber: 1.701.3.3014
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Adobe Systems Incorporated
FileDescription: Adobe Acrobat Update Service
FileVersion: 1.701.3.3014
InternalName: armsvc.exe
LegalCopyright: Copyright © 2013 Adobe Systems Incorporated. All rights reserved.
OriginalFileName: armsvc.exe
ProductName: Adobe Acrobat Update Service
ProductVersion: 1.701.3.3014
All screenshots are available in the full report
Total processes: 129
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> #M0YV 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe | sppextcomobj.exe (no specs) | slui.exe (no specs) | svchost.exe

Process information

Of the four monitored processes only PID 6620 (the sample, launched from %TEMP% by explorer.exe as user "admin" at medium integrity, running 32-bit under WOW64) carries signatures. The Dnscache svchost, SppExtComObj and SLUI processes are Windows DNS-cache and activation activity with no signatures attached ("no specs" in the behavior graph).

PID 2196
  CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Host Process for Windows Services
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\kernel.appcore.dll

PID 6436
  CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
  Path: C:\Windows\System32\slui.exe
  Parent process: SppExtComObj.Exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows Activation Client
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 6620 (malicious)
  CMD: "C:\Users\admin\AppData\Local\Temp\76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe"
  Path: C:\Users\admin\AppData\Local\Temp\76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe
  Parent process: explorer.exe
  User: admin
  Company: Adobe Systems Incorporated
  Integrity Level: MEDIUM
  Description: Adobe Acrobat Update Service
  Version: 1.701.3.3014
  Modules (images):
    c:\users\admin\appdata\local\temp\76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll

PID 6964
  CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
  Path: C:\Windows\System32\SppExtComObj.Exe
  Parent process: svchost.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: KMS Connection Broker
  Version: 10.0.19041.3996 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\sppextcomobj.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\oleaut32.dll
Total events: 656
Read events: 656
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 7
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

All eight files were written by PID 6620 (76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe): seven executables under Program Files / ProgramData and one binary blob under the user's roaming profile.

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe (executable)
  MD5: 22F6B640C504D2ADB3C936A0546D725E
  SHA256: D2627A1CD58657B4BBBC5347A62F78D3A73A09A5E31C6D13AD3CA2C0F731B63B
C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin (binary)
  MD5: 863CE899AFE1D24CDE86934F278D25BC
  SHA256: C326BC0BA642F9809C4605972212F5DA61693D3DF7AD1505361FA9D300982311
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe (executable)
  MD5: B9418875DC22DF7F87775A18DDAE4994
  SHA256: D53A255CDEE0620A661B8D9EB8DBDBCD39F92ED7EDE2065B5A20AA52FDBC58DA
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe (executable)
  MD5: 5E5F48057CBEAD7E92837538BE626D29
  SHA256: 495C1EA7EB6310C7E728D061AD0E10F7D95ECD8668370B36EC8DDF4300CB60B5
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe (executable)
  MD5: 1A382D028F4EB1029A8F73CE2DFC5CE1
  SHA256: 9C0F326AA94A7035B44032AA2901120FBAEE3E61B3ACBE0052EC358DA7346057
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe (executable)
  MD5: 691966582F7C3A00ABCBCE6BE80F0B9C
  SHA256: D59FB5EB1B2130D09EC52383971265286AF2EED62E8DE4190D88CD5078BAAF59
C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe (executable)
  MD5: 80D9CA1D44D6EB774585FDA8AC56D1FB
  SHA256: 32100F6C647E4A5BBC64318B4302DCD47931177C30FE259F782B208AC1B6F353
C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe (executable)
  MD5: BF622DE62F9B2C48FE3FE830379AB2F0
  SHA256: 8C867ABE9F3FB33A8BCF9D20C823B37E52C37B40D551027C4A3EB96C549FA792
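The drop list is the part of this report a responder can act on directly: a process launched from the user's %TEMP% wrote seven executables into C:\Program Files\Common Files\microsoft shared\ClickToRun and C:\ProgramData\Adobe\ARM (the "Executable content was dropped or overwritten" signature), which is the behaviour expected of the m0yv file infector, although the report shows only the writes and their hashes, not the infection mechanism; note also that the sandbox ran the sample as "admin", so the writes into Program Files succeeded. What follows is an added example, not ANY.RUN's code or anything from the sample: a Python pass over Sysmon-style FileCreate records that (a) matches the SHA-256 values listed above and (b) flags, independently of any hash, an executable written under Program Files, ProgramData or Windows by an image running out of a user temp directory. The records are constructed for the example and modelled on the drops above; the field names follow Sysmon Event ID 11, and the Hashes field is an assumption, since Sysmon's FileCreate event carries no hash and in practice the SHA-256 must be joined from a later Sysmon event or a file-integrity scan.

```python
"""Triage of Sysmon-style FileCreate records against the m0yv drop list.

Added example; the event records are constructed, not real telemetry. The
Hashes field is an assumption: Sysmon Event ID 11 does not hash the file, so
the SHA-256 would normally be joined from Event ID 1/7/15 or a file scan.
"""
import re
from dataclasses import dataclass
from typing import Optional

# SHA-256 of the eight artefacts PID 6620 wrote, copied from the report above.
M0YV_DROP_SHA256 = {
    "D2627A1CD58657B4BBBC5347A62F78D3A73A09A5E31C6D13AD3CA2C0F731B63B",  # appvcleaner.exe
    "C326BC0BA642F9809C4605972212F5DA61693D3DF7AD1505361FA9D300982311",  # 26b799fa89ba8c8f.bin
    "D53A255CDEE0620A661B8D9EB8DBDBCD39F92ED7EDE2065B5A20AA52FDBC58DA",  # AppVShNotify.exe
    "495C1EA7EB6310C7E728D061AD0E10F7D95ECD8668370B36EC8DDF4300CB60B5",  # IntegratedOffice.exe
    "9C0F326AA94A7035B44032AA2901120FBAEE3E61B3ACBE0052EC358DA7346057",  # MavInject32.exe
    "D59FB5EB1B2130D09EC52383971265286AF2EED62E8DE4190D88CD5078BAAF59",  # OfficeC2RClient.exe
    "32100F6C647E4A5BBC64318B4302DCD47931177C30FE259F782B208AC1B6F353",  # officesvcmgr.exe
    "8C867ABE9F3FB33A8BCF9D20C823B37E52C37B40D551027C4A3EB96C549FA792",  # AdobeARMHelper.exe
}

# Roots where executables arrive via installers and services, not via a
# program launched from a user's temp directory.
PROTECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",
                   "c:\\programdata\\", "c:\\windows\\")
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".sys")
USER_TEMP_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    target: str
    sha256: Optional[str]


def sha256_from_hashes(field: str) -> Optional[str]:
    """Extract SHA256 from a Sysmon 'Hashes' string ('MD5=..,SHA256=..,..')."""
    for part in field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().upper()
    return None


def check_event(ev: dict) -> list:
    """Apply both rules to one FileCreate record; returns the findings."""
    image, target = ev["Image"], ev["TargetFilename"]
    sha = sha256_from_hashes(ev.get("Hashes", ""))
    findings = []
    # Rule 1: exact IOC match on the dropped-file hashes from this report.
    if sha in M0YV_DROP_SHA256:
        findings.append(Finding("known_m0yv_drop", image, target, sha))
    # Rule 2: behavioural and hash-independent, so it also catches re-infected
    # files whose hashes are on no list yet: a binary executing out of a user
    # temp directory has no legitimate reason to write executables here.
    if (USER_TEMP_RE.match(image)
            and target.lower().startswith(PROTECTED_ROOTS)
            and target.lower().endswith(EXECUTABLE_EXT)):
        findings.append(Finding("temp_process_writes_exe_to_protected_dir", image, target, sha))
    return findings


def scan(events) -> list:
    """check_event over an iterable of records, findings in event order."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed records (not real telemetry); field names follow Sysmon Event ID 11.
SAMPLE_IMAGE = (r"C:\Users\admin\AppData\Local\Temp"
                r"\76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe")
SAMPLE_EVENTS = [
    {"ProcessId": 6620, "Image": SAMPLE_IMAGE,  # ClickToRun helper overwritten: both rules
     "TargetFilename": r"C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe",
     "Hashes": "SHA256=D2627A1CD58657B4BBBC5347A62F78D3A73A09A5E31C6D13AD3CA2C0F731B63B"},
    {"ProcessId": 6620, "Image": SAMPLE_IMAGE,  # .bin in %APPDATA%: hash rule only
     "TargetFilename": r"C:\Users\admin\AppData\Roaming\26b799fa89ba8c8f.bin",
     "Hashes": "SHA256=C326BC0BA642F9809C4605972212F5DA61693D3DF7AD1505361FA9D300982311"},
    {"ProcessId": 4120,  # a ClickToRun component updating in place: no findings
     "Image": r"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe",
     "TargetFilename": r"C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"ProcessId": 6620, "Image": SAMPLE_IMAGE,  # Adobe ARM helper under ProgramData: both rules
     "TargetFilename": r"C:\ProgramData\Adobe\ARM\S\388\AdobeARMHelper.exe",
     "Hashes": "MD5=BF622DE62F9B2C48FE3FE830379AB2F0,"
               "SHA256=8C867ABE9F3FB33A8BCF9D20C823B37E52C37B40D551027C4A3EB96C549FA792"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:42} {f.target}")
```

Rule 2 is the one that survives a change of sample: the hashes above identify this run only, while a user-temp image writing into Program Files is a stable property of the technique. On a suspect host, the same list is the starting point for a signature check of those ClickToRun and Adobe ARM executables, since the originals are signed and an overwritten copy will not verify.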
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 31
DNS requests: 24
Threats: 8

HTTP requests

Only 10 of the 14 HTTP(S) requests are listed here; the Type and Size columns are empty in the report, and the two CRL fetches carry no PID. "sample" is PID 6620, 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe.

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
- | - | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6620 | sample | POST | 200 | 52.11.240.239:80 | http://pywolwnvd.biz/vemhk | unknown | malicious
6620 | sample | POST | 200 | 18.234.103.197:80 | http://ssbzmoy.biz/bntgfd | unknown | malicious
6620 | sample | POST | 200 | 52.11.240.239:80 | http://cvgrf.biz/xove | unknown | malicious
6620 | sample | POST | 200 | 3.229.117.57:80 | http://npukfztj.biz/selge | unknown | malicious
6620 | sample | POST | 200 | 172.233.219.123:80 | http://przvgke.biz/imby | unknown | (none given)
6544 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
6620 | sample | POST | 200 | 172.233.219.123:80 | http://przvgke.biz/lstssm | unknown | (none given)
6620 | sample | POST | 302 | 192.64.119.165:80 | http://anpmnmxo.biz/dax | unknown | (none given)

Connections

Only 10 of the 31 TCP/UDP connections are listed here. "sample" is PID 6620, 76efda6c81b51a09ca94c5aa645cf08d2bf876cc0ead4855ba57582bb32bcb2d.ex_.exe; CN is the country code.

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6620 | sample | 52.11.240.239:80 | pywolwnvd.biz | AMAZON-02 | US | malicious
6620 | sample | 18.234.103.197:80 | ssbzmoy.biz | AMAZON-AES | US | malicious
6620 | sample | 3.229.117.57:80 | npukfztj.biz | AMAZON-AES | US | malicious
6620 | sample | 172.233.219.123:80 | przvgke.biz | Akamai International B.V. | US | unknown

DNS requests

Only 10 of the 24 DNS queries are listed here.

Domain | IP(s) | Reputation
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
google.com | 172.217.18.14 | whitelisted
pywolwnvd.biz | 52.11.240.239 | malicious
ssbzmoy.biz | 18.234.103.197 | malicious
cvgrf.biz | 52.11.240.239 | malicious
npukfztj.biz | 3.229.117.57 | malicious
przvgke.biz | 172.233.219.123, 172.233.219.49, 172.233.219.78 | unknown
client.wns.windows.com | 172.211.123.248 | whitelisted
login.live.com | 40.126.31.2, 20.190.159.2, 20.190.159.68, 40.126.31.0, 20.190.159.129, 40.126.31.69, 20.190.159.23, 40.126.31.130 | whitelisted

Threats

All 8 alerts are listed; none carries a PID or process attribution in the report.

Class | Message
A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
A Network Trojan was detected | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
A Network Trojan was detected | ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)
Misc activity | ET INFO Namecheap URL Forward

Two things to note when reading these alongside the network tables. The Expiro-related domain knjghuig .biz (defanged as in the rule name) does not appear in the DNS table, which lists only 10 of the 24 queries, so the full report is needed to see that resolution. The six sinkhole-cookie alerts are what justify the "sinkhole" tag and the "Request for a sinkholed resource" signature: the HTTP 200 responses to the sample's POST beacons came from AnubisNetworks sinkhole infrastructure, not from the operator, so the host is infected but the C2 domains it reached have been taken over. The Namecheap URL Forward alert is consistent with the only redirect in the HTTP table, the 302 from http://anpmnmxo.biz/dax at 192.64.119.165.
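The reasoning above is the one a detection engineer has to encode: a 200 with a sinkhole cookie means "infected host, dead C2", a 302 to a registrar forwarder means "nothing answered", and a 200 with no sinkhole marker from a domain of unknown reputation (here the two POSTs to przvgke.biz) is the case that still needs a human. The following is an added example, not code from ANY.RUN or from the sample: a small Python classifier over HTTP exchanges that reproduces that triage. The request and response text is constructed and only shaped like the table above; the cookie values and the redirect target (www.example.com) are placeholders; and it is an assumption that the Snkz/btst token may sit in either the cookie name or its value, since the alert names say only "Cookie Value".

```python
"""Classify beacon responses as sinkholed / forwarded / live candidate.

Added example. All HTTP text below is constructed to resemble the report's
requests; cookie values, redirect target and lengths are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass

# Tokens named in the ET MALWARE "AnubisNetworks Sinkhole Cookie Value" alerts.
SINKHOLE_TOKENS = {"snkz", "btst"}

# Domains the sample posted to in this report (reputation from the tables).
BEACON_DOMAINS = {
    "pywolwnvd.biz", "ssbzmoy.biz", "cvgrf.biz", "npukfztj.biz",  # malicious
    "przvgke.biz",                                                # unknown
    "anpmnmxo.biz",                                               # 302, Namecheap forward
}


@dataclass(frozen=True)
class Beacon:
    host: str
    method: str
    path: str
    status: int
    verdict: str


def parse_response(raw: str):
    """(status_code, headers) from a raw HTTP response head. Header names are
    lower-cased and map to lists, so repeated Set-Cookie lines are all kept."""
    lines = raw.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = defaultdict(list)
    for line in lines[1:]:
        if not line:          # blank line ends the head
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()].append(value.strip())
    return status, headers


def has_sinkhole_cookie(headers) -> bool:
    """True if any Set-Cookie carries a sinkhole token as name or value.
    Assumption: the alert names say 'Cookie Value' but do not show whether the
    token is the name or the value, so both positions are checked."""
    for cookie in headers.get("set-cookie", []):
        name, _, value = cookie.split(";", 1)[0].partition("=")
        if name.strip().lower() in SINKHOLE_TOKENS or value.strip().lower() in SINKHOLE_TOKENS:
            return True
    return False


def classify(host: str, method: str, path: str, raw_response: str) -> Beacon:
    status, headers = parse_response(raw_response)
    if has_sinkhole_cookie(headers):
        verdict = "sinkholed"          # infected host; the domain has been taken over
    elif host in BEACON_DOMAINS and status in (301, 302) and headers.get("location"):
        verdict = "forwarded"          # parked/redirected; nothing answered the beacon
    elif host in BEACON_DOMAINS and 200 <= status < 300:
        verdict = "live_c2_candidate"  # a real 200 with no sinkhole marker: investigate
    elif host in BEACON_DOMAINS:
        verdict = "beacon_failed"
    else:
        verdict = "unrelated"
    return Beacon(host, method, path, status, verdict)


def triage(beacons) -> str:
    """Host-level conclusion: a sinkholed or live beacon means the machine is
    infected whether or not the operator still controls the domain."""
    verdicts = {b.verdict for b in beacons}
    if verdicts & {"sinkholed", "live_c2_candidate"}:
        return "infected_host"
    if verdicts & {"forwarded", "beacon_failed"}:
        return "suspicious_resolution_only"
    return "clean"


# Constructed exchanges: (host, method, path, raw response head).
SAMPLE_EXCHANGES = [
    ("pywolwnvd.biz", "POST", "/vemhk",
     "HTTP/1.1 200 OK\r\nSet-Cookie: Snkz=placeholder; path=/\r\nContent-Length: 0\r\n\r\n"),
    ("ssbzmoy.biz", "POST", "/bntgfd",
     "HTTP/1.1 200 OK\r\nSet-Cookie: btst=placeholder; path=/\r\nContent-Length: 0\r\n\r\n"),
    ("anpmnmxo.biz", "POST", "/dax",
     "HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\nContent-Length: 0\r\n\r\n"),
    ("przvgke.biz", "POST", "/imby",
     "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 0\r\n\r\n"),
    ("crl.microsoft.com", "GET", "/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
     "HTTP/1.1 200 OK\r\nContent-Type: application/pkix-crl\r\nContent-Length: 0\r\n\r\n"),
]


def run_sample():
    return [classify(*ex) for ex in SAMPLE_EXCHANGES]


if __name__ == "__main__":
    results = run_sample()
    for b in results:
        print(f"{b.verdict:20} {b.method} {b.host}{b.path} -> {b.status}")
    print("host verdict:", triage(results))
```

The ordering of the checks matters: the sinkhole test runs first and ignores the domain list, because a sinkhole cookie on any response is conclusive on its own, whereas the domain list only turns an otherwise ordinary 200 or 302 into something worth a verdict.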
No debug info