Malware analysis Credit Card Frauder.exe Malicious activity

Add for printing

File name:	Credit Card Frauder.exe
Full analysis:	https://app.any.run/tasks/c45019c4-3c0e-4b68-b461-d749dce87b77
Verdict:	Malicious activity
Threats:	Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. Malware Trends Tracker >>>
Analysis date:	March 03, 2026, 18:35:23
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	sapphire ransomware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	595CA187B1E4B3D9BFA3264B4C7CB135
SHA1:	C99C1080C2126D890608D51DA8AD1ED087495E9C
SHA256:	819190F5D012D3267C1BC6294DA9F50060316BB146AACBC61863094959E1AFE7
SSDEEP:	98304:W5lFYBUDfY1OfmfFOaZH7WRl7/ZCwZe3rV4uCI75TEvDbh0OFS21BB:5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 45 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Create files in the Startup directory
  - Credit Card Frauder.exe (PID: 4368)
- Disables task manager
  - Credit Card Frauder.exe (PID: 4368)
- SAPPHIRE has been detected
  - Credit Card Frauder.exe (PID: 4368)
SUSPICIOUS
No suspicious indicators.
INFO
- Reads the computer name
  - Credit Card Frauder.exe (PID: 4368)
- Checks supported languages
  - Credit Card Frauder.exe (PID: 4368)
- Drops script file
  - Credit Card Frauder.exe (PID: 4368)
- Creates files or folders in the user directory
  - Credit Card Frauder.exe (PID: 4368)
- Launching a file from the Startup directory
  - Credit Card Frauder.exe (PID: 4368)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe	\|	Win64 Executable (generic) (23.8)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)
.exe	\|	Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2081:06:06 00:57:52+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32
LinkerVersion:	80
CodeSize:	1668096
InitializedDataSize:	223744
UninitializedDataSize:	-
EntryPoint:	0x1993fa
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	-
CompanyName:	-
FileDescription:	sysem
FileVersion:	1.0.0.0
InternalName:	Credit Card Frauder.exe
LegalCopyright:	Copyright © 2023
LegalTrademarks:	-
OriginalFileName:	Credit Card Frauder.exe
ProductName:	sysem
ProductVersion:	1.0.0.0
AssemblyVersion:	1.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

143

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

4368

"C:\Users\admin\AppData\Roaming\Credit Card Frauder.exe"

C:\Users\admin\AppData\Roaming\Credit Card Frauder.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

sysem

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\roaming\credit card frauder.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

7392

"C:\Users\admin\AppData\Roaming\Credit Card Frauder.exe"

C:\Users\admin\AppData\Roaming\Credit Card Frauder.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

sysem

Exit code:

3221226540

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\roaming\credit card frauder.exe
c:\windows\system32\ntdll.dll

7728

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

350

Read events

349

Write events

Delete events

Modification events


(PID) Process:	(4368) Credit Card Frauder.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	DisableTaskMgr
Value: 1

Add for printing

Executable files

Suspicious files

425

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol.fbi		binary
		MD5:385FF67B64B55D8D36518DEE001A70DF	SHA256:CC0B8CBA7E8A1DFE5C123453B58E4FFE757FF0CFBA366D0006C511573BA9B07B
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\Credit Card Frauder.exe.fbi		binary
		MD5:24315304B18BCFD2406AD06452E0E93A	SHA256:5B57E55FFB117447E9F6057BD7AB5B2FE43496CE8AC8197F822E77C5BABDEB23
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storei.fbi		binary
		MD5:C3846D226FE3B3C8BED00C6CA7815180	SHA256:A738BBB2C46A6D65417EE7336E197D89BEF807965B72D597AF783B4B9059B7BC
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_storek.fbi		binary
		MD5:245BE18F254BEB45CB7924EC0CAF888C	SHA256:067750ACB17A483422CDEDFEBBFD668D12DEDF4C3F3570259AE20F00A158D1C0
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\FileZilla\filezilla.xml.fbi		binary
		MD5:3AE46EAA60B07C19F3DDCD25532F30FF	SHA256:2AF0046AC0984F5F3F7DA10DAF4F3E41204E1DE0463EE6A840DC3143C6CC07E1
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\FileZilla\layout.xml.fbi		binary
		MD5:3ED0FA8D3E0D2F3882BE9304670789E4	SHA256:EB77AA0D1396ECC3F11FC0372F54A78ACE9E3FFD26EEA6C2CB883E400563B59B
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\FileZilla\queue.sqlite3.fbi		binary
		MD5:A8E04DA1FA9A77F1555638F80DAA603E	SHA256:ACEF9F9286CAFDB70759E60BECE84F83B17CA5D9301C583DD91911B88B93222A
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store.fbi		binary
		MD5:8DF35F9788579D23E52689144D2F2A75	SHA256:9C174361F6E12F09988F934B7E4878FA8AE5B85228D2B8559CA2E97D148CDBE8
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\Microsoft\Access\AccessCache.accdb.fbi		binary
		MD5:4CF6EE2F8E1EE4F6C6E180F5CDE095B3	SHA256:6CC8494A645875963BF53A37AD58FB68B913A997F292C6CF74BEF8C577C5FD82
4368	Credit Card Frauder.exe	C:\Users\admin\AppData\Roaming\Microsoft\Bibliography\Style\HarvardAnglia2008OfficeOnline.xsl.fbi		binary
		MD5:F6FE9A194674709B4E0830F57CFD5C92	SHA256:C5AEFA4E575796D64C78CCA494C783575AA69A8D77852BFAAC54CFB0413E18EA

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
356	svchost.exe	POST	404	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	341 b	whitelisted
356	svchost.exe	POST	404	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	341 b	whitelisted
356	svchost.exe	POST	404	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	341 b	whitelisted
356	svchost.exe	POST	404	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	341 b	whitelisted
356	svchost.exe	POST	404	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	341 b	whitelisted
356	svchost.exe	POST	404	20.190.160.5:443	https://login.live.com/RST2.srf	unknown	xml	341 b	whitelisted
6272	SIHClient.exe	GET	404	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	xml	341 b	whitelisted
6272	SIHClient.exe	GET	404	135.232.92.97:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	xml	341 b	whitelisted
6272	SIHClient.exe	GET	404	74.178.240.61:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	unknown	xml	341 b	whitelisted
6272	SIHClient.exe	GET	404	135.232.92.97:443	https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping	unknown	xml	341 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5412	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	2.16.241.218:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
5568	SearchApp.exe	2.16.241.207:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
3412	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
356	svchost.exe	20.190.160.5:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6272	SIHClient.exe	74.178.240.61:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6272	SIHClient.exe	135.232.92.97:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
www.bing.com	2.16.241.218 2.16.241.207 2.16.241.222 2.16.241.225 2.16.241.201	whitelisted
th.bing.com	2.16.241.207 2.16.241.218 2.16.241.201 2.16.241.225 2.16.241.222	whitelisted
self.events.data.microsoft.com	51.116.253.168	whitelisted
google.com	142.251.141.78	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.160.5 20.190.160.128 40.126.32.74 20.190.160.17 20.190.160.130 20.190.160.22 20.190.160.3 40.126.32.68	whitelisted
slscr.update.microsoft.com	74.178.240.61	whitelisted
fe3cr.delivery.mp.microsoft.com	135.232.92.97 2603:1030:10:12::2fe	whitelisted
97.92.232.135.in-addr.arpa	—	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Credit Card Frauder.exe

595CA187B1E4B3D9BFA3264B4C7CB135

C99C1080C2126D890608D51DA8AD1ED087495E9C

819190F5D012D3267C1BC6294DA9F50060316BB146AACBC61863094959E1AFE7

98304:W5lFYBUDfY1OfmfFOaZH7WRl7/ZCwZe3rV4uCI75TEvDbh0OFS21BB:5

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Create files in the Startup directory

Disables task manager

SAPPHIRE has been detected

SUSPICIOUS

INFO

Reads the computer name

Checks supported languages

Drops script file

Creates files or folders in the user directory

Launching a file from the Startup directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings