Malware analysis a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243 Malicious activity

Add for printing

File name:	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243
Full analysis:	https://app.any.run/tasks/61a25647-7ebc-4340-8258-3bdd00d525c9
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 09:10:25
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	sinkhole simda stealer
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5:	90899F596E5520B6ADC37466BF4709BF
SHA1:	8E926DC9CBC9E5C6CFBC36A52B0494B5038C5093
SHA256:	A748DFBC0D59405540E71AAEEDDEE8ED4465FB207D0B02BBB3EDEA266C1F7243
SSDEEP:	6144:yUjfG4t82T9X2wfdjHCl8XWhJCPoT5/nKt0H1WKVC+bPF/s6Lc1O:yUq4y2T9B1jW8X5PanKteA+J/c1O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- SIMDA mutex has been found
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- Request for a sinkholed resource
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
SUSPICIOUS
- Potential Corporate Privacy Violation
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- The process verifies whether the antivirus software is installed
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- There is functionality for taking screenshot (YARA)
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- Reads the date of Windows installation
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- Reads security settings of Internet Explorer
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- The process checks if it is being run in the virtual environment
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
INFO
- Reads the computer name
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- Creates files or folders in the user directory
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- Checks proxy server information
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- Reads the software policy settings
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- Checks supported languages
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)
- Reads the machine GUID from the registry
  - a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe (PID: 2152)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2002:12:10 12:24:25+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	7.12
CodeSize:	12288
InitializedDataSize:	199680
UninitializedDataSize:	329073
EntryPoint:	0x1000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	2.8.0.1
ProductVersionNumber:	5.1.7.3
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
FileVersion:	2.8.0.1
ProductVersion:	5.1.7.3
FileDescription:	cacopharyngia
CompanyName:	Panda Security, S.L.
LegalCopyright:	triodion
ProductName:	Percurrent

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

130

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2152

"C:\Users\admin\AppData\Local\Temp\a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe"

C:\Users\admin\AppData\Local\Temp\a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe

explorer.exe

User:

admin

Company:

Panda Security, S.L.

Integrity Level:

MEDIUM

Description:

cacopharyngia

Version:

2.8.0.1

Modules

Images
c:\users\admin\appdata\local\temp\a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

7976

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

8024

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

—

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

1 894

Read events

1 888

Write events

Delete events

Modification events


(PID) Process:	(2152) a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	26b799fa
Value: C:\Users\admin\AppData\Local\Temp\a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe
(PID) Process:	(2152) a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(2152) a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2152) a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(2152) a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft
Operation:	write	Name:	d9486693a
Value: 1105328
(PID) Process:	(2152) a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft
Operation:	write	Name:	d94867bfa
Value: 64114

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\login[2].htm		html
		MD5:0104C301C5E02BD6148B8703D19B3A73	SHA256:446A6087825FA73EADB045E5A2E9E2ADF7DF241B571228187728191D961DDA1F
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\Roaming\26a69c55\debug_29;Apr;2025_09;11;31.log		text
		MD5:F08B81CE757CD60DDC76C7A9396891B9	SHA256:072846A70F57FC18B0E5897DF2444B15CBDC23A1DC9EFDA7489487ADD789A4FE
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:1FBB37F79B317A9A248E7C4CE4F5BAC5	SHA256:9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:7702BCB573191052E499DFEF8C166DCA	SHA256:42474291CD5BED59BC01993AE4F5ED7F824B90A5BE1B11D1B34FD391000137AF
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\login[1].htm		html
		MD5:4F8E702CC244EC5D4DE32740C0ECBD97	SHA256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\Roaming\26a69c55\scr.bmp		image
		MD5:6974DD84BC62D87B757C6ADC4F2CD2CF	SHA256:557975FDAA13A806DA4DEB3C8C336E2ED0BF4ABB30E035BE0FFDEB2B0D38E785
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\Roaming\26a69c55\sysinfo.log		text
		MD5:C016066F85AF3BACF824223CE35694FB	SHA256:37F4CB7889FD0812AFA79BF9220944EEF06AD20D5E20DAFB2D3BFAA577CCEC32
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\Roaming\1157609.zip		compressed
		MD5:2B7AF6CBA3A50C8F7CC59D8EFFDBC4F7	SHA256:7481CDF571219C17FD100676306A92FE46B910F728F3AB25E46B1AEF9B15A28C
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\login[1].htm		html
		MD5:4F8E702CC244EC5D4DE32740C0ECBD97	SHA256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\login[1].php		text
		MD5:32682312D17C7CBF18E73594F5570319	SHA256:E55FB1A1D731153E943B68844AF12DCCE8BFAC917C98FFDEA64C80DA0607DD47

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

2 144

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	GET	200	54.85.87.184:80	http://lymyxid.com/login.php	unknown	—	—	malicious
—	—	GET	200	23.216.77.30:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	GET	404	154.212.231.82:80	http://gadyniw.com/login.php	unknown	—	—	malicious
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	GET	200	3.229.117.57:80	http://qetyfuv.com/login.php	unknown	—	—	malicious
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	GET	301	104.21.112.1:80	http://qegyhig.com/login.php	unknown	—	—	malicious
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	GET	500	13.248.169.48:80	http://puzylyp.com/login.php	unknown	—	—	malicious
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	GET	200	142.250.74.195:80	http://c.pki.goog/r/r4.crl	unknown	—	—	whitelisted
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	GET	—	91.195.240.19:80	http://www.gahyqah.com/login.php	unknown	—	—	malicious
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	GET	200	142.250.74.195:80	http://c.pki.goog/r/gsr1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.216.77.30:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	92.123.104.46:80	www.bing.com	Akamai International B.V.	DE	whitelisted
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	154.212.231.82:80	gadyniw.com	ABCDE GROUP COMPANY LIMITED	HK	unknown
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	162.255.119.102:80	gahyqah.com	NAMECHEAP-NET	US	malicious
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	13.248.169.48:80	puzylyp.com	AMAZON-02	US	malicious
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	104.21.112.1:80	qegyhig.com	CLOUDFLARENET	—	malicious
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	54.85.87.184:80	lymyxid.com	AMAZON-AES	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.124.78.146	whitelisted
crl.microsoft.com	23.216.77.30 23.216.77.25	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
google.com	142.250.185.142	whitelisted
www.bing.com	92.123.104.46 92.123.104.56 92.123.104.54 92.123.104.49 92.123.104.47 92.123.104.43 92.123.104.50 92.123.104.52 92.123.104.53	whitelisted
lysynur.com	—	malicious
lymysan.com	—	malicious
lymyxid.com	54.85.87.184	malicious
lygygin.com	—	malicious
lygymoj.com	—	malicious

Threats

PID	Process	Class	Message
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Potential Corporate Privacy Violation	ET INFO Unsupported/Fake Internet Explorer Version MSIE 2.
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Potential Corporate Privacy Violation	ET INFO Unsupported/Fake Windows NT Version 5.0
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Potential Corporate Privacy Violation	ET INFO Unsupported/Fake Internet Explorer Version MSIE 2.
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	Potential Corporate Privacy Violation	ET INFO Unsupported/Fake Windows NT Version 5.0
2152	a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Add for printing

No debug info

General Info

a748dfbc0d59405540e71aaeeddee8ed4465fb207d0b02bbb3edea266c1f7243

90899F596E5520B6ADC37466BF4709BF

8E926DC9CBC9E5C6CFBC36A52B0494B5038C5093

A748DFBC0D59405540E71AAEEDDEE8ED4465FB207D0B02BBB3EDEA266C1F7243

6144:yUjfG4t82T9X2wfdjHCl8XWhJCPoT5/nKt0H1WKVC+bPF/s6Lc1O:yUq4y2T9B1jW8X5PanKteA+J/c1O

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SIMDA mutex has been found

Request for a sinkholed resource

SUSPICIOUS

Potential Corporate Privacy Violation

The process verifies whether the antivirus software is installed

There is functionality for taking screenshot (YARA)

Reads the date of Windows installation

Reads security settings of Internet Explorer

The process checks if it is being run in the virtual environment

INFO

Reads the computer name

Creates files or folders in the user directory

Checks proxy server information

Reads the software policy settings

Checks supported languages

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings