File name: b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe

Full analysis: https://app.any.run/tasks/3dba97e9-4a01-4ca9-8ea7-40ec65eff74a
Verdict: Malicious activity
Analysis date: January 10, 2025, 20:45:09
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: sinkhole
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 10 sections
MD5: 75F7C2024B21A897EA58BEAED7972DED
SHA1: 432278FA5D2B432AB47A513C8325094176D44BCA
SHA256: B0404029838CAE5527DFA1AAE9A936DBF7C3CC7799229FFACE196FFEAA3A2C8E
SSDEEP: 6144:yUjfG4t82T9X2wfdjHCl8XWhJCPoT5/nKt0H1WKVC+bPF/s6Lc1L:yUq4y2T9B1jW8X5PanKteA+J/c1L

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
All behaviour indicators below were raised by b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe (PID: 6440), the only process the sandbox classed as malicious.
  • MALICIOUS
    • Request for a sinkholed resource
  • SUSPICIOUS
    • Reads the date of Windows installation
    • Reads security settings of Internet Explorer
    • Checks whether it is running in a virtual environment
    • Checks Windows Trust Settings
    • Checks whether antivirus software is installed
    • Contains functionality for taking screenshots (YARA)
    • Potential Corporate Privacy Violation (raised by the network threat signatures listed below)
  • INFO
    • Creates files or folders in the user directory
    • Checks proxy server information
    • Reads the machine GUID from the registry
    • Checks supported languages
    • Reads the computer name
    • Reads the software policy settings
Signature artifacts and the mapping to the MITRE ATT&CK matrix are in the full report.
Malware configuration: none extracted.

TRiD (file type identification; the number in parentheses is the match probability in %)

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF (version resource and PE header of the EXE)

ProductName: Percurrent
LegalCopyright: triodion
CompanyName: Panda Security, S.L.
FileDescription: cacopharyngia
ProductVersion: 5.1.7.3
FileVersion: 2.8.0.1
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 5.1.7.3
FileVersionNumber: 2.8.0.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1000
UninitializedDataSize: 329073
InitializedDataSize: 199680
CodeSize: 12288
LinkerVersion: 7.12
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2002:12:10 12:24:25+00:00
MachineType: Intel 386 or later, and compatibles

Note on the version resource: none of these fields is authenticated, and they are internally inconsistent here. CompanyName claims Panda Security, S.L. while ProductName, FileDescription and LegalCopyright are dictionary-word filler, ProductVersion (5.1.7.3) does not match FileVersion (2.8.0.1), and the 2002 compile timestamp is not corroborated by anything else in the report. Treat them as attacker-controlled strings, not as provenance.
Screenshots: available in the full report.

Total processes: 118
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report): start → b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe; svchost.exe appears as a separate monitored process.

Process information

PID 2192: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
  Path: C:\Windows\System32\svchost.exe
  Parent process: services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Host Process for Windows Services
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Loaded images:
    c:\windows\system32\svchost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\kernel.appcore.dll

PID 6440: "C:\Users\admin\Desktop\b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe"
  Path: C:\Users\admin\Desktop\b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe
  Parent process: explorer.exe
  User: admin
  Company: Panda Security, S.L. (taken from the unauthenticated version resource)
  Integrity level: MEDIUM
  Description: cacopharyngia
  Version: 2.8.0.1
  Loaded images (the syswow64 and wow64*.dll entries show a 32-bit process running under WOW64 on the 64-bit guest):
    c:\users\admin\desktop\b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\user32.dll
Total events: 3 523
Read events: 3 518
Write events: 5
Delete events: 0

Modification events (the 5 registry writes, all by PID 6440, b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe)

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Operation: write
    Name: 26b799fa
    Value: C:\Users\admin\Desktop\b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe
  • Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    Operation: write
    Name: CachePrefix
    Value: (empty)
  • Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    Operation: write
    Name: CachePrefix
    Value: Cookie:
  • Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    Operation: write
    Name: CachePrefix
    Value: Visited:
  • Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft
    Operation: write
    Name: d9486693a
    Value: 1401734
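Two of these writes deserve a second look. The first stores the sample's own path under the Winlogon key in a value with a random-looking hexadecimal name; Windows only acts on specific Winlogon values (Shell, Userinit and a few others), so this is not by itself a confirmed autostart, but a user-launched process writing its path under a logon key is exactly what a persistence check should surface. The last write, a hex-named value directly under HKCU\SOFTWARE\Microsoft, has the shape of an infection marker or state value. The three CachePrefix writes are what WinINet typically creates when a process first uses the Internet Explorer cache, which fits the login[1].htm files the report later shows under INetCache. The following triage script is an added example for this page, not ANY.RUN's or the sample's code: it classifies the five events above (constructed from the report) with a watch list, severity labels and helper names that are all assumptions made for illustration.

```python
"""Classify the registry writes from this report's "Modification events".

Added example for this page, not part of the ANY.RUN report or the sample.
The events are constructed from the report; WATCHED_KEYS, the severity
labels and the helper names are assumptions made for illustration.
"""
import re

SAMPLE = (r"C:\Users\admin\Desktop"
          r"\b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe")
IS_CACHE = (r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\5.0\Cache")

# (pid, key, value_name, data): the report's five write events, constructed here.
EVENTS = [
    (6440, r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "26b799fa", SAMPLE),
    (6440, IS_CACHE + r"\Content", "CachePrefix", ""),
    (6440, IS_CACHE + r"\Cookies", "CachePrefix", "Cookie:"),
    (6440, IS_CACHE + r"\History", "CachePrefix", "Visited:"),
    (6440, r"HKEY_CURRENT_USER\SOFTWARE\Microsoft", "d9486693a", "1401734"),
]

# Assumed watch list: logon/autostart keys where any write by a user-launched
# process is worth a look, whatever the value name.
WATCHED_KEYS = (
    r"\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)
HEX_NAME = re.compile(r"[0-9a-f]{8,}")                # e.g. 26b799fa, d9486693a
USER_PATH = re.compile(r"^[A-Za-z]:\\Users\\", re.I)  # data pointing into a user profile


def classify(event):
    """Return (severity, reasons) for one (pid, key, name, data) write."""
    _pid, key, name, data = event
    if name == "CachePrefix" and "Internet Settings" in key:
        # WinINet creates these on first use of the IE cache; benign side effect
        # of the sample fetching its /login.php URLs through WinINet.
        return "info", ["WinINet cache initialisation"]
    reasons = []
    if any(key.lower().endswith(k.lower()) for k in WATCHED_KEYS):
        reasons.append("write under a logon/autostart key")
    if HEX_NAME.fullmatch(name):
        reasons.append("value name looks generated")
    if USER_PATH.match(data):
        reasons.append("data is a path under a user profile")
    if len(reasons) >= 2:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return "info", reasons


def review(events):
    """All events with their classification, highest severity first."""
    order = {"high": 0, "medium": 1, "info": 2}
    rows = []
    for ev in events:
        severity, reasons = classify(ev)
        rows.append((severity, ev[1], ev[2], reasons))
    return sorted(rows, key=lambda r: order[r[0]])


if __name__ == "__main__":
    for severity, key, name, reasons in review(EVENTS):
        print(f"{severity:6} {key}\\{name}  {'; '.join(reasons)}")
```

On a live host the same logic applies to a Sysmon event 13 (RegistryEvent, value set) stream rather than a sandbox export; the fields it needs (process, key, value name, data) are present there too.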
Dropped files: executable 0, suspicious 0, text 5, unknown types 0 (four of the five text files are listed in this export)

All dropped by PID 6440, b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe. They are WinINet cache entries for the /login.php responses; the last three share one SHA256, i.e. three requests returned an identical body.
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\login[1].htm (html)
    MD5: 4F8E702CC244EC5D4DE32740C0ECBD97
    SHA256: 9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\login[1].htm (html)
    MD5: 7A5DF79FBAAFF2C161C6E29461785403
    SHA256: B1C52A7C21C4B21BF69866D7859284068D6ECC90306FE22076F81DAA0176A7ED
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\login[2].htm (html)
    MD5: 7A5DF79FBAAFF2C161C6E29461785403
    SHA256: B1C52A7C21C4B21BF69866D7859284068D6ECC90306FE22076F81DAA0176A7ED
  • C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\login[1].htm (html)
    MD5: 7A5DF79FBAAFF2C161C6E29461785403
    SHA256: B1C52A7C21C4B21BF69866D7859284068D6ECC90306FE22076F81DAA0176A7ED
Network summary (PCAP and full streams are in the full report)
HTTP(S) requests: 57
TCP/UDP connections: 68
DNS requests: 1 176
Threats: 25

HTTP requests (10 of the 57 are listed here; every row is from PID 6440, b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe, unless noted; CN is "unknown" and Type/Size are not recorded for any row; "-" means no HTTP code was recorded)

Method  Code  IP:port             URL                                                                      Reputation
GET     200   44.221.84.105:80    http://qetyfuv.com/login.php                                             malicious
GET     200   44.221.84.105:80    http://vocyzit.com/login.php                                             malicious
GET     -     178.162.203.226:80  http://gatyfus.com/login.php                                             malicious
GET     302   162.255.119.102:80  http://gahyqah.com/login.php                                             malicious
GET     301   104.21.32.1:80      http://qegyhig.com/login.php                                             malicious
GET     -     199.191.50.83:80    http://galyqaz.com/login.php                                             malicious
GET     200   2.16.241.12:80      http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  whitelisted (PID 2632, svchost.exe)
GET     404   154.212.231.82:80   http://gadyniw.com/login.php                                             malicious
GET     200   3.94.10.34:80       http://lymyxid.com/login.php                                             malicious
GET     308   99.83.170.3:80      http://puzylyp.com/login.php                                             malicious

Connections (10 of the 68 are listed here; "sample" is PID 6440, b0404029838cae5527dfa1aae9a936dbf7c3cc7799229fface196ffeaa3a2c8e.exe; "-" means the field was not recorded)

PID   Process              IP:port               Domain                           ASN                          CN  Reputation
4     System               192.168.100.255:137   -                                -                            -   whitelisted
-     -                    2.23.227.215:443      www.bing.com                     Ooredoo Q.S.C.               QA  whitelisted
4712  MoUsoCoreWorker.exe  51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
2632  svchost.exe          51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
-     -                    51.104.136.2:443      settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4     System               192.168.100.255:138   -                                -                            -   whitelisted
6440  sample               2.23.227.215:80       www.bing.com                     Ooredoo Q.S.C.               QA  whitelisted
6440  sample               162.255.119.102:80    gahyqah.com                      NAMECHEAP-NET                US  malicious
6440  sample               104.21.32.1:80        qegyhig.com                      CLOUDFLARENET                -   malicious
6440  sample               178.162.203.226:80    gatyfus.com                      Leaseweb Deutschland GmbH    DE  malicious

DNS requests (10 of the 1 176 lookups are listed here; the full list is in the report)

Domain                           Resolved IPs                    Reputation
www.bing.com                     2.23.227.215, 2.23.227.208      whitelisted
settings-win.data.microsoft.com  51.104.136.2, 40.127.240.158    whitelisted
google.com                       142.250.186.46                  whitelisted
vowycac.com                      (none recorded)                 malicious
lyxylux.com                      (none recorded)                 unknown
qetyfuv.com                      44.221.84.105                   malicious
gacyzuz.com                      (none recorded)                 malicious
pumypog.com                      (none recorded)                 malicious
vocyzit.com                      44.221.84.105                   malicious
lyryfyd.com                      (none recorded)                 unknown
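Taken together, the HTTP and DNS tables show one beacon shape: every flagged domain in this report is a single seven-letter label under .com that alternates consonant and vowel (counting y as a vowel), always requested as /login.php, with 1 176 lookups behind only a handful of successful HTTP exchanges, and two of the domains (qetyfuv.com, vocyzit.com) resolving to the same address. The "sinkholed resource" verdict and the AnubisNetworks sinkhole signatures below mean those answering hosts are third-party sinkholes: a hit proves the host is infected and beaconing, not that the operator's C2 is live. The script below is an added example for this page, not ANY.RUN's or the sample's code. It runs the shape check over request rows constructed from the report's HTTP table and over the DNS domains; the pattern is an observation about this sample only, not a general DGA signature, and the helper names are assumptions.

```python
"""Triage of the HTTP/DNS indicators in this report.

Added example for this page, not part of the ANY.RUN report or the sample.
The request rows are constructed from the report's HTTP request table; the
pattern check and helper names are assumptions made for illustration.
"""
import re
from urllib.parse import urlparse

# (pid, method, http_code or None, ip:port, url), constructed from the report.
SAMPLE_REQUESTS = [
    ("6440", "GET", 200, "44.221.84.105:80", "http://qetyfuv.com/login.php"),
    ("6440", "GET", 200, "44.221.84.105:80", "http://vocyzit.com/login.php"),
    ("6440", "GET", None, "178.162.203.226:80", "http://gatyfus.com/login.php"),
    ("6440", "GET", 302, "162.255.119.102:80", "http://gahyqah.com/login.php"),
    ("6440", "GET", 301, "104.21.32.1:80", "http://qegyhig.com/login.php"),
    ("6440", "GET", None, "199.191.50.83:80", "http://galyqaz.com/login.php"),
    ("2632", "GET", 200, "2.16.241.12:80",
     "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"),
    ("6440", "GET", 404, "154.212.231.82:80", "http://gadyniw.com/login.php"),
    ("6440", "GET", 200, "3.94.10.34:80", "http://lymyxid.com/login.php"),
    ("6440", "GET", 308, "99.83.170.3:80", "http://puzylyp.com/login.php"),
]

# Domains from the report's DNS table (constructed list).
DNS_DOMAINS = [
    "www.bing.com", "settings-win.data.microsoft.com", "google.com",
    "vowycac.com", "lyxylux.com", "qetyfuv.com", "gacyzuz.com",
    "pumypog.com", "vocyzit.com", "lyryfyd.com",
]

# Observed shape of every flagged domain in this report: 7 letters, alternating
# consonant/vowel with y as a vowel, one label, .com. Specific to this sample.
CONSONANTS, VOWELS = "bcdfghjklmnpqrstvwxz", "aeiouy"
CV7 = re.compile(rf"^(?:[{CONSONANTS}][{VOWELS}]){{3}}[{CONSONANTS}]$")


def looks_generated(hostname: str) -> bool:
    """True for a two-label .com name whose left label matches the CV7 shape."""
    labels = hostname.lower().split(".")
    return len(labels) == 2 and labels[1] == "com" and CV7.fullmatch(labels[0]) is not None


def triage(requests):
    """Return (pid, host, ip, code) for requests matching the report's beacon shape."""
    hits = []
    for pid, _method, code, ip_port, url in requests:
        parsed = urlparse(url)
        if looks_generated(parsed.hostname or "") and parsed.path == "/login.php":
            hits.append((pid, parsed.hostname, ip_port.rsplit(":", 1)[0], code))
    return hits


def shared_infrastructure(hits):
    """Distinct beacon domains that resolve to one IP (the two 44.221.84.105 rows here)."""
    by_ip = {}
    for _pid, host, ip, _code in hits:
        by_ip.setdefault(ip, set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def generated_dns_names(domains):
    """DNS lookups that match the shape even when no HTTP exchange followed."""
    return [d for d in domains if looks_generated(d)]


if __name__ == "__main__":
    hits = triage(SAMPLE_REQUESTS)
    for hit in hits:
        print(hit)
    print("shared IPs:", shared_infrastructure(hits))
    print("DNS-only candidates:", generated_dns_names(DNS_DOMAINS))
```

The DNS check matters more than the HTTP one for hunting: the report records 1 176 lookups against a few dozen connections, so on a live network most evidence of this beacon is in resolver logs, not in proxy logs.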

Threats (12 of the 25 alerts are listed here; PID and process are not recorded per alert. The ET POLICY rules match the User-Agent string the sample sends, which claims an unsupported Internet Explorer 2 on Windows NT 5.0; the ET MALWARE rules match cookie values that AnubisNetworks sinkhole servers set in their responses.)

Class: Potential Corporate Privacy Violation
  • ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2. (2 alerts)
  • ET POLICY Unsupported/Fake Windows NT Version 5.0 (2 alerts)
Class: A Network Trojan was detected
  • ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst (3 alerts)
  • ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz (3 alerts)

Debug info: none.