File name:

ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe

Full analysis: https://app.any.run/tasks/c65ed6ff-73f8-4484-90fa-3ea86c2e98f2
Verdict: Malicious activity
Analysis date: January 25, 2025, 14:14:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pykspa
worm
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

66285C8D9369EC6665D1904A04B22D13

SHA1:

7CF45696455A8272C1F0A793829BFE1E0129FBFF

SHA256:

EBD2E5EFDAA434CF8C2C8AA63086BA6D282DC7CF9348C2EC6BB77C64724FCE68

SSDEEP:

12288:YFKvSFU/94LYz5rWLm+Rn7b044vJ/JD5eKm3eve4+uc:YEvSFU/+Lc5rWLm+R7bEvJ/JD5jRW4+H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes appearance of the Explorer extensions

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 5776)
      • zbmqv.exe (PID: 1356)

    • Changes the autorun value in the registry

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 5776)
      • zbmqv.exe (PID: 1356)

    • PYKSPA mutex has been found

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 5776)
      • zbmqv.exe (PID: 1356)

    • UAC/LUA settings modification

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 5776)
      • zbmqv.exe (PID: 1356)

    • PYKSPA has been detected (SURICATA)

      • zbmqv.exe (PID: 5776)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)

    • Reads security settings of Internet Explorer

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 1356)
      • zbmqv.exe (PID: 5776)

    • Potential Corporate Privacy Violation

      • zbmqv.exe (PID: 5776)

    • There is functionality for taking screenshot (YARA)

      • zbmqv.exe (PID: 5776)
      • zbmqv.exe (PID: 1356)

    • Checks for external IP

      • zbmqv.exe (PID: 5776)

  • INFO

    • Checks supported languages

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 5776)
      • zbmqv.exe (PID: 1356)

    • Reads the computer name

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 5776)
      • zbmqv.exe (PID: 1356)

    • Process checks whether UAC notifications are on

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 5776)
      • zbmqv.exe (PID: 1356)

    • Create files in a temporary directory

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 5776)

    • Process checks computer location settings

      • ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe (PID: 5400)
      • zbmqv.exe (PID: 5776)

    • Creates files or folders in the user directory

      • zbmqv.exe (PID: 5776)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 3260)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:12:09 08:36:42+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7.1
CodeSize: 167936
InitializedDataSize: 245760
UninitializedDataSize: -
EntryPoint: 0x22b93
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
185
Monitored processes
48
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #PYKSPA ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe #PYKSPA zbmqv.exe #PYKSPA zbmqv.exe rundll32.exe no specs regedit.exe no specs regedit.exe openwith.exe no specs regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe regedit.exe no specs regedit.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
440"regedit.exe" "C:\Users\admin\AppData\Local\Temp\djygpxkoz.reg"C:\Windows\SysWOW64\regedit.exe
zbmqv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
488"regedit.exe" "C:\Users\admin\AppData\Local\Temp\djygpxkoz.reg"C:\Windows\SysWOW64\regedit.exe
zbmqv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
720"regedit.exe" "C:\Users\admin\AppData\Local\Temp\djygpxkoz.reg"C:\Windows\SysWOW64\regedit.exezbmqv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
768"regedit.exe" "C:\Users\admin\AppData\Local\Temp\djygpxkoz.reg"C:\Windows\SysWOW64\regedit.exezbmqv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1200"regedit.exe" "C:\Users\admin\AppData\Local\Temp\djygpxkoz.reg"C:\Windows\SysWOW64\regedit.exezbmqv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1356"C:\Users\admin\AppData\Local\Temp\zbmqv.exe" "-"C:\Users\admin\AppData\Local\Temp\zbmqv.exe
ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\zbmqv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1416"regedit.exe" "C:\Users\admin\AppData\Local\Temp\djygpxkoz.reg"C:\Windows\SysWOW64\regedit.exe
zbmqv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1868"regedit.exe" "C:\Users\admin\AppData\Local\Temp\djygpxkoz.reg"C:\Windows\SysWOW64\regedit.exezbmqv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2060"regedit.exe" "C:\Users\admin\AppData\Local\Temp\djygpxkoz.reg"C:\Windows\SysWOW64\regedit.exezbmqv.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Editor
Exit code:
3221226540
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
Total events
19 507
Read events
19 012
Write events
494
Delete events
1

Modification events

(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:EnableLUA
Value:
0
(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:oxpamxnuiicm
Value:
droevlgslqpexoaui.exe
(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:nxqcpbsapqlwl
Value:
zrsmhbaqnwzspkayquooa.exe .
(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:rdymbpisjmjwncm
Value:
xnmexpmavcdupiwsikc.exe
(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:wjfukztewaymeufy
Value:
mbzqizviciiyskxshi.exe .
(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:mbzqizviciiyskxshi
Value:
C:\Users\admin\AppData\Local\Temp\zrsmhbaqnwzspkayquooa.exe
(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:droevlgslqpexoaui
Value:
C:\Users\admin\AppData\Local\Temp\kbbuohfuqyasoixulohg.exe .
(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:oxpamxnuiicm
Value:
C:\Users\admin\AppData\Local\Temp\kbbuohfuqyasoixulohg.exe
(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:writeName:nxqcpbsapqlwl
Value:
C:\Users\admin\AppData\Local\Temp\mbzqizviciiyskxshi.exe .
(PID) Process:(5400) ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:writeName:DisableRegistryTools
Value:
1
Executable files
1
Suspicious files
10
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
5776zbmqv.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files (x86)\edlmopvswmwwaczedopwpzno.zhibinary
MD5:FAC531A01382DF08BB733BD9A1C65581
SHA256:D63C87A0E11187FABB83CE2B3B8F93748A16545EECF01AB6861C2B8D53545167
5776zbmqv.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\edlmopvswmwwaczedopwpzno.zhibinary
MD5:FAC531A01382DF08BB733BD9A1C65581
SHA256:D63C87A0E11187FABB83CE2B3B8F93748A16545EECF01AB6861C2B8D53545167
5776zbmqv.exeC:\Users\admin\AppData\Local\Temp\edlmopvswmwwaczedopwpzno.zhibinary
MD5:FAC531A01382DF08BB733BD9A1C65581
SHA256:D63C87A0E11187FABB83CE2B3B8F93748A16545EECF01AB6861C2B8D53545167
5400ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exeC:\Users\admin\AppData\Local\Temp\zbmqv.exeexecutable
MD5:66285C8D9369EC6665D1904A04B22D13
SHA256:EBD2E5EFDAA434CF8C2C8AA63086BA6D282DC7CF9348C2EC6BB77C64724FCE68
5776zbmqv.exeC:\Users\admin\AppData\Local\Temp\djygpxkoz.regtext
MD5:A8702BDFF482E47B2E74B115FFAAF779
SHA256:15BD561433C476CB5E4AD5EB3AFE7ECA32841149FFDC21E1D33181532669EE6B
5776zbmqv.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\edlmopvswmwwaczedopwpzno.zhibinary
MD5:FAC531A01382DF08BB733BD9A1C65581
SHA256:D63C87A0E11187FABB83CE2B3B8F93748A16545EECF01AB6861C2B8D53545167
5776zbmqv.exeC:\Users\admin\AppData\Local\edlmopvswmwwaczedopwpzno.zhibinary
MD5:FAC531A01382DF08BB733BD9A1C65581
SHA256:D63C87A0E11187FABB83CE2B3B8F93748A16545EECF01AB6861C2B8D53545167
5776zbmqv.exeC:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\nxqcpbsapqlwlygwgcogkfeqnxqcpbsapql.lygbinary
MD5:FACE6FBFC5475418AAF7F7C0596D5658
SHA256:70666F2B284080ED338B2F37D464DF6A0D572532D0057C7DFBFDDB4B3DC5AD57
5776zbmqv.exeC:\Users\admin\AppData\Local\nxqcpbsapqlwlygwgcogkfeqnxqcpbsapql.lygbinary
MD5:FACE6FBFC5475418AAF7F7C0596D5658
SHA256:70666F2B284080ED338B2F37D464DF6A0D572532D0057C7DFBFDDB4B3DC5AD57
5776zbmqv.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files (x86)\nxqcpbsapqlwlygwgcogkfeqnxqcpbsapql.lygbinary
MD5:FACE6FBFC5475418AAF7F7C0596D5658
SHA256:70666F2B284080ED338B2F37D464DF6A0D572532D0057C7DFBFDDB4B3DC5AD57
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
31
DNS requests
14
Threats
23

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5776
zbmqv.exe
GET
301
188.114.97.3:80
http://www.showmyipaddress.com/
unknown
malicious
5776
zbmqv.exe
GET
301
172.66.40.87:80
http://www.whatismyip.com/
unknown
shared
5776
zbmqv.exe
GET
301
188.114.97.3:80
http://www.showmyipaddress.com/
unknown
malicious
5776
zbmqv.exe
GET
301
188.114.97.3:80
http://www.showmyipaddress.com/
unknown
malicious
5776
zbmqv.exe
GET
301
172.66.40.87:80
http://www.whatismyip.com/
unknown
shared
5776
zbmqv.exe
GET
403
104.19.223.79:80
http://whatismyipaddress.com/
unknown
shared
5776
zbmqv.exe
GET
403
104.19.223.79:80
http://whatismyipaddress.com/
unknown
shared
5776
zbmqv.exe
GET
301
172.66.40.87:80
http://www.whatismyip.com/
unknown
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6068
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.110.123:443
www.bing.com
Akamai International B.V.
DE
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:137
whitelisted
3976
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5776
zbmqv.exe
188.114.97.3:80
www.showmyipaddress.com
CLOUDFLARENET
NL
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
www.bing.com
  • 2.16.110.123
  • 2.16.110.170
  • 2.16.110.171
  • 2.16.110.121
  • 2.16.110.176
  • 2.16.110.193
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
self.events.data.microsoft.com
  • 20.189.173.24
whitelisted
www.whatismyip.ca
malicious
www.showmyipaddress.com
  • 188.114.97.3
  • 188.114.96.3
malicious
www.whatismyip.com
  • 172.66.40.87
  • 172.66.43.169
shared
whatismyip.everdot.org
unknown

Threats

PID
Process
Class
Message
5776
zbmqv.exe
Potential Corporate Privacy Violation
ET INFO IP Check Domain (showmyipaddress .com in HTTP Host)
5776
zbmqv.exe
A Network Trojan was detected
ET MALWARE Win32/Pykspa.C Public IP Check
5776
zbmqv.exe
Attempted Information Leak
ET INFO IP Check Domain (whatismyip in HTTP Host)
5776
zbmqv.exe
A Network Trojan was detected
ET MALWARE Win32/Pykspa.C Public IP Check
5776
zbmqv.exe
Potential Corporate Privacy Violation
ET INFO IP Check Domain (showmyipaddress .com in HTTP Host)
5776
zbmqv.exe
A Network Trojan was detected
ET MALWARE Win32/Pykspa.C Public IP Check
5776
zbmqv.exe
Potential Corporate Privacy Violation
ET INFO IP Check Domain (showmyipaddress .com in HTTP Host)
5776
zbmqv.exe
A Network Trojan was detected
ET MALWARE Win32/Pykspa.C Public IP Check
5776
zbmqv.exe
Attempted Information Leak
ET INFO IP Check Domain (whatismyip in HTTP Host)
5776
zbmqv.exe
A Network Trojan was detected
ET MALWARE Win32/Pykspa.C Public IP Check
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ebd2e5efdaa434cf8c2c8aa63086ba6d282dc7cf9348c2ec6bb77c64724fce68.exe