File name:

voluptatem.k

Full analysis: https://app.any.run/tasks/9757a61a-db53-45c6-bceb-0db663066645
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: December 18, 2023, 18:42:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
pikabot
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:

73E19478B398CA4CB09484E829930A36

SHA1:

EC80BC4E60D806EC7A88A5924C756F5CAFFE6CF0

SHA256:

EC375EE3A232E22B40BCF56AE3BE52091069577400E2C71AE3A3093C0CE9281E

SSDEEP:

49152:OnqQveRIc+KTjvDaPnO5nLWL2JWLDukIak8hQGZLUUWu6hTNPN9W7/8WLGyAmMpj:Onq8eRzjvDavO9KagfukIR8h9LUUzsNn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • PikaBot has been detected

      • rundll32.exe (PID: 2104)

    • Connects to the CnC server

      • SearchProtocolHost.exe (PID: 1464)

    • PIKABOT has been detected (SURICATA)

      • SearchProtocolHost.exe (PID: 1464)

  • SUSPICIOUS

    • Connects to unusual port

      • SearchProtocolHost.exe (PID: 1464)

  • INFO

    • Checks proxy server information

      • SearchProtocolHost.exe (PID: 1464)
      • slui.exe (PID: 6064)

    • Reads security settings of Internet Explorer

      • SearchProtocolHost.exe (PID: 1464)

    • Reads the software policy settings

      • slui.exe (PID: 6064)
      • slui.exe (PID: 4456)
      • SearchProtocolHost.exe (PID: 1464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (38.7)
.exe | Win64 Executable (generic) (34.3)
.scr | Windows screen saver (16.2)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2016:10:04 17:12:28+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Large address aware, 32-bit, DLL
PEType: PE32
LinkerVersion: 6
CodeSize: 823808
InitializedDataSize: 783872
UninitializedDataSize: -
EntryPoint: 0xc12b9
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 16.4.0.0
ProductVersionNumber: 16.4.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Igor Pavlov
FileDescription: 7z Plugin
FileVersion: 16.04
InternalName: 7z
LegalCopyright: Copyright (c) 1999-2016 Igor Pavlov
OriginalFileName: 7z.dll
ProductName: 7-Zip
ProductVersion: 16.04
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
7
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs #PIKABOT rundll32.exe no specs #PIKABOT searchprotocolhost.exe sppextcomobj.exe no specs slui.exe slui.exe filecoauth.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1464"C:\Windows\System32\SearchProtocolHost.exe"C:\Windows\SysWOW64\SearchProtocolHost.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.0.19041.1151 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
2104"C:\Windows\System32\rundll32.exe" C:\Users\admin\Desktop\voluptatem.k,EnterC:\Windows\SysWOW64\rundll32.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.746 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
3680"C:\Windows\System32\rundll32.exe" C:\Users\admin\Desktop\voluptatem.k,EnterC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
4456"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
5472C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.1202 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
5716C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -EmbeddingC:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
6064C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
Total events
3 920
Read events
3 910
Write events
10
Delete events
0

Modification events

(PID) Process:(1464) SearchProtocolHost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1464) SearchProtocolHost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1464) SearchProtocolHost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1464) SearchProtocolHost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1464) SearchProtocolHost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1464) SearchProtocolHost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
2
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
5716FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-12-18.1846.5716.1.odlbinary
MD5:113DE7964430E0119701372F13B86CB4
SHA256:44230F9ED639483ACED9816CCE114A7C46263DC6F7287A54D8B956660F557E8B
5716FileCoAuth.exeC:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-12-18.1846.5716.1.aodlbinary
MD5:923BF0E545D9C37CA8874C8D6C4A30E6
SHA256:AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
70
DNS requests
31
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
binary
313 b
unknown
1092
svchost.exe
POST
302
2.19.246.123:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1092
svchost.exe
POST
302
2.19.246.123:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
2908
svchost.exe
GET
200
23.212.210.158:80
http://x1.c.lencr.org/
unknown
binary
717 b
unknown
5716
SIHClient.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
binary
418 b
unknown
1092
svchost.exe
POST
302
2.19.246.123:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
5716
SIHClient.exe
GET
200
104.119.109.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
binary
409 b
unknown
1092
svchost.exe
POST
302
2.19.246.123:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
1092
svchost.exe
POST
302
2.19.246.123:80
http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409
unknown
unknown
2644
OfficeClickToRun.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
binary
471 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1140
svchost.exe
20.190.159.71:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3720
svchost.exe
239.255.255.250:1900
whitelisted
1092
svchost.exe
2.19.246.123:80
go.microsoft.com
AKAMAI-AS
DE
unknown
1092
svchost.exe
20.231.121.79:80
dmd.metaservices.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
5736
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5612
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5736
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
1464
SearchProtocolHost.exe
45.56.71.218:13724
Linode, LLC
US
unknown
5340
backgroundTaskHost.exe
23.15.178.147:443
www.bing.com
Akamai International B.V.
DE
unknown
5340
backgroundTaskHost.exe
192.229.221.95:80
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 2.19.246.123
whitelisted
dmd.metaservices.microsoft.com
  • 20.231.121.79
  • 138.91.171.81
  • 52.142.223.178
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 20.73.194.208
whitelisted
www.bing.com
  • 23.15.178.147
  • 23.15.178.179
  • 23.15.178.226
  • 23.15.178.208
  • 23.15.178.136
  • 23.15.178.200
  • 23.15.178.234
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted
www.microsoft.com
  • 104.119.109.218
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
x1.c.lencr.org
  • 23.212.210.158
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
self.events.data.microsoft.com
  • 20.189.173.4
whitelisted

Threats

PID
Process
Class
Message
1464
SearchProtocolHost.exe
A Network Trojan was detected
LOADER [ANY.RUN] Possible PikaBot TLS Certificate
1464
SearchProtocolHost.exe
A Network Trojan was detected
LOADER [ANY.RUN] Possible PikaBot TLS Certificate
1464
SearchProtocolHost.exe
A Network Trojan was detected
LOADER [ANY.RUN] Possible PikaBot TLS Certificate
1464
SearchProtocolHost.exe
A Network Trojan was detected
LOADER [ANY.RUN] Possible PikaBot TLS Certificate
1464
SearchProtocolHost.exe
A Network Trojan was detected
LOADER [ANY.RUN] Possible PikaBot TLS Certificate
1464
SearchProtocolHost.exe
A Network Trojan was detected
ET CNC Feodo Tracker Reported CnC Server group 5
1464
SearchProtocolHost.exe
A Network Trojan was detected
LOADER [ANY.RUN] Possible PikaBot TLS Certificate
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
voluptatem.k