Malware analysis https://ndcertainlywhen.com/?tid=1045621 Malicious activity

Add for printing

URL:	https://ndcertainlywhen.com/?tid=1045621
Full analysis:	https://app.any.run/tasks/027c5269-346a-47c1-8ca9-1067c44c849e
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	January 06, 2026, 17:17:35
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer loader arch-doc arch-html mentalmentor adware anti-evasion opera tool delphi inno installer evasion qrcode
Indicators:
MD5:	951617805FD4F9C0A697488E3A6B3B24
SHA1:	F97FE001F71C74131661F93E3567E6E7A892CEA9
SHA256:	24009FAC06CA5E49F0CD381F77EE6828AEE67F46A8F8DAE050597C5D68BBA088
SSDEEP:	3:N8nSSNuNV:2h6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 240 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 180 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Actions looks like stealing of personal data
  - PixelSee_id1429535id.exe (PID: 8540)
  - PixelSee_id1429535id.exe (PID: 8556)
  - PixelSee_id1429535id.exe (PID: 8724)
  - setup.exe (PID: 7208)
  - PixelSee_id1429535id.exe (PID: 7264)
  - opera_crashreporter.exe (PID: 10012)
  - opera.exe (PID: 9644)
  - opera_crashreporter.exe (PID: 10100)
  - opera_crashreporter.exe (PID: 9404)
  - opera_crashreporter.exe (PID: 8576)
  - opera.exe (PID: 9428)
  - opera_crashreporter.exe (PID: 9896)
  - browser_assistant.exe (PID: 10228)
  - opera_crashreporter.exe (PID: 9412)
  - browser_assistant.exe (PID: 9588)
  - opera.exe (PID: 10424)
  - opera.exe (PID: 10564)
  - opera.exe (PID: 10808)
  - opera_autoupdate.exe (PID: 9364)
  - opera_autoupdate.exe (PID: 8232)
  - 360TS_Setup.exe (PID: 5676)
- MENTALMENTOR mutex has been found
  - luminati-m-controller.exe (PID: 8852)
  - luminati-m-controller.exe (PID: 7756)
- Changes the autorun value in the registry
  - pixelsee.exe (PID: 9004)
  - assistant_installer.exe (PID: 9364)
  - opera.exe (PID: 9644)
  - opera.exe (PID: 10564)
  - bdvpn_setup.exe (PID: 1156)
- Steals credentials from Web Browsers
  - setup.exe (PID: 7208)
  - setup.exe (PID: 4404)
  - setup.exe (PID: 3400)
  - setup.exe (PID: 5780)
  - assistant_installer.exe (PID: 4660)
  - assistant_installer.exe (PID: 7164)
  - installer.exe (PID: 6676)
  - installer.exe (PID: 5036)
  - assistant_installer.exe (PID: 9388)
  - assistant_installer.exe (PID: 9364)
  - assistant_installer.exe (PID: 9480)
  - assistant_installer.exe (PID: 9544)
  - opera_crashreporter.exe (PID: 10012)
  - opera.exe (PID: 9644)
  - opera_crashreporter.exe (PID: 10100)
  - opera.exe (PID: 9632)
  - opera_crashreporter.exe (PID: 9404)
  - opera.exe (PID: 9304)
  - opera.exe (PID: 8052)
  - opera_crashreporter.exe (PID: 8576)
  - opera.exe (PID: 9428)
  - opera_crashreporter.exe (PID: 9896)
  - opera.exe (PID: 7764)
  - browser_assistant.exe (PID: 10228)
  - opera_crashreporter.exe (PID: 9412)
  - opera.exe (PID: 10184)
  - browser_assistant.exe (PID: 9588)
  - opera_crashreporter.exe (PID: 10452)
  - opera.exe (PID: 10424)
  - opera.exe (PID: 10564)
  - opera_crashreporter.exe (PID: 10624)
  - opera.exe (PID: 10808)
  - installer.exe (PID: 10348)
  - opera_autoupdate.exe (PID: 9600)
  - installer.exe (PID: 10580)
  - opera_autoupdate.exe (PID: 9848)
  - opera_autoupdate.exe (PID: 9364)
  - opera_autoupdate.exe (PID: 8232)
  - opera.exe (PID: 9836)
  - opera_crashreporter.exe (PID: 9304)
- Starts NET.EXE for service management
  - bdvpn_setup.exe (PID: 1156)
  - net.exe (PID: 9856)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - PixelSee_id1429535id.exe (PID: 8556)
  - lum_inst.tmp (PID: 8216)
  - luminati-m-controller.exe (PID: 8852)
  - brightvpn_installer.exe (PID: 7344)
  - bdvpn_setup.exe (PID: 1156)
  - antivirus360.exe (PID: 8460)
  - net_updater32.exe (PID: 7368)
  - setup.exe (PID: 7208)
  - net_updater32.exe (PID: 1352)
  - PixelSee_id1429535id.exe (PID: 7264)
  - installer.exe (PID: 5036)
  - net_updater32.exe (PID: 9692)
  - browser_assistant.exe (PID: 9588)
  - net_updater32.exe (PID: 6676)
  - net_updater32.exe (PID: 8596)
  - Bright VPN.exe (PID: 9300)
  - net_updater32.exe (PID: 9832)
  - 360TS_Setup.exe (PID: 5676)
- Reads Microsoft Outlook installation path
  - PixelSee_id1429535id.exe (PID: 8556)
  - PixelSee_id1429535id.exe (PID: 7264)
- Reads Internet Explorer settings
  - PixelSee_id1429535id.exe (PID: 8556)
  - PixelSee_id1429535id.exe (PID: 7264)
- Process drops legitimate windows executable
  - PixelSee_id1429535id.exe (PID: 8556)
  - luminati-m-controller.exe (PID: 8852)
  - net_updater32.exe (PID: 7368)
  - Assistant_123.0.5669.23_Setup.exe_sfx.exe (PID: 8404)
  - assistant_installer.exe (PID: 9364)
  - bdvpn_setup.exe (PID: 1156)
- Executable content was dropped or overwritten
  - PixelSee_id1429535id.exe (PID: 8556)
  - luminati-m-controller.exe (PID: 8852)
  - lum_inst.exe (PID: 8228)
  - lum_inst.tmp (PID: 8216)
  - net_updater32.exe (PID: 7484)
  - bdvpn_setup.exe (PID: 1156)
  - antivirus360.exe (PID: 8460)
  - opera_binst.exe (PID: 9124)
  - luminati-m-controller.exe (PID: 7756)
  - setup.exe (PID: 4404)
  - setup.exe (PID: 7208)
  - setup.exe (PID: 7212)
  - setup.exe (PID: 3400)
  - setup.exe (PID: 5780)
  - net_updater32.exe (PID: 7368)
  - Assistant_123.0.5669.23_Setup.exe_sfx.exe (PID: 8404)
  - installer.exe (PID: 6676)
  - assistant_installer.exe (PID: 9364)
  - installer.exe (PID: 5036)
  - net_updater32.exe (PID: 9692)
  - installer.exe (PID: 10348)
  - installer.exe (PID: 10580)
  - net_updater32.exe (PID: 6676)
  - Bright VPN.exe (PID: 9300)
  - installer.exe (PID: 10580)
  - opera_autoupdate.exe (PID: 9848)
  - net_updater32.exe (PID: 9832)
  - net_updater32.exe (PID: 6976)
  - 360TS_Setup.exe (PID: 9972)
  - 360TS_Setup.exe (PID: 5676)
- The process drops C-runtime libraries
  - PixelSee_id1429535id.exe (PID: 8556)
  - luminati-m-controller.exe (PID: 8852)
  - net_updater32.exe (PID: 7368)
- Reads the Windows owner or organization settings
  - lum_inst.tmp (PID: 8216)
- Executes as Windows Service
  - net_updater32.exe (PID: 7484)
  - WmiApSrv.exe (PID: 2688)
  - net_updater32.exe (PID: 6976)
  - WmiApSrv.exe (PID: 9972)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - PixelSee_id1429535id.exe (PID: 8556)
- The process checks if it is being run in the virtual environment
  - net_updater32.exe (PID: 7484)
  - net_updater32.exe (PID: 6976)
- The process creates files with name similar to system file names
  - bdvpn_setup.exe (PID: 1156)
- Malware-specific behavior (creating "System.dll" in Temp)
  - bdvpn_setup.exe (PID: 1156)
- Application launched itself
  - setup.exe (PID: 7208)
  - setup.exe (PID: 3400)
  - net_updater32.exe (PID: 7368)
  - assistant_installer.exe (PID: 4660)
  - installer.exe (PID: 5036)
  - assistant_installer.exe (PID: 9364)
  - assistant_installer.exe (PID: 9480)
  - net_updater32.exe (PID: 1352)
  - opera.exe (PID: 9644)
  - browser_assistant.exe (PID: 9588)
  - opera.exe (PID: 10424)
  - opera.exe (PID: 10564)
  - installer.exe (PID: 10348)
  - opera_autoupdate.exe (PID: 9848)
  - opera_autoupdate.exe (PID: 9364)
  - net_updater32.exe (PID: 6676)
  - Bright VPN.exe (PID: 9300)
- Starts itself from another location
  - setup.exe (PID: 7208)
  - assistant_installer.exe (PID: 9364)
  - 360TS_Setup.exe (PID: 9972)
- Searches for installed software
  - installer.exe (PID: 5036)
  - browser_assistant.exe (PID: 9588)
- Reads the date of Windows installation
  - installer.exe (PID: 5036)
  - opera.exe (PID: 10564)
- Reads binary file using Get-Content
  - powershell.exe (PID: 9956)
  - powershell.exe (PID: 9844)
- Probably obfuscated PowerShell command line is found
  - bdvpn_setup.exe (PID: 1156)
- Possible stealing from browsers
  - opera_crashreporter.exe (PID: 10012)
  - opera.exe (PID: 9644)
  - opera_crashreporter.exe (PID: 10100)
  - opera_crashreporter.exe (PID: 9404)
  - opera_crashreporter.exe (PID: 8576)
  - opera_crashreporter.exe (PID: 9896)
  - browser_assistant.exe (PID: 10228)
  - opera_crashreporter.exe (PID: 9412)
  - browser_assistant.exe (PID: 9588)
  - opera.exe (PID: 10564)
- Starts POWERSHELL.EXE for commands execution
  - bdvpn_setup.exe (PID: 1156)
- Reads Mozilla Firefox installation path
  - opera.exe (PID: 10564)
- Drops 7-zip archiver for unpacking
  - bdvpn_setup.exe (PID: 1156)
  - 360TS_Setup.exe (PID: 5676)
- The process executes via Task Scheduler
  - opera_autoupdate.exe (PID: 9848)
- Uses WMIC.EXE to obtain Windows Installer data
  - cmd.exe (PID: 9388)
- Starts CMD.EXE for commands execution
  - Bright VPN.exe (PID: 9300)
- Checks for external IP
  - net_updater32.exe (PID: 7484)
- Creates file in the systems drive root
  - 360TS_Setup.exe (PID: 5676)
- The process verifies whether the antivirus software is installed
  - 360TS_Setup.exe (PID: 5676)
INFO
- Reads Environment values
  - identity_helper.exe (PID: 8172)
- Application launched itself
  - msedge.exe (PID: 7524)
- Checks supported languages
  - identity_helper.exe (PID: 8172)
  - PixelSee_id1429535id.exe (PID: 8540)
  - PixelSee_id1429535id.exe (PID: 8556)
  - PixelSee_id1429535id.exe (PID: 8724)
  - lum_inst.exe (PID: 8228)
  - luminati-m-controller.exe (PID: 8852)
  - test_wpf.exe (PID: 8948)
  - lum_inst.tmp (PID: 8216)
  - net_updater32.exe (PID: 7172)
  - net_updater32.exe (PID: 7484)
  - test_wpf.exe (PID: 7216)
  - idle_report.exe (PID: 1352)
  - brightdata.exe (PID: 5448)
  - bdvpn_setup.exe (PID: 1156)
  - pixelsee_crashpad_handler.exe (PID: 2240)
  - pixelsee.exe (PID: 9004)
  - brightvpn_installer.exe (PID: 7344)
  - antivirus360.exe (PID: 8460)
  - opera_binst.exe (PID: 9124)
  - luminati-m-controller.exe (PID: 7756)
  - setup.exe (PID: 7208)
  - setup.exe (PID: 4404)
  - test_wpf.exe (PID: 5824)
  - net_updater32.exe (PID: 7368)
  - setup.exe (PID: 7212)
  - setup.exe (PID: 3400)
  - setup.exe (PID: 5780)
  - test_wpf.exe (PID: 6272)
  - net_updater32.exe (PID: 1352)
  - PixelSee_id1429535id.exe (PID: 7264)
  - Assistant_123.0.5669.23_Setup.exe_sfx.exe (PID: 8404)
  - assistant_installer.exe (PID: 4660)
  - assistant_installer.exe (PID: 7164)
  - installer.exe (PID: 6676)
  - installer.exe (PID: 5036)
  - assistant_installer.exe (PID: 9364)
  - assistant_installer.exe (PID: 9388)
  - assistant_installer.exe (PID: 9544)
  - net_updater32.exe (PID: 9692)
  - opera.exe (PID: 9644)
  - opera.exe (PID: 9632)
  - test_wpf.exe (PID: 9780)
  - assistant_installer.exe (PID: 9480)
  - browser_assistant.exe (PID: 9588)
  - opera_crashreporter.exe (PID: 10012)
  - opera_crashreporter.exe (PID: 10100)
  - browser_assistant.exe (PID: 10228)
  - opera.exe (PID: 9304)
  - opera.exe (PID: 9376)
  - opera.exe (PID: 9428)
  - opera_crashreporter.exe (PID: 9404)
  - opera.exe (PID: 8052)
  - opera.exe (PID: 4864)
  - opera.exe (PID: 1952)
  - opera_crashreporter.exe (PID: 8576)
  - opera.exe (PID: 7764)
  - opera.exe (PID: 9544)
  - opera.exe (PID: 9928)
  - opera.exe (PID: 9936)
  - opera_crashreporter.exe (PID: 9896)
  - opera.exe (PID: 10184)
  - opera.exe (PID: 9632)
  - opera.exe (PID: 9904)
  - opera_crashreporter.exe (PID: 9412)
  - opera.exe (PID: 10324)
  - opera.exe (PID: 10424)
  - opera_crashreporter.exe (PID: 10452)
  - opera_crashreporter.exe (PID: 10624)
  - opera.exe (PID: 10564)
  - opera.exe (PID: 10808)
  - opera.exe (PID: 10796)
  - opera.exe (PID: 10888)
  - opera.exe (PID: 10988)
  - opera.exe (PID: 10980)
  - opera.exe (PID: 11012)
  - opera.exe (PID: 10996)
  - opera.exe (PID: 11004)
  - opera.exe (PID: 10972)
  - opera.exe (PID: 11060)
  - opera.exe (PID: 10964)
  - opera_gx_splash.exe (PID: 10336)
  - opera.exe (PID: 9684)
  - opera.exe (PID: 3088)
  - opera.exe (PID: 9412)
  - opera.exe (PID: 10368)
  - opera.exe (PID: 2216)
  - opera.exe (PID: 9580)
  - opera.exe (PID: 10052)
  - opera.exe (PID: 9220)
  - opera.exe (PID: 9256)
  - opera.exe (PID: 6272)
  - opera.exe (PID: 10576)
  - opera.exe (PID: 8596)
  - opera.exe (PID: 6096)
  - opera.exe (PID: 10516)
  - opera.exe (PID: 10524)
  - opera.exe (PID: 10540)
  - opera.exe (PID: 10548)
  - opera.exe (PID: 10536)
  - opera.exe (PID: 9428)
  - opera.exe (PID: 4572)
  - opera.exe (PID: 7912)
  - opera.exe (PID: 10488)
  - opera.exe (PID: 10592)
  - opera.exe (PID: 10596)
  - opera.exe (PID: 8832)
  - opera.exe (PID: 5788)
  - opera.exe (PID: 10472)
  - opera.exe (PID: 10508)
  - opera.exe (PID: 7356)
  - pixelsee.exe (PID: 7708)
  - opera.exe (PID: 6852)
  - installer.exe (PID: 10580)
  - opera.exe (PID: 10012)
  - opera.exe (PID: 8536)
  - opera.exe (PID: 10532)
  - opera.exe (PID: 10448)
  - opera.exe (PID: 9584)
  - opera.exe (PID: 10464)
  - installer.exe (PID: 10348)
  - browser_assistant.exe (PID: 9284)
  - opera.exe (PID: 9292)
  - opera_autoupdate.exe (PID: 9848)
  - opera_autoupdate.exe (PID: 9600)
  - opera_autoupdate.exe (PID: 9364)
  - opera_autoupdate.exe (PID: 8232)
  - opera.exe (PID: 11016)
  - opera.exe (PID: 10196)
  - opera.exe (PID: 9392)
  - opera.exe (PID: 6272)
  - opera.exe (PID: 9604)
  - opera.exe (PID: 8204)
  - opera.exe (PID: 8220)
  - opera.exe (PID: 9852)
  - opera.exe (PID: 10576)
  - opera.exe (PID: 10536)
  - opera.exe (PID: 4624)
  - opera.exe (PID: 11168)
  - opera.exe (PID: 11240)
  - opera.exe (PID: 10452)
  - opera.exe (PID: 8616)
  - net_updater32.exe (PID: 6676)
  - opera.exe (PID: 9836)
  - opera_crashreporter.exe (PID: 9304)
  - opera.exe (PID: 10456)
  - net_updater32.exe (PID: 8596)
  - opera.exe (PID: 1180)
  - test_wpf.exe (PID: 11216)
  - Bright VPN.exe (PID: 9300)
  - test_wpf.exe (PID: 11152)
  - idle_report.exe (PID: 5492)
  - installer.exe (PID: 10580)
  - test_wpf.exe (PID: 948)
  - Bright VPN.exe (PID: 10044)
  - Bright VPN.exe (PID: 10968)
  - net_updater32.exe (PID: 9832)
  - idle_report.exe (PID: 2448)
  - brightdata.exe (PID: 9392)
  - net_updater32.exe (PID: 6976)
  - test_wpf.exe (PID: 8636)
  - opera.exe (PID: 1148)
  - 360TS_Setup.exe (PID: 9972)
  - 360TS_Setup.exe (PID: 5676)
  - idle_report.exe (PID: 7028)
- Reads the computer name
  - identity_helper.exe (PID: 8172)
  - PixelSee_id1429535id.exe (PID: 8540)
  - PixelSee_id1429535id.exe (PID: 8556)
  - PixelSee_id1429535id.exe (PID: 8724)
  - test_wpf.exe (PID: 8948)
  - lum_inst.tmp (PID: 8216)
  - luminati-m-controller.exe (PID: 8852)
  - net_updater32.exe (PID: 7484)
  - test_wpf.exe (PID: 7216)
  - idle_report.exe (PID: 1352)
  - brightdata.exe (PID: 5448)
  - net_updater32.exe (PID: 7172)
  - pixelsee.exe (PID: 9004)
  - brightvpn_installer.exe (PID: 7344)
  - bdvpn_setup.exe (PID: 1156)
  - antivirus360.exe (PID: 8460)
  - test_wpf.exe (PID: 5824)
  - setup.exe (PID: 7208)
  - net_updater32.exe (PID: 7368)
  - luminati-m-controller.exe (PID: 7756)
  - test_wpf.exe (PID: 6272)
  - setup.exe (PID: 3400)
  - net_updater32.exe (PID: 1352)
  - PixelSee_id1429535id.exe (PID: 7264)
  - assistant_installer.exe (PID: 4660)
  - installer.exe (PID: 5036)
  - assistant_installer.exe (PID: 9364)
  - net_updater32.exe (PID: 9692)
  - assistant_installer.exe (PID: 9480)
  - opera.exe (PID: 9644)
  - opera.exe (PID: 9632)
  - test_wpf.exe (PID: 9780)
  - browser_assistant.exe (PID: 9588)
  - opera.exe (PID: 9376)
  - opera.exe (PID: 9304)
  - opera.exe (PID: 9428)
  - opera.exe (PID: 8052)
  - opera.exe (PID: 7764)
  - opera.exe (PID: 9936)
  - opera.exe (PID: 10184)
  - opera.exe (PID: 10424)
  - opera.exe (PID: 10564)
  - opera.exe (PID: 10796)
  - opera.exe (PID: 10808)
  - opera_gx_splash.exe (PID: 10336)
  - opera.exe (PID: 10052)
  - pixelsee.exe (PID: 7708)
  - installer.exe (PID: 10348)
  - opera_autoupdate.exe (PID: 9848)
  - opera_autoupdate.exe (PID: 9364)
  - net_updater32.exe (PID: 6676)
  - opera.exe (PID: 9836)
  - test_wpf.exe (PID: 11216)
  - net_updater32.exe (PID: 8596)
  - Bright VPN.exe (PID: 9300)
  - test_wpf.exe (PID: 11152)
  - idle_report.exe (PID: 5492)
  - Bright VPN.exe (PID: 10968)
  - test_wpf.exe (PID: 948)
  - net_updater32.exe (PID: 6976)
  - Bright VPN.exe (PID: 10044)
  - net_updater32.exe (PID: 9832)
  - idle_report.exe (PID: 2448)
  - test_wpf.exe (PID: 8636)
  - idle_report.exe (PID: 7028)
  - 360TS_Setup.exe (PID: 9972)
  - 360TS_Setup.exe (PID: 5676)
  - brightdata.exe (PID: 9392)
- Executable content was dropped or overwritten
  - msedge.exe (PID: 7844)
  - msedge.exe (PID: 7524)
- The sample compiled with english language support
  - msedge.exe (PID: 7844)
  - msedge.exe (PID: 7524)
  - PixelSee_id1429535id.exe (PID: 8556)
  - luminati-m-controller.exe (PID: 8852)
  - lum_inst.tmp (PID: 8216)
  - bdvpn_setup.exe (PID: 1156)
  - antivirus360.exe (PID: 8460)
  - opera_binst.exe (PID: 9124)
  - setup.exe (PID: 4404)
  - setup.exe (PID: 7208)
  - setup.exe (PID: 7212)
  - setup.exe (PID: 3400)
  - net_updater32.exe (PID: 7368)
  - setup.exe (PID: 5780)
  - Assistant_123.0.5669.23_Setup.exe_sfx.exe (PID: 8404)
  - installer.exe (PID: 6676)
  - installer.exe (PID: 5036)
  - assistant_installer.exe (PID: 9364)
  - installer.exe (PID: 10348)
  - installer.exe (PID: 10580)
  - opera_autoupdate.exe (PID: 9848)
  - installer.exe (PID: 10580)
  - 360TS_Setup.exe (PID: 5676)
- Launching a file from the Downloads directory
  - msedge.exe (PID: 7524)
- Create files in a temporary directory
  - PixelSee_id1429535id.exe (PID: 8556)
  - lum_inst.exe (PID: 8228)
  - lum_inst.tmp (PID: 8216)
  - bdvpn_setup.exe (PID: 1156)
  - opera_binst.exe (PID: 9124)
  - antivirus360.exe (PID: 8460)
  - setup.exe (PID: 4404)
  - setup.exe (PID: 7212)
  - setup.exe (PID: 7208)
  - setup.exe (PID: 3400)
  - setup.exe (PID: 5780)
  - PixelSee_id1429535id.exe (PID: 7264)
  - Assistant_123.0.5669.23_Setup.exe_sfx.exe (PID: 8404)
  - installer.exe (PID: 5036)
  - installer.exe (PID: 6676)
  - opera.exe (PID: 9644)
  - opera.exe (PID: 10564)
  - installer.exe (PID: 10348)
  - installer.exe (PID: 10580)
  - opera_autoupdate.exe (PID: 9848)
  - Bright VPN.exe (PID: 9300)
  - installer.exe (PID: 10580)
  - 360TS_Setup.exe (PID: 5676)
  - 360TS_Setup.exe (PID: 9972)
- Checks proxy server information
  - PixelSee_id1429535id.exe (PID: 8556)
  - luminati-m-controller.exe (PID: 8852)
  - pixelsee.exe (PID: 9004)
  - slui.exe (PID: 8656)
  - bdvpn_setup.exe (PID: 1156)
  - antivirus360.exe (PID: 8460)
  - brightvpn_installer.exe (PID: 7344)
  - setup.exe (PID: 7208)
  - net_updater32.exe (PID: 7368)
  - net_updater32.exe (PID: 1352)
  - PixelSee_id1429535id.exe (PID: 7264)
  - opera.exe (PID: 9644)
  - browser_assistant.exe (PID: 9588)
  - opera.exe (PID: 10564)
  - opera_autoupdate.exe (PID: 9364)
  - net_updater32.exe (PID: 8596)
  - opera_autoupdate.exe (PID: 9848)
  - Bright VPN.exe (PID: 9300)
  - 360TS_Setup.exe (PID: 5676)
- Process checks computer location settings
  - PixelSee_id1429535id.exe (PID: 8556)
  - lum_inst.tmp (PID: 8216)
  - luminati-m-controller.exe (PID: 8852)
  - net_updater32.exe (PID: 7484)
  - luminati-m-controller.exe (PID: 7756)
  - net_updater32.exe (PID: 7368)
  - net_updater32.exe (PID: 1352)
  - opera.exe (PID: 9644)
  - opera.exe (PID: 1952)
  - opera.exe (PID: 4864)
  - opera.exe (PID: 9904)
  - opera.exe (PID: 10564)
  - opera.exe (PID: 11060)
  - opera.exe (PID: 9684)
  - opera.exe (PID: 3088)
  - opera.exe (PID: 9412)
  - opera.exe (PID: 10368)
  - opera.exe (PID: 9580)
  - opera.exe (PID: 2216)
  - opera.exe (PID: 9428)
  - opera.exe (PID: 9292)
  - opera.exe (PID: 4624)
  - opera.exe (PID: 10576)
  - opera.exe (PID: 11240)
  - opera.exe (PID: 9604)
  - opera.exe (PID: 10456)
  - opera.exe (PID: 1180)
  - net_updater32.exe (PID: 8596)
  - net_updater32.exe (PID: 6676)
  - Bright VPN.exe (PID: 9300)
  - net_updater32.exe (PID: 9832)
  - net_updater32.exe (PID: 6976)
  - antivirus360.exe (PID: 8460)
  - opera.exe (PID: 1148)
  - 360TS_Setup.exe (PID: 5676)
- Creates a software uninstall entry
  - PixelSee_id1429535id.exe (PID: 8556)
  - installer.exe (PID: 5036)
  - bdvpn_setup.exe (PID: 1156)
- Creates files or folders in the user directory
  - PixelSee_id1429535id.exe (PID: 8556)
  - luminati-m-controller.exe (PID: 8852)
  - pixelsee_crashpad_handler.exe (PID: 2240)
  - pixelsee.exe (PID: 9004)
  - bdvpn_setup.exe (PID: 1156)
  - antivirus360.exe (PID: 8460)
  - net_updater32.exe (PID: 7368)
  - setup.exe (PID: 4404)
  - setup.exe (PID: 7208)
  - net_updater32.exe (PID: 1352)
  - setup.exe (PID: 3400)
  - installer.exe (PID: 5036)
  - assistant_installer.exe (PID: 9364)
  - opera.exe (PID: 9644)
  - opera.exe (PID: 9428)
  - opera.exe (PID: 10424)
  - opera.exe (PID: 10564)
  - opera.exe (PID: 10808)
  - browser_assistant.exe (PID: 9588)
  - opera_autoupdate.exe (PID: 9364)
  - opera_autoupdate.exe (PID: 8232)
  - brightvpn_installer.exe (PID: 7344)
  - Bright VPN.exe (PID: 9300)
  - opera_autoupdate.exe (PID: 9848)
  - Bright VPN.exe (PID: 10968)
  - 360TS_Setup.exe (PID: 5676)
- Reads the machine GUID from the registry
  - luminati-m-controller.exe (PID: 8852)
  - test_wpf.exe (PID: 8948)
  - test_wpf.exe (PID: 7216)
  - idle_report.exe (PID: 1352)
  - brightdata.exe (PID: 5448)
  - net_updater32.exe (PID: 7484)
  - pixelsee.exe (PID: 9004)
  - brightvpn_installer.exe (PID: 7344)
  - bdvpn_setup.exe (PID: 1156)
  - luminati-m-controller.exe (PID: 7756)
  - antivirus360.exe (PID: 8460)
  - net_updater32.exe (PID: 7368)
  - test_wpf.exe (PID: 5824)
  - test_wpf.exe (PID: 6272)
  - setup.exe (PID: 7208)
  - net_updater32.exe (PID: 1352)
  - installer.exe (PID: 5036)
  - net_updater32.exe (PID: 9692)
  - test_wpf.exe (PID: 9780)
  - opera.exe (PID: 9644)
  - opera.exe (PID: 10564)
  - browser_assistant.exe (PID: 9588)
  - pixelsee.exe (PID: 7708)
  - opera_autoupdate.exe (PID: 9848)
  - opera_autoupdate.exe (PID: 9600)
  - opera_autoupdate.exe (PID: 9364)
  - opera_autoupdate.exe (PID: 8232)
  - net_updater32.exe (PID: 6676)
  - test_wpf.exe (PID: 11216)
  - net_updater32.exe (PID: 8596)
  - Bright VPN.exe (PID: 9300)
  - test_wpf.exe (PID: 11152)
  - idle_report.exe (PID: 5492)
  - net_updater32.exe (PID: 9832)
  - test_wpf.exe (PID: 948)
  - net_updater32.exe (PID: 6976)
  - test_wpf.exe (PID: 8636)
  - idle_report.exe (PID: 2448)
  - idle_report.exe (PID: 7028)
  - brightdata.exe (PID: 9392)
  - 360TS_Setup.exe (PID: 5676)
- Creates files in the program directory
  - luminati-m-controller.exe (PID: 8852)
  - net_updater32.exe (PID: 7172)
  - net_updater32.exe (PID: 7484)
  - brightdata.exe (PID: 5448)
  - brightvpn_installer.exe (PID: 7344)
  - bdvpn_setup.exe (PID: 1156)
  - luminati-m-controller.exe (PID: 7756)
  - net_updater32.exe (PID: 7368)
  - net_updater32.exe (PID: 1352)
  - net_updater32.exe (PID: 9692)
  - powershell.exe (PID: 9844)
  - powershell.exe (PID: 9956)
  - net_updater32.exe (PID: 8596)
  - net_updater32.exe (PID: 6676)
  - Bright VPN.exe (PID: 9300)
  - net_updater32.exe (PID: 9832)
  - net_updater32.exe (PID: 6976)
  - brightdata.exe (PID: 9392)
  - 360TS_Setup.exe (PID: 9972)
  - 360TS_Setup.exe (PID: 5676)
- Disables trace logs
  - luminati-m-controller.exe (PID: 8852)
  - net_updater32.exe (PID: 7484)
  - brightvpn_installer.exe (PID: 7344)
  - antivirus360.exe (PID: 8460)
  - net_updater32.exe (PID: 1352)
  - net_updater32.exe (PID: 8596)
  - rasdial.exe (PID: 9960)
  - Bright VPN.exe (PID: 9300)
  - net_updater32.exe (PID: 6976)
- Compiled with Borland Delphi (YARA)
  - lum_inst.exe (PID: 8228)
  - lum_inst.tmp (PID: 8216)
- Detects InnoSetup installer (YARA)
  - lum_inst.exe (PID: 8228)
  - lum_inst.tmp (PID: 8216)
- Reads CPU info
  - net_updater32.exe (PID: 7484)
  - Bright VPN.exe (PID: 9300)
  - net_updater32.exe (PID: 6976)
  - opera.exe (PID: 10564)
- Launching a file from a Registry key
  - pixelsee.exe (PID: 9004)
  - assistant_installer.exe (PID: 9364)
  - opera.exe (PID: 9644)
  - opera.exe (PID: 10564)
  - bdvpn_setup.exe (PID: 1156)
- Reads the time zone
  - net_updater32.exe (PID: 7484)
  - net_updater32.exe (PID: 6976)
- Manual execution by a user
  - PixelSee_id1429535id.exe (PID: 7264)
  - PixelSee_id1429535id.exe (PID: 1236)
  - notepad.exe (PID: 8172)
  - msedge.exe (PID: 8124)
  - msedge.exe (PID: 8620)
  - msedge.exe (PID: 5208)
  - msedge.exe (PID: 8720)
  - msedge.exe (PID: 8228)
  - msedge.exe (PID: 7020)
  - pixelsee.exe (PID: 7708)
  - browser_assistant.exe (PID: 9284)
  - opera.exe (PID: 9836)
  - Bright VPN.exe (PID: 9300)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 8172)
  - WMIC.exe (PID: 9504)
- OPERA mutex has been found
  - opera.exe (PID: 9644)
  - browser_assistant.exe (PID: 9588)
  - opera.exe (PID: 10564)
  - opera_autoupdate.exe (PID: 9364)
  - opera_autoupdate.exe (PID: 9848)
- The sample compiled with chinese language support
  - 360TS_Setup.exe (PID: 9972)
  - 360TS_Setup.exe (PID: 5676)
- The sample compiled with turkish language support
  - 360TS_Setup.exe (PID: 5676)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

412

Monitored processes

251

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

144

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=7604,i,6008971435191412046,12742840306237642541,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

792

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6036,i,6008971435191412046,12742840306237642541,262144 --variations-seed-version --mojo-platform-channel-handle=6748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

133.0.3065.92

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

948

C:\ProgramData\BrightData\6cca5f7f15056f66a3211bbbd92076486a2361bb\test_wpf.exe

—

net_updater32.exe

User:

admin

Company:

BrightData Ltd. (certified)

Integrity Level:

HIGH

Description:

test_wpf

Exit code:

Version:

1.572.298

Modules

Images
c:\programdata\brightdata\6cca5f7f15056f66a3211bbbd92076486a2361bb\test_wpf.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

1148

"C:\Users\admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --extension-process --no-pre-read-main-dll --force-high-res-timeticks=disabled --with-feature:address-bar-dropdown-autocomplete-filter=on --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-intent=on --with-feature:ai-tab-management=on --with-feature:ai-writing-mode-in-context-menu=on --with-feature:amazon-bookmarks-tags-update=on --with-feature:amp-requests-stats=on --with-feature:aria-in-tab-view=on --with-feature:audio-analysis=on --with-feature:bluesky-in-sidebar=on --with-feature:cashback-assistant=on --with-feature:certificate-transparency-enforcement=on --with-feature:continue-filter=on --with-feature:continue-on-mixed=on --with-feature:continue-shopping-structured-partners=on --with-feature:discord-in-sidebar=on --with-feature:early-bird=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:hide-navigations-from-extensions=on --with-feature:installer-experiment-test=off --with-feature:installer-move-opera-exe=off --with-feature:keywords-from-backend=on --with-feature:native-crypto-wallet=on --with-feature:opera-one-unskippable-introduction=on --with-feature:opera-startpage-special-2=off --with-feature:proxy-switcher-ui-default-visible=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:slack-in-sidebar=on --with-feature:specific-keywords=on --with-feature:startpage-content=off --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:translator=on --with-feature:vpn-pro-v4-support=on --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=74 --metrics-shmem-handle=10124,i,14482263033900775274,4745273360506698381,2097152 --field-trial-handle=2064,i,189091553551654942,17071768605519957545,262144 --enable-features=CertificateTransparencyAskBeforeEnabling,MultiThreadedUiCompositor --disable-features=AutoPictureInPictureForVideoPlayback,AutoPictureInPictureVideoHeuristics,CapitalOneCashbackProtection,MediaSessionEnterPictureInPicture,PlatformSoftwareH264EncoderInGpu,SyncWorkspacesInSessions --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:2

C:\Users\admin\AppData\Local\Programs\Opera\opera.exe

—

opera.exe

User:

admin

Company:

Opera Software

Integrity Level:

LOW

Description:

Opera Internet Browser

Exit code:

Version:

125.0.5729.49

Modules

Images
c:\users\admin\appdata\local\programs\opera\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\opera\125.0.5729.49\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll

1156

"C:\Users\admin\AppData\Local\Temp\bdvpn\bdvpn_setup.exe" /Silent=yes /Affiliate=pixelsee_wiz

C:\Users\admin\AppData\Local\Temp\bdvpn\bdvpn_setup.exe

PixelSee_id1429535id.exe

User:

admin

Company:

Bright Data Ltd.

Integrity Level:

HIGH

Exit code:

Version:

1.572.298

Modules

Images
c:\users\admin\appdata\local\temp\bdvpn\bdvpn_setup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1180

"C:\Users\admin\AppData\Local\Programs\Opera\opera.exe" --type=renderer --no-pre-read-main-dll --force-high-res-timeticks=disabled --start-stack-profiler --with-feature:address-bar-dropdown-autocomplete-filter=on --with-feature:address-bar-dropdown-cities=on --with-feature:address-bar-intent=on --with-feature:ai-tab-management=on --with-feature:ai-writing-mode-in-context-menu=on --with-feature:amazon-bookmarks-tags-update=on --with-feature:amp-requests-stats=on --with-feature:aria-in-tab-view=on --with-feature:audio-analysis=on --with-feature:bluesky-in-sidebar=on --with-feature:cashback-assistant=on --with-feature:certificate-transparency-enforcement=on --with-feature:continue-filter=on --with-feature:continue-on-mixed=on --with-feature:continue-shopping-structured-partners=on --with-feature:discord-in-sidebar=on --with-feature:early-bird=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:hide-navigations-from-extensions=on --with-feature:installer-experiment-test=off --with-feature:installer-move-opera-exe=off --with-feature:keywords-from-backend=on --with-feature:native-crypto-wallet=on --with-feature:opera-one-unskippable-introduction=on --with-feature:opera-startpage-special-2=off --with-feature:proxy-switcher-ui-default-visible=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:sitecheck-age=on --with-feature:slack-in-sidebar=on --with-feature:specific-keywords=on --with-feature:startpage-content=off --with-feature:startpage-opening-animation=off --with-feature:startpage-sync-banner=on --with-feature:translator=on --with-feature:vpn-pro-v4-support=on --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=73 --metrics-shmem-handle=10244,i,628455103884293288,1896678961652914948,2097152 --field-trial-handle=2064,i,189091553551654942,17071768605519957545,262144 --enable-features=CertificateTransparencyAskBeforeEnabling,MultiThreadedUiCompositor --disable-features=AutoPictureInPictureForVideoPlayback,AutoPictureInPictureVideoHeuristics,CapitalOneCashbackProtection,MediaSessionEnterPictureInPicture,PlatformSoftwareH264EncoderInGpu,SyncWorkspacesInSessions --variations-seed-version --mojo-platform-channel-handle=9580 /prefetch:1

C:\Users\admin\AppData\Local\Programs\Opera\opera.exe

—

opera.exe

User:

admin

Company:

Opera Software

Integrity Level:

LOW

Description:

Opera Internet Browser

Version:

125.0.5729.49

Modules

Images
c:\users\admin\appdata\local\programs\opera\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\opera\125.0.5729.49\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll

1236

"C:\Users\admin\Downloads\PixelSee_id1429535id.exe"

C:\Users\admin\Downloads\PixelSee_id1429535id.exe

—

explorer.exe

User:

admin

Company:

SIA Circle Solutions

Integrity Level:

MEDIUM

Description:

PixelSee Player Installer

Exit code:

3221226540

Version:

14.0.0.0

Modules

Images
c:\users\admin\downloads\pixelsee_id1429535id.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

1352

C:\ProgramData\BrightData\b85f5ef603041f1fc4e7f943c177a0d440a01266\idle_report.exe --id 60538 --screen

C:\ProgramData\BrightData\b85f5ef603041f1fc4e7f943c177a0d440a01266\idle_report.exe

—

net_updater32.exe

User:

admin

Company:

BrightData Ltd.

Integrity Level:

MEDIUM

Description:

idle_report

Exit code:

Version:

1.549.804

Modules

Images
c:\programdata\brightdata\b85f5ef603041f1fc4e7f943c177a0d440a01266\idle_report.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

1352

"C:\\Program Files (x86)\\Bright VPN\\net_updater32.exe" --install-ui win_brightvpn.com --fast

C:\Program Files (x86)\Bright VPN\net_updater32.exe

net_updater32.exe

User:

admin

Company:

BrightData Ltd. (certified)

Integrity Level:

HIGH

Description:

BrightData service allows free use of certain features in an app you installed

Exit code:

Version:

1.572.298

Modules

Images
c:\program files (x86)\bright vpn\net_updater32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\wldap32.dll
c:\windows\syswow64\ucrtbase.dll

1488

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="PixelSee" dir=in action=allow program="C:\Users\admin\pixelsee\qtwebengineprocess.exe"

C:\Windows\SysWOW64\netsh.exe

—

PixelSee_id1429535id.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Network Command Shell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

Add for printing

Total events

102 600

Read events

100 691

Write events

1 793

Delete events

116

Modification events


(PID) Process:	(8556) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\PixelSee LLC\PixelSee-systemScope\pixelsee_info
Operation:	write	Name:	hasDownloadedUpdate
Value: false
(PID) Process:	(8556) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
Operation:	write	Name:	Version
Value: WS not running
(PID) Process:	(8556) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:	write	Name:	DisableFirstRunCustomize
Value: 1
(PID) Process:	(8540) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\PixelSee LLC\PixelSee-systemScope\pixelsee_info
Operation:	write	Name:	hasDownloadedUpdate
Value: false
(PID) Process:	(8556) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(8556) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(8556) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(8724) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\PixelSee LLC\PixelSee-systemScope\pixelsee_info
Operation:	write	Name:	hasDownloadedUpdate
Value: false
(PID) Process:	(8556) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PixelSee
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\PixelSee\
(PID) Process:	(8556) PixelSee_id1429535id.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PixelSee
Operation:	write	Name:	DisplayName
Value: PixelSee

Add for printing

Executable files

632

Suspicious files

1 276

Text files

1 779

Unknown types

Dropped files

PID	Process	Filename		Type
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFfdcab.TMP		—
		MD5:—	SHA256:—
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFfdcba.TMP		—
		MD5:—	SHA256:—
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFfdcba.TMP		—
		MD5:—	SHA256:—
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFfdcba.TMP		—
		MD5:—	SHA256:—
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RFfdcca.TMP		—
		MD5:—	SHA256:—
7524	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

350

TCP/UDP connections

446

DNS requests

211

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
7844	msedge.exe	GET	302	46.36.218.109:443	https://updservice.site/click.php?key=djdc4z6ojl878ubtq47r&click_id=2456162432140744467&cost=0.0&sub_source_id=1045621_-1&country_code=DE&ip=212.30.36.12&user_agent=Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKit%2F537.36%20(KHTML%2C%20like%20Gecko)%20Chrome%2F133.0.0.0%20Safari%2F537.36%20Edg%2F133.0.0.0&os_type=windows&os_version=10.0&creative_id=686657&isp=GSL%20Networks&campaign_name=Pix_Pops_WW_01.09.2025&browser=Edge	unknown	—	—	unknown
7844	msedge.exe	GET	200	150.171.22.17:443	https://config.edge.skype.com/config/v1/Edge/133.0.3065.92?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=65&mngd=0&installdate=1661339457&edu=0&soobedate=1504771245&bphint=2&fg=1&lbfgdate=1741678270&lafgdate=0	unknown	text	768 b	whitelisted
7844	msedge.exe	GET	200	150.171.27.11:80	http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:y7vkhl_ziqPd1ymcRGtzxxQt0dNgh80itUQPo2ai_WI&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855	unknown	—	—	whitelisted
7844	msedge.exe	GET	200	104.18.23.222:443	https://copilot.microsoft.com/c/api/user/eligibility	unknown	text	25 b	whitelisted
7844	msedge.exe	GET	200	150.171.28.11:443	https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=133.0.3065.92&experimentationmode=2&scpguard=0&scpfull=0&scpver=0	unknown	text	446 b	whitelisted
7844	msedge.exe	GET	200	99.84.152.115:443	https://ndcertainlywhen.com/?tid=1045621	unknown	html	616 b	unknown
7844	msedge.exe	GET	200	172.67.156.199:443	https://digesttech.com/css/style.min.css	unknown	text	15.0 Kb	unknown
7844	msedge.exe	GET	200	2.16.241.218:443	https://www.bing.com/bloomfilterfiles/ExpandedDomainsFilterGlobal.json	unknown	text	128 Kb	whitelisted
7844	msedge.exe	GET	200	172.67.156.199:443	https://digesttech.com/?r=Ad-Maven_VT_Pops_WW_01_09_2025&sub1=1045621_-1&sub2=binom_postback&sub5=2456162432140744467&sub6=4d81dqdhqa2468n0c9	unknown	html	9.75 Kb	unknown
7844	msedge.exe	GET	200	172.67.156.199:443	https://digesttech.com/images/player/img1.png	unknown	image	128 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1156	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
6768	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4300	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7844	msedge.exe	150.171.27.11:80	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
7844	msedge.exe	150.171.22.17:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7844	msedge.exe	150.171.28.11:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7844	msedge.exe	99.84.152.115:443	ndcertainlywhen.com	AMAZON-02	US	whitelisted
7844	msedge.exe	104.18.23.222:443	copilot.microsoft.com	CLOUDFLARENET	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 4.231.128.59	whitelisted
google.com	142.251.140.174	whitelisted
edge.microsoft.com	150.171.27.11 150.171.28.11	whitelisted
config.edge.skype.com	150.171.22.17	whitelisted
ndcertainlywhen.com	99.84.152.115 99.84.152.91 99.84.152.104 99.84.152.29	whitelisted
copilot.microsoft.com	104.18.23.222 104.18.22.222	whitelisted
www.bing.com	2.16.241.218 2.16.241.206 2.16.241.202 2.16.241.213 2.16.241.224 2.16.241.214 2.16.241.204 2.16.241.201 2.16.241.225 92.123.104.62 92.123.104.67 92.123.104.61 92.123.104.59 92.123.104.5 92.123.104.58 92.123.104.63 92.123.104.66 92.123.104.60 2.16.241.216 2.16.241.219 2.16.241.207 2.16.241.205 2.16.241.209 2.16.241.221 2.16.241.211	whitelisted
updservice.site	46.36.218.109	unknown
digesttech.com	172.67.156.199 104.21.8.39	malicious
fonts.googleapis.com	142.250.186.138	whitelisted

Threats

PID	Process	Class	Message
7844	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7844	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7844	msedge.exe	Not Suspicious Traffic	INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
—	—	Unknown Traffic	ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
—	—	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
—	—	Misc activity	ET INFO EXE - Served Attached HTTP
—	—	Misc activity	ADWARE [ANY.RUN] Bright Data SDK User-Agent in HTTP request
—	—	Misc activity	ADWARE [ANY.RUN] Bright Data SDK User-Agent in HTTP request
—	—	Misc activity	ADWARE [ANY.RUN] Bright Data SDK User-Agent in HTTP request
—	—	Misc activity	ADWARE [ANY.RUN] Bright Data SDK User-Agent in HTTP request

Add for printing

Process	Message
pixelsee.exe	> __thiscall Application::Application(int &,char *[])
pixelsee.exe	os version: "10.0.19045v" __ os name: "Windows 10 Version 2009"
pixelsee.exe	> int __thiscall Application::exec(void)
pixelsee.exe	> __thiscall PixelseeSettings::PixelseeSettings(void)
pixelsee.exe	INSTALL ID: "" _ OLD ID: ""
pixelsee.exe	reseller - "" installId ""
pixelsee.exe	> void __thiscall PixelseeSettings::flushSettings(void)
pixelsee.exe	main libvlc debug: VLC media player - 3.0.16 Vetinari
pixelsee.exe	main libvlc debug: Copyright © 1996-2021 the VideoLAN team
pixelsee.exe	main libvlc debug: revision 3.0.16-0-g5e70837d8d

General Info

https://ndcertainlywhen.com/?tid=1045621

951617805FD4F9C0A697488E3A6B3B24

F97FE001F71C74131661F93E3567E6E7A892CEA9

24009FAC06CA5E49F0CD381F77EE6828AEE67F46A8F8DAE050597C5D68BBA088

3:N8nSSNuNV:2h6

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

MENTALMENTOR mutex has been found

Changes the autorun value in the registry

Steals credentials from Web Browsers

Starts NET.EXE for service management

SUSPICIOUS

Reads security settings of Internet Explorer

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process drops C-runtime libraries

Reads the Windows owner or organization settings

Executes as Windows Service

Uses NETSH.EXE to add a firewall rule or allowed programs

The process checks if it is being run in the virtual environment

The process creates files with name similar to system file names

Malware-specific behavior (creating "System.dll" in Temp)

Application launched itself

Starts itself from another location

Searches for installed software

Reads the date of Windows installation

Reads binary file using Get-Content

Probably obfuscated PowerShell command line is found

Possible stealing from browsers

Starts POWERSHELL.EXE for commands execution

Reads Mozilla Firefox installation path

Drops 7-zip archiver for unpacking

The process executes via Task Scheduler

Uses WMIC.EXE to obtain Windows Installer data

Starts CMD.EXE for commands execution

Checks for external IP

Creates file in the systems drive root

The process verifies whether the antivirus software is installed

INFO

Reads Environment values

Application launched itself

Checks supported languages

Reads the computer name

Executable content was dropped or overwritten

The sample compiled with english language support

Launching a file from the Downloads directory

Create files in a temporary directory

Checks proxy server information

Process checks computer location settings

Creates a software uninstall entry

Creates files or folders in the user directory

Reads the machine GUID from the registry

Creates files in the program directory

Disables trace logs

Compiled with Borland Delphi (YARA)

Detects InnoSetup installer (YARA)

Reads CPU info

Launching a file from a Registry key

Reads the time zone

Manual execution by a user

Reads security settings of Internet Explorer

OPERA mutex has been found

The sample compiled with chinese language support

The sample compiled with turkish language support

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information