File name:

final_boss.bin

Full analysis: https://app.any.run/tasks/280c8269-a67d-4fd5-8c7e-65d39f90dadf
Verdict: Malicious activity
Threats:

Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat.

Malware Trends Tracker     >>>
Analysis date: December 22, 2024, 01:39:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
lumma
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

926FD4235ADE096C02B36B2ED6A53739

SHA1:

337424610694E00EBAC66D36DD20E535C7A92164

SHA256:

25F3978A8BB28D7D978F5F861D639796E805230ACA153FFA612DCC4D0A939EDC

SSDEEP:

49152:UbeFZrKZPTIu7gJG7wY1EDx4YfKe0ybTXjgkijHsjb5qOexvoVifkCoLefcCtb4r:ieFZrKJISIGF1EOSF0ybTXAMhyx9k3e/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA mutex has been found

      • final_boss.bin.exe (PID: 6800)

    • Executing a file with an untrusted certificate

      • S11NNNWX7IRK6G7J7S.exe (PID: 6932)
      • 5QYNCGXF1O7DH5RNH.exe (PID: 7032)
      • 5QYNCGXF1O7DH5RNH.exe (PID: 7100)
      • cl.exe (PID: 4520)
      • cl.exe (PID: 7072)

    • Steals credentials from Web Browsers

      • final_boss.bin.exe (PID: 6800)

    • Actions looks like stealing of personal data

      • final_boss.bin.exe (PID: 6800)

    • Antivirus name has been found in the command line (generic signature)

      • cmd.exe (PID: 7156)
      • tasklist.exe (PID: 6220)
      • find.exe (PID: 4804)
      • cmd.exe (PID: 3076)
      • tasklist.exe (PID: 5788)
      • find.exe (PID: 624)
      • find.exe (PID: 5528)
      • tasklist.exe (PID: 4520)
      • cmd.exe (PID: 2436)
      • find.exe (PID: 4944)
      • find.exe (PID: 2076)
      • tasklist.exe (PID: 6748)
      • cmd.exe (PID: 6916)
      • tasklist.exe (PID: 7016)
      • find.exe (PID: 7028)
      • cmd.exe (PID: 5572)
      • tasklist.exe (PID: 6268)
      • cmd.exe (PID: 6204)
      • tasklist.exe (PID: 536)
      • find.exe (PID: 6336)
      • cmd.exe (PID: 5792)
      • find.exe (PID: 1916)
      • tasklist.exe (PID: 2356)
      • find.exe (PID: 2928)
      • cmd.exe (PID: 3540)
      • cmd.exe (PID: 3420)
      • tasklist.exe (PID: 4384)
      • find.exe (PID: 5748)
      • cmd.exe (PID: 7060)
      • tasklist.exe (PID: 3652)
      • tasklist.exe (PID: 3640)
      • cmd.exe (PID: 5472)
      • find.exe (PID: 6468)
      • tasklist.exe (PID: 6516)
      • find.exe (PID: 4932)
      • cmd.exe (PID: 3564)
      • find.exe (PID: 6920)
      • cmd.exe (PID: 5488)
      • tasklist.exe (PID: 3296)
      • find.exe (PID: 4740)
      • cmd.exe (PID: 6264)
      • tasklist.exe (PID: 6664)
      • cmd.exe (PID: 6832)
      • find.exe (PID: 6552)
      • tasklist.exe (PID: 7016)

  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • pcaui.exe (PID: 6996)

    • Executable content was dropped or overwritten

      • final_boss.bin.exe (PID: 6800)
      • S11NNNWX7IRK6G7J7S.exe (PID: 6932)
      • 5QYNCGXF1O7DH5RNH.exe (PID: 7032)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7056)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)
      • 5QYNCGXF1O7DH5RNH.exe (PID: 7100)

    • Reads security settings of Internet Explorer

      • S11NNNWX7IRK6G7J7S.exe (PID: 6932)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7056)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)

    • Reads the Windows owner or organization settings

      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7056)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)

    • Get information on the list of running processes

      • cmd.exe (PID: 4628)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)
      • cmd.exe (PID: 7156)
      • cmd.exe (PID: 3076)
      • cmd.exe (PID: 5572)
      • cmd.exe (PID: 2436)
      • cmd.exe (PID: 6204)
      • cmd.exe (PID: 7040)
      • cmd.exe (PID: 6916)
      • cmd.exe (PID: 5792)
      • cmd.exe (PID: 3540)
      • cmd.exe (PID: 3420)
      • cmd.exe (PID: 7060)
      • cmd.exe (PID: 5472)
      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 6384)
      • cmd.exe (PID: 6832)
      • cmd.exe (PID: 5488)
      • cmd.exe (PID: 6264)

    • Starts CMD.EXE for commands execution

      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)

    • Uses TIMEOUT.EXE to delay execution

      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)

  • INFO

    • Reads the machine GUID from the registry

      • final_boss.bin.exe (PID: 6228)

    • Checks supported languages

      • final_boss.bin.exe (PID: 6228)
      • final_boss.bin.exe (PID: 6800)
      • S11NNNWX7IRK6G7J7S.exe (PID: 6932)
      • 5QYNCGXF1O7DH5RNH.exe (PID: 7032)
      • ManyCam.exe (PID: 6988)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7056)
      • 5QYNCGXF1O7DH5RNH.exe (PID: 7100)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)
      • cl.exe (PID: 4520)
      • cl.exe (PID: 7072)

    • Process checks computer location settings

      • S11NNNWX7IRK6G7J7S.exe (PID: 6932)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7056)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)

    • Reads the computer name

      • final_boss.bin.exe (PID: 6228)
      • final_boss.bin.exe (PID: 6800)
      • S11NNNWX7IRK6G7J7S.exe (PID: 6932)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7056)
      • ManyCam.exe (PID: 6988)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)
      • cl.exe (PID: 7072)
      • cl.exe (PID: 4520)

    • Create files in a temporary directory

      • final_boss.bin.exe (PID: 6800)
      • S11NNNWX7IRK6G7J7S.exe (PID: 6932)
      • 5QYNCGXF1O7DH5RNH.exe (PID: 7032)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7056)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)
      • 5QYNCGXF1O7DH5RNH.exe (PID: 7100)
      • cl.exe (PID: 4520)
      • cl.exe (PID: 7072)

    • Reads the software policy settings

      • final_boss.bin.exe (PID: 6800)

    • Manual execution by a user

      • final_boss.bin.exe (PID: 6800)
      • Taskmgr.exe (PID: 7044)
      • Taskmgr.exe (PID: 4804)

    • The process uses the downloaded file

      • S11NNNWX7IRK6G7J7S.exe (PID: 6932)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7056)
      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)

    • The sample compiled with english language support

      • S11NNNWX7IRK6G7J7S.exe (PID: 6932)

    • Reads CPU info

      • ManyCam.exe (PID: 6988)

    • Creates files or folders in the user directory

      • 5QYNCGXF1O7DH5RNH.tmp (PID: 7128)

    • Reads security settings of Internet Explorer

      • Taskmgr.exe (PID: 4804)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (82.9)
.dll | Win32 Dynamic Link Library (generic) (7.4)
.exe | Win32 Executable (generic) (5.1)
.exe | Generic Win/DOS Executable (2.2)
.exe | DOS Executable Generic (2.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:18 11:00:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 1245184
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x131f7e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: ldr
FileVersion: 1.0.0.0
InternalName: ldr.exe
LegalCopyright: Copyright © 2017
LegalTrademarks: -
OriginalFileName: ldr.exe
ProductName: ldr
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
214
Monitored processes
87
Malicious processes
6
Suspicious processes
17

Behavior graph

Click at the process to see the details
start final_boss.bin.exe no specs #LUMMA final_boss.bin.exe s11nnnwx7irk6g7j7s.exe manycam.exe no specs pcaui.exe no specs 5qyncgxf1o7dh5rnh.exe 5qyncgxf1o7dh5rnh.tmp 5qyncgxf1o7dh5rnh.exe 5qyncgxf1o7dh5rnh.tmp cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs timeout.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cl.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs find.exe no specs cl.exe no specs taskmgr.exe no specs taskmgr.exe

Process information

PID
CMD
Path
Indicators
Parent process
536tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
624find /I "avastui.exe"C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
836\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
936find /I "opssvc.exe"C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1224\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1296find /I "opssvc.exe"C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1916find /I "nswscsvc.exe"C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
2076find /I "nswscsvc.exe"C:\Windows\System32\find.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
2356tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH C:\Windows\System32\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
2436"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"C:\Windows\System32\cmd.exe5QYNCGXF1O7DH5RNH.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
Total events
5 762
Read events
5 760
Write events
1
Delete events
1

Modification events

(PID) Process:(4804) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:delete valueName:Preferences
Value:
(PID) Process:(4804) Taskmgr.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:writeName:Preferences
Value:
0D00000060000000600000006800000068000000E3010000DC010000000001000000008000000080D8010080DF010080000100016B00000034000000130300008C020000E80300000000000000000000000000000F000000010000000000000058AA6C15F77F00000000000000000000000000002E0100001E0000008990000000000000FF00000001015002000000000D0000000000000098AA6C15F77F00000000000000000000FFFFFFFF960000001E0000008B900000010000000000000000101001000000000300000000000000B0AA6C15F77F00000000000000000000FFFFFFFF780000001E0000008C900000020000000000000001021200000000000400000000000000C8AA6C15F77F00000000000000000000FFFFFFFF960000001E0000008D900000030000000000000000011001000000000200000000000000E8AA6C15F77F00000000000000000000FFFFFFFF320000001E0000008A90000004000000000000000008200100000000050000000000000000AB6C15F77F00000000000000000000FFFFFFFFC80000001E0000008E90000005000000000000000001100100000000060000000000000028AB6C15F77F00000000000000000000FFFFFFFF040100001E0000008F90000006000000000000000001100100000000070000000000000050AB6C15F77F00000000000000000000FFFFFFFF49000000490000009090000007000000000000000004250000000000080000000000000080AA6C15F77F00000000000000000000FFFFFFFF49000000490000009190000008000000000000000004250000000000090000000000000070AB6C15F77F00000000000000000000FFFFFFFF490000004900000092900000090000000000000000042508000000000A0000000000000088AB6C15F77F00000000000000000000FFFFFFFF4900000049000000939000000A0000000000000000042508000000000B00000000000000A8AB6C15F77F00000000000000000000FFFFFFFF490000004900000039A000000B0000000000000000042509000000001C00000000000000C8AB6C15F77F00000000000000000000FFFFFFFFC8000000490000003AA000000C0000000000000000011009000000001D00000000000000F0AB6C15F77F00000000000000000000FFFFFFFF64000000490000004CA000000D0000000000000000021508000000001E0000000000000010AC6C15F77F00000000000000000000FFFFFFFF64000000490000004DA000000E000000000000000002150800000000030000000A000000010000000000000058AA6C15F77F0000000000000000000000000000D70000001E0000008990000000000000FF00000001015002000000000400000000000000C8AA6C15F77F0000000000000000000001000000960000001E0000008D900000010000000000000001011000000000000300000000000000B0AA6C15F77F00000000000000000000FFFFFFFF640000001E0000008C900000020000000000000000021000000000000C0000000000000040AC6C15F77F0000000000000000000003000000640000001E00000094900000030000000000000001021000000000000D0000000000000068AC6C15F77F00000000000000000000FFFFFFFF640000001E00000095900000040000000000000000011001000000000E0000000000000090AC6C15F77F0000000000000000000005000000320000001E00000096900000050000000000000001042001000000000F00000000000000B8AC6C15F77F0000000000000000000006000000320000001E00000097900000060000000000000001042001000000001000000000000000D8AC6C15F77F0000000000000000000007000000460000001E00000098900000070000000000000001011001000000001100000000000000F8AC6C15F77F00000000000000000000FFFFFFFF640000001E0000009990000008000000000000000001100100000000060000000000000028AB6C15F77F0000000000000000000009000000040100001E0000008F9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000B000000010000000000000058AA6C15F77F0000000000000000000000000000D70000001E0000009E90000000000000FF0000000101500200000000120000000000000020AD6C15F77F00000000000000000000FFFFFFFF2D0000001E0000009B90000001000000000000000004200100000000140000000000000040AD6C15F77F00000000000000000000FFFFFFFF640000001E0000009D90000002000000000000000001100100000000130000000000000068AD6C15F77F00000000000000000000FFFFFFFF640000001E0000009C900000030000000000000000011001000000000300000000000000B0AA6C15F77F00000000000000000000FFFFFFFF640000001E0000008C90000004000000000000000102100000000000070000000000000050AB6C15F77F000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000080AA6C15F77F000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000070AB6C15F77F0000000000000000000007000000490000004900000092900000070000000000000001042108000000000A0000000000000088AB6C15F77F0000000000000000000008000000490000004900000093900000080000000000000001042108000000000B00000000000000A8AB6C15F77F0000000000000000000009000000490000004900000039A00000090000000000000001042109000000001C00000000000000C8AB6C15F77F000000000000000000000A00000064000000490000003AA000000A00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000058AA6C15F77F0000000000000000000000000000C60000001E000000B090000000000000FF0000000101500200000000150000000000000088AD6C15F77F00000000000000000000FFFFFFFF6B0000001E000000B1900000010000000000000000042500000000001600000000000000B8AD6C15F77F00000000000000000000FFFFFFFF6B0000001E000000B2900000020000000000000000042500000000001800000000000000E0AD6C15F77F00000000000000000000FFFFFFFF6B0000001E000000B490000003000000000000000004250000000000170000000000000008AE6C15F77F00000000000000000000FFFFFFFF6B0000001E000000B390000004000000000000000004250000000000190000000000000040AE6C15F77F00000000000000000000FFFFFFFFA00000001E000000B5900000050000000000000000042001000000001A0000000000000070AE6C15F77F00000000000000000000FFFFFFFF7D0000001E000000B6900000060000000000000000042001000000001B00000000000000A0AE6C15F77F00000000000000000000FFFFFFFF7D0000001E000000B790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA00000000000000000000000000000000000000000000009D200000200000009100000064000000320000006400000050000000320000003200000028000000500000003C0000005000000050000000320000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C00000050000000500000009700000032000000780000003200000050000000500000005000000050000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA000000000000000000000000000000000000009D200000200000009100000064000000320000009700000050000000320000003200000028000000500000003C000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C0000005000000064000000780000003200000078000000780000003200000050000000500000005000000050000000C8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000
Executable files
15
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
71285QYNCGXF1O7DH5RNH.tmpC:\Users\admin\AppData\Roaming\StreamSphere\is-6OPLP.tmp
MD5:
SHA256:
71285QYNCGXF1O7DH5RNH.tmpC:\Users\admin\AppData\Roaming\StreamSphere\cl.exe
MD5:
SHA256:
4520cl.exeC:\Users\admin\AppData\Local\Temp\1702d97b
MD5:
SHA256:
7072cl.exeC:\Users\admin\AppData\Local\Temp\17249394
MD5:
SHA256:
6932S11NNNWX7IRK6G7J7S.exeC:\Users\admin\AppData\Local\Temp\yfmbinary
MD5:8E0459F1FFF01124169DB93B9147B9C8
SHA256:EE12124ED37C8AD44940761A5607085185412C5B8240BFBD931E80724886D96D
6932S11NNNWX7IRK6G7J7S.exeC:\Users\admin\AppData\Local\Temp\jdykfbinary
MD5:874F17F963F3A839AA89EAA24973B06C
SHA256:9DBA7D03F27F36B4DC3AB19771A98450FD0B79475960A0E4A57CE69366FFD6D2
6932S11NNNWX7IRK6G7J7S.exeC:\Users\admin\AppData\Local\Temp\cv099.dllexecutable
MD5:2A8B33FEE2F84490D52A3A7C75254971
SHA256:FAFF6A0745E1720413A028F77583FFF013C3F4682756DC717A0549F1BE3FEFC2
6932S11NNNWX7IRK6G7J7S.exeC:\Users\admin\AppData\Local\Temp\cximagecrt.dllexecutable
MD5:C36F6E088C6457A43ADB7EDCD17803F3
SHA256:8E1243454A29998CC7DC89CAECFADC0D29E00E5776A8B5777633238B8CD66F72
6932S11NNNWX7IRK6G7J7S.exeC:\Users\admin\AppData\Local\Temp\cxcore099.dllexecutable
MD5:286284D4AE1C67D0D5666B1417DCD575
SHA256:37D9A8057D58B043AD037E9905797C215CD0832D48A29731C1687B23447CE298
6932S11NNNWX7IRK6G7J7S.exeC:\Users\admin\AppData\Local\Temp\highgui099.dllexecutable
MD5:A354C42FCB37A50ECAD8DDE250F6119E
SHA256:89DB6973F4EC5859792BCD8A50CD10DB6B847613F2CEA5ADEF740EEC141673B2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
39
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
440
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
440
svchost.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6172
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6740
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6740
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
440
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.19.217.218:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
440
svchost.exe
2.19.217.218:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5064
SearchApp.exe
23.212.110.162:443
www.bing.com
Akamai International B.V.
CZ
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1076
svchost.exe
184.30.17.189:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 2.19.217.218
  • 95.101.149.131
whitelisted
google.com
  • 216.58.206.46
whitelisted
www.bing.com
  • 23.212.110.162
  • 23.212.110.169
  • 23.212.110.163
  • 23.212.110.152
  • 23.212.110.170
  • 23.212.110.144
unknown
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.75
  • 20.190.159.2
  • 40.126.31.71
  • 20.190.159.4
  • 20.190.159.64
  • 20.190.159.71
  • 20.190.159.73
whitelisted
peelyitemsn.click
  • 104.21.62.151
  • 172.67.136.183
unknown
klippetamea8.shop
  • 188.114.96.3
  • 188.114.97.3
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
final_boss.bin