File name:

1riageFiddlershit.zip

Full analysis: https://app.any.run/tasks/ed646016-3e24-4b0a-a53c-3a8a323cdcb7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: January 05, 2025, 12:15:19
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
arch-exec
lumma
stealer
arch-doc
netreactor
github
loader
telegram
evasion
ims-api
generic
stealerium
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

7DEC47DD246B6A81C9F0992091EF2D03

SHA1:

C46E9ADDF83D24ADEB036B8ED33A6DD13C024EDE

SHA256:

28327D9E90781C714D6951C767B3FA88396048B81178E9B691AB8EDEF0E59CF7

SSDEEP:

393216:m5sVPBesf7zE08aO7zE0moC06CN2LabyJ:m5srNnETnEroCuNSabyJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to the CnC server

      • svchost.exe (PID: 2192)

    • Stealers network behavior

      • Script.exe (PID: 4320)

    • Executing a file with an untrusted certificate

      • Script.exe (PID: 3436)
      • Script.exe (PID: 4320)

    • LUMMA has been detected (SURICATA)

      • Script.exe (PID: 4320)
      • svchost.exe (PID: 2192)

    • Actions looks like stealing of personal data

      • Script.exe (PID: 4320)
      • update.exe (PID: 3816)

    • LUMMA mutex has been found

      • Script.exe (PID: 4320)

    • LUMMA has been detected (YARA)

      • Script.exe (PID: 4320)

    • Steals credentials from Web Browsers

      • Script.exe (PID: 4320)
      • update.exe (PID: 3816)

    • Changes the autorun value in the registry

      • SolaraV3.exe (PID: 5548)
      • SolaraV3.exe (PID: 3640)
      • SolaraV3.exe (PID: 4840)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • SolaraV3.exe (PID: 6868)
      • SolaraV3.exe (PID: 6244)

    • STEALERIUM has been detected (YARA)

      • update.exe (PID: 3816)

  • SUSPICIOUS

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2192)
      • Script.exe (PID: 4320)

    • Executes application which crashes

      • Script.exe (PID: 3436)
      • svchost.exe (PID: 5528)
      • svchost.exe (PID: 4428)
      • svchost.exe (PID: 2736)
      • svchost.exe (PID: 6908)
      • svchost.exe (PID: 6308)

    • Application launched itself

      • Script.exe (PID: 3436)

    • Executable content was dropped or overwritten

      • FiddlerSetup.5.0.20245.10105-latest.exe (PID: 640)
      • SolaraV3.exe (PID: 5548)
      • update.exe (PID: 3816)

    • Reads security settings of Internet Explorer

      • SolaraV3.exe (PID: 3640)
      • update.exe (PID: 3816)
      • SolaraV3.exe (PID: 4840)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • WinRAR.exe (PID: 5920)
      • SolaraV3.exe (PID: 7124)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 6244)
      • SolaraV3.exe (PID: 6712)
      • SolaraV3.exe (PID: 1760)

    • Starts CMD.EXE for commands execution

      • SolaraV3.exe (PID: 3640)
      • SolaraV3.exe (PID: 4840)
      • update.exe (PID: 3816)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • WinRAR.exe (PID: 5920)
      • SolaraV3.exe (PID: 7124)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 6868)
      • SolaraV3.exe (PID: 5684)
      • SolaraV3.exe (PID: 6712)
      • SolaraV3.exe (PID: 6244)
      • SolaraV3.exe (PID: 1760)

    • Reads the date of Windows installation

      • SolaraV3.exe (PID: 3640)
      • update.exe (PID: 3816)
      • SolaraV3.exe (PID: 4840)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • SolaraV3.exe (PID: 7124)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 6712)
      • SolaraV3.exe (PID: 6244)
      • SolaraV3.exe (PID: 1760)

    • Executing commands from a ".bat" file

      • SolaraV3.exe (PID: 3640)
      • SolaraV3.exe (PID: 4840)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • WinRAR.exe (PID: 5920)
      • SolaraV3.exe (PID: 7124)
      • SolaraV3.exe (PID: 4136)
      • update.exe (PID: 3816)
      • SolaraV3.exe (PID: 6868)
      • SolaraV3.exe (PID: 5684)
      • SolaraV3.exe (PID: 6244)
      • SolaraV3.exe (PID: 6712)
      • SolaraV3.exe (PID: 1760)

    • Starts itself from another location

      • SolaraV3.exe (PID: 5548)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 520)
      • cmd.exe (PID: 3848)
      • cmd.exe (PID: 6224)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 5912)
      • cmd.exe (PID: 6156)
      • cmd.exe (PID: 6092)
      • cmd.exe (PID: 6732)
      • cmd.exe (PID: 5980)
      • cmd.exe (PID: 2132)
      • cmd.exe (PID: 6896)

    • The process creates files with name similar to system file names

      • update.exe (PID: 3816)
      • WerFault.exe (PID: 2496)
      • WerFault.exe (PID: 5536)
      • WerFault.exe (PID: 6652)
      • WerFault.exe (PID: 6884)

    • Process drops legitimate windows executable

      • update.exe (PID: 3816)

    • Starts application with an unusual extension

      • cmd.exe (PID: 520)
      • cmd.exe (PID: 3848)
      • cmd.exe (PID: 5320)
      • cmd.exe (PID: 3640)
      • cmd.exe (PID: 6224)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 5912)
      • cmd.exe (PID: 6156)
      • cmd.exe (PID: 6092)
      • cmd.exe (PID: 6456)
      • cmd.exe (PID: 6732)
      • cmd.exe (PID: 2132)
      • cmd.exe (PID: 5980)
      • cmd.exe (PID: 6896)

    • The executable file from the user directory is run by the CMD process

      • SolaraV3.exe (PID: 4840)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • SolaraV3.exe (PID: 7124)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 6868)
      • SolaraV3.exe (PID: 6244)
      • SolaraV3.exe (PID: 5684)
      • SolaraV3.exe (PID: 6712)
      • SolaraV3.exe (PID: 1760)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • update.exe (PID: 3816)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • update.exe (PID: 3816)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5320)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 5320)
      • cmd.exe (PID: 3640)

    • Checks for external IP

      • svchost.exe (PID: 2192)
      • update.exe (PID: 3816)

    • MS Edge headless start

      • msedge.exe (PID: 6772)
      • msedge.exe (PID: 7016)

    • Loads DLL from Mozilla Firefox

      • update.exe (PID: 3816)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 6456)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6456)

  • INFO

    • Reads the software policy settings

      • WerFault.exe (PID: 5256)
      • Script.exe (PID: 4320)
      • update.exe (PID: 3816)
      • WerFault.exe (PID: 2496)
      • WerFault.exe (PID: 5536)
      • WerFault.exe (PID: 6652)
      • WerFault.exe (PID: 6884)

    • Manual execution by a user

      • Script.exe (PID: 3436)
      • OpenWith.exe (PID: 6032)
      • SolaraV3.exe (PID: 5548)
      • FiddlerSetup.5.0.20245.10105-latest.exe (PID: 640)
      • FiddlerSetup.5.0.20245.10105-latest.exe (PID: 2380)
      • notepad.exe (PID: 4548)
      • update.exe (PID: 3816)
      • WinRAR.exe (PID: 5920)

    • Reads the computer name

      • Script.exe (PID: 4320)
      • Script.exe (PID: 3436)
      • FiddlerSetup.exe (PID: 4512)
      • SolaraV3.exe (PID: 5548)
      • update.exe (PID: 3816)
      • SolaraV3.exe (PID: 3640)
      • svchost.exe (PID: 5528)
      • svchost.exe (PID: 4428)
      • SolaraV3.exe (PID: 4840)
      • svchost.exe (PID: 2736)
      • msiexec.exe (PID: 6716)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • svchost.exe (PID: 6908)
      • MpCmdRun.exe (PID: 6732)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 6868)
      • SolaraV3.exe (PID: 5684)
      • SolaraV3.exe (PID: 1760)

    • Checks supported languages

      • Script.exe (PID: 4320)
      • Script.exe (PID: 3436)
      • SolaraV3.exe (PID: 5548)
      • FiddlerSetup.5.0.20245.10105-latest.exe (PID: 640)
      • FiddlerSetup.exe (PID: 4512)
      • SolaraV3.exe (PID: 3640)
      • update.exe (PID: 3816)
      • svchost.exe (PID: 5528)
      • chcp.com (PID: 3652)
      • svchost.exe (PID: 4428)
      • SolaraV3.exe (PID: 4840)
      • chcp.com (PID: 5652)
      • chcp.com (PID: 2012)
      • chcp.com (PID: 2160)
      • svchost.exe (PID: 2736)
      • msiexec.exe (PID: 6716)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 7152)
      • svchost.exe (PID: 6908)
      • MpCmdRun.exe (PID: 6732)
      • SolaraV3.exe (PID: 7124)
      • svchost.exe (PID: 6308)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 5684)
      • chcp.com (PID: 6520)
      • SolaraV3.exe (PID: 6712)
      • SolaraV3.exe (PID: 6244)
      • SolaraV3.exe (PID: 1760)

    • Reads the machine GUID from the registry

      • Script.exe (PID: 4320)
      • SolaraV3.exe (PID: 5548)
      • SolaraV3.exe (PID: 3640)
      • update.exe (PID: 3816)
      • svchost.exe (PID: 5528)
      • svchost.exe (PID: 4428)
      • SolaraV3.exe (PID: 4840)
      • svchost.exe (PID: 2736)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • svchost.exe (PID: 6908)
      • svchost.exe (PID: 6308)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 6868)
      • SolaraV3.exe (PID: 5684)
      • SolaraV3.exe (PID: 6244)
      • SolaraV3.exe (PID: 6712)
      • SolaraV3.exe (PID: 1760)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6032)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5256)
      • SolaraV3.exe (PID: 5548)
      • WerFault.exe (PID: 2496)
      • WerFault.exe (PID: 5536)
      • update.exe (PID: 3816)
      • WerFault.exe (PID: 6652)

    • Checks proxy server information

      • WerFault.exe (PID: 5256)
      • update.exe (PID: 3816)
      • WerFault.exe (PID: 2496)
      • WerFault.exe (PID: 5536)
      • WerFault.exe (PID: 6832)
      • WerFault.exe (PID: 6884)

    • The sample compiled with english language support

      • WinRAR.exe (PID: 4308)
      • FiddlerSetup.5.0.20245.10105-latest.exe (PID: 640)

    • Create files in a temporary directory

      • FiddlerSetup.5.0.20245.10105-latest.exe (PID: 640)
      • FiddlerSetup.exe (PID: 4512)
      • SolaraV3.exe (PID: 3640)
      • SolaraV3.exe (PID: 4840)
      • update.exe (PID: 3816)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • MpCmdRun.exe (PID: 6732)
      • SolaraV3.exe (PID: 7152)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 6868)
      • SolaraV3.exe (PID: 5684)
      • SolaraV3.exe (PID: 6244)
      • SolaraV3.exe (PID: 6712)

    • .NET Reactor protector has been detected

      • Script.exe (PID: 4320)

    • Reads Environment values

      • SolaraV3.exe (PID: 5548)
      • update.exe (PID: 3816)
      • SolaraV3.exe (PID: 3640)
      • SolaraV3.exe (PID: 4840)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • SolaraV3.exe (PID: 7124)
      • SolaraV3.exe (PID: 6868)
      • SolaraV3.exe (PID: 5684)
      • SolaraV3.exe (PID: 1760)

    • The process uses the downloaded file

      • SolaraV3.exe (PID: 5548)
      • SolaraV3.exe (PID: 3640)
      • WinRAR.exe (PID: 5920)
      • SolaraV3.exe (PID: 4840)
      • update.exe (PID: 3816)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • SolaraV3.exe (PID: 7124)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 6868)
      • SolaraV3.exe (PID: 6244)
      • SolaraV3.exe (PID: 5684)
      • SolaraV3.exe (PID: 6712)
      • SolaraV3.exe (PID: 1760)

    • Process checks computer location settings

      • SolaraV3.exe (PID: 3640)
      • update.exe (PID: 3816)
      • SolaraV3.exe (PID: 4840)
      • SolaraV3.exe (PID: 6732)
      • SolaraV3.exe (PID: 6148)
      • SolaraV3.exe (PID: 7152)
      • SolaraV3.exe (PID: 7124)
      • SolaraV3.exe (PID: 4136)
      • SolaraV3.exe (PID: 6712)
      • SolaraV3.exe (PID: 6244)

    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 4548)

    • Disables trace logs

      • update.exe (PID: 3816)

    • Changes the display of characters in the console

      • cmd.exe (PID: 520)
      • cmd.exe (PID: 3848)
      • cmd.exe (PID: 5320)
      • cmd.exe (PID: 3640)
      • cmd.exe (PID: 6224)
      • cmd.exe (PID: 6808)
      • cmd.exe (PID: 6304)
      • cmd.exe (PID: 5912)
      • cmd.exe (PID: 6156)
      • cmd.exe (PID: 6456)
      • cmd.exe (PID: 6092)
      • cmd.exe (PID: 6732)
      • cmd.exe (PID: 5980)
      • cmd.exe (PID: 2132)
      • cmd.exe (PID: 6896)

    • Attempting to use instant messaging service

      • svchost.exe (PID: 2192)
      • update.exe (PID: 3816)

    • Sends debugging messages

      • svchost.exe (PID: 4428)
      • svchost.exe (PID: 5528)
      • svchost.exe (PID: 2736)
      • msedge.exe (PID: 6772)
      • chrome.exe (PID: 4968)
      • svchost.exe (PID: 6908)
      • svchost.exe (PID: 6308)

    • Drops encrypted VBS script (Microsoft Script Encoder)

      • update.exe (PID: 3816)

    • Application launched itself

      • msedge.exe (PID: 6772)
      • chrome.exe (PID: 4968)

    • Reads CPU info

      • update.exe (PID: 3816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:01:05 06:34:24
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: scriptzip/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
246
Monitored processes
120
Malicious processes
15
Suspicious processes
13

Behavior graph

Click at the process to see the details
start winrar.exe no specs script.exe conhost.exe no specs #LUMMA script.exe openwith.exe no specs werfault.exe #LUMMA svchost.exe fiddlersetup.5.0.20245.10105-latest.exe no specs fiddlersetup.5.0.20245.10105-latest.exe fiddlersetup.exe no specs solarav3.exe solarav3.exe #STEALERIUM update.exe notepad.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs winrar.exe no specs svchost.exe werfault.exe svchost.exe solarav3.exe werfault.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs netsh.exe no specs findstr.exe no specs chrome.exe cmd.exe no specs conhost.exe no specs chcp.com no specs netsh.exe no specs chrome.exe no specs svchost.exe chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs werfault.exe msiexec.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs solarav3.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs solarav3.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs solarav3.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs svchost.exe cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs werfault.exe solarav3.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs svchost.exe werfault.exe solarav3.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs taskkill.exe no specs timeout.exe no specs solarav3.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs solarav3.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs solarav3.exe cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs solarav3.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs solarav3.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
520C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\BvUtOjM2kZ7X.bat" "C:\Windows\System32\cmd.exeSolaraV3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
640"C:\Users\admin\Desktop\FiddlerSetup.5.0.20245.10105-latest.exe" C:\Users\admin\Desktop\FiddlerSetup.5.0.20245.10105-latest.exe
explorer.exe
User:
admin
Company:
Progress Software Corporation
Integrity Level:
HIGH
Description:
Installer for Progress Telerik Fiddler Classic
Version:
5.0.20245.10105
Modules
Images
c:\users\admin\desktop\fiddlersetup.5.0.20245.10105-latest.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
776netsh wlan show profile C:\Windows\System32\netsh.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Network Command Shell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1224chcp 65001C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1328"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3936 --field-trial-handle=2220,i,1090696835614675495,3531257472962757624,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:2C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1468ping -n 10 localhost C:\Windows\System32\PING.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Ping Command
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\mswsock.dll
1760"C:\Users\admin\AppData\Roaming\SubDir\SolaraV3.exe" C:\Users\admin\AppData\Roaming\SubDir\SolaraV3.execmd.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Quasar Client
Exit code:
0
Version:
1.4.1
Modules
Images
c:\users\admin\appdata\roaming\subdir\solarav3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
2008\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2012chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
2124"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-logging --headless=new --noerrdialogs --user-data-dir="C:\Users\admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --disable-logging --mojo-platform-channel-handle=1944 --field-trial-handle=1960,i,17807942692571302623,1181876793354172120,262144 --disable-features=PaintHolding --variations-seed-version /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
71 776
Read events
71 719
Write events
57
Delete events
0

Modification events

(PID) Process:(4308) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4308) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4308) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4308) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\1riageFiddlershit.zip
(PID) Process:(4308) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4308) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4308) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4308) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4308) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:writeName:ArcSort
Value:
32
(PID) Process:(5548) SolaraV3.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Windows Update
Value:
"C:\Users\admin\AppData\Roaming\SubDir\SolaraV3.exe"
Executable files
5
Suspicious files
58
Text files
103
Unknown types
0

Dropped files

PID
Process
Filename
Type
5256WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Script.exe_c61d39ef61d6ecce6d62d7e8c29f64e77e9e7ef_6f1b0a17_7a1dca79-716b-4e9d-a7bd-a7181b883bc2\Report.wer
MD5:
SHA256:
5256WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\Script.exe.3436.dmp
MD5:
SHA256:
2496WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_26dacd3f4f67e47739badf514e5a52ba36391642_7a76fa63_381c8fc5-bd26-42f8-a67e-54bb6cfb5fb2\Report.wer
MD5:
SHA256:
2496WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\svchost.exe.5528.dmp
MD5:
SHA256:
5536WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_26dacd3f4f67e47739badf514e5a52ba36391642_7a76fa63_91bded63-bdfb-4fcb-a861-484619d41ee5\Report.wer
MD5:
SHA256:
5256WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER8187.tmp.dmpbinary
MD5:66437EB3F1FBE82BEC54142AC6AC3566
SHA256:3924DFC9575F816B14B5BEC82E9964FBEE89CD6474BE011EC7093EAC559FF9A6
5256WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER8234.tmp.WERInternalMetadata.xmlxml
MD5:DA9C06B1C913A7C9EC8EC21BEE468D92
SHA256:10346F7E07FE346AF5AC25752569F733203D31D9A99771AD2248B53369AD827D
640FiddlerSetup.5.0.20245.10105-latest.exeC:\Users\admin\AppData\Local\Temp\nsnD100.tmp\FiddlerSetup.exeexecutable
MD5:C2A0EB6F104EACEC3F39581451EE208F
SHA256:1F926CC353301E547E76C6D2EFF23FCBE85495BA0292174CC6344FAC26457AF8
3640SolaraV3.exeC:\Users\admin\AppData\Local\Temp\BvUtOjM2kZ7X.battext
MD5:E091176F24CBAD652A21AC0A0FE1815A
SHA256:5D15FB7AF14F3A7B86559B09346993A6D0849EEA11F3CB144F574642D9610F4C
3816update.exeC:\Users\admin\AppData\Local\7363a32209c4413867f264e7dcee772e\admin@DESKTOP-JGLLJLD_en-US\Messenger\Skype\Local Storage\leveldb\CURRENTtext
MD5:46295CAC801E5D4857D09837238A6394
SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
64
DNS requests
39
Threats
25

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.164.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.230.103:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3816
update.exe
GET
200
104.16.185.241:80
http://icanhazip.com/
unknown
shared
GET
142.250.185.132:443
https://www.google.com/async/ddljson?async=ntp:2
unknown
unknown
5604
WmiPrvSE.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
unknown
whitelisted
GET
142.250.185.132:443
https://www.google.com/async/newtab_promos
unknown
unknown
5604
WmiPrvSE.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
142.250.185.132:443
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
unknown
unknown
POST
200
104.21.16.1:443
https://fancywaxxers.shop/api
unknown
text
17 b
malicious
POST
200
104.21.80.1:443
https://fancywaxxers.shop/api
unknown
text
17 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
192.168.100.255:138
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.164.114:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
4712
MoUsoCoreWorker.exe
184.30.230.103:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
4320
Script.exe
104.21.112.1:443
fancywaxxers.shop
CLOUDFLARENET
malicious
3884
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 2.16.164.114
  • 2.16.164.72
  • 23.48.23.156
  • 23.48.23.143
  • 23.48.23.166
whitelisted
www.microsoft.com
  • 184.30.230.103
  • 23.35.229.160
whitelisted
fancywaxxers.shop
  • 104.21.112.1
  • 104.21.16.1
  • 104.21.48.1
  • 104.21.96.1
  • 104.21.80.1
  • 104.21.64.1
  • 104.21.32.1
malicious
watson.events.data.microsoft.com
  • 20.189.173.22
  • 52.168.117.173
  • 104.208.16.94
  • 52.182.143.212
whitelisted
raw.githubusercontent.com
  • 185.199.110.133
  • 185.199.111.133
  • 185.199.109.133
  • 185.199.108.133
shared
api.telegram.org
  • 149.154.167.220
shared
icanhazip.com
  • 104.16.185.241
  • 104.16.184.241
shared

Threats

PID
Process
Class
Message
2192
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)
4320
Script.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320
Script.exe
A Network Trojan was detected
STEALER [ANY.RUN] Lumma Stealer TLS Connection
4320
Script.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320
Script.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320
Script.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320
Script.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320
Script.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
4320
Script.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)
2192
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Attempting to access raw user content on GitHub
Process
Message
svchost.exe
CLR: Managed code called FailFast without specifying a reason.
svchost.exe
CLR: Managed code called FailFast without specifying a reason.
chrome.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Google\Chrome\User Data directory exists )
svchost.exe
CLR: Managed code called FailFast without specifying a reason.
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\Edge\User Data directory exists )
msedge.exe
RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Microsoft\Edge\User Data directory exists )
svchost.exe
CLR: Managed code called FailFast without specifying a reason.
svchost.exe
CLR: Managed code called FailFast without specifying a reason.
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
1riageFiddlershit.zip