File name:

lem.exe

Full analysis: https://app.any.run/tasks/d5fa8e13-fb5b-4562-8392-46dbd7c38298
Verdict: Malicious activity
Threats:

Vidar is a dangerous malware that steals information and cryptocurrency from infected users. It derives its name from the ancient Scandinavian god of Vengeance. This stealer has been terrorizing the internet since 2018.

Malware Trends Tracker     >>>
Analysis date: August 20, 2024, 13:48:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
vidar
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

480CC345F96293237F33FDC8261E1F87

SHA1:

981E17E7DC02AA6EE2CA014920151F5B73A3FE70

SHA256:

639A5217E18588E928816A64491589D085456FADF5D6F9A5B0DA7B5B0D7FBA9D

SSDEEP:

49152:P5bzHf0RiXqZFFYfoHcQqF6EBZEPeFpIwGYokD6m9FQ5VoSnpUeExLLuaRPtyzq3:BbzfzQFFmoHcVFJGebIwxdD2VoSnpMHP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Antivirus name has been found in the command line (generic signature)

      • findstr.exe (PID: 6848)
      • findstr.exe (PID: 4692)

    • VIDAR has been detected (YARA)

      • Uc.pif (PID: 5116)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • lem.exe (PID: 6672)
      • cmd.exe (PID: 6712)

    • Reads security settings of Internet Explorer

      • lem.exe (PID: 6672)

    • Reads the date of Windows installation

      • lem.exe (PID: 6672)

    • Executing commands from ".cmd" file

      • lem.exe (PID: 6672)

    • Starts CMD.EXE for commands execution

      • lem.exe (PID: 6672)
      • cmd.exe (PID: 6712)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6712)

    • Get information on the list of running processes

      • cmd.exe (PID: 6712)

    • Application launched itself

      • cmd.exe (PID: 6712)

    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 6712)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 6712)

    • The executable file from the user directory is run by the CMD process

      • Uc.pif (PID: 5116)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6712)

  • INFO

    • Checks supported languages

      • lem.exe (PID: 6672)
      • Uc.pif (PID: 5116)

    • Create files in a temporary directory

      • lem.exe (PID: 6672)
      • Uc.pif (PID: 5116)

    • Reads the computer name

      • lem.exe (PID: 6672)
      • Uc.pif (PID: 5116)

    • Process checks computer location settings

      • lem.exe (PID: 6672)

    • Reads mouse settings

      • Uc.pif (PID: 5116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Vidar

(PID) Process(5116) Uc.pif
C2https://t.me/iyigunl
URLhttps://steamcommunity.com/profiles/76561199761128941
Strings (239)INSERT_KEY_HERE
lstrcpyA
GetEnvironmentVariableA
GdipSaveImageToStream
History
runas
ssfn*
GetProcAddress
lstrcatA
OpenEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
HeapAlloc
GetComputerNameA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
NtQueryInformationProcess
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
GetFileAttributesA
GlobalLock
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
FindNextFileA
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
SetFilePointer
FindFirstFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
TerminateProcess
GetCurrentProcessId
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMA
GdiplusStartup
GdiplusShutdown
GdipDisposeImage
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrStrA
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
Soft:
Host:
Login:
Password:
Opera
OperaGX
Network
Cookies
.txt
TRUE
FALSE
SELECT name, value FROM autofill
History
SELECT url FROM urls LIMIT 1000
CC
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Name:
Month:
Year:
Card:
Cookies
Login Data
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
Plugins
Local Extension Settings
Sync Extension Settings
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
profiles.ini
chrome
opera
firefox
Wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayVersion
msvcp140.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
open
%LOCALAPPDATA%
%USERPROFILE%
%PROGRAMFILES%
%PROGRAMFILES_86%
*.lnk
Files
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Tox
*.tox
*.ini
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
\Outlook\accounts.txt
Pidgin
accounts.xml
token:
Software\Valve\Steam
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
Content-Type: multipart/form-data; boundary=----
Content-Disposition: form-data; name="
build
token
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
C2https://t.me/iyigunl
URLhttps://steamcommunity.com/profiles/76561199761128941
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 26624
InitializedDataSize: 475136
UninitializedDataSize: 16896
EntryPoint: 0x3415
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 0.2184.7.9734
ProductVersionNumber: 0.2184.7.9734
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
Comments: Pixel art creation software with advanced editing features.
CompanyName: ArtPixel360 Innovations Co.
FileDescription: Pixel art creation software with advanced editing features.
FileVersion: 0.2184.7.9734
LegalCopyright: Copyright © ArtPixel360 Innovations Co. 2019 All rights reserved.
LegalTrademarks: PixelArtX360 is a trademark of ArtPixel360 Innovations Co.
ProductName: PixelArtX360
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
12
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start lem.exe no specs cmd.exe conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs #VIDAR uc.pif no specs choice.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1688tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
4692findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5116Uc.pif i C:\Users\admin\AppData\Local\Temp\17221\Uc.pif
cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script
Version:
3, 3, 14, 5
Modules
Images
c:\users\admin\appdata\local\temp\17221\uc.pif
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
Vidar
(PID) Process(5116) Uc.pif
C2https://t.me/iyigunl
URLhttps://steamcommunity.com/profiles/76561199761128941
Strings (239)INSERT_KEY_HERE
lstrcpyA
GetEnvironmentVariableA
GdipSaveImageToStream
History
runas
ssfn*
GetProcAddress
lstrcatA
OpenEventA
CloseHandle
Sleep
GetUserDefaultLangID
VirtualAllocExNuma
VirtualFree
GetSystemInfo
HeapAlloc
GetComputerNameA
GetProcessHeap
GetCurrentProcess
lstrlenA
ExitProcess
GlobalMemoryStatusEx
GetSystemTime
SystemTimeToFileTime
gdi32.dll
user32.dll
crypt32.dll
ntdll.dll
CreateDCA
GetDeviceCaps
ReleaseDC
CryptStringToBinaryA
sscanf
NtQueryInformationProcess
HAL9TH
JohnDoe
DISPLAY
%hu/%hu/%hu
GetFileAttributesA
GlobalLock
GlobalSize
CreateToolhelp32Snapshot
IsWow64Process
Process32Next
GetLocalTime
GetTimeZoneInformation
GetSystemPowerStatus
GetVolumeInformationA
Process32First
GetLocaleInfoA
GetUserDefaultLocaleName
GetModuleFileNameA
FindNextFileA
SetEnvironmentVariableA
LocalAlloc
GetFileSizeEx
SetFilePointer
FindFirstFileA
VirtualProtect
GetLogicalProcessorInformationEx
GetLastError
MultiByteToWideChar
GlobalFree
WideCharToMultiByte
TerminateProcess
GetCurrentProcessId
rstrtmgr.dll
CreateCompatibleBitmap
SelectObject
BitBlt
DeleteObject
CreateCompatibleDC
GdipGetImageEncodersSize
GdipGetImageEncoders
GdipCreateBitmapFromHBITMA
GdiplusStartup
GdiplusShutdown
GdipDisposeImage
GetHGlobalFromStream
CreateStreamOnHGlobal
CoUninitialize
CoInitialize
CoCreateInstance
BCryptGenerateSymmetricKey
BCryptCloseAlgorithmProvider
BCryptDecrypt
BCryptSetProperty
BCryptDestroyKey
BCryptOpenAlgorithmProvider
GetWindowRect
GetDesktopWindow
GetDC
EnumDisplayDevicesA
GetKeyboardLayoutList
CharToOemW
RegQueryValueExA
RegEnumKeyExA
RegOpenKeyExA
RegEnumValueA
CryptBinaryToStringA
CryptUnprotectData
SHGetFolderPathA
InternetOpenUrlA
InternetConnectA
InternetCloseHandle
InternetOpenA
HttpSendRequestA
HttpOpenRequestA
InternetReadFile
InternetCrackUrlA
StrStrA
PathMatchSpecA
GetModuleFileNameExA
RmStartSession
RmRegisterResources
RmEndSession
sqlite3_open
sqlite3_prepare_v2
sqlite3_step
sqlite3_column_text
sqlite3_finalize
sqlite3_close
sqlite3_column_bytes
sqlite3_column_blob
encrypted_key
PATH
C:\ProgramData\nss3.dll
NSS_Shutdown
PK11_GetInternalKeySlot
PK11_FreeSlot
PK11_Authenticate
PK11SDR_Decrypt
C:\ProgramData\
SELECT origin_url, username_value, password_value FROM logins
Soft:
Host:
Login:
Password:
Opera
OperaGX
Network
Cookies
.txt
TRUE
FALSE
SELECT name, value FROM autofill
History
SELECT url FROM urls LIMIT 1000
CC
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Name:
Month:
Year:
Card:
Cookies
Login Data
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
guid
SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
SELECT fieldname, value FROM moz_formhistory
SELECT url FROM moz_places LIMIT 1000
cookies.sqlite
formhistory.sqlite
places.sqlite
Plugins
Local Extension Settings
Sync Extension Settings
Opera Stable
Opera GX Stable
CURRENT
chrome-extension_
_0.indexeddb.leveldb
profiles.ini
chrome
opera
firefox
Wallets
%08lX%04lX%lu
SOFTWARE\Microsoft\Windows NT\CurrentVersion
x64
%d/%d/%d %d:%d:%d
HARDWARE\DESCRIPTION\System\CentralProcessor\0
ProcessorNameString
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
DisplayVersion
msvcp140.dll
softokn3.dll
vcruntime140.dll
\Temp\
.exe
open
%LOCALAPPDATA%
%USERPROFILE%
%PROGRAMFILES%
%PROGRAMFILES_86%
*.lnk
Files
\Local Storage\leveldb\CURRENT
\Local Storage\leveldb
\Telegram Desktop\
D877F783D5D3EF8C*
map*
A7FDF864FBC10B77*
A92DAA6EA6F891F2*
F8806DD0C461824F*
Tox
*.tox
*.ini
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Office.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
\Outlook\accounts.txt
Pidgin
accounts.xml
token:
Software\Valve\Steam
config.vdf
DialogConfig.vdf
DialogConfigOverlay*.vdf
libraryfolders.vdf
loginusers.vdf
\Steam\
\Discord\tokens.txt
/c timeout /t 5 & del /f /q "
" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\cmd.exe
Content-Type: multipart/form-data; boundary=----
Content-Disposition: form-data; name="
build
token
message
ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
screenshot.jpg
(PID) Process(5116) Uc.pif
C2https://t.me/iyigunl
URLhttps://steamcommunity.com/profiles/76561199761128941
6056choice /d y /t 5C:\Windows\SysWOW64\choice.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Offers the user a choice
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6508cmd /c copy /b ..\Trademark + ..\Producer + ..\Patterns + ..\Trials + ..\Albany + ..\Jackson i C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6520findstr /V "bonesacersystemplaying" Cream C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6528cmd /c md 17221C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6672"C:\Users\admin\Desktop\lem.exe" C:\Users\admin\Desktop\lem.exeexplorer.exe
User:
admin
Company:
ArtPixel360 Innovations Co.
Integrity Level:
MEDIUM
Description:
Pixel art creation software with advanced editing features.
Exit code:
0
Version:
0.2184.7.9734
Modules
Images
c:\users\admin\desktop\lem.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6712"C:\Windows\System32\cmd.exe" /k move Pray Pray.cmd & Pray.cmd & exitC:\Windows\SysWOW64\cmd.exe
lem.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
9009
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6724\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
2 042
Read events
2 032
Write events
8
Delete events
2

Modification events

(PID) Process:(6672) lem.exeKey:HKEY_CURRENT_USER
Operation:delete valueName:BowHardcore
Value:
(PID) Process:(6672) lem.exeKey:HKEY_CURRENT_USER
Operation:delete valueName:PaperbacksCambodia
Value:
(PID) Process:(6672) lem.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6672) lem.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6672) lem.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6672) lem.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
19
Text files
162
Unknown types
1

Dropped files

PID
Process
Filename
Type
6672lem.exeC:\Users\admin\AppData\Local\Temp\Praytext
MD5:F1FD3C7220FACF470B996A9379190113
SHA256:34ECED43FE6CD76E5B6ACDF44AF4DEC89AB1D077D14E3D14D70E7CA1ECBCDC0E
6672lem.exeC:\Users\admin\AppData\Local\Temp\Trialsbinary
MD5:24CF38486E24605222EDF6FCF8CFF6E8
SHA256:A0F013172D123432D09D895355A1478783308468615261312D91F99C662663DF
6672lem.exeC:\Users\admin\AppData\Local\Temp\Creambinary
MD5:9214610A5B73E1B10F4E6E06A2BA2432
SHA256:FFD3C52E488062B4F11DF0B8A7A3FAC58C66FC34207AFE0BAE1C660FF5E51A0D
5116Uc.pifC:\Users\admin\AppData\Local\Temp\delays.tmptext
MD5:275C8C499B12CEC09D8718B16E3FD329
SHA256:97C693F204221532D7CBBC57D477774A155E1FABA10CDF312E6D0422D1DEA97C
6672lem.exeC:\Users\admin\AppData\Local\Temp\Producerbinary
MD5:7E7607AE2A5B15272504D9113D0DAA05
SHA256:45B07AE181FFCDF6E4C1A69D59798E38172F028DEEDA2849F5C115D9C127356F
6672lem.exeC:\Users\admin\AppData\Local\Temp\Albanybinary
MD5:EB88F93AF4EB225F8B39EA60405098B1
SHA256:C3712F8BF559A493F16E58DBFA06E02BDA63E04731AF85ECABC9FB417A9A86E2
6672lem.exeC:\Users\admin\AppData\Local\Temp\Trademarkbinary
MD5:BD964B18DF227902A7A616EAC33DC230
SHA256:3424C9E85A4FCAED1911C6164E559C2E2A1AAD3B32AD9153DAF9380AE8CAA6CE
6672lem.exeC:\Users\admin\AppData\Local\Temp\Jacksonbinary
MD5:33CCC90C0137E8BBDA9BA32F554AAE10
SHA256:2C2D4A66E8BA5D0F634426AD2BAA1C204D9C3A4639F186DDFFB44B2426633200
6672lem.exeC:\Users\admin\AppData\Local\Temp\Patternsbinary
MD5:0B93429A8CE125DD69E92E0AA6DCE16A
SHA256:7C0127A038DBAC9CE2AEEB436A24ED031506D7719FD096A075706C5ACD55BD43
6712cmd.exeC:\Users\admin\AppData\Local\Temp\Pray.cmdtext
MD5:F1FD3C7220FACF470B996A9379190113
SHA256:34ECED43FE6CD76E5B6ACDF44AF4DEC89AB1D077D14E3D14D70E7CA1ECBCDC0E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
6
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1432
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2252
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:138
whitelisted
2120
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1432
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4324
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1432
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
DhKHpuUtSSXxLJFtoyCtewjr.DhKHpuUtSSXxLJFtoyCtewjr
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
lem.exe