File name: _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe

Full analysis: https://app.any.run/tasks/a477d647-cad9-43fd-ba52-9cc7f50097bc
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates a device in order to deliver further malicious payloads. It profiles the victim's system and installs other threats such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: March 27, 2026, 20:43:30
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
offloader
loader
anti-evasion
inno
installer
delphi
stealer
santastealer
teamviewer
rmm-tool
tightvnc
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections
MD5: EA15E8ADB529FFB437BD08B4893A88E1
SHA1: 27744F65E4BC13555D0A13851FD747C283C53242
SHA256: 8100DA6F9B544D639EB857D99BF33CEADB31FAD65C2E9C33AA8536D77F937230
SSDEEP: 98304:IpUvmenPSZpQzDjFKUm5m20g3wPNbiLE/Pay+MMnOxVwjpoPp1gWueA2qmaM1eBf:mU3gPyG8+jna5mEjU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • OFFLOADER has been found (auto)

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 5448)
    • Starts CMD.EXE for self-deletion

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
    • Actions look like stealing of personal data

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Steals credentials from Web Browsers

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • SANTASTEALER has been detected (SURICATA)

      • svchost.exe (PID: 2232)
  • SUSPICIOUS

    • The process checks if it is being run in the virtual environment

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
    • Reads the Windows owner or organization settings

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
    • Executable content was dropped or overwritten

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 5448)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 1140)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
    • The process drops C-runtime libraries

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 1776)
    • Starts CMD.EXE with output disabled

      • cmd.exe (PID: 1776)
    • File deletion via cmd.exe

      • cmd.exe (PID: 1776)
    • Self-deletion pattern has been detected

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1776)
    • Hides command output

      • cmd.exe (PID: 1776)
    • Reads the date of Windows installation

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Reads browser cookies

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Searches for installed software

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Possible stealing from crypto wallets

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • The process verifies whether antivirus software is installed

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Possible stealing of VPN data

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Possible stealing from password managers

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Possible stealing of FTP data

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Possible stealing of cloud data

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Loads DLL from Mozilla Firefox

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Contacting a server suspected of hosting a CnC

      • FnHotkeyUtility.exe (PID: 6796)
    • The process executes via Task Scheduler

      • FnHotkeyUtility.exe (PID: 7580)
    • Possible stealing from browsers

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
  • INFO

    • Reads security settings of Internet Explorer

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
    • Compiled with Borland Delphi (YARA)

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 5448)
    • Reads the computer name

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Detects InnoSetup installer (YARA)

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 5448)
    • Creates files in a temporary directory

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 5448)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 1140)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Reads Environment values

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 5448)
      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Checks supported languages

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 5448)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 1140)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Password parameter in command-line

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 1904)
      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe (PID: 1140)
    • The sample was compiled with Chinese language support

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
    • The sample was compiled with English language support

      • _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp (PID: 6104)
    • UPX packer has been detected

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Reads product name

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • TEAMVIEWER has been detected

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • TIGHTVNC has been detected

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
    • Reads CPU info

      • FnHotkeyUtility.exe (PID: 6796)
      • FnHotkeyUtility.exe (PID: 7580)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:11:10 17:25:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 2.25
CodeSize: 716800
InitializedDataSize: 175616
UninitializedDataSize: -
EntryPoint: 0xafe60
OSVersion: 6.1
ImageVersion: -
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 18.72.12.0
ProductVersionNumber: 18.72.12.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Gizmo Ega) ltiot AI
FileDescription: Universal print management com proxy dll for richedit 1.0. w
FileVersion: 18.72.12
LegalCopyright: Copyright 2084-2088 Gizmo Ega) ltiot AI
OriginalFileName:
ProductName: lldres64
ProductVersion: 18.72.12
No data.
All screenshots are available in the full report
Total processes: 152
Monitored processes: 18
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Processes shown in the graph, in start order ("no specs" is the report's marker for a process that triggered no signatures):
start
_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe
_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp
_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe
_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp
fnhotkeyutility.exe
cmd.exe (no specs)
conhost.exe (no specs)
timeout.exe (no specs)
unsecapp.exe (no specs)
unsecapp.exe (no specs)
chrome.exe (no specs)
msedge.exe (no specs)
svchost.exe (#SANTASTEALER)
fnhotkeyutility.exe
unsecapp.exe (no specs)
unsecapp.exe (no specs)
chrome.exe (no specs)
msedge.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1140
CMD: "C:\Users\admin\Desktop\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe" /VERYSILENT /PASSWORD=094d5eee-f6a1-44ff-aa66-5b0c158b46f9
Path: C:\Users\admin\Desktop\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe
Parent process: _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp
User:
admin
Company:
Gizmo Ega) ltiot AI
Integrity Level:
MEDIUM
Description:
Universal print management com proxy dll for richedit 1.0. w
Exit code:
0
Version:
18.72.12
Modules
Images
c:\users\admin\desktop\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 1776
CMD: "cmd.exe" /c timeout /t 3 /nobreak > nul && del /f /q "C:\Users\admin\Desktop\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe"
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 1904
CMD: "C:\Users\admin\AppData\Local\Temp\is-PFISLK52NM.tmp\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp" /SL5="$C0300,5430626,893440,C:\Users\admin\Desktop\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-PFISLK52NM.tmp\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp
Parent process: _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe
User:
admin
Company:
Gizmo Ega) ltiot AI
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
1
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-pfislk52nm.tmp\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
PID: 2232
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 4956
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: FnHotkeyUtility.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5200
CMD: C:\WINDOWS\system32\wbem\unsecapp.exe -Embedding
Path: C:\Windows\System32\wbem\unsecapp.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Sink to receive asynchronous callbacks for WMI client application
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 5288
CMD: timeout /t 3 /nobreak
Path: C:\Windows\SysWOW64\timeout.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5448
CMD: "C:\Users\admin\Desktop\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe"
Path: C:\Users\admin\Desktop\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe
Parent process: explorer.exe
User:
admin
Company:
Gizmo Ega) ltiot AI
Integrity Level:
MEDIUM
Description:
Universal print management com proxy dll for richedit 1.0. w
Exit code:
1
Version:
18.72.12
Modules
Images
c:\users\admin\desktop\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comctl32.dll
PID: 5768
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: FnHotkeyUtility.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 5784
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: FnHotkeyUtility.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
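The process rows above describe a four-hop Inno Setup chain: the stub on the Desktop (PID 5448, started by explorer.exe) extracts its setup .tmp into %TEMP%\is-PFISLK52NM.tmp and hands it the /SL5 parameter (PID 1904); that stage relaunches the same stub with /VERYSILENT and /PASSWORD= (PID 1140), which unpacks a second setup .tmp (PID 6104); that stage drops FnHotkeyUtility.exe and two DLLs into C:\ProgramData\SiennaLawnGreen and then has cmd.exe wait three seconds and delete the original stub (PID 1776). The /PASSWORD= switch answers the installer's password prompt; whether the embedded files are also encrypted with that password is not something this excerpt shows. The following detection logic is an added example by the editor, not part of the ANY.RUN report. Its event list is transcribed from the process rows; the parent of FnHotkeyUtility.exe (taken from the behaviour-graph order) and the command line of PID 6104 (not shown in the excerpt) are assumptions and are marked as such in comments.

```python
"""Process-tree triage for the loader chain shown in this report.

Added example, not part of the ANY.RUN report. EVENTS is transcribed from the
"Process information" rows; where the excerpt does not state a parent or a
command line, the value is marked as an assumption in a comment.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the executable
    cmdline: str
    parent_image: str   # full path (or name) of the parent's executable


# cmd.exe /c timeout /t N ... && del ... <target>: delay-then-delete of the
# original stub, issued once the next stage is already running.
SELF_DELETE_RE = re.compile(
    r'timeout\s+/t\s+(?P<secs>\d+).*?&&\s*del\b(?:\s+/[a-z])*\s+"?(?P<target>[^"]+?)"?\s*$',
    re.IGNORECASE,
)
# Inno Setup switches: /SL5= is the internal handoff from the stub to the
# extracted setup .tmp (handle, offset, size, original stub path);
# /VERYSILENT hides all UI; /PASSWORD= answers the installer's password prompt.
INNO_SL5_RE = re.compile(r'/SL5="?\$[0-9A-F]+,\d+,\d+,(?P<stub>[^"]+)', re.IGNORECASE)
INNO_PASSWORD_RE = re.compile(r'/PASSWORD=\S+', re.IGNORECASE)
INNO_VERYSILENT_RE = re.compile(r'/VERYSILENT\b', re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def triage(events):
    """Return (pid, finding, detail) tuples for the four patterns in the report."""
    findings = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        m = SELF_DELETE_RE.search(e.cmdline)
        if img == "cmd.exe" and m:
            findings.append((e.pid, "self-delete",
                             f"{parent} had cmd.exe delete {basename(m['target'])} after {m['secs']} s"))
        m = INNO_SL5_RE.search(e.cmdline)
        if m:
            findings.append((e.pid, "inno-setup-stage",
                             f"setup .tmp started by stub {basename(m['stub'])}"))
        if INNO_PASSWORD_RE.search(e.cmdline) and INNO_VERYSILENT_RE.search(e.cmdline):
            findings.append((e.pid, "inno-silent-relaunch",
                             f"{parent} relaunched {img} silently with an embedded password"))
        if e.image.lower().startswith("c:\\programdata\\") and parent.endswith(".tmp"):
            findings.append((e.pid, "programdata-exec",
                             f"{img} started from {dirname(e.image)} by installer stage {parent}"))
    return findings


NAME = "_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230"
STUB = rf"C:\Users\admin\Desktop\{NAME}.exe"
STAGE1 = rf"C:\Users\admin\AppData\Local\Temp\is-PFISLK52NM.tmp\{NAME}.tmp"
STAGE2 = rf"C:\Users\admin\AppData\Local\Temp\is-Q90TI87E0U.tmp\{NAME}.tmp"
PAYLOAD = r"C:\ProgramData\SiennaLawnGreen\FnHotkeyUtility.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SL5 = f'/SL5="$C0300,5430626,893440,{STUB}"'

EVENTS = [
    ProcEvent(5448, STUB, f'"{STUB}"', r"C:\Windows\explorer.exe"),
    ProcEvent(1904, STAGE1, f'"{STAGE1}" {SL5}', STUB),
    # the report names the parent only as the .tmp; PID 1904 assumed
    ProcEvent(1140, STUB, f'"{STUB}" /VERYSILENT /PASSWORD=094d5eee-f6a1-44ff-aa66-5b0c158b46f9', STAGE1),
    # command line of PID 6104 is not in the excerpt; same /SL5 shape assumed
    ProcEvent(6104, STAGE2, f'"{STAGE2}" {SL5}', STUB),
    # parent taken from the behaviour-graph order, not stated as a PID link
    ProcEvent(6796, PAYLOAD, f'"{PAYLOAD}"', STAGE2),
    ProcEvent(1776, CMD, f'"cmd.exe" /c timeout /t 3 /nobreak > nul && del /f /q "{STUB}"', STAGE2),
    ProcEvent(5288, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 3 /nobreak", CMD),
    ProcEvent(5768, CHROME, f'"{CHROME}"', PAYLOAD),
]

if __name__ == "__main__":
    for pid, kind, detail in triage(EVENTS):
        print(f"{pid:>5}  {kind:<22} {detail}")
```

Run against the transcribed events it reports five findings: the two /SL5 stages, the silent password relaunch, the ProgramData execution and the self-deletion; the browsers that FnHotkeyUtility.exe starts produce nothing, since the excerpt does not say what they are used for. In production the same rules fit a Sysmon Event ID 1 or EDR process-creation feed; the weakest rule is the ProgramData one, so pair it with the parent-is-a-setup-.tmp condition as done here.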
Total events: 4515
Read events: 2958
Write events: 1557
Delete events: 0

Modification events

(PID) Process: (1904) _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 70070000A7C5A9622ABEDC01

(PID) Process: (1904) _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: E3937F2349B8E979441AA98C53FA541CE6E5B78A526BC845ED63A933371F437D

(PID) Process: (1904) _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (6796) FnHotkeyUtility.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation: write
Name: Ex_31
Value: 0C0103000100

(PID) Process: (6796) FnHotkeyUtility.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation: write
Name: Ex_1A
Value: 0C0103000200

(PID) Process: (6796) FnHotkeyUtility.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation: write
Name: Ex_91
Value: 0C0103080000

(PID) Process: (6796) FnHotkeyUtility.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation: write
Name: 05
Value: 0C0103004000

(PID) Process: (6796) FnHotkeyUtility.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation: write
Name: Ex_20
Value: 0C0103100001

(PID) Process: (6796) FnHotkeyUtility.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation: write
Name: Ex_25
Value: 0C0103100010

(PID) Process: (6796) FnHotkeyUtility.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation: write
Name: Ex_27
Value: 0C0103100012
Executable files: 18
Suspicious files: 8
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6104 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | C:\Users\admin\AppData\Local\Temp\is-LLCV61EQ9G.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6104 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | C:\ProgramData\SiennaLawnGreen\spkvol.dll | executable
MD5: 038FBF6DB8904FF06607A47ABD4358CF
SHA256: 3124B72FA36D6A91601BE754CA76C619B4C1A91D7A26150F3B158799B380C7A3
5448 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe | C:\Users\admin\AppData\Local\Temp\is-PFISLK52NM.tmp\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | executable
MD5: DC0E488E28DDE92386E3994E034F22AE
SHA256: E1B154BA0EBE5B5DB2575AFB874D4F6376BF1D2E135C9D2657638771E439A136
1904 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | C:\Users\admin\AppData\Local\Temp\is-D6KDQNUM41.tmp\_isetup\_isdecmp.dll | executable
MD5: C6AE924AD02500284F7E4EFA11FA7CFC
SHA256: 31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
1904 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | C:\Users\admin\AppData\Local\Temp\is-D6KDQNUM41.tmp\_isetup\_setup64.tmp | executable
MD5: E4211D6D009757C078A9FAC7FF4F03D4
SHA256: 388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6104 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | C:\Users\admin\AppData\Local\Temp\is-LLCV61EQ9G.tmp\_isetup\_isdecmp.dll | executable
MD5: C6AE924AD02500284F7E4EFA11FA7CFC
SHA256: 31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
1140 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.exe | C:\Users\admin\AppData\Local\Temp\is-Q90TI87E0U.tmp\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | executable
MD5: DC0E488E28DDE92386E3994E034F22AE
SHA256: E1B154BA0EBE5B5DB2575AFB874D4F6376BF1D2E135C9D2657638771E439A136
6104 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | C:\ProgramData\SiennaLawnGreen\FnHotkeyUtility.exe | executable
MD5: AC01B1EFE9BDD6C127BCB489765E935D
SHA256: 2728E26AF764A64DD31F6DF20BAD9CE68F27A1C54628ABF7353A62F5E67A9DFF
6104 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | C:\ProgramData\SiennaLawnGreen\is-QFXSCMCG69.tmp | executable
MD5: AC01B1EFE9BDD6C127BCB489765E935D
SHA256: 2728E26AF764A64DD31F6DF20BAD9CE68F27A1C54628ABF7353A62F5E67A9DFF
6104 | _8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp | C:\ProgramData\SiennaLawnGreen\ludp.dll | executable
MD5: 084F247502E6054ADA4A65A8935A4396
SHA256: A62F73B7CEF738EBD9963744665AA85772B428AEF214F07F8112FF3816B09241
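Ten dropped files reduce to six distinct hashes, and not all six are worth pushing as indicators. _setup64.tmp and _isdecmp.dll are helper components that the Inno Setup engine extracts for every installation, so matching on them would flag any Inno-built package; the extracted setup .tmp in %TEMP%\is-XXXXXXXXXX.tmp appears twice because the stub ran twice; and is-QFXSCMCG69.tmp shares its hash with FnHotkeyUtility.exe because Inno Setup writes each file under a temporary is-*.tmp name in the target directory and then renames it. What remains as a payload set is the three files in C:\ProgramData\SiennaLawnGreen. The script below is an added example by the editor, not part of the report: it transcribes the table above, collapses it by SHA256 with that classification, and sweeps a directory for matching hashes; the constructed demo directory stands in for a real host.

```python
"""De-duplicate the "Dropped files" table into an IOC set and sweep a
directory for matching SHA256 hashes.

Added example, not part of the ANY.RUN report. DROPPED is transcribed from
the table above; the classification rules are this editor's, not the report's.
"""
import hashlib
import os
import re
import tempfile

# (pid, path, md5, sha256) exactly as listed in the report
DROPPED = [
    (6104, r"C:\Users\admin\AppData\Local\Temp\is-LLCV61EQ9G.tmp\_isetup\_setup64.tmp",
     "E4211D6D009757C078A9FAC7FF4F03D4", "388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95"),
    (6104, r"C:\ProgramData\SiennaLawnGreen\spkvol.dll",
     "038FBF6DB8904FF06607A47ABD4358CF", "3124B72FA36D6A91601BE754CA76C619B4C1A91D7A26150F3B158799B380C7A3"),
    (5448, r"C:\Users\admin\AppData\Local\Temp\is-PFISLK52NM.tmp\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp",
     "DC0E488E28DDE92386E3994E034F22AE", "E1B154BA0EBE5B5DB2575AFB874D4F6376BF1D2E135C9D2657638771E439A136"),
    (1904, r"C:\Users\admin\AppData\Local\Temp\is-D6KDQNUM41.tmp\_isetup\_isdecmp.dll",
     "C6AE924AD02500284F7E4EFA11FA7CFC", "31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26"),
    (1904, r"C:\Users\admin\AppData\Local\Temp\is-D6KDQNUM41.tmp\_isetup\_setup64.tmp",
     "E4211D6D009757C078A9FAC7FF4F03D4", "388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95"),
    (6104, r"C:\Users\admin\AppData\Local\Temp\is-LLCV61EQ9G.tmp\_isetup\_isdecmp.dll",
     "C6AE924AD02500284F7E4EFA11FA7CFC", "31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26"),
    (1140, r"C:\Users\admin\AppData\Local\Temp\is-Q90TI87E0U.tmp\_8100da6f9b544d639eb857d99bf33ceadb31fad65c2e9c33aa8536d77f937230.tmp",
     "DC0E488E28DDE92386E3994E034F22AE", "E1B154BA0EBE5B5DB2575AFB874D4F6376BF1D2E135C9D2657638771E439A136"),
    (6104, r"C:\ProgramData\SiennaLawnGreen\FnHotkeyUtility.exe",
     "AC01B1EFE9BDD6C127BCB489765E935D", "2728E26AF764A64DD31F6DF20BAD9CE68F27A1C54628ABF7353A62F5E67A9DFF"),
    (6104, r"C:\ProgramData\SiennaLawnGreen\is-QFXSCMCG69.tmp",
     "AC01B1EFE9BDD6C127BCB489765E935D", "2728E26AF764A64DD31F6DF20BAD9CE68F27A1C54628ABF7353A62F5E67A9DFF"),
    (6104, r"C:\ProgramData\SiennaLawnGreen\ludp.dll",
     "084F247502E6054ADA4A65A8935A4396", "A62F73B7CEF738EBD9963744665AA85772B428AEF214F07F8112FF3816B09241"),
]

INNO_HELPERS = {"_setup64.tmp", "_isdecmp.dll"}   # engine components present in every Inno install
STAGING_RE = re.compile(r"^is-[a-z0-9]{10}\.tmp$", re.IGNORECASE)   # temp name before the final rename
TEMP_STAGE_RE = re.compile(r"\\temp\\is-[a-z0-9]{10}\.tmp\\", re.IGNORECASE)   # extracted setup .tmp
RANK = {"payload": 3, "inno-setup-stage": 2, "inno-staging-copy": 1, "inno-helper": 0, "other": 0}


def classify(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    if name.lower() in INNO_HELPERS:
        return "inno-helper"
    if STAGING_RE.match(name):
        return "inno-staging-copy"
    if TEMP_STAGE_RE.search(path):
        return "inno-setup-stage"
    if path.lower().startswith("c:\\programdata\\"):
        return "payload"
    return "other"


def unique_iocs(rows):
    """One entry per SHA256: every name and PID seen, plus the strongest class."""
    out = {}
    for pid, path, md5, sha256 in rows:
        e = out.setdefault(sha256, {"md5": md5, "names": set(), "pids": set(), "class": None})
        e["names"].add(path.rsplit("\\", 1)[-1])
        e["pids"].add(pid)
        c = classify(path)
        if e["class"] is None or RANK[c] > RANK[e["class"]]:
            e["class"] = c
    return out


def sweep(root: str, sha256_set) -> list:
    """Hash every file under root; return [(path, SHA256)] for hashes in the set."""
    wanted = {h.lower() for h in sha256_set}
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            with open(p, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            if digest in wanted:
                hits.append((p, digest.upper()))
    return hits


def demo_sweep():
    """Run sweep() over a constructed directory (no real dropped file involved)."""
    data = b"constructed stand-in for a dropped payload"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "FnHotkeyUtility.exe"), "wb") as f:
            f.write(data)
        with open(os.path.join(d, "unrelated.txt"), "wb") as f:
            f.write(b"benign")
        return sweep(d, {hashlib.sha256(data).hexdigest()})


if __name__ == "__main__":
    for sha, e in unique_iocs(DROPPED).items():
        print(e["class"], sha, sorted(e["names"]))
```

For a real sweep pass the payload hashes only, i.e. the entries classified "payload"; the installer-stage hash is still useful for hunting the stub in mail quarantines, while the two helper hashes should stay out of any blocklist.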
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 43
TCP/UDP connections: 31
DNS requests: 24
Threats: 7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5276
MoUsoCoreWorker.exe
GET
304
51.104.136.2:443
https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop
US
whitelisted
5276
MoUsoCoreWorker.exe
GET
304
51.104.136.2:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
5316
svchost.exe
GET
200
23.11.41.157:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
NL
binary
471 b
whitelisted
4240
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
4240
SIHClient.exe
GET
200
135.233.95.135:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
4240
SIHClient.exe
GET
200
74.178.240.61:443
https://slscr.update.microsoft.com/sls/ping
US
whitelisted
4240
SIHClient.exe
GET
304
74.178.240.61:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
GET
200
204.79.197.203:80
http://oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBQ3L3%2F%2Fa6ADK8NraY2GXzVaYrHG4AQUb6t%2B2v%2BXQ3LsO2d33oJhNYhHQoUCEzMAAAAGb6JMMcOVb6sAAAAAAAY%3D
US
binary
959 b
whitelisted
5316
svchost.exe
POST
200
40.126.31.3:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
8044
svchost.exe
GET
304
40.127.240.158:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2
US
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
8044
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5532
SearchApp.exe
92.123.104.65:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
23.11.41.157:80
ocsp.digicert.com
AKAMAI-AMS
NL
whitelisted
204.79.197.203:80
oneocsp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
3428
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5316
svchost.exe
40.126.31.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 92.123.104.65
  • 92.123.104.46
  • 92.123.104.54
  • 92.123.104.61
  • 92.123.104.64
  • 92.123.104.47
  • 92.123.104.52
  • 92.123.104.62
  • 92.123.104.60
whitelisted
ocsp.digicert.com
  • 23.11.41.157
whitelisted
google.com
  • 142.251.37.14
whitelisted
oneocsp.microsoft.com
  • 204.79.197.203
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.3
  • 20.190.159.131
  • 20.190.159.4
  • 20.190.159.23
  • 40.126.31.73
  • 40.126.31.2
  • 20.190.159.128
  • 20.190.159.130
whitelisted
crl.microsoft.com
  • 23.48.23.191
  • 23.48.23.146
  • 23.48.23.194
  • 23.48.23.177
  • 23.48.23.166
  • 23.48.23.151
  • 23.48.23.153
  • 23.48.23.144
  • 23.48.23.145
  • 23.48.23.149
  • 23.48.23.168
  • 23.48.23.156
  • 23.48.23.164
  • 23.48.23.158
  • 23.48.23.157
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted

Threats

PID
Process
Class
Message
8044
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
2232
svchost.exe
A Network Trojan was detected
STEALER [ANY.RUN] SantaStealer related domain (ruruurururururu .ru)
6796
FnHotkeyUtility.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 14
6796
FnHotkeyUtility.exe
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Generic Agent C2 related IP address
6796
FnHotkeyUtility.exe
Misc activity
INFO [ANY.RUN] Connection to IP from commonly abused ASN (AS214943 RAILNET)
6796
FnHotkeyUtility.exe
A Network Trojan was detected
STEALER [ANY.RUN] SantaStealer-like data exfil via HTTP POST request
7580
FnHotkeyUtility.exe
A Network Trojan was detected
STEALER [ANY.RUN] SantaStealer-like data exfil via HTTP POST request
No debug info