Malware analysis 0914672501ea24f6c1d8613499dd776b.exe Malicious activity

Add for printing

File name:	0914672501ea24f6c1d8613499dd776b.exe
Full analysis:	https://app.any.run/tasks/88289c60-6813-4ab6-a87d-dc4edd810069
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	April 25, 2025, 11:04:25
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	lumma stealer amadey botnet loader telegram credentialflusher phishing putty rmm-tool auto generic pastebin rdp themida delphi
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:	0914672501EA24F6C1D8613499DD776B
SHA1:	8E0E9C8E4B7F9AB9CBD1CBCD926BFCF985FB5CE9
SHA256:	87922C7E74F51E7D7D965C5EA64D881BDAD501B05794376155DB64A1C555AEC8
SSDEEP:	98304:Clz1Ym0W7qlrN66LlQWdbZgnsYPX2H03DhSlMrZd39SyazwmWC+Wp5ochkj3PFx9:fl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- LUMMA mutex has been found
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - MSBuild.exe (PID: 864)
  - fe905bad02.exe (PID: 6048)
- Actions looks like stealing of personal data
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - MSBuild.exe (PID: 864)
  - fe905bad02.exe (PID: 6048)
- Steals credentials from Web Browsers
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - fe905bad02.exe (PID: 6048)
  - MSBuild.exe (PID: 864)
- LUMMA has been detected (SURICATA)
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - svchost.exe (PID: 2196)
  - fe905bad02.exe (PID: 6048)
  - f77ba36c2c.exe (PID: 6828)
  - f3e0384f67.exe (PID: 2664)
  - InstallUtil.exe (PID: 1532)
  - f9ab8b298a.exe (PID: 632)
  - 5e2b369b99.exe (PID: 2564)
  - zb7jDew.exe (PID: 4452)
  - MSBuild.exe (PID: 5328)
  - wqANqmh.exe (PID: 1180)
  - RtRra7v.exe (PID: 1116)
- Connects to the CnC server
  - svchost.exe (PID: 2196)
  - saved.exe (PID: 8156)
- AMADEY has been detected (SURICATA)
  - saved.exe (PID: 8156)
- AMADEY has been detected (YARA)
  - saved.exe (PID: 8156)
- Changes the autorun value in the registry
  - saved.exe (PID: 8156)
- LUMMA has been detected (YARA)
  - MSBuild.exe (PID: 864)
  - fe905bad02.exe (PID: 6048)
  - InstallUtil.exe (PID: 1532)
- Disables Windows Defender
  - 321e86c047.exe (PID: 3240)
- Possible tool for stealing has been detected
  - 7e8bcba70f.exe (PID: 7972)
  - firefox.exe (PID: 8120)
- Uses Task Scheduler to run other applications
  - cmd.exe (PID: 5512)
- Run PowerShell with an invisible window
  - powershell.exe (PID: 8028)
- Changes the Windows auto-update feature
  - 321e86c047.exe (PID: 3240)
- Script downloads file (POWERSHELL)
  - powershell.exe (PID: 8028)
- GENERIC has been found (auto)
  - 97e7b9dd41.exe (PID: 5392)
- Executing a file with an untrusted certificate
  - core.exe (PID: 7928)
- PHISHING has been detected (SURICATA)
  - svchost.exe (PID: 2196)
- Stealers network behavior
  - svchost.exe (PID: 2196)
SUSPICIOUS
- Reads the BIOS version
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - fe905bad02.exe (PID: 6048)
  - 321e86c047.exe (PID: 3240)
- Contacting a server suspected of hosting an CnC
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - svchost.exe (PID: 2196)
  - saved.exe (PID: 8156)
  - fe905bad02.exe (PID: 6048)
  - f3e0384f67.exe (PID: 2664)
  - InstallUtil.exe (PID: 1532)
  - f9ab8b298a.exe (PID: 632)
  - 5e2b369b99.exe (PID: 2564)
  - f77ba36c2c.exe (PID: 6828)
  - MSBuild.exe (PID: 5328)
  - zb7jDew.exe (PID: 4452)
  - RtRra7v.exe (PID: 1116)
  - wqANqmh.exe (PID: 1180)
- Searches for installed software
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - fe905bad02.exe (PID: 6048)
  - MSBuild.exe (PID: 864)
- Connects to the server without a host name
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - saved.exe (PID: 8156)
  - fe905bad02.exe (PID: 6048)
  - powershell.exe (PID: 8028)
- Potential Corporate Privacy Violation
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - saved.exe (PID: 8156)
  - fe905bad02.exe (PID: 6048)
  - powershell.exe (PID: 8028)
- Process requests binary or script from the Internet
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - saved.exe (PID: 8156)
  - fe905bad02.exe (PID: 6048)
  - powershell.exe (PID: 8028)
- Executable content was dropped or overwritten
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - TO4JMDBIA6J6IOLV8.exe (PID: 8096)
  - saved.exe (PID: 8156)
  - fe905bad02.exe (PID: 6048)
  - powershell.exe (PID: 8028)
  - 9935c46a47.exe (PID: 3240)
  - 9935c46a47.tmp (PID: 2344)
  - 97e7b9dd41.exe (PID: 5392)
- Reads security settings of Internet Explorer
  - TO4JMDBIA6J6IOLV8.exe (PID: 8096)
  - saved.exe (PID: 8156)
  - 9935c46a47.tmp (PID: 2344)
- Starts itself from another location
  - TO4JMDBIA6J6IOLV8.exe (PID: 8096)
- Process drops legitimate windows executable
  - saved.exe (PID: 8156)
- Starts a Microsoft application from unusual location
  - 0609e9cf61.exe (PID: 5256)
- There is functionality for taking screenshot (YARA)
  - saved.exe (PID: 8156)
  - MSBuild.exe (PID: 864)
  - InstallUtil.exe (PID: 1532)
- There is functionality for enable RDP (YARA)
  - saved.exe (PID: 8156)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - MSBuild.exe (PID: 864)
- Uses TASKKILL.EXE to kill Browsers
  - 7e8bcba70f.exe (PID: 7972)
- The process executes via Task Scheduler
  - saved.exe (PID: 7824)
  - saved.exe (PID: 6652)
  - saved.exe (PID: 1300)
  - saved.exe (PID: 3676)
  - saved.exe (PID: 744)
- Uses TASKKILL.EXE to kill process
  - 7e8bcba70f.exe (PID: 7972)
- Starts CMD.EXE for commands execution
  - 86a857bb1a.exe (PID: 3784)
- Starts POWERSHELL.EXE for commands execution
  - mshta.exe (PID: 5056)
- Found IP address in command line
  - powershell.exe (PID: 8028)
- Manipulates environment variables
  - powershell.exe (PID: 8028)
- Probably download files using WebClient
  - mshta.exe (PID: 5056)
- Starts process via Powershell
  - powershell.exe (PID: 8028)
- Reads the Windows owner or organization settings
  - 9935c46a47.tmp (PID: 2344)
- PUTTY has been detected
  - putty.exe (PID: 7980)
- Executes application which crashes
  - 172f3f7ee8.exe (PID: 7976)
- Connects to unusual port
  - svchost.exe (PID: 4272)
INFO
- Checks supported languages
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - TO4JMDBIA6J6IOLV8.exe (PID: 8096)
  - saved.exe (PID: 8156)
  - 0609e9cf61.exe (PID: 5256)
  - MSBuild.exe (PID: 864)
  - fe905bad02.exe (PID: 6048)
  - 321e86c047.exe (PID: 3240)
  - 7e8bcba70f.exe (PID: 7972)
  - saved.exe (PID: 7824)
  - 86a857bb1a.exe (PID: 3784)
  - HZEZBB3MJWQO6JEFR0JESW.exe (PID: 6652)
  - TempLFUPJFVQQW6LNUATGWJVFOKMIU3ZA06D.EXE (PID: 5116)
  - 9935c46a47.exe (PID: 3240)
  - 9935c46a47.tmp (PID: 2344)
  - putty.exe (PID: 7980)
- Reads the computer name
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - TO4JMDBIA6J6IOLV8.exe (PID: 8096)
  - saved.exe (PID: 8156)
  - MSBuild.exe (PID: 864)
  - fe905bad02.exe (PID: 6048)
  - 321e86c047.exe (PID: 3240)
  - 7e8bcba70f.exe (PID: 7972)
  - 86a857bb1a.exe (PID: 3784)
  - putty.exe (PID: 7980)
  - 9935c46a47.tmp (PID: 2344)
- Reads the software policy settings
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - fe905bad02.exe (PID: 6048)
  - MSBuild.exe (PID: 864)
- Create files in a temporary directory
  - 0914672501ea24f6c1d8613499dd776b.exe (PID: 7392)
  - TO4JMDBIA6J6IOLV8.exe (PID: 8096)
  - saved.exe (PID: 8156)
  - fe905bad02.exe (PID: 6048)
  - 86a857bb1a.exe (PID: 3784)
  - 9935c46a47.exe (PID: 3240)
  - 9935c46a47.tmp (PID: 2344)
- Process checks computer location settings
  - TO4JMDBIA6J6IOLV8.exe (PID: 8096)
  - saved.exe (PID: 8156)
  - 9935c46a47.tmp (PID: 2344)
- Checks proxy server information
  - saved.exe (PID: 8156)
  - powershell.exe (PID: 8028)
- The sample compiled with english language support
  - saved.exe (PID: 8156)
  - 9935c46a47.tmp (PID: 2344)
  - 97e7b9dd41.exe (PID: 5392)
- Creates files or folders in the user directory
  - saved.exe (PID: 8156)
  - 9935c46a47.tmp (PID: 2344)
- Manual execution by a user
  - Taskmgr.exe (PID: 6988)
  - Taskmgr.exe (PID: 4380)
  - Taskmgr.exe (PID: 1512)
  - InstallUtil.exe (PID: 1532)
  - svchost.exe (PID: 4272)
  - Taskmgr.exe (PID: 5292)
- Reads security settings of Internet Explorer
  - Taskmgr.exe (PID: 6988)
- Reads mouse settings
  - 7e8bcba70f.exe (PID: 7972)
  - 86a857bb1a.exe (PID: 3784)
- Themida protector has been detected
  - fe905bad02.exe (PID: 6048)
  - 321e86c047.exe (PID: 3240)
- Application launched itself
  - firefox.exe (PID: 8120)
  - firefox.exe (PID: 8108)
- Reads Internet Explorer settings
  - mshta.exe (PID: 5056)
- Disables trace logs
  - powershell.exe (PID: 8028)
- The executable file from the user directory is run by the Powershell process
  - TempLFUPJFVQQW6LNUATGWJVFOKMIU3ZA06D.EXE (PID: 5116)
- Creates a software uninstall entry
  - 9935c46a47.tmp (PID: 2344)
- Compiled with Borland Delphi (YARA)
  - core.exe (PID: 7928)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Amadey

(PID) Process(8156) saved.exe

C2185.39.17.163

URLhttp://185.39.17.163/Su8kud7i/index.php

Version5.34

Options

Drop directoryc13dbdc4fa

Drop namesaved.exe

Strings (125)S-%lu-

og:

clip.dll

ProgramData\

shell32.dll

<c>

vs:

Programs

VideoID

ESET

av:

\App

0000043f

Doctor Web

:::

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

------

rundll32.exe

00000422

185.39.17.163

0123456789

st=s

00000419

Content-Type: application/x-www-form-urlencoded

/Plugins/

msi

ar:

GetNativeSystemInfo

Norton

-%lu

Sophos

zip

SOFTWARE\Microsoft\Windows NT\CurrentVersion

" Content-Type: application/octet-stream

+++

" && ren

pc:

cmd /C RMDIR /s/q

Bitdefender

Comodo

<d>

Kaspersky Lab

DefaultSettings.YResolution

Main

c13dbdc4fa

-executionpolicy remotesigned -File "

&& Exit"

ProductName

&unit=

2022

Panda Security

Rem

cmd

\0000

id:

sd:

/quiet

rundll32

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%-lu

random

GET

"taskkill /f /im "

Content-Disposition: form-data; name="data"; filename="

00000423

5.34

2016

?scr=1

ComputerName

Keyboard Layout\Preload

Powershell.exe

POST

http://

AVAST Software

SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\

ps1

DefaultSettings.XResolution

Startup

CurrentBuild

cred.dll|clip.dll|

------

WinDefender

https://

Avira

2025

" && timeout 1 && del

cred.dll

un:

SYSTEM\ControlSet001\Services\BasicDisplay\Video

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

360TotalSecurity

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

saved.exe

lv:

/Su8kud7i/index.php

shutdown -s -t 0

SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

exe

%USERPROFILE%

-unicode-

.jpg

dll

Content-Type: multipart/form-data; boundary=----

2019

bi:

kernel32.dll

os:

abcdefghijklmnopqrstuvwxyz0123456789-_

dm:

AVG

Lumma

(PID) Process(864) MSBuild.exe

C2 (10)woodpeckersd.run/glsk

vigorbridgoe.top/banb

climatologfy.top/kbud

https://t.me/cob1488

topographky.top/xlak

techwaveg.run/oipz

biosphxere.digital/tqoa

cartograhphy.top/ixau

geographys.run/eirq

tropiscbs.live/iuwxx

(PID) Process(6048) fe905bad02.exe

C2 (9)woodpeckersd.run/glsk

climatologfy.top/kbud

tropiscbs.live/iuwxx

topographky.top/xlak

biosphxere.digital/tqoa

clarmodq.top/qoxo

cartograhphy.top/ixau

geographys.run/eirq

vigorbridgoe.top/banb

(PID) Process(1532) InstallUtil.exe

C2 (10)wolverineas.top/xadw

jawdedmirror.run/ewqd

zestmodp.top/zeda

salaccgfa.top/gsooz

owlflright.digital/qopy

modmovel.digital/plhx

nighetwhisper.top/lekd

liftally.top/xasj

lonfgshadow.live/xawi

changeaie.top/geps

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:04:23 14:02:20+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14
CodeSize:	312320
InitializedDataSize:	37888
UninitializedDataSize:	-
EntryPoint:	0x496000
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

215

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

632

"C:\Users\admin\AppData\Local\Temp\10020690101\f9ab8b298a.exe"

C:\Users\admin\AppData\Local\Temp\10020690101\f9ab8b298a.exe

saved.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\10020690101\f9ab8b298a.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

744

"C:\Users\admin\AppData\Local\Temp\c13dbdc4fa\saved.exe"

C:\Users\admin\AppData\Local\Temp\c13dbdc4fa\saved.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\c13dbdc4fa\saved.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

864

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

0609e9cf61.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

MSBuild.exe

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

Lumma

(PID) Process(864) MSBuild.exe

C2 (10)woodpeckersd.run/glsk

vigorbridgoe.top/banb

climatologfy.top/kbud

https://t.me/cob1488

topographky.top/xlak

techwaveg.run/oipz

biosphxere.digital/tqoa

cartograhphy.top/ixau

geographys.run/eirq

tropiscbs.live/iuwxx

968

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5092 -childID 5 -isForBrowser -prefsHandle 3160 -prefMapHandle 4752 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1368 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cb3f6c7-623d-44ed-b8a5-2ea3744626da} 8108 "\\.\pipe\gecko-crash-server-pipe.8108" 23a07daea10 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll

1116

"C:\Users\admin\AppData\Local\Temp\10020750101\RtRra7v.exe"

C:\Users\admin\AppData\Local\Temp\10020750101\RtRra7v.exe

saved.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\10020750101\rtrra7v.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

1180

"C:\Users\admin\AppData\Local\Temp\10020740101\wqANqmh.exe"

C:\Users\admin\AppData\Local\Temp\10020740101\wqANqmh.exe

saved.exe

User:

admin

Company:

Responsive Strategy Group

Integrity Level:

MEDIUM

Description:

Provides Schedule Workflow capabilities

Exit code:

Version:

1.3.16.1765

Modules

Images
c:\users\admin\appdata\local\temp\10020740101\wqanqmh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1300

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5932 -childID 8 -isForBrowser -prefsHandle 2956 -prefMapHandle 5740 -prefsLen 31293 -prefMapSize 244583 -jsInitHandle 1368 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39b62151-b5cf-4145-8ef0-d268a668a434} 8108 "\\.\pipe\gecko-crash-server-pipe.8108" 23a0bae04d0 tab

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll

1300

"C:\Users\admin\AppData\Local\Temp\c13dbdc4fa\saved.exe"

C:\Users\admin\AppData\Local\Temp\c13dbdc4fa\saved.exe

—

svchost.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\c13dbdc4fa\saved.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1512

"C:\WINDOWS\system32\taskmgr.exe" /4

C:\Windows\System32\Taskmgr.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Manager

Exit code:

3221226540

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll

1532

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

.NET Framework installation utility

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll

Lumma

(PID) Process(1532) InstallUtil.exe

C2 (10)wolverineas.top/xadw

jawdedmirror.run/ewqd

zestmodp.top/zeda

salaccgfa.top/gsooz

owlflright.digital/qopy

modmovel.digital/plhx

nighetwhisper.top/lekd

liftally.top/xasj

lonfgshadow.live/xawi

changeaie.top/geps

Add for printing

Total events

39 038

Read events

38 961

Write events

Delete events

Modification events


(PID) Process:	(8156) saved.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(8156) saved.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(8156) saved.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(8156) saved.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	fe905bad02.exe
Value: C:\Users\admin\AppData\Local\Temp\10020610101\fe905bad02.exe
(PID) Process:	(6988) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	delete value	Name:	Preferences
Value:
(PID) Process:	(6988) Taskmgr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\TaskManager
Operation:	write	Name:	Preferences
Value: 0D00000060000000600000006800000068000000E3010000DC010000000001000000008000000080D8010080DF010080000100016B00000034000000130300008C020000E80300000000000000000000000000000F000000010000000000000058AA043AF67F00000000000000000000000000002E0100001E0000008990000000000000FF00000001015002000000000D0000000000000098AA043AF67F00000000000000000000FFFFFFFF960000001E0000008B900000010000000000000000101001000000000300000000000000B0AA043AF67F00000000000000000000FFFFFFFF780000001E0000008C900000020000000000000001021200000000000400000000000000C8AA043AF67F00000000000000000000FFFFFFFF960000001E0000008D900000030000000000000000011001000000000200000000000000E8AA043AF67F00000000000000000000FFFFFFFF320000001E0000008A90000004000000000000000008200100000000050000000000000000AB043AF67F00000000000000000000FFFFFFFFC80000001E0000008E90000005000000000000000001100100000000060000000000000028AB043AF67F00000000000000000000FFFFFFFF040100001E0000008F90000006000000000000000001100100000000070000000000000050AB043AF67F00000000000000000000FFFFFFFF49000000490000009090000007000000000000000004250000000000080000000000000080AA043AF67F00000000000000000000FFFFFFFF49000000490000009190000008000000000000000004250000000000090000000000000070AB043AF67F00000000000000000000FFFFFFFF490000004900000092900000090000000000000000042508000000000A0000000000000088AB043AF67F00000000000000000000FFFFFFFF4900000049000000939000000A0000000000000000042508000000000B00000000000000A8AB043AF67F00000000000000000000FFFFFFFF490000004900000039A000000B0000000000000000042509000000001C00000000000000C8AB043AF67F00000000000000000000FFFFFFFFC8000000490000003AA000000C0000000000000000011009000000001D00000000000000F0AB043AF67F00000000000000000000FFFFFFFF64000000490000004CA000000D0000000000000000021508000000001E0000000000000010AC043AF67F00000000000000000000FFFFFFFF64000000490000004DA000000E000000000000000002150800000000030000000A000000010000000000000058AA043AF67F0000000000000000000000000000D70000001E0000008990000000000000FF00000001015002000000000400000000000000C8AA043AF67F0000000000000000000001000000960000001E0000008D900000010000000000000001011000000000000300000000000000B0AA043AF67F00000000000000000000FFFFFFFF640000001E0000008C900000020000000000000000021000000000000C0000000000000040AC043AF67F0000000000000000000003000000640000001E00000094900000030000000000000001021000000000000D0000000000000068AC043AF67F00000000000000000000FFFFFFFF640000001E00000095900000040000000000000000011001000000000E0000000000000090AC043AF67F0000000000000000000005000000320000001E00000096900000050000000000000001042001000000000F00000000000000B8AC043AF67F0000000000000000000006000000320000001E00000097900000060000000000000001042001000000001000000000000000D8AC043AF67F0000000000000000000007000000460000001E00000098900000070000000000000001011001000000001100000000000000F8AC043AF67F00000000000000000000FFFFFFFF640000001E0000009990000008000000000000000001100100000000060000000000000028AB043AF67F0000000000000000000009000000040100001E0000008F9000000900000000000000010110010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000B000000010000000000000058AA043AF67F0000000000000000000000000000D70000001E0000009E90000000000000FF0000000101500200000000120000000000000020AD043AF67F00000000000000000000FFFFFFFF2D0000001E0000009B90000001000000000000000004200100000000140000000000000040AD043AF67F00000000000000000000FFFFFFFF640000001E0000009D90000002000000000000000001100100000000130000000000000068AD043AF67F00000000000000000000FFFFFFFF640000001E0000009C900000030000000000000000011001000000000300000000000000B0AA043AF67F00000000000000000000FFFFFFFF640000001E0000008C90000004000000000000000102100000000000070000000000000050AB043AF67F000000000000000000000500000049000000490000009090000005000000000000000104210000000000080000000000000080AA043AF67F000000000000000000000600000049000000490000009190000006000000000000000104210000000000090000000000000070AB043AF67F0000000000000000000007000000490000004900000092900000070000000000000001042108000000000A0000000000000088AB043AF67F0000000000000000000008000000490000004900000093900000080000000000000001042108000000000B00000000000000A8AB043AF67F0000000000000000000009000000490000004900000039A00000090000000000000001042109000000001C00000000000000C8AB043AF67F000000000000000000000A00000064000000490000003AA000000A00000000000000000110090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000008000000010000000000000058AA043AF67F0000000000000000000000000000C60000001E000000B090000000000000FF0000000101500200000000150000000000000088AD043AF67F00000000000000000000FFFFFFFF6B0000001E000000B1900000010000000000000000042500000000001600000000000000B8AD043AF67F00000000000000000000FFFFFFFF6B0000001E000000B2900000020000000000000000042500000000001800000000000000E0AD043AF67F00000000000000000000FFFFFFFF6B0000001E000000B490000003000000000000000004250000000000170000000000000008AE043AF67F00000000000000000000FFFFFFFF6B0000001E000000B390000004000000000000000004250000000000190000000000000040AE043AF67F00000000000000000000FFFFFFFFA00000001E000000B5900000050000000000000000042001000000001A0000000000000070AE043AF67F00000000000000000000FFFFFFFF7D0000001E000000B6900000060000000000000000042001000000001B00000000000000A0AE043AF67F00000000000000000000FFFFFFFF7D0000001E000000B790000007000000000000000004200100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA00000000000000000000000000000000000000000000009D200000200000009100000064000000320000006400000050000000320000003200000028000000500000003C0000005000000050000000320000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C00000050000000500000009700000032000000780000003200000050000000500000005000000050000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000DA000000000000000000000000000000000000009D200000200000009100000064000000320000009700000050000000320000003200000028000000500000003C000000500000005000000032000000500000005000000050000000500000005000000050000000500000002800000050000000230000002300000023000000230000005000000050000000500000003200000032000000320000007800000078000000500000003C0000005000000064000000780000003200000078000000780000003200000050000000500000005000000050000000C8000000000000000100000002000000030000000400000005000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E0000000F000000100000001100000012000000130000001400000015000000160000001700000018000000190000001A0000001B0000001C0000001D0000001E0000001F000000200000002100000022000000230000002400000025000000260000002700000028000000290000002A0000002B0000002C0000002D0000002E0000002F00000000000000000000001F00000000000000B400000032000000D8000000640000006400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000002000000030000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000000000000000000
(PID) Process:	(8156) saved.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	321e86c047.exe
Value: C:\Users\admin\AppData\Local\Temp\10020620101\321e86c047.exe
(PID) Process:	(8156) saved.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	7e8bcba70f.exe
Value: C:\Users\admin\AppData\Local\Temp\10020630101\7e8bcba70f.exe
(PID) Process:	(3240) 321e86c047.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features
Operation:	write	Name:	TamperProtection
Value: 0
(PID) Process:	(3240) 321e86c047.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1

Add for printing

Executable files

Suspicious files

145

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
8108	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-current.bin		—
		MD5:—	SHA256:—
7392	0914672501ea24f6c1d8613499dd776b.exe	C:\Users\admin\AppData\Local\Temp\TO4JMDBIA6J6IOLV8.exe		executable
		MD5:F6C20A18AFEAC04964A6CCAD6BE59731	SHA256:CE75F9DEDE6D4E93549D35B816898113B6BEFAB9EF0AADF8949D4887C2C34BEA
8156	saved.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\random[1].exe		executable
		MD5:012ED8EFD516112A63292FBCEB7F0272	SHA256:14B4F88F74AB950BBEA37391AD91E1FBC45ACAC27C8AC1FAEA79C3A2DC9D6C12
8156	saved.exe	C:\Users\admin\AppData\Local\Temp\10020640101\86a857bb1a.exe		executable
		MD5:185A47FE65CD5D933760E174E84D297D	SHA256:1B0FBC916A928257568096608295DB054F3E8F4803BBF0DC0CA1810A9CCE4022
8108	firefox.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\cookies.sqlite-shm		binary
		MD5:B7C14EC6110FA820CA6B65F5AEC85911	SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
8156	saved.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\random[1].exe		executable
		MD5:7C790D2FE9BFD3CE7E681947683E16C3	SHA256:44C7CCD8EF8259BCA92224732F5EF7C6F7DF42EF61B603EF0895F7986BA368DB
8156	saved.exe	C:\Users\admin\AppData\Local\Temp\10020620101\321e86c047.exe		executable
		MD5:7C790D2FE9BFD3CE7E681947683E16C3	SHA256:44C7CCD8EF8259BCA92224732F5EF7C6F7DF42EF61B603EF0895F7986BA368DB
8156	saved.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\random[2].exe		executable
		MD5:0EC10D16C67B0F8F1382692A9FE4DDE6	SHA256:22B58343B726C9FCB192EC68F7DB07AA49EFF901B448F50F37D61F6C39FCC58B
8108	firefox.exe	C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\scriptCache-child-current.bin		binary
		MD5:C95DDC2B1A525D1A243E4C294DA2F326	SHA256:3A5919E086BFB31E36110CF636D2D5109EB51F2C410B107F126126AB25D67363
8156	saved.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\random[1].exe		executable
		MD5:185A47FE65CD5D933760E174E84D297D	SHA256:1B0FBC916A928257568096608295DB054F3E8F4803BBF0DC0CA1810A9CCE4022

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

281

DNS requests

148

Threats

160

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
—	—	GET	200	23.53.40.178:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7392	0914672501ea24f6c1d8613499dd776b.exe	GET	200	185.39.17.162:80	http://185.39.17.162/mine/random.exe	unknown	—	—	malicious
8156	saved.exe	POST	200	185.39.17.163:80	http://185.39.17.163/Su8kud7i/index.php	unknown	—	—	malicious
8156	saved.exe	GET	200	185.39.17.162:80	http://185.39.17.162/files/fate/random.exe	unknown	—	—	malicious
8156	saved.exe	POST	200	185.39.17.163:80	http://185.39.17.163/Su8kud7i/index.php	unknown	—	—	malicious
8156	saved.exe	POST	200	185.39.17.163:80	http://185.39.17.163/Su8kud7i/index.php	unknown	—	—	malicious
8156	saved.exe	POST	200	185.39.17.163:80	http://185.39.17.163/Su8kud7i/index.php	unknown	—	—	malicious
8156	saved.exe	GET	200	185.39.17.162:80	http://185.39.17.162/off/random.exe	unknown	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	23.53.40.178:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
7392	0914672501ea24f6c1d8613499dd776b.exe	172.67.205.184:443	clarmodq.top	CLOUDFLARENET	US	malicious
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
6544	svchost.exe	20.190.160.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
7392	0914672501ea24f6c1d8613499dd776b.exe	185.39.17.162:80	—	Joint Stock Company Tagnet	RU	malicious

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
crl.microsoft.com	23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	216.58.206.78	whitelisted
clarmodq.top	172.67.205.184 104.21.85.126	malicious
client.wns.windows.com	172.211.123.248 172.211.123.250	whitelisted
login.live.com	20.190.160.67 20.190.160.5 20.190.160.132 20.190.160.130 40.126.32.133 20.190.160.2 20.190.160.64 40.126.32.138 40.126.31.67 20.190.159.73 40.126.31.3 20.190.159.129 40.126.31.2 20.190.159.2 40.126.31.131 20.190.159.23	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
t.me	149.154.167.99	whitelisted
techwaveg.run	188.114.97.3 188.114.96.3	unknown

Threats

PID	Process	Class	Message
2196	svchost.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (clarmodq .top)
2196	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
2196	svchost.exe	Domain Observed Used for C2 Detected	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clarmodq .top)
7392	0914672501ea24f6c1d8613499dd776b.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7392	0914672501ea24f6c1d8613499dd776b.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7392	0914672501ea24f6c1d8613499dd776b.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7392	0914672501ea24f6c1d8613499dd776b.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7392	0914672501ea24f6c1d8613499dd776b.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7392	0914672501ea24f6c1d8613499dd776b.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)
7392	0914672501ea24f6c1d8613499dd776b.exe	Domain Observed Used for C2 Detected	ET MALWARE Observed Win32/Lumma Stealer Related Domain (clarmodq .top in TLS SNI)

Add for printing

No debug info

General Info

0914672501ea24f6c1d8613499dd776b.exe

0914672501EA24F6C1D8613499DD776B

8E0E9C8E4B7F9AB9CBD1CBCD926BFCF985FB5CE9

87922C7E74F51E7D7D965C5EA64D881BDAD501B05794376155DB64A1C555AEC8

98304:Clz1Ym0W7qlrN66LlQWdbZgnsYPX2H03DhSlMrZd39SyazwmWC+Wp5ochkj3PFx9:fl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

LUMMA mutex has been found

Actions looks like stealing of personal data

Steals credentials from Web Browsers

LUMMA has been detected (SURICATA)

Connects to the CnC server

AMADEY has been detected (SURICATA)

AMADEY has been detected (YARA)

Changes the autorun value in the registry

LUMMA has been detected (YARA)

Disables Windows Defender

Possible tool for stealing has been detected

Uses Task Scheduler to run other applications

Run PowerShell with an invisible window

Changes the Windows auto-update feature

Script downloads file (POWERSHELL)

GENERIC has been found (auto)

Executing a file with an untrusted certificate

PHISHING has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Reads the BIOS version

Contacting a server suspected of hosting an CnC

Searches for installed software

Connects to the server without a host name

Potential Corporate Privacy Violation

Process requests binary or script from the Internet

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Starts itself from another location

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

There is functionality for taking screenshot (YARA)

There is functionality for enable RDP (YARA)

Process communicates with Telegram (possibly using it as an attacker's C2 server)

Uses TASKKILL.EXE to kill Browsers

The process executes via Task Scheduler

Uses TASKKILL.EXE to kill process

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Found IP address in command line

Manipulates environment variables

Probably download files using WebClient

Starts process via Powershell

Reads the Windows owner or organization settings

PUTTY has been detected

Executes application which crashes

Connects to unusual port

INFO

Checks supported languages

Reads the computer name

Reads the software policy settings

Create files in a temporary directory

Process checks computer location settings

Checks proxy server information

The sample compiled with english language support

Creates files or folders in the user directory

Manual execution by a user

Reads security settings of Internet Explorer

Reads mouse settings

Themida protector has been detected

Application launched itself

Reads Internet Explorer settings

Disables trace logs

The executable file from the user directory is run by the Powershell process

Creates a software uninstall entry

Compiled with Borland Delphi (YARA)

Malware configuration

Amadey