File name:

2025-07-25_12e78d5e7d7af1d59ba9afa3c5db3d96_amadey_black-basta_darkgate_elex_hijackloader_luca-stealer_smoke-loader_stea.exe

Full analysis: https://app.any.run/tasks/53df4283-8ad7-4a46-9936-59d6156b3c11
Verdict: Malicious activity
Analysis date: July 25, 2025, 05:36:59
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
advancedinstaller
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

12E78D5E7D7AF1D59BA9AFA3C5DB3D96

SHA1:

4E5E547F829EF0F92E0E62C2C1A0013C7AAC79E5

SHA256:

BA6FCDAE4F139F8FE6FD8DC1F4175D9B79D58289D54745717708CCBF4AE45DC7

SSDEEP:

98304:YpfE1CQOGlfuAfpLPlmmJUyI92/GIGWFyfywJ2ZOAT3ykK17qSLjyj45Yn3MMSsQ:clPQ9Bj7Ow6xeM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 5824)
  • SUSPICIOUS

    • ADVANCEDINSTALLER mutex has been found

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
    • Adds/modifies Windows certificates

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
    • Reads the Windows owner or organization settings

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • msiexec.exe (PID: 5824)
    • Reads security settings of Internet Explorer

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • NLSvc.exe (PID: 7124)
      • NLSvc.exe (PID: 5236)
      • NLClientApp.exe (PID: 4708)
      • NLClientApp.exe (PID: 6004)
    • Process drops legitimate windows executable

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • msiexec.exe (PID: 5780)
      • msiexec.exe (PID: 6980)
      • msiexec.exe (PID: 5824)
    • Executable content was dropped or overwritten

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
    • The process drops C-runtime libraries

      • msiexec.exe (PID: 5780)
      • msiexec.exe (PID: 6980)
    • Application launched itself

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
    • Executes as Windows Service

      • VSSVC.exe (PID: 3400)
      • NLSvc.exe (PID: 5236)
    • Detects AdvancedInstaller (YARA)

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • msiexec.exe (PID: 5824)
    • Reads Internet Explorer settings

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
    • There is functionality for taking screenshot (YARA)

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
    • The process creates files with name similar to system file names

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • msiexec.exe (PID: 5824)
    • Drops a system driver (possible attempt to evade defenses)

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • msiexec.exe (PID: 5824)
    • Creates files in the driver directory

      • msiexec.exe (PID: 5824)
    • Reads the date of Windows installation

      • NLClientApp.exe (PID: 6004)
  • INFO

    • The sample compiled with english language support

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • msiexec.exe (PID: 5780)
      • msiexec.exe (PID: 5824)
      • msiexec.exe (PID: 6980)
    • Reads Environment values

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • msiexec.exe (PID: 5780)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • msiexec.exe (PID: 6980)
    • Reads the machine GUID from the registry

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • msiexec.exe (PID: 5824)
      • NLSvc.exe (PID: 7124)
      • NLSvc.exe (PID: 5236)
      • NLClientApp.exe (PID: 4708)
      • NLClientApp.exe (PID: 6004)
    • Reads the software policy settings

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • msiexec.exe (PID: 5824)
      • NLSvc.exe (PID: 7124)
      • NLSvc.exe (PID: 5236)
      • NLClientApp.exe (PID: 4708)
      • NLClientApp.exe (PID: 6004)
      • slui.exe (PID: 1652)
    • Creates files or folders in the user directory

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • NLClientApp.exe (PID: 6004)
    • Reads the computer name

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • msiexec.exe (PID: 5824)
      • msiexec.exe (PID: 5780)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • msiexec.exe (PID: 6980)
      • msiexec.exe (PID: 6304)
      • NLSvc.exe (PID: 7124)
      • NLSvc.exe (PID: 5236)
      • NLClientApp.exe (PID: 4708)
      • NLClientApp.exe (PID: 6004)
    • Checks proxy server information

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • slui.exe (PID: 1652)
    • Create files in a temporary directory

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • msiexec.exe (PID: 5780)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • msiexec.exe (PID: 6980)
      • msiexec.exe (PID: 6304)
      • NLClientApp.exe (PID: 6004)
    • Checks supported languages

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • msiexec.exe (PID: 5824)
      • msiexec.exe (PID: 5780)
      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 4844)
      • msiexec.exe (PID: 6304)
      • msiexec.exe (PID: 6980)
      • NLSvc.exe (PID: 7124)
      • NLSvc.exe (PID: 5236)
      • NLClientApp.exe (PID: 4708)
      • NLClientApp.exe (PID: 6004)
      • NLSvcCliCnnCheck.exe (PID: 6356)
    • Process checks computer location settings

      • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (PID: 5692)
      • NLClientApp.exe (PID: 6004)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 5780)
      • msiexec.exe (PID: 5824)
      • msiexec.exe (PID: 6980)
    • Manages system restore points

      • SrTasks.exe (PID: 892)
    • Launching a file from a Registry key

      • msiexec.exe (PID: 5824)
    • Creates files in the program directory

      • NLSvc.exe (PID: 7124)
      • NLClientApp.exe (PID: 4708)
      • NLClientApp.exe (PID: 6004)
      • NLSvc.exe (PID: 5236)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 5824)
    • Manual execution by a user

      • NLClientApp.exe (PID: 6004)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No malware configuration was extracted. (The submitted file name carries several malware-family tags, but the version resource identifies the file as the NetLimiter 5.3.25.0 installer from Locktime Software, a code-signing chain check was performed during the run (OCSP queries to ocsp.globalsign.com from PID 5692), and the only MALICIOUS-rated signature is the autorun registry change made by msiexec.exe during the MSI install.)

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:12:14 13:40:00+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.34
CodeSize: 2450944
InitializedDataSize: 1032704
UninitializedDataSize: -
EntryPoint: 0x1d0974
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 5.3.25.0
ProductVersionNumber: 5.3.25.0
FileFlagsMask: 0x003f
FileFlags: Debug
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Locktime Software
FileDescription: NetLimiter Installer
FileVersion: 5.3.25.0
InternalName: netlimiter-5.3.25.0
LegalCopyright: Copyright (C) 2025 Locktime Software
OriginalFileName: netlimiter-5.3.25.0.exe
ProductName: NetLimiter
ProductVersion: 5.3.25.0
No data.
All screenshots are available in the full report
Total processes
155
Monitored processes
17
Malicious processes
2
Suspicious processes
1

Behavior graph

Processes in the graph, in the order shown ("no specs" is the graph's own marker):
  • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe
  • msiexec.exe
  • msiexec.exe
  • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe
  • vssvc.exe (no specs)
  • srtasks.exe (no specs)
  • conhost.exe (no specs)
  • msiexec.exe
  • msiexec.exe
  • nlsvc.exe (no specs)
  • conhost.exe (no specs)
  • nlsvc.exe
  • nlclientapp.exe (no specs)
  • nlclientapp.exe (no specs)
  • nlsvcclicnncheck.exe (no specs)
  • slui.exe
  • 53df4283-8ad7-4a46-9936-59d6156b3c11.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 892 | CMD: C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | Path: C:\Windows\System32\SrTasks.exe | Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Windows System Protection background tasks.
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1300 | CMD: "C:\Users\admin\Desktop\53df4283-8ad7-4a46-9936-59d6156b3c11.exe" | Path: C:\Users\admin\Desktop\53df4283-8ad7-4a46-9936-59d6156b3c11.exe | Parent process: explorer.exe
User:
admin
Company:
Locktime Software
Integrity Level:
MEDIUM
Description:
NetLimiter Installer
Exit code:
3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED; PID 5692 below is the same command line running at HIGH integrity)
Version:
5.3.25.0
Modules
Images
c:\users\admin\desktop\53df4283-8ad7-4a46-9936-59d6156b3c11.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1652 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe | Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3400 | CMD: C:\WINDOWS\system32\vssvc.exe | Path: C:\Windows\System32\VSSVC.exe | Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4708 | CMD: "C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe" /install | Path: C:\Program Files\Locktime Software\NetLimiter\NLClientApp.exe | Parent process: msiexec.exe
User:
admin
Company:
Locktime Software
Integrity Level:
HIGH
Description:
NetLimiter Client
Exit code:
0
Version:
5.3.25.0
Modules
Images
c:\program files\locktime software\netlimiter\nlclientapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4844 | CMD: "C:\Users\admin\Desktop\53df4283-8ad7-4a46-9936-59d6156b3c11.exe" /i C:\Users\admin\AppData\Local\Temp\{74C906E9-CE85-4B1C-95D8-48E990081EF6}\0081EF6\netlimiter-5.3.25.0.x64.msi AI_EUIMSI=1 APPDIR="C:\Program Files\Locktime Software\NetLimiter" SECONDSEQUENCE="1" CLIENTPROCESSID="5692" AI_MORE_CMD_LINE=1 | Path: C:\Users\admin\Desktop\53df4283-8ad7-4a46-9936-59d6156b3c11.exe | Parent process: 53df4283-8ad7-4a46-9936-59d6156b3c11.exe
User:
admin
Company:
Locktime Software
Integrity Level:
HIGH
Description:
NetLimiter Installer
Exit code:
0
Version:
5.3.25.0
Modules
Images
c:\users\admin\desktop\53df4283-8ad7-4a46-9936-59d6156b3c11.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5236 | CMD: "C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe" | Path: C:\Program Files\Locktime Software\NetLimiter\NLSvc.exe | Parent process: services.exe
User:
SYSTEM
Company:
Locktime Software
Integrity Level:
SYSTEM
Description:
NLSvc
Version:
5.3.25.0
Modules
Images
c:\program files\locktime software\netlimiter\nlsvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5432 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: NLSvc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5564 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: SrTasks.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5692 | CMD: "C:\Users\admin\Desktop\53df4283-8ad7-4a46-9936-59d6156b3c11.exe" | Path: C:\Users\admin\Desktop\53df4283-8ad7-4a46-9936-59d6156b3c11.exe | Parent process: explorer.exe
User:
admin
Company:
Locktime Software
Integrity Level:
HIGH
Description:
NetLimiter Installer
Exit code:
0
Version:
5.3.25.0
Modules
Images
c:\users\admin\desktop\53df4283-8ad7-4a46-9936-59d6156b3c11.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
33 032
Read events
32 511
Write events
493
Delete events
28

Modification events

PID 5692 (53df4283-8ad7-4a46-9936-59d6156b3c11.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
Operation: delete value
Name: 4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Value: -
PID 5692 (53df4283-8ad7-4a46-9936-59d6156b3c11.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value:
040000000100000010000000E94FB54871208C00DF70F708AC47085B0F0000000100000030000000C130BBA37B8B350E89FD5ED76B4F78777FEEE220D3B9E729042BEF6AF46E8E4C1B252E32B3080C681BC9A8A1AFDD0A3C0300000001000000140000004EFC31460C619ECAE59C1BCE2C008036D94C84B809000000010000000C000000300A06082B060105050703031D00000001000000100000005467B0ADDE8D858E30EE517B1A19ECD91400000001000000140000001F00BF46800AFC7839B7A5B443D95650BBCE963B53000000010000001F000000301D301B060567810C010330123010060A2B0601040182373C0101030200C06200000001000000200000007B9D553E1C92CB6E8803E137F4F287D4363757F5D44B37D52F9FCA22FB97DF860B000000010000004200000047006C006F00620061006C005300690067006E00200043006F006400650020005300690067006E0069006E006700200052006F006F007400200052003400350000001900000001000000100000005D1B8FF2C30F63F5B536EDD400F7F9B4200000000100000076050000308205723082035AA00302010202107653FEAC75464893F5E5D74A483A4EF8300D06092A864886F70D01010C05003053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F7420523435301E170D3230303331383030303030305A170D3435303331383030303030305A3053310B300906035504061302424531193017060355040A1310476C6F62616C5369676E206E762D73613129302706035504031320476C6F62616C5369676E20436F6465205369676E696E6720526F6F742052343530820222300D06092A864886F70D01010105000382020F003082020A0282020100B62DC530DD7AE8AB903D0372B03A4B991661B2E5FFA5671D371CE57EEC9383AA84F5A3439B98458AB863575D9B00880425E9F868924B82D84BC94A03F3A87F6A8F8A6127BDA144D0FDF53F22C2A34F918DB305B22882915DFB5988050B9706C298F82CA73324EE503A41CCF0A0B07B1D4DD2A8583896E9DFF91B91BB8B102CD2C7431DA20974A180AF7BE6330A0C596B8EBCF4AB5A977B7FAE55FB84F080FE844CD7E2BABDC475A16FBD61107444B29807E274ABFF68DC6C263EE91FE5E00487AD30D30C8D037C55B816705C24782025EB676788ABBA4E34986B7011DE38CAD4BEA1C09CE1DF1E0201D83BE1674384B6CFFC74B72F84A3BFBA09373D676CB1455C1961AB4183F5AC1DEB770D464773CEBFBD9595ED9D2B8810FEFA58E8A757E1B3CFA85AE907259B12C49E80723D93DC8C94DF3B44E6
2680FCD2C303F08C0CD245D62EE78F989EE604EE426E677E42167162E704F960C664A1B69C81214E2BC66D689486C699747367317A91F2D48C796E7CA6BB7E466F4DC585122BCF9A224408A88537CE07615706171224C0C43173A1983557477E103A45D92DA4519098A9A00737C4651AAA1C6B1677F7A797EC3F1930996F31FBEA40B2E7D2C4FAC9D0F050767459FA8D6D1732BEF8E97E03F4E787759AD44A912C850313022B4280F2896A36CFC84CA0CE9EF8CB8DAD16A7D3DED59B18A7C6923AF18263F12E0E2464DF0203010001A3423040300E0603551D0F0101FF040403020186300F0603551D130101FF040530030101FF301D0603551D0E041604141F00BF46800AFC7839B7A5B443D95650BBCE963B300D06092A864886F70D01010C050003820201005E2BBA749734445F764828408493EE016EE9A1B3D68025E67BE4BC09913D0FFC76ADD7D43020BB8F60D091D61CF29CEF781A2B943202C12496525202D0F3D1FCF29B396E99E11F8E43417D9A1E5BC95D9A84FC26E687F3747226ADA41BD93D3B6A52A03C091E2F1E7BB333B445C7F7ACB1AF9360AD76AEB8B21578EB836AEBFFDB46AB24E5EE02FA901F59C02F5DD6B75DA45C10B77253F8414ECCFA781A254ACAFE85624361C3B437AA81D2F4D63A0FBD8D597E3047DE2B6BE72150335FD4679BD4B8679F3C279903FF85438E7312CA20CDE861D5B166DC17D6396D0FDBCF2337A182894E1C6B3FD6A0CDAA079D3E4226AAD70CEEFA47BF1A527ED17581D3C98A62176D4F88A021A0263EAF6DD962301FE99828AE6E8DD58E4C726693808D2AE355C760679042565C22510FB3DC4E39EE4DDDD91D7810543B6ED0976F03B51EB22373C612B29A64D0FC958524A8FFDFA1B0DC9140AEDF0933ABB9DD92B7F1CC91743B69EB67971B90BFE7C7A06F71BB57BFB78F5AED7A406A16CD80842D2FE102D4249443B315FC0C2B1BFD716FFCCBBC75173A5E83D2C9B32F1BD59C8D7F54FE7E7EE456A387A79DE1595294418F6D5BBE86959AFF1A76DD40D2514A70B41F336323773FEC271E59E40887ED34824A0F3FFEA01DC1F56773458678F4AA29E92787C619DBC61314C33949874DA097E06513F59D7756E9DAB358C73AF2C0CD82
PID 5692 (53df4283-8ad7-4a46-9936-59d6156b3c11.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8
Operation: write
Name: Blob
Value: identical to the Blob value above (the duplicate is not repeated here)
PID 5824 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value:
4800000000000000D76F952D26FDDB01C0160000F8180000D50700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5824 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Enter)
Value:
4800000000000000D76F952D26FDDB01C0160000F8180000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5824 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppGetSnapshots (Leave)
Value:
48000000000000007DD1B62D26FDDB01C0160000F8180000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5824 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Enter)
Value:
48000000000000007DD1B62D26FDDB01C0160000F8180000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5824 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value:
4800000000000000A398BB2D26FDDB01C0160000F8180000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID 5824 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation: write
Name: SppEnumGroups (Leave)
Value:
48000000000000007DD1B62D26FDDB01C0160000F8180000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
PID 5824 (msiexec.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value:
11
Executable files
515
Suspicious files
69
Text files
109
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\Local\Temp\{74C906E9-CE85-4B1C-95D8-48E990081EF6}\holder0.aiph | Type: -
MD5:
SHA256:
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\Local\Temp\{74C906E9-CE85-4B1C-95D8-48E990081EF6}\0081EF6\netlimiter-5.3.25.0.msi | Type: executable
MD5:7D1712CD6002720502430173BB356503
SHA256:C148285636965E54D57617CE24943D2E24557FDCF5ABB4C551BBC025A8E77DD7
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E | Type: binary
MD5:1A82AB3C781ECA0987EA0862CA46ADB9
SHA256:62C848A853FC886AFE8919251C878977F2152BCB9FC3D4F5D8359D23CC10DFE6
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\Local\Temp\shiE26C.tmp | Type: executable
MD5:84A34BF3486F7B9B7035DB78D78BDD1E
SHA256:F85911C910B660E528D2CF291BAA40A92D09961996D6D84E7A53A7095C7CD96E
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E | Type: der
MD5:707CBCDB260A1E2F1468DD9AD49558BA
SHA256:73C9800A039B7E79D8A223C28C98C7CE26213608F8B6DD4C32A62BB553C4E397
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_E6F24C84455822F37E36BD9E2116AD33 | Type: binary
MD5:B41F7D95292E5080C71A2E2B49FC1C88
SHA256:BD3D4E2ABA3923F917D3B596ED77D394612AF9C9DA68BA3B1EB1D0300B8D37F1
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_E6F24C84455822F37E36BD9E2116AD33 | Type: binary
MD5:9160C90D0BEAC790F7550DE543C64F28
SHA256:EE26D1887CA64D90D235D1F88FFD19BB539338F4269FE233CBB4F78F248FEB13
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\Local\Temp\{74C906E9-CE85-4B1C-95D8-48E990081EF6}\0081EF6\netlimiter-5.3.25.0.x64.msi | Type: executable
MD5:BC90E259966E706F45AF07F2844BE544
SHA256:5E352AA08EEA1A67786EC84770845438B795BFA58DE7974611B094060E171356
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_5692\installlogoicon | Type: image
MD5:488C247C4D7482E34D4576C44CEE79E0
SHA256:EB276449EB326A407CE055001607F212FFCAEF01B5F849BB50A606BD9CD177A6
PID 5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_5692\background | Type: image
MD5:A0EFB0E7B9CEE25B09E09A1A64E96BA6
SHA256:F044F542BC46464054084C63596877F06C6E2C215C0E954C4ACE9787CED82787
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
51
DNS requests
20
Threats
1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3584 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3584 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | GET | 200 | 151.101.130.133:80 | http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgW3WQu2HUdhUx4%2Fde0%3D | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5692 | 53df4283-8ad7-4a46-9936-59d6156b3c11.exe | GET | 200 | 151.101.130.133:80 | http://ocsp.globalsign.com/gsgccr45evcodesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQaCbVYh07WONuW4e63Ydlu4AlbDAQUJZ3Q%2FFkJhmPF7POxEztXHAOSNhECDEX685ZejurnNJyDZQ%3D%3D | unknown | - | - | whitelisted
- | - | POST | 200 | 20.190.160.67:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 400 | 20.190.160.67:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3584 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3584 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3584 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.42
  • 23.216.77.28
  • 23.55.110.193
  • 23.55.110.211
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 104.79.89.142
whitelisted
ocsp.globalsign.com
  • 151.101.130.133
  • 151.101.66.133
  • 151.101.2.133
  • 151.101.194.133
  • 104.18.20.226
  • 104.18.21.226
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.22
  • 20.190.160.130
  • 20.190.160.132
  • 40.126.32.68
  • 20.190.160.66
  • 20.190.160.3
  • 40.126.32.134
whitelisted
go.microsoft.com
  • 95.100.186.9
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
self.events.data.microsoft.com
  • 20.44.10.123
whitelisted

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
Debug output strings

Process | Message
msiexec.exe | Logger::SetLogFile( C:\Users\admin\AppData\Roaming\Caphyon\Advanced Installer\AI_ResourceCleaner.log ) while OLD path is: (this line was logged 6 times)