File name: c359645932b44cea5abc0857102c206e729f091f85112275e73d7817f7388af0.exe

Full analysis: https://app.any.run/tasks/304740c8-6eef-4018-b986-be397a3f0b80
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: September 03, 2025, 17:28:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: lumma, stealer, auto, redline, amadey, botnet, arch-exec, themida, auto-reg, loader, rdp, autoit, gcleaner, vidar, telegram, stealc, purelogs
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 2816B7C92F27819B6AC86B2CD8C5CBBA
SHA1: 1E0EA7FAC106CE46C9A88699D41BD5D679D6D662
SHA256: C359645932B44CEA5ABC0857102C206E729F091F85112275E73D7817F7388AF0
SSDEEP: 98304:Ln2e2yx5mi6x1cEnEcoKRkZ5YjbdkrpyCZuMX7H2mXv8PCJWkVjZu5+ouBIkb8Ti:QEq5Y18R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • REDLINE has been found (auto)

      • 1G13S4.exe (PID: 3396)
      • 1G13S4.exe (PID: 2368)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1588)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 4800)
    • Connects to the CnC server

      • svchost.exe (PID: 2200)
      • winloghelper.exe (PID: 6164)
      • svchost015.exe (PID: 8948)
    • LUMMA has been detected (SURICATA)

      • 2U9672.exe (PID: 3628)
      • svchost.exe (PID: 2200)
      • 169b93a6fd.exe (PID: 7248)
      • svchost015.exe (PID: 8948)
      • 6Y9kT1153TtQt.exe (PID: 5436)
      • MSBuild.exe (PID: 1440)
      • Yq8vgfV.exe (PID: 8500)
      • Yq8vgfV.exe (PID: 8564)
      • MSBuild.exe (PID: 6176)
      • rRLarDufw.exe (PID: 1592)
    • Starts NET.EXE for service management

      • net.exe (PID: 3092)
      • cmd.exe (PID: 2464)
    • AMADEY mutex has been found

      • dSPiPTCo.exe (PID: 6240)
      • winloghelper.exe (PID: 6164)
      • dSPiPTCo.exe (PID: 4160)
      • dSPiPTCo.exe (PID: 3720)
      • dSPiPTCo.exe (PID: 6764)
      • dSPiPTCo.exe (PID: 6332)
      • dSPiPTCo.exe (PID: 8072)
      • dSPiPTCo.exe (PID: 1660)
      • dSPiPTCo.exe (PID: 7084)
      • dSPiPTCo.exe (PID: 7520)
      • dSPiPTCo.exe (PID: 532)
      • dSPiPTCo.exe (PID: 7696)
      • dSPiPTCo.exe (PID: 7444)
      • dSPiPTCo.exe (PID: 7596)
      • dSPiPTCo.exe (PID: 1132)
      • dSPiPTCo.exe (PID: 4268)
      • dSPiPTCo.exe (PID: 8740)
      • dSPiPTCo.exe (PID: 8968)
      • dSPiPTCo.exe (PID: 6488)
      • dSPiPTCo.exe (PID: 8512)
      • dSPiPTCo.exe (PID: 8364)
      • dSPiPTCo.exe (PID: 8976)
      • dSPiPTCo.exe (PID: 6656)
      • dSPiPTCo.exe (PID: 2064)
      • dSPiPTCo.exe (PID: 8920)
      • dSPiPTCo.exe (PID: 532)
      • dSPiPTCo.exe (PID: 7908)
      • dSPiPTCo.exe (PID: 8372)
      • dSPiPTCo.exe (PID: 5460)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5712)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 892)
      • NSudoLG.exe (PID: 4456)
    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 4456)
    • AMADEY has been detected (SURICATA)

      • winloghelper.exe (PID: 6164)
    • LUMMA mutex has been found

      • 2U9672.exe (PID: 3628)
      • 169b93a6fd.exe (PID: 7248)
      • MSBuild.exe (PID: 1440)
      • Yq8vgfV.exe (PID: 8500)
      • Philippines.pif (PID: 8008)
      • Yq8vgfV.exe (PID: 8564)
      • 6Y9kT1153TtQt.exe (PID: 5436)
      • MSBuild.exe (PID: 6176)
      • MSBuild.exe (PID: 9196)
    • Changes the Windows auto-update feature

      • reg.exe (PID: 4172)
    • LUMMA has been detected (YARA)

      • 2U9672.exe (PID: 3628)
    • AMADEY has been detected (YARA)

      • winloghelper.exe (PID: 6164)
    • Changes the autorun value in the registry

      • winloghelper.exe (PID: 6164)
    • Steals credentials from Web Browsers

      • 2U9672.exe (PID: 3628)
      • 169b93a6fd.exe (PID: 7248)
      • K8kGyaj.exe (PID: 7064)
    • Actions look like stealing of personal data

      • 2U9672.exe (PID: 3628)
      • 169b93a6fd.exe (PID: 7248)
      • K8kGyaj.exe (PID: 7064)
    • Executing a file with an untrusted certificate

      • ojjvpn1.exe (PID: 8852)
      • svchost015.exe (PID: 8948)
      • 6Y9kT1153TtQt.exe (PID: 5436)
      • rRLarDufw.exe (PID: 1592)
    • GCLEANER has been detected (SURICATA)

      • svchost015.exe (PID: 8948)
    • VIDAR mutex has been found

      • K8kGyaj.exe (PID: 7064)
      • v3434.exe (PID: 7444)
    • PURELOGS has been found (auto)

      • winloghelper.exe (PID: 6164)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • c359645932b44cea5abc0857102c206e729f091f85112275e73d7817f7388af0.exe (PID: 4948)
    • Starts a Microsoft application from unusual location

      • c359645932b44cea5abc0857102c206e729f091f85112275e73d7817f7388af0.exe (PID: 4948)
    • Executable content was dropped or overwritten

      • c359645932b44cea5abc0857102c206e729f091f85112275e73d7817f7388af0.exe (PID: 4948)
      • 1G13S4.exe (PID: 3396)
      • 1G13S4.exe (PID: 2368)
      • systemhelper.exe (PID: 1100)
      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
      • 7z.exe (PID: 1180)
      • winloghelper.exe (PID: 6164)
      • ojjvpn1.exe (PID: 8852)
      • jI3j2iL.exe (PID: 6544)
      • svchost015.exe (PID: 8948)
      • SZDtTMvPtRJa.exe (PID: 1056)
      • tb3vWy3tKee.exe (PID: 6360)
      • rNLSRzSpRe.exe (PID: 8512)
      • jhdD6pQvmOGL.exe (PID: 9104)
    • Reads security settings of Internet Explorer

      • 1G13S4.exe (PID: 2320)
      • systemhelper.exe (PID: 1100)
      • winloghelper.exe (PID: 6164)
      • game.exe (PID: 6900)
      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
      • IObitUnlocker.exe (PID: 7200)
      • StartMenuExperienceHost.exe (PID: 8112)
      • StartMenuExperienceHost.exe (PID: 6060)
      • svchost015.exe (PID: 8948)
      • K8kGyaj.exe (PID: 7064)
      • v3434.exe (PID: 7444)
    • Application launched itself

      • 1G13S4.exe (PID: 2320)
      • cmd.exe (PID: 892)
      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 7716)
      • cmd.exe (PID: 3912)
      • K8kGyaj.exe (PID: 7572)
      • cmd.exe (PID: 7308)
      • v3434.exe (PID: 4020)
      • cmd.exe (PID: 1964)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 5476)
      • cmd.exe (PID: 4724)
      • cmd.exe (PID: 6812)
      • cmd.exe (PID: 4664)
      • cmd.exe (PID: 4864)
      • cmd.exe (PID: 6472)
      • cmd.exe (PID: 1520)
      • cmd.exe (PID: 1944)
      • cmd.exe (PID: 5764)
    • Reads the BIOS version

      • 2U9672.exe (PID: 3628)
      • 169b93a6fd.exe (PID: 7248)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4800)
      • NSudoLG.exe (PID: 4456)
    • Starts CMD.EXE for commands execution

      • 1G13S4.exe (PID: 3396)
      • 1G13S4.exe (PID: 2368)
      • systemhelper.exe (PID: 1100)
      • NSudoLG.exe (PID: 6764)
      • cmd.exe (PID: 892)
      • game.exe (PID: 6900)
      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
      • jI3j2iL.exe (PID: 6544)
      • cmd.exe (PID: 1164)
      • SZDtTMvPtRJa.exe (PID: 1056)
      • cmd.exe (PID: 7716)
      • tb3vWy3tKee.exe (PID: 6360)
      • cmd.exe (PID: 3912)
      • rNLSRzSpRe.exe (PID: 8512)
      • cmd.exe (PID: 7308)
      • jhdD6pQvmOGL.exe (PID: 9104)
      • cmd.exe (PID: 1964)
    • Executes as Windows Service

      • 1G13S4.exe (PID: 2368)
    • Executes application which crashes

      • dSPiPTCo.exe (PID: 6240)
      • dSPiPTCo.exe (PID: 4160)
      • dSPiPTCo.exe (PID: 3720)
      • dSPiPTCo.exe (PID: 6764)
      • dSPiPTCo.exe (PID: 6332)
      • dSPiPTCo.exe (PID: 8072)
      • dSPiPTCo.exe (PID: 1660)
      • dSPiPTCo.exe (PID: 7084)
      • dSPiPTCo.exe (PID: 7520)
      • dSPiPTCo.exe (PID: 532)
      • dSPiPTCo.exe (PID: 7444)
      • dSPiPTCo.exe (PID: 7596)
      • dSPiPTCo.exe (PID: 1132)
      • dSPiPTCo.exe (PID: 7696)
      • dSPiPTCo.exe (PID: 4268)
      • dSPiPTCo.exe (PID: 8740)
      • dSPiPTCo.exe (PID: 8968)
      • dSPiPTCo.exe (PID: 6488)
      • dSPiPTCo.exe (PID: 8364)
      • dSPiPTCo.exe (PID: 8512)
      • dSPiPTCo.exe (PID: 8976)
      • dSPiPTCo.exe (PID: 6656)
      • dSPiPTCo.exe (PID: 8920)
      • dSPiPTCo.exe (PID: 2064)
      • dSPiPTCo.exe (PID: 532)
      • dSPiPTCo.exe (PID: 7908)
      • K8kGyaj.exe (PID: 7064)
      • dSPiPTCo.exe (PID: 8372)
      • dSPiPTCo.exe (PID: 5460)
    • Contacting a server suspected of hosting a CnC

      • svchost.exe (PID: 2200)
      • 2U9672.exe (PID: 3628)
      • winloghelper.exe (PID: 6164)
      • 169b93a6fd.exe (PID: 7248)
      • svchost015.exe (PID: 8948)
      • 6Y9kT1153TtQt.exe (PID: 5436)
      • MSBuild.exe (PID: 1440)
      • Yq8vgfV.exe (PID: 8564)
      • Yq8vgfV.exe (PID: 8500)
      • MSBuild.exe (PID: 6176)
      • rRLarDufw.exe (PID: 1592)
    • Drops 7-zip archiver for unpacking

      • systemhelper.exe (PID: 1100)
    • The process creates files with name similar to system file names

      • systemhelper.exe (PID: 1100)
    • Executing commands from a ".bat" file

      • systemhelper.exe (PID: 1100)
      • NSudoLG.exe (PID: 6764)
    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 7008)
      • NSudoLG.exe (PID: 6764)
      • nircmd.exe (PID: 4880)
      • NSudoLG.exe (PID: 4456)
      • 7z.exe (PID: 1180)
      • game.exe (PID: 6900)
      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
      • Philippines.pif (PID: 8008)
      • Him.pif (PID: 8364)
    • Starts application with an unusual extension

      • cmd.exe (PID: 2028)
      • cmd.exe (PID: 892)
      • cmd.exe (PID: 1960)
      • cmd.exe (PID: 4088)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2028)
      • cmd.exe (PID: 892)
    • Get information on the list of running processes

      • cmd.exe (PID: 892)
      • cmd.exe (PID: 3288)
      • cmd.exe (PID: 1960)
      • cmd.exe (PID: 768)
      • cmd.exe (PID: 4088)
    • Escape characters obfuscation (POWERSHELL)

      • NSudoLG.exe (PID: 4456)
      • powershell.exe (PID: 6680)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 892)
      • cmd.exe (PID: 1960)
      • cmd.exe (PID: 768)
      • cmd.exe (PID: 4088)
    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 4456)
    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 6680)
    • Reads the date of Windows installation

      • game.exe (PID: 6900)
      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
      • StartMenuExperienceHost.exe (PID: 8112)
      • StartMenuExperienceHost.exe (PID: 6060)
      • SearchApp.exe (PID: 5804)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 3160)
      • cmd.exe (PID: 892)
      • cmd.exe (PID: 2400)
      • cmd.exe (PID: 1180)
      • cmd.exe (PID: 1800)
    • Windows service management via SC.EXE

      • sc.exe (PID: 4540)
      • sc.exe (PID: 3392)
      • sc.exe (PID: 4844)
      • sc.exe (PID: 6676)
      • sc.exe (PID: 4936)
      • sc.exe (PID: 5032)
      • sc.exe (PID: 6676)
      • sc.exe (PID: 2320)
      • sc.exe (PID: 4456)
    • Stops a currently running service

      • sc.exe (PID: 5496)
      • sc.exe (PID: 2428)
      • sc.exe (PID: 4544)
      • sc.exe (PID: 1212)
      • sc.exe (PID: 436)
      • sc.exe (PID: 3876)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 2992)
    • Creates or modifies Windows services

      • reg.exe (PID: 3396)
      • game.exe (PID: 3608)
    • Drops a system driver (possible attempt to evade defenses)

      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
    • The process verifies whether the antivirus software is installed

      • game.exe (PID: 3160)
      • IObitUnlocker.exe (PID: 7200)
    • Potential Corporate Privacy Violation

      • winloghelper.exe (PID: 6164)
      • svchost015.exe (PID: 8948)
    • There is functionality for taking screenshot (YARA)

      • 1G13S4.exe (PID: 2368)
      • winloghelper.exe (PID: 6164)
    • There is functionality for enable RDP (YARA)

      • winloghelper.exe (PID: 6164)
    • Reads command from file

      • cmd.exe (PID: 1164)
      • cmd.exe (PID: 7716)
      • cmd.exe (PID: 3912)
      • cmd.exe (PID: 7308)
      • cmd.exe (PID: 1964)
    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 1960)
      • cmd.exe (PID: 4088)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 1960)
      • cmd.exe (PID: 4088)
    • Searches for installed software

      • 2U9672.exe (PID: 3628)
      • K8kGyaj.exe (PID: 7064)
      • MSBuild.exe (PID: 9196)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • K8kGyaj.exe (PID: 7064)
      • Philippines.pif (PID: 8008)
    • The process executes via Task Scheduler

      • cmd.exe (PID: 8560)
  • INFO

    • The sample was compiled with English language support

      • c359645932b44cea5abc0857102c206e729f091f85112275e73d7817f7388af0.exe (PID: 4948)
      • systemhelper.exe (PID: 1100)
      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
      • winloghelper.exe (PID: 6164)
      • ojjvpn1.exe (PID: 8852)
      • svchost015.exe (PID: 8948)
    • Checks supported languages

      • c359645932b44cea5abc0857102c206e729f091f85112275e73d7817f7388af0.exe (PID: 4948)
      • 1G13S4.exe (PID: 2320)
      • 1G13S4.exe (PID: 3396)
      • 2U9672.exe (PID: 3628)
      • 1G13S4.exe (PID: 2368)
      • dSPiPTCo.exe (PID: 6240)
      • winloghelper.exe (PID: 6164)
      • systemhelper.exe (PID: 1100)
      • nircmd.exe (PID: 7008)
      • NSudoLG.exe (PID: 6764)
      • chcp.com (PID: 6676)
      • nircmd.exe (PID: 4880)
      • chcp.com (PID: 4724)
      • mode.com (PID: 3760)
      • NSudoLG.exe (PID: 4456)
      • dSPiPTCo.exe (PID: 4160)
      • 7z.exe (PID: 1180)
      • game.exe (PID: 6900)
      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
      • dSPiPTCo.exe (PID: 3720)
      • IObitUnlocker.exe (PID: 7200)
      • StartMenuExperienceHost.exe (PID: 8112)
      • SearchApp.exe (PID: 6440)
      • dSPiPTCo.exe (PID: 6764)
      • TextInputHost.exe (PID: 7860)
      • dSPiPTCo.exe (PID: 6332)
      • StartMenuExperienceHost.exe (PID: 6060)
      • SearchApp.exe (PID: 5804)
      • dSPiPTCo.exe (PID: 8072)
      • dSPiPTCo.exe (PID: 1660)
      • 169b93a6fd.exe (PID: 7248)
      • dSPiPTCo.exe (PID: 7084)
      • dSPiPTCo.exe (PID: 7520)
      • dSPiPTCo.exe (PID: 532)
      • dSPiPTCo.exe (PID: 7696)
      • dSPiPTCo.exe (PID: 7444)
      • dSPiPTCo.exe (PID: 7596)
      • dSPiPTCo.exe (PID: 1132)
      • dSPiPTCo.exe (PID: 4268)
      • dSPiPTCo.exe (PID: 8740)
      • ojjvpn1.exe (PID: 8852)
      • svchost015.exe (PID: 8948)
      • jI3j2iL.exe (PID: 6544)
      • dSPiPTCo.exe (PID: 8968)
      • extrac32.exe (PID: 4792)
      • Philippines.pif (PID: 8008)
      • dSPiPTCo.exe (PID: 8364)
      • Yq8vgfV.exe (PID: 8564)
      • Yq8vgfV.exe (PID: 8500)
      • dSPiPTCo.exe (PID: 8512)
      • 6Y9kT1153TtQt.exe (PID: 5436)
      • dSPiPTCo.exe (PID: 8976)
      • MSBuild.exe (PID: 1440)
      • tb3vWy3tKee.exe (PID: 6360)
      • dSPiPTCo.exe (PID: 2064)
      • dSPiPTCo.exe (PID: 8920)
      • YXJ9Hvg.exe (PID: 7312)
      • K8kGyaj.exe (PID: 7064)
      • extrac32.exe (PID: 7380)
      • dSPiPTCo.exe (PID: 532)
      • sQNHMrP.exe (PID: 6240)
      • Him.pif (PID: 8364)
      • MSBuild.exe (PID: 9196)
      • rRLarDufw.exe (PID: 1592)
      • K8kGyaj.exe (PID: 7572)
      • dSPiPTCo.exe (PID: 7908)
      • MSBuild.exe (PID: 6176)
      • v3434.exe (PID: 4020)
      • rNLSRzSpRe.exe (PID: 8512)
      • 2c8FJYQ.exe (PID: 9120)
      • dSPiPTCo.exe (PID: 8372)
      • v3434.exe (PID: 7444)
      • Tse2E3k.exe (PID: 2040)
      • jhdD6pQvmOGL.exe (PID: 9104)
      • dSPiPTCo.exe (PID: 5460)
    • Create files in a temporary directory

      • c359645932b44cea5abc0857102c206e729f091f85112275e73d7817f7388af0.exe (PID: 4948)
      • 1G13S4.exe (PID: 3396)
      • systemhelper.exe (PID: 1100)
      • winloghelper.exe (PID: 6164)
      • 7z.exe (PID: 1180)
      • jI3j2iL.exe (PID: 6544)
      • ojjvpn1.exe (PID: 8852)
      • extrac32.exe (PID: 4792)
      • tb3vWy3tKee.exe (PID: 6360)
      • extrac32.exe (PID: 7380)
      • rNLSRzSpRe.exe (PID: 8512)
      • SZDtTMvPtRJa.exe (PID: 1056)
      • jhdD6pQvmOGL.exe (PID: 9104)
    • Reads the computer name

      • 1G13S4.exe (PID: 2320)
      • 1G13S4.exe (PID: 3396)
      • 2U9672.exe (PID: 3628)
      • 1G13S4.exe (PID: 2368)
      • dSPiPTCo.exe (PID: 6240)
      • systemhelper.exe (PID: 1100)
      • winloghelper.exe (PID: 6164)
      • NSudoLG.exe (PID: 6764)
      • NSudoLG.exe (PID: 4456)
      • dSPiPTCo.exe (PID: 4160)
      • game.exe (PID: 6900)
      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
      • IObitUnlocker.exe (PID: 7200)
      • dSPiPTCo.exe (PID: 3720)
      • StartMenuExperienceHost.exe (PID: 8112)
      • SearchApp.exe (PID: 6440)
      • dSPiPTCo.exe (PID: 6764)
      • StartMenuExperienceHost.exe (PID: 6060)
      • TextInputHost.exe (PID: 7860)
      • 7z.exe (PID: 1180)
      • SearchApp.exe (PID: 5804)
      • dSPiPTCo.exe (PID: 8072)
      • dSPiPTCo.exe (PID: 6332)
      • dSPiPTCo.exe (PID: 1660)
      • 169b93a6fd.exe (PID: 7248)
      • dSPiPTCo.exe (PID: 7084)
      • dSPiPTCo.exe (PID: 7520)
      • dSPiPTCo.exe (PID: 532)
      • dSPiPTCo.exe (PID: 7696)
      • dSPiPTCo.exe (PID: 7444)
      • dSPiPTCo.exe (PID: 7596)
      • dSPiPTCo.exe (PID: 1132)
      • dSPiPTCo.exe (PID: 4268)
      • dSPiPTCo.exe (PID: 8740)
      • dSPiPTCo.exe (PID: 8968)
      • jI3j2iL.exe (PID: 6544)
      • extrac32.exe (PID: 4792)
      • svchost015.exe (PID: 8948)
      • dSPiPTCo.exe (PID: 8364)
      • Yq8vgfV.exe (PID: 8564)
      • dSPiPTCo.exe (PID: 8512)
      • Philippines.pif (PID: 8008)
      • dSPiPTCo.exe (PID: 8976)
      • 6Y9kT1153TtQt.exe (PID: 5436)
      • MSBuild.exe (PID: 1440)
      • SZDtTMvPtRJa.exe (PID: 1056)
      • tb3vWy3tKee.exe (PID: 6360)
      • dSPiPTCo.exe (PID: 8920)
      • dSPiPTCo.exe (PID: 2064)
      • extrac32.exe (PID: 7380)
      • K8kGyaj.exe (PID: 7064)
      • dSPiPTCo.exe (PID: 532)
      • Him.pif (PID: 8364)
      • MSBuild.exe (PID: 9196)
      • dSPiPTCo.exe (PID: 7908)
      • MSBuild.exe (PID: 6176)
      • rNLSRzSpRe.exe (PID: 8512)
      • dSPiPTCo.exe (PID: 8372)
      • v3434.exe (PID: 7444)
      • rRLarDufw.exe (PID: 1592)
      • dSPiPTCo.exe (PID: 5460)
      • jhdD6pQvmOGL.exe (PID: 9104)
    • Process checks computer location settings

      • 1G13S4.exe (PID: 2320)
      • systemhelper.exe (PID: 1100)
      • StartMenuExperienceHost.exe (PID: 8112)
      • SearchApp.exe (PID: 6440)
      • StartMenuExperienceHost.exe (PID: 6060)
      • SearchApp.exe (PID: 5804)
      • winloghelper.exe (PID: 6164)
      • svchost015.exe (PID: 8948)
    • Reads the software policy settings

      • 2U9672.exe (PID: 3628)
      • WerFault.exe (PID: 2880)
      • WerFault.exe (PID: 5496)
      • WerFault.exe (PID: 3876)
      • SearchApp.exe (PID: 6440)
      • WerFault.exe (PID: 4416)
      • SearchApp.exe (PID: 5804)
      • slui.exe (PID: 7788)
      • WerFault.exe (PID: 7628)
      • WerFault.exe (PID: 320)
      • 169b93a6fd.exe (PID: 7248)
      • WerFault.exe (PID: 1740)
      • WerFault.exe (PID: 7376)
      • WerFault.exe (PID: 7176)
      • WerFault.exe (PID: 3756)
      • WerFault.exe (PID: 7448)
      • WerFault.exe (PID: 6724)
      • WerFault.exe (PID: 5428)
      • WerFault.exe (PID: 4528)
      • WerFault.exe (PID: 3872)
      • WerFault.exe (PID: 8788)
      • WerFault.exe (PID: 9048)
      • svchost015.exe (PID: 8948)
      • WerFault.exe (PID: 8760)
      • WerFault.exe (PID: 8880)
      • WerFault.exe (PID: 8604)
      • WerFault.exe (PID: 9092)
      • 6Y9kT1153TtQt.exe (PID: 5436)
      • MSBuild.exe (PID: 1440)
      • Yq8vgfV.exe (PID: 8500)
      • WerFault.exe (PID: 5036)
      • K8kGyaj.exe (PID: 7064)
      • WerFault.exe (PID: 9180)
      • Philippines.pif (PID: 8008)
      • WerFault.exe (PID: 4160)
      • MSBuild.exe (PID: 6176)
      • MSBuild.exe (PID: 9196)
      • WerFault.exe (PID: 8064)
      • WerFault.exe (PID: 1944)
      • WerFault.exe (PID: 9004)
      • rRLarDufw.exe (PID: 1592)
      • v3434.exe (PID: 7444)
    • Reads the machine GUID from the registry

      • 2U9672.exe (PID: 3628)
      • game.exe (PID: 6900)
      • game.exe (PID: 3608)
      • game.exe (PID: 3160)
      • SearchApp.exe (PID: 6440)
      • SearchApp.exe (PID: 5804)
      • 169b93a6fd.exe (PID: 7248)
      • svchost015.exe (PID: 8948)
      • 6Y9kT1153TtQt.exe (PID: 5436)
      • MSBuild.exe (PID: 1440)
      • Yq8vgfV.exe (PID: 8500)
      • K8kGyaj.exe (PID: 7064)
      • Philippines.pif (PID: 8008)
      • MSBuild.exe (PID: 9196)
      • MSBuild.exe (PID: 6176)
      • rRLarDufw.exe (PID: 1592)
      • v3434.exe (PID: 7444)
    • NirSoft software is detected

      • nircmd.exe (PID: 7008)
      • nircmd.exe (PID: 4880)
    • Changes the display of characters in the console

      • cmd.exe (PID: 2028)
      • cmd.exe (PID: 892)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 3760)
    • Checks operating system version

      • cmd.exe (PID: 892)
    • Checks proxy server information

      • winloghelper.exe (PID: 6164)
      • SearchApp.exe (PID: 6440)
      • SearchApp.exe (PID: 5804)
      • slui.exe (PID: 7788)
      • svchost015.exe (PID: 8948)
      • K8kGyaj.exe (PID: 7064)
      • WerFault.exe (PID: 9004)
      • v3434.exe (PID: 7444)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6680)
    • Application launched itself

      • chrome.exe (PID: 6472)
      • chrome.exe (PID: 4820)
      • chrome.exe (PID: 7228)
      • chrome.exe (PID: 1056)
      • msedge.exe (PID: 6484)
      • msedge.exe (PID: 2668)
      • msedge.exe (PID: 3800)
      • msedge.exe (PID: 1960)
      • msedge.exe (PID: 6840)
      • chrome.exe (PID: 3052)
      • msedge.exe (PID: 6232)
      • chrome.exe (PID: 9112)
      • chrome.exe (PID: 8756)
      • chrome.exe (PID: 8532)
      • msedge.exe (PID: 7308)
      • msedge.exe (PID: 7256)
      • chrome.exe (PID: 8452)
      • msedge.exe (PID: 1740)
      • chrome.exe (PID: 7908)
      • chrome.exe (PID: 2384)
      • chrome.exe (PID: 6688)
      • chrome.exe (PID: 5764)
      • chrome.exe (PID: 7924)
    • Creates files or folders in the user directory

      • winloghelper.exe (PID: 6164)
      • svchost015.exe (PID: 8948)
      • WerFault.exe (PID: 9004)
    • Themida protector has been detected

      • 2U9672.exe (PID: 3628)
    • Reads the time zone

      • explorer.exe (PID: 7676)
    • Changes appearance of the Explorer extensions

      • explorer.exe (PID: 7676)
    • Reads Environment values

      • SearchApp.exe (PID: 5804)
      • K8kGyaj.exe (PID: 7064)
    • Launching a file from a Registry key

      • winloghelper.exe (PID: 6164)
    • Reads mouse settings

      • Philippines.pif (PID: 8008)
      • Him.pif (PID: 8364)
    • Manual execution by a user

      • msedge.exe (PID: 6232)
      • msedge.exe (PID: 7256)
    • Creates files in the program directory

      • K8kGyaj.exe (PID: 7064)
      • v3434.exe (PID: 7444)
    • Reads product name

      • K8kGyaj.exe (PID: 7064)
    • Reads CPU info

      • K8kGyaj.exe (PID: 7064)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report

Lumma

Process (PID 3628): 2U9672.exe
C2 (9):
backab.ru/lkdo
eigwos.ru/wqex
epitherd.ru/zadw
georgej.ru/plnb
kimmenkiz.ru/zldw
mastwin.in/qsaz
noggs.ru/yopd
oneflof.ru/tids
washerv.ru/qygd
ChaCha20:
key: 6LLFpk2ehzaYdZQtXPkjdKhLJ8ClWgPY6EQYOlqhH1I=
nonce: Zs96G7hytJw=
counter: 2
key: 6LLFpk2ehzaYdZQtXPkjdKhLJ8ClWgPY6EQYOlqhH1I=
nonce: Zs96G7hytJw=
counter: 0
Strings (18)

Amadey

Process (PID 6164): winloghelper.exe
C2: 94.154.35.25
URL: http://94.154.35.25/di9ku38f/index.php
Version: 5.55
Options:
Drop directory: 96a319e745
Drop name: Srxelqcif.exe
Strings (125)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:24 22:49:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.13
CodeSize: 25600
InitializedDataSize: 4147200
UninitializedDataSize: -
EntryPoint: 0x6a60
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.17763.1
ProductVersionNumber: 11.0.17763.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.17763.1
All screenshots are available in the full report
Total processes: 594
Monitored processes: 416
Malicious processes: 65
Suspicious processes: 15

Behavior graph

findstr.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chrome.exe msedge.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs chrome.exe no specs msedge.exe no specs chrome.exe no specs tb3vwy3tkee.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs dspiptco.exe werfault.exe tasklist.exe no specs findstr.exe no specs k8kgyaj.exe no specs msedge.exe no specs msedge.exe no specs dspiptco.exe msedge.exe no specs msedge.exe no specs #VIDAR k8kgyaj.exe chrome.exe no specs werfault.exe msedge.exe no specs yxj9hvg.exe no specs msedge.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs extrac32.exe no specs findstr.exe no specs dspiptco.exe sqnhmrp.exe no specs werfault.exe him.pif no specs msbuild.exe no specs msbuild.exe no specs #LUMMA msbuild.exe #LUMMA msbuild.exe #LUMMA rrlardufw.exe dspiptco.exe v3434.exe no specs werfault.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs #VIDAR v3434.exe rnlsrzspre.exe cmd.exe no specs conhost.exe no specs werfault.exe 2c8fjyq.exe no specs cmd.exe no specs dspiptco.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs werfault.exe tse2e3k.exe no specs dspiptco.exe jhdd6pqvmogl.exe chrome.exe no specs werfault.exe no specs cmd.exe no specs chrome.exe no specs conhost.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
304
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=5700,i,5258382578471322267,1101648073479413296,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=5936 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID:
320
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1660 -s 544
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
dSPiPTCo.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
320
CMD:
findstr "SophosHealth nsWscSvc ekrn bdservicehost AvastUI AVGUI & if not errorlevel 1 Set fIeCi=AutoIt3.exe & Set ZIoKKzPwFFbGod=.a3x & Set yZPyQjkdcs=300
Path:
C:\Windows\SysWOW64\findstr.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (QGREP) Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\user32.dll
PID:
436
CMD:
sc stop WaaSMedicSvc
Path:
C:\Windows\System32\sc.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID:
472
CMD:
icacls "C:\WINDOWS\winloghelper.exe" /setowner "SYSTEM"
Path:
C:\Windows\SysWOW64\icacls.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
472
CMD:
reg add "HKLM\TEMP_SYSTEM\ControlSet001\Services\wuauserv" /v Start /t REG_DWORD /d 4 /f
Path:
C:\Windows\System32\reg.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID:
512
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3152,i,5015738639837734772,6398006927898690251,262144 --variations-seed-version=20250903-050052.843000 --mojo-platform-channel-handle=3220 /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
532
CMD:
"C:\WINDOWS\dSPiPTCo.exe"
Path:
C:\Windows\dSPiPTCo.exe
Parent process:
1G13S4.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
255
Modules
Images
c:\windows\dspiptco.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID:
620
CMD:
icacls "C:\WINDOWS\systemhelper.exe" /remove:d Everyone Administrators
Path:
C:\Windows\SysWOW64\icacls.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
6
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events
281 485
Read events
280 992
Write events
402
Delete events
91

Modification events

(PID) Process: (2368) 1G13S4.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application\DownloaderService
Operation: write
Name: EventMessageFile
Value:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll

(PID) Process: (2880) WerFault.exe
Key: \REGISTRY\A\{bad4d816-f494-34a4-bb91-53819f6ea80b}\Root\InventoryApplicationFile\dspiptco.exe|26a8f550e63d9fd8
Operation: write
Name: ProgramId
Value:
00066551dc540b3dcc6f2dea88cfbcc3f32e0000ffff

(PID) Process: (2880) WerFault.exe
Key: \REGISTRY\A\{bad4d816-f494-34a4-bb91-53819f6ea80b}\Root\InventoryApplicationFile\dspiptco.exe|26a8f550e63d9fd8
Operation: write
Name: FileId
Value:
0000c1b667b0ff98bbb1d2495b4fd5dda1eeca494799

(PID) Process: (2880) WerFault.exe
Key: \REGISTRY\A\{bad4d816-f494-34a4-bb91-53819f6ea80b}\Root\InventoryApplicationFile\dspiptco.exe|26a8f550e63d9fd8
Operation: write
Name: LowerCaseLongPath
Value:
c:\windows\dspiptco.exe

(PID) Process: (2880) WerFault.exe
Key: \REGISTRY\A\{bad4d816-f494-34a4-bb91-53819f6ea80b}\Root\InventoryApplicationFile\dspiptco.exe|26a8f550e63d9fd8
Operation: write
Name: LongPathHash
Value:
dspiptco.exe|26a8f550e63d9fd8

(PID) Process: (2880) WerFault.exe
Key: \REGISTRY\A\{bad4d816-f494-34a4-bb91-53819f6ea80b}\Root\InventoryApplicationFile\dspiptco.exe|26a8f550e63d9fd8
Operation: write
Name: Name
Value:
dSPiPTCo.exe

(PID) Process: (2880) WerFault.exe
Key: \REGISTRY\A\{bad4d816-f494-34a4-bb91-53819f6ea80b}\Root\InventoryApplicationFile\dspiptco.exe|26a8f550e63d9fd8
Operation: write
Name: OriginalFileName
Value:

(PID) Process: (2880) WerFault.exe
Key: \REGISTRY\A\{bad4d816-f494-34a4-bb91-53819f6ea80b}\Root\InventoryApplicationFile\dspiptco.exe|26a8f550e63d9fd8
Operation: write
Name: Publisher
Value:

(PID) Process: (2880) WerFault.exe
Key: \REGISTRY\A\{bad4d816-f494-34a4-bb91-53819f6ea80b}\Root\InventoryApplicationFile\dspiptco.exe|26a8f550e63d9fd8
Operation: write
Name: Version
Value:

(PID) Process: (2880) WerFault.exe
Key: \REGISTRY\A\{bad4d816-f494-34a4-bb91-53819f6ea80b}\Root\InventoryApplicationFile\dspiptco.exe|26a8f550e63d9fd8
Operation: write
Name: BinFileVersion
Value:
Executable files
77
Suspicious files
341
Text files
308
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2880
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dSPiPTCo.exe_ab5e1044b8c384276235db8e891ca16d6221c_a5c2b81c_1fddf66e-14cd-4db9-b2b0-7db0387e8d64\Report.wer
Type:
MD5:
SHA256:

PID: 3396
Process: 1G13S4.exe
Filename: C:\Windows\winloghelper.exe
Type: executable
MD5: 156F4A8F006779A3493D9D476F1E8DDA
SHA256: C36ED034D523DA1F54D43176334D4BDA9F9ADCB940948646B43902A620EBDA45

PID: 3396
Process: 1G13S4.exe
Filename: C:\Windows\systemhelper.exe
Type: executable
MD5: 517156BD8DF2DB756D5B89C59877FE4E
SHA256: 33CB07C16A39056738F1CAD11A9793AF4514D73796622E00A4D25D3F41766143

PID: 2880
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREBF2.tmp.WERInternalMetadata.xml
Type: xml
MD5: 93F7733F9EEF4A4FEC7182322FB55EAA
SHA256: 6A3A4EADC2D7676992CBA2FA422F9E6014863CB27CF64AA3CA166E6A2693AEC0

PID: 2880
Process: WerFault.exe
Filename: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\CrashDumps\dSPiPTCo.exe.6240.dmp
Type: binary
MD5: 38988D1C60D5F508381029B0D43C7235
SHA256: A5A5238996CE95BB645B72C9B492562C2026A0442C0D22341EBDEA87E1608EA6

PID: 2880
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WEREC12.tmp.xml
Type: xml
MD5: 77C5CC21D378315A19BB1FBA3CA9BD2A
SHA256: E03659D24CE30F826FDFEC8541648DAD67618E9F572EE2CA7F9504C2C001E61B

PID: 3396
Process: 1G13S4.exe
Filename: C:\Users\admin\AppData\Local\Temp\WindowsLogsHelper.xml
Type: xml
MD5: 00BB4801C7CEF34837114CECE4717E33
SHA256: 223A8EF483BEFE2B6D38DD8CF8A8A59C236295355213B16DF73AE6D77F60C428

PID: 5496
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_dSPiPTCo.exe_ab5e1044b8c384276235db8e891ca16d6221c_a5c2b81c_73cbd3ea-d124-4865-95b3-8aa9dcc59510\Report.wer
Type:
MD5:
SHA256:

PID: 1100
Process: systemhelper.exe
Filename: C:\Users\admin\AppData\Local\Temp\U8cRb9f.bat
Type: text
MD5: A43FFD6B86EC1D617FD2872FD3118AF5
SHA256: 07BC6A2ED72E02E1988D152188BED752C21AB5282649F22C4C168A176CBDC690

PID: 1100
Process: systemhelper.exe
Filename: C:\Users\admin\AppData\Local\Temp\hater\cecho.exe
Type: executable
MD5: E783BC59D0ED6CFBD8891F94AE23D1B3
SHA256: 5C1211559DDA10592CFEDD57681F18F4A702410816D36EDA95AEE6C74E3C6A47
HTTP(S) requests
280
TCP/UDP connections
255
DNS requests
183
Threats
105

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1040
RUXIMICS.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
1268
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
825 b
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
814 b
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
814 b
whitelisted
1040
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
NL
binary
814 b
whitelisted
POST
200
129.226.128.168:443
https://mastwin.in/qsaz
CN
binary
38.0 Kb
unknown
6164
winloghelper.exe
POST
200
94.154.35.25:80
http://94.154.35.25/di9ku38f/index.php
US
text
1.89 Kb
unknown
6164
winloghelper.exe
POST
200
94.154.35.25:80
http://94.154.35.25/di9ku38f/index.php
US
text
8 b
unknown
GET
200
142.250.185.195:443
https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133
US
compressed
75.5 Kb
unknown
6164
winloghelper.exe
GET
200
178.16.55.189:80
http://178.16.55.189/luma/random.exe
DE
executable
1.71 Mb
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1040
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1040
RUXIMICS.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
washerv.ru
malicious
mastwin.in
  • 129.226.128.168
unknown
watson.events.data.microsoft.com
  • 135.234.160.244
  • 135.234.160.245
  • 135.233.45.222
  • 135.233.45.221
  • 135.234.160.246
  • 135.233.45.223
  • 172.178.240.161
  • 172.178.240.163
whitelisted
clients2.google.com
  • 142.250.186.78
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 172.217.18.10
  • 142.250.185.170
  • 216.58.212.138
  • 142.250.185.74
  • 142.250.185.106
  • 142.250.185.138
  • 142.250.186.74
  • 142.250.185.202
  • 142.250.185.234
  • 142.250.181.234
  • 216.58.206.42
  • 172.217.16.202
  • 216.58.212.170
  • 142.250.186.42
  • 172.217.18.106
  • 142.250.186.106
whitelisted
clientservices.googleapis.com
  • 142.250.186.35
whitelisted

Threats

PID
Process
Class
Message
2200
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washerv .ru)
2200
svchost.exe
Domain Observed Used for C2 Detected
MALWARE [ANY.RUN] Win32/Lumma CnC related domain (washerv .ru)
2200
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mastwin .in)
3628
2U9672.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (mastwin .in in TLS SNI)
6164
winloghelper.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 16
6164
winloghelper.exe
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
6164
winloghelper.exe
Malware Command and Control Activity Detected
ET MALWARE Amadey CnC Response
Malware Command and Control Activity Detected
MALWARE [ANY.RUN] Win32/Lumma CnC HTTP Activity observed
6164
winloghelper.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Win32/Generic related IP address
6164
winloghelper.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
Process
Message
2U9672.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
IObitUnlocker.exe
PostAction_Delete
IObitUnlocker.exe
FileCount:268
IObitUnlocker.exe
C:\ProgramData\Microsoft\Windows Defender--------
IObitUnlocker.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection--------
IObitUnlocker.exe
C:\ProgramData\Microsoft\Windows Security Health--------
IObitUnlocker.exe
C:\ProgramData\Microsoft\Storage Health--------
IObitUnlocker.exe
C:\Program Files\Windows Defender--------
IObitUnlocker.exe
C:\Program Files\Windows Defender Advanced Threat Protection--------
IObitUnlocker.exe
C:\Program Files\Windows Security--------