File name:	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe
Full analysis:	https://app.any.run/tasks/88198fcd-31f0-4efa-abea-8064bcbd4de6
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 23, 2026, 14:13:19
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	stealer stealc loader delphi inno installer upx auto-reg amadey botnet
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:	ACF5499BC65F05513C3530D32C991D3E
SHA1:	AA42CC22BAB169F4295930471F5B8097B69BB4AE
SHA256:	2841AAB00EE6F00213E594DC562D03B982E6D8570A6DE2A0797F3A147665F4CA
SSDEEP:	768:qF0Q6kXxmV+KFxGE9KDyFSiD2RBaMhTxnfC:q56kBi+CxGE9JFfg5C

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2026:05:23 11:52:52+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.5
CodeSize:	19456
InitializedDataSize:	20992
UninitializedDataSize:	-
EntryPoint:	0x23d4
OSVersion:	6
ImageVersion:	4
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	7.9.2140.5
ProductVersionNumber:	7.9.2140.5
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Phoenix Technologies
FileDescription:	Node.js Event Loop Handler
FileVersion:	7.9.2140.5
InternalName:	V8Runtime
LegalCopyright:	2023 Phoenix Technologies. All rights reserved.
OriginalFileName:	tclsh86t.exe
ProductName:	Node.js Event Loop Handler
ProductVersion:	7.9.2140.5


(PID) Process:	(5384) _2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	Key:	HKEY_CURRENT_USER\Environment
Operation:	write	Name:	UserInitMprLogonScript
Value: "C:\WINDOWS\system32\cmd.exe" /c start /b "" "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Services\winhost.exe"
(PID) Process:	(7660) slui.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:	write	Name:	@%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing
(PID) Process:	(5384) _2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(1176) 1n0x3fke.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(6104) FnHotkeyUtility.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation:	write	Name:	Ex_9D
Value: 0C010310002F
(PID) Process:	(6104) FnHotkeyUtility.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation:	write	Name:	Ex_9E
Value: 0C0103100030
(PID) Process:	(6104) FnHotkeyUtility.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation:	write	Name:	Ex_9F
Value: 0C0103100031
(PID) Process:	(6104) FnHotkeyUtility.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation:	write	Name:	Ex_40
Value: 0C0103100037
(PID) Process:	(6104) FnHotkeyUtility.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation:	write	Name:	Ex_41
Value: 0C0103100039
(PID) Process:	(6104) FnHotkeyUtility.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Lenovo\Hotkey\VID_1915&PID_eee0
Operation:	write	Name:	Ex_42
Value: 0C010310003A

PID	Process	Filename		Type
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Services\winhost.exe		executable
		MD5:ACF5499BC65F05513C3530D32C991D3E	SHA256:2841AAB00EE6F00213E594DC562D03B982E6D8570A6DE2A0797F3A147665F4CA
7928	1n0x3fke.tmp	C:\Users\admin\AppData\Local\Temp\is-142OPYW7DX.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
6140	1n0x3fke.exe	C:\Users\admin\AppData\Local\Temp\is-Y3NP0RVVH7.tmp\1n0x3fke.tmp		executable
		MD5:11AFCDCFE2B4F98F9A947FCFCA649452	SHA256:9AD6E0B378DD93244A5257A1A0CE49E61049E58FD3A14CF06DFD05855A1E90EB
7928	1n0x3fke.tmp	C:\ProgramData\TanGoldenRod\is-JPOB7UC7HZ.tmp		executable
		MD5:990A590EB079F420946FDE91975798B9	SHA256:A68A9AC35AA1E183FE3BD9E7144259631530DB07502112A339E5E1C8DCCC9A31
7928	1n0x3fke.tmp	C:\ProgramData\TanGoldenRod\vcruntime140.dll		executable
		MD5:C5BC6D2136F51D438AF4DBE8EF8103D1	SHA256:5DC711B1F190DF5B1257B92883E9C3F10CB4E953591DA13DD50D9F0C7A4AF695
1176	1n0x3fke.tmp	C:\Users\admin\AppData\Local\Temp\is-YP9CA7QKIO.tmp\_isetup\_isdecmp.dll		executable
		MD5:C6AE924AD02500284F7E4EFA11FA7CFC	SHA256:31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26
1176	1n0x3fke.tmp	C:\Users\admin\AppData\Local\Temp\is-YP9CA7QKIO.tmp\_isetup\_setup64.tmp		executable
		MD5:E4211D6D009757C078A9FAC7FF4F03D4	SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	C:\Users\admin\AppData\Local\Temp\1n0x3fke.exe		executable
		MD5:DD900C31B79540CCB2E585F82FA9746D	SHA256:EB35E29E65134D98D2A84A140B804014FC52FE90361234E2AED8A52B593D6F7A
3560	1n0x3fke.exe	C:\Users\admin\AppData\Local\Temp\is-O5J3YPQR9Q.tmp\1n0x3fke.tmp		executable
		MD5:11AFCDCFE2B4F98F9A947FCFCA649452	SHA256:9AD6E0B378DD93244A5257A1A0CE49E61049E58FD3A14CF06DFD05855A1E90EB
7928	1n0x3fke.tmp	C:\Users\admin\AppData\Local\Temp\is-142OPYW7DX.tmp\_isetup\_isdecmp.dll		executable
		MD5:C6AE924AD02500284F7E4EFA11FA7CFC	SHA256:31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4872	svchost.exe	GET	200	2.16.164.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted
4872	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	US	binary	814 b	whitelisted
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	POST	200	62.60.226.159:80	http://62.60.226.159/api.php	GB	binary	73 b	unknown
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	GET	200	62.60.226.159:80	http://62.60.226.159/uploads/Polarised_6.7897.2734.4933_INSTALL.exe	GB	executable	11.6 Mb	malicious
7660	slui.exe	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
7660	slui.exe	POST	500	48.192.1.64:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	US	xml	512 b	whitelisted
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	POST	200	62.60.226.159:80	http://62.60.226.159/api.php	GB	—	—	unknown
3280	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	US	binary	400 b	whitelisted
7672	notepad.exe	POST	200	196.251.107.130:80	http://196.251.107.130/16b022998f754137b60a.php	GB	text	68 b	malicious
3280	svchost.exe	GET	200	23.52.181.212:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	US	binary	814 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	48.209.138.189:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	48.209.138.168:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7312	slui.exe	48.192.1.64:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
4872	svchost.exe	2.16.164.112:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
4872	svchost.exe	23.52.181.212:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5276	MoUsoCoreWorker.exe	48.209.138.189:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4872	svchost.exe	48.209.138.189:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	62.60.226.159:80	—	FEMOIT	GB	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	48.209.138.168 48.209.138.189	whitelisted
activation-v2.sls.microsoft.com	48.192.1.64	whitelisted
crl.microsoft.com	2.16.164.112 2.16.164.88 2.16.164.89 2.16.164.32 2.16.164.49 2.16.164.34 2.16.164.40 2.16.164.9 2.16.164.51 2.16.164.114	whitelisted
www.microsoft.com	23.52.181.212	whitelisted
google.com	142.251.14.138 142.251.14.101 142.251.14.102 142.251.14.139 142.251.14.113 142.251.14.100	whitelisted
3vrtaee2bswrutm97d6afhvg4zgqtagim.com	—	unknown
self.events.data.microsoft.com	52.168.117.170	whitelisted

PID	Process	Class	Message
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 9
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	A Network Trojan was detected	ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET)
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	A Network Trojan was detected	ET MALWARE Observed StealC_V2 Payload Request (GET)
7672	notepad.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 45
5384	_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe	A Network Trojan was detected	ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET)
4564	ohggf.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
4564	ohggf.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Amadey associated URI (/xvzpjyddlu/getdata.php)
4564	ohggf.exe	A Network Trojan was detected	ET MALWARE Observed StealC_V2 Payload Request (GET)
4564	ohggf.exe	A Network Trojan was detected	ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET)
4564	ohggf.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)

General Info

_2841aab00ee6f00213e594dc562d03b982e6d8570a6de2a0797f3a147665f4ca.exe

ACF5499BC65F05513C3530D32C991D3E

AA42CC22BAB169F4295930471F5B8097B69BB4AE

2841AAB00EE6F00213E594DC562D03B982E6D8570A6DE2A0797F3A147665F4CA

768:qF0Q6kXxmV+KFxGE9KDyFSiD2RBaMhTxnfC:q56kBi+CxGE9JFfg5C

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was injected by another process

Runs injected code in another process

Changes the login/logoff helper path in the registry

STEALC has been detected

Changes the autorun value in the registry

AMADEY has been detected (SURICATA)

STEALC has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Reads the date of Windows installation

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Reads the Windows owner or organization settings

The process drops C-runtime libraries

Starts CMD.EXE for commands execution

The executable file from the user directory is run by the CMD process

Start notepad (likely ransomware note)

The process executes via Task Scheduler

Starts itself from another location

INFO

Reads security settings of Internet Explorer

Create files in a temporary directory

Reads the computer name

Creates files or folders in the user directory

The sample compiled with english language support

Checks supported languages

Process checks computer location settings

Detects InnoSetup installer (YARA)

Compiled with Borland Delphi (YARA)

Password parameter in command-line

The sample compiled with chinese language support

Reads CPU info

UPX packer has been detected

Launching a file from a Registry key

Reads the machine GUID from the registry

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events