File name:

2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe

Full analysis: https://app.any.run/tasks/a051d92c-09b6-4edd-8baf-fe0aa18cec56
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: August 01, 2025, 02:21:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
themida
loader
amadey
auto
redline
generic
rdp
auto-reg
auto-startup
auto-sch
autoit
upx
salatstealer
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

16E2BB06C27DF5C22BF155B76FF4A25D

SHA1:

CD3603896ACF478BA82F8DC398FC1FCD594B4F54

SHA256:

2942043B0E15669544746E28E364F12BFA6485BC7432253AF7F0E6C65B0299ED

SSDEEP:

98304:idMycRCnjJHXRgAtivAA2uR6vie5x2F7mE/XHJhoYEsks6WBrSbvvYV0GXotNWOs:8TC3M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA mutex has been found

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
      • 0fDKOL1HWgKn.exe (PID: 5752)
      • 775bdc8c0f.exe (PID: 7340)
      • MSBuild.exe (PID: 3160)
    • Actions looks like stealing of personal data

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
    • Steals credentials from Web Browsers

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
    • AMADEY mutex has been found

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • huran.exe (PID: 1472)
      • amnew.exe (PID: 7392)
      • huran.exe (PID: 6572)
    • REDLINE has been found (auto)

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
    • GENERIC has been found (auto)

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
    • AMADEY has been detected (YARA)

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
    • Changes the autorun value in the registry

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • ls1FDZl.exe (PID: 2216)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 7936)
    • Create files in the Startup directory

      • cmd.exe (PID: 5988)
      • MSBuild.exe (PID: 2612)
    • SALATSTEALER has been detected (YARA)

      • explorer.exe (PID: 7300)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 1068)
      • NSudoLG.exe (PID: 7728)
      • cmd.exe (PID: 2620)
      • NSudoLG.exe (PID: 7692)
    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 7728)
      • NSudoLG.exe (PID: 7692)
    • Changes the Windows auto-update feature

      • reg.exe (PID: 8164)
      • reg.exe (PID: 5620)
    • XWORM has been detected (YARA)

      • MSBuild.exe (PID: 2612)
    • STEALC has been detected

      • MSBuild.exe (PID: 7980)
  • SUSPICIOUS

    • Reads the BIOS version

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
      • 775bdc8c0f.exe (PID: 7340)
    • Searches for installed software

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
    • Executable content was dropped or overwritten

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • g3kCi5h.exe (PID: 2460)
      • 6olpur0.exe (PID: 7752)
      • Nation.pif (PID: 7716)
      • 89d8d1ca98.exe (PID: 6688)
      • 7z.exe (PID: 7564)
      • Unlocker.exe (PID: 6348)
      • Unlocker.exe (PID: 5264)
      • 7af56553f6.exe (PID: 7984)
      • MSBuild.exe (PID: 2612)
      • 6olpur0.exe (PID: 1488)
      • amnew.exe (PID: 7392)
      • huran.exe (PID: 1472)
      • MissedScreens.exe (PID: 4624)
      • svchost015.exe (PID: 2400)
      • ls1FDZl.exe (PID: 2216)
    • Connects to the server without a host name

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • svchost015.exe (PID: 2400)
      • huran.exe (PID: 1472)
    • Reads security settings of Internet Explorer

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • g3kCi5h.exe (PID: 7492)
      • 89d8d1ca98.exe (PID: 6688)
      • nircmd.exe (PID: 8156)
      • 89d8d1ca98.exe (PID: 7496)
      • nircmd.exe (PID: 2076)
      • Unlocker.exe (PID: 7656)
      • Unlocker.exe (PID: 6348)
      • Unlocker.exe (PID: 5264)
      • Unlocker.exe (PID: 1704)
      • Unlocker.exe (PID: 2320)
      • Unlocker.exe (PID: 8160)
      • IObitUnlocker.exe (PID: 6220)
      • svchost015.exe (PID: 2400)
      • StartMenuExperienceHost.exe (PID: 1204)
      • amnew.exe (PID: 7392)
      • huran.exe (PID: 1472)
      • ls1FDZl.exe (PID: 2216)
      • R4EpnnQ.exe (PID: 6848)
      • MSBuild.exe (PID: 7980)
    • Process requests binary or script from the Internet

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
    • Application launched itself

      • g3kCi5h.exe (PID: 7492)
      • cmd.exe (PID: 7696)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 7652)
      • cmd.exe (PID: 3724)
      • R4EpnnQ.exe (PID: 6848)
    • There is functionality for taking screenshot (YARA)

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • explorer.exe (PID: 7300)
      • 6olpur0.exe (PID: 7752)
      • Nation.pif (PID: 7716)
    • There is functionality for enable RDP (YARA)

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
    • The process creates files with name similar to system file names

      • g3kCi5h.exe (PID: 2460)
      • 89d8d1ca98.exe (PID: 6688)
    • Starts itself from another location

      • g3kCi5h.exe (PID: 2460)
      • amnew.exe (PID: 7392)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 7696)
      • 6olpur0.exe (PID: 7752)
      • 89d8d1ca98.exe (PID: 6688)
      • nircmd.exe (PID: 8156)
      • NSudoLG.exe (PID: 2292)
      • cmd.exe (PID: 1068)
      • 89d8d1ca98.exe (PID: 7496)
      • nircmd.exe (PID: 2076)
      • NSudoLG.exe (PID: 3832)
      • cmd.exe (PID: 2620)
      • Unlocker.exe (PID: 7656)
      • Unlocker.exe (PID: 6348)
      • Unlocker.exe (PID: 5264)
      • Unlocker.exe (PID: 1704)
      • Unlocker.exe (PID: 8160)
      • Unlocker.exe (PID: 2320)
      • 6olpur0.exe (PID: 1488)
      • cmd.exe (PID: 7652)
      • MissedScreens.exe (PID: 4624)
      • cmd.exe (PID: 3724)
      • ls1FDZl.exe (PID: 2216)
    • Get information on the list of running processes

      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 2324)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 6240)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 5056)
    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 7864)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 5340)
      • cmd.exe (PID: 2040)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 5576)
      • cmd.exe (PID: 6348)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 5056)
      • cmd.exe (PID: 3572)
    • The executable file from the user directory is run by the CMD process

      • Nation.pif (PID: 7716)
      • nircmd.exe (PID: 5240)
      • nircmd.exe (PID: 8156)
      • nircmd.exe (PID: 4460)
      • NSudoLG.exe (PID: 2292)
      • nircmd.exe (PID: 5968)
      • NSudoLG.exe (PID: 7728)
      • nircmd.exe (PID: 7916)
      • nircmd.exe (PID: 2076)
      • nircmd.exe (PID: 1976)
      • nircmd.exe (PID: 6788)
      • NSudoLG.exe (PID: 3832)
      • NSudoLG.exe (PID: 7692)
      • Unlocker.exe (PID: 7656)
      • 7z.exe (PID: 7564)
      • Unlocker.exe (PID: 6348)
      • 7z.exe (PID: 892)
      • Unlocker.exe (PID: 5264)
      • Unlocker.exe (PID: 1704)
      • Unlocker.exe (PID: 8160)
      • Unlocker.exe (PID: 2320)
      • Nation.pif (PID: 8664)
      • Offshore.com (PID: 8672)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 5056)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7864)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 3572)
      • cmd.exe (PID: 5056)
    • Multiple wallet extension IDs have been found

      • explorer.exe (PID: 7300)
    • Executing commands from a ".bat" file

      • 89d8d1ca98.exe (PID: 6688)
      • nircmd.exe (PID: 8156)
      • NSudoLG.exe (PID: 2292)
      • 89d8d1ca98.exe (PID: 7496)
      • nircmd.exe (PID: 2076)
      • NSudoLG.exe (PID: 3832)
    • Reads the date of Windows installation

      • nircmd.exe (PID: 8156)
      • nircmd.exe (PID: 2076)
      • Unlocker.exe (PID: 7656)
      • Unlocker.exe (PID: 6348)
      • Unlocker.exe (PID: 5264)
      • Unlocker.exe (PID: 1704)
      • Unlocker.exe (PID: 2320)
      • Unlocker.exe (PID: 8160)
      • StartMenuExperienceHost.exe (PID: 1204)
      • SearchApp.exe (PID: 4832)
      • ls1FDZl.exe (PID: 2216)
      • R4EpnnQ.exe (PID: 6848)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 6348)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 2040)
    • Drops 7-zip archiver for unpacking

      • 89d8d1ca98.exe (PID: 6688)
    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 2144)
      • powershell.exe (PID: 7664)
    • Starts POWERSHELL.EXE for commands execution

      • NSudoLG.exe (PID: 7728)
      • NSudoLG.exe (PID: 7692)
    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 7728)
      • NSudoLG.exe (PID: 7692)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 7348)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 6356)
      • cmd.exe (PID: 1160)
      • cmd.exe (PID: 3556)
      • cmd.exe (PID: 5188)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 6876)
      • cmd.exe (PID: 1336)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 7964)
    • Stops a currently running service

      • sc.exe (PID: 8168)
      • sc.exe (PID: 7916)
      • sc.exe (PID: 3052)
      • sc.exe (PID: 5576)
      • sc.exe (PID: 5348)
      • sc.exe (PID: 2320)
      • sc.exe (PID: 7236)
      • sc.exe (PID: 7652)
      • sc.exe (PID: 7364)
      • sc.exe (PID: 3624)
      • sc.exe (PID: 7368)
      • sc.exe (PID: 7664)
      • sc.exe (PID: 7060)
    • Windows service management via SC.EXE

      • sc.exe (PID: 6524)
      • sc.exe (PID: 1964)
      • sc.exe (PID: 5712)
      • sc.exe (PID: 8160)
      • sc.exe (PID: 5028)
      • sc.exe (PID: 7912)
      • sc.exe (PID: 3112)
      • sc.exe (PID: 1936)
      • sc.exe (PID: 3944)
      • sc.exe (PID: 3968)
      • sc.exe (PID: 7720)
      • sc.exe (PID: 7924)
      • sc.exe (PID: 6836)
      • sc.exe (PID: 7568)
      • sc.exe (PID: 4560)
      • sc.exe (PID: 7284)
      • sc.exe (PID: 5952)
      • sc.exe (PID: 8032)
      • sc.exe (PID: 5432)
    • Creates or modifies Windows services

      • reg.exe (PID: 5248)
      • Unlocker.exe (PID: 6348)
      • reg.exe (PID: 2732)
      • Unlocker.exe (PID: 2320)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7572)
      • cmd.exe (PID: 5168)
      • cmd.exe (PID: 7116)
      • cmd.exe (PID: 4100)
      • cmd.exe (PID: 7104)
    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 6348)
      • Unlocker.exe (PID: 5264)
    • The process verifies whether the antivirus software is installed

      • Unlocker.exe (PID: 5264)
      • IObitUnlocker.exe (PID: 6220)
    • Process drops legitimate windows executable

      • MSBuild.exe (PID: 2612)
    • Connects to unusual port

      • MSBuild.exe (PID: 2612)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 3160)
    • Uses powercfg.exe to modify the power settings

      • ls1FDZl.exe (PID: 2216)
    • The process executes via Task Scheduler

      • huran.exe (PID: 6572)
  • INFO

    • Checks supported languages

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • g3kCi5h.exe (PID: 7492)
      • g3kCi5h.exe (PID: 2460)
      • not.exe (PID: 7380)
      • explorer.exe (PID: 7300)
      • not.exe (PID: 7576)
      • 6olpur0.exe (PID: 7752)
      • extrac32.exe (PID: 6620)
      • Nation.pif (PID: 7716)
      • 89d8d1ca98.exe (PID: 6688)
      • nircmd.exe (PID: 5240)
      • chcp.com (PID: 8164)
      • nircmd.exe (PID: 8156)
      • chcp.com (PID: 6636)
      • nircmd.exe (PID: 4460)
      • NSudoLG.exe (PID: 2292)
      • chcp.com (PID: 6856)
      • mode.com (PID: 6544)
      • 89d8d1ca98.exe (PID: 7496)
      • nircmd.exe (PID: 7916)
      • chcp.com (PID: 2228)
      • nircmd.exe (PID: 2076)
      • nircmd.exe (PID: 1976)
      • chcp.com (PID: 4760)
      • NSudoLG.exe (PID: 3832)
      • nircmd.exe (PID: 6788)
      • chcp.com (PID: 6356)
      • mode.com (PID: 6636)
      • NSudoLG.exe (PID: 7692)
      • MSBuild.exe (PID: 2612)
      • 7af56553f6.exe (PID: 7984)
      • Unlocker.exe (PID: 7656)
      • 7z.exe (PID: 7564)
      • nircmd.exe (PID: 5968)
      • NSudoLG.exe (PID: 7728)
      • Unlocker.exe (PID: 6348)
      • Unlocker.exe (PID: 5264)
      • svchost015.exe (PID: 2400)
      • 7z.exe (PID: 892)
      • Unlocker.exe (PID: 1704)
      • Unlocker.exe (PID: 8160)
      • IObitUnlocker.exe (PID: 6220)
      • Unlocker.exe (PID: 2320)
      • 087d0acb52.exe (PID: 3768)
      • StartMenuExperienceHost.exe (PID: 1204)
      • TextInputHost.exe (PID: 6440)
      • SearchApp.exe (PID: 4832)
      • 775bdc8c0f.exe (PID: 7340)
      • MSBuild.exe (PID: 3160)
      • 6olpur0.exe (PID: 1488)
      • huran.exe (PID: 1472)
      • amnew.exe (PID: 7392)
      • 0fDKOL1HWgKn.exe (PID: 5752)
      • MissedScreens.exe (PID: 4624)
      • 9UxKt8uPHIHsM.exe (PID: 6604)
      • ls1FDZl.exe (PID: 2216)
      • huran.exe (PID: 6572)
      • R4EpnnQ.exe (PID: 6720)
      • G4gtDRI.exe (PID: 848)
      • R4EpnnQ.exe (PID: 6848)
      • extrac32.exe (PID: 8576)
      • extrac32.exe (PID: 8536)
      • Offshore.com (PID: 8672)
      • MSBuild.exe (PID: 7980)
      • Nation.pif (PID: 8664)
    • Reads the computer name

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • g3kCi5h.exe (PID: 7492)
      • g3kCi5h.exe (PID: 2460)
      • not.exe (PID: 7380)
      • explorer.exe (PID: 7300)
      • not.exe (PID: 7576)
      • 6olpur0.exe (PID: 7752)
      • extrac32.exe (PID: 6620)
      • Nation.pif (PID: 7716)
      • 89d8d1ca98.exe (PID: 6688)
      • nircmd.exe (PID: 8156)
      • NSudoLG.exe (PID: 2292)
      • NSudoLG.exe (PID: 7728)
      • 89d8d1ca98.exe (PID: 7496)
      • nircmd.exe (PID: 2076)
      • NSudoLG.exe (PID: 3832)
      • MSBuild.exe (PID: 2612)
      • NSudoLG.exe (PID: 7692)
      • Unlocker.exe (PID: 7656)
      • 7z.exe (PID: 7564)
      • Unlocker.exe (PID: 6348)
      • Unlocker.exe (PID: 5264)
      • Unlocker.exe (PID: 1704)
      • 7z.exe (PID: 892)
      • Unlocker.exe (PID: 8160)
      • Unlocker.exe (PID: 2320)
      • IObitUnlocker.exe (PID: 6220)
      • svchost015.exe (PID: 2400)
      • StartMenuExperienceHost.exe (PID: 1204)
      • SearchApp.exe (PID: 4832)
      • MSBuild.exe (PID: 3160)
      • TextInputHost.exe (PID: 6440)
      • 775bdc8c0f.exe (PID: 7340)
      • 6olpur0.exe (PID: 1488)
      • huran.exe (PID: 1472)
      • amnew.exe (PID: 7392)
      • MissedScreens.exe (PID: 4624)
      • 0fDKOL1HWgKn.exe (PID: 5752)
      • ls1FDZl.exe (PID: 2216)
      • R4EpnnQ.exe (PID: 6720)
      • R4EpnnQ.exe (PID: 6848)
      • extrac32.exe (PID: 8536)
      • extrac32.exe (PID: 8576)
      • MSBuild.exe (PID: 7980)
    • Application launched itself

      • chrome.exe (PID: 8092)
      • chrome.exe (PID: 6948)
      • chrome.exe (PID: 3624)
      • msedge.exe (PID: 6508)
      • chrome.exe (PID: 7256)
      • msedge.exe (PID: 2076)
      • msedge.exe (PID: 1160)
      • msedge.exe (PID: 6636)
      • msedge.exe (PID: 7764)
      • msedge.exe (PID: 1652)
      • chrome.exe (PID: 6208)
      • chrome.exe (PID: 6364)
      • chrome.exe (PID: 8508)
    • Reads the machine GUID from the registry

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
      • g3kCi5h.exe (PID: 7492)
      • g3kCi5h.exe (PID: 2460)
      • explorer.exe (PID: 7300)
      • MSBuild.exe (PID: 2612)
      • Unlocker.exe (PID: 7656)
      • Unlocker.exe (PID: 6348)
      • Unlocker.exe (PID: 5264)
      • Unlocker.exe (PID: 1704)
      • Unlocker.exe (PID: 8160)
      • Unlocker.exe (PID: 2320)
      • svchost015.exe (PID: 2400)
      • SearchApp.exe (PID: 4832)
      • MSBuild.exe (PID: 3160)
      • 775bdc8c0f.exe (PID: 7340)
      • 0fDKOL1HWgKn.exe (PID: 5752)
      • huran.exe (PID: 1472)
      • R4EpnnQ.exe (PID: 6720)
    • Reads the software policy settings

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
      • svchost015.exe (PID: 2400)
      • SearchApp.exe (PID: 4832)
      • MSBuild.exe (PID: 3160)
      • 775bdc8c0f.exe (PID: 7340)
      • slui.exe (PID: 2384)
      • huran.exe (PID: 1472)
      • 0fDKOL1HWgKn.exe (PID: 5752)
      • R4EpnnQ.exe (PID: 6720)
    • Themida protector has been detected

      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
    • Checks proxy server information

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • svchost015.exe (PID: 2400)
      • SearchApp.exe (PID: 4832)
      • slui.exe (PID: 2384)
      • huran.exe (PID: 1472)
      • MSBuild.exe (PID: 7980)
    • Create files in a temporary directory

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe (PID: 5436)
      • 6olpur0.exe (PID: 7752)
      • extrac32.exe (PID: 6620)
      • 89d8d1ca98.exe (PID: 6688)
      • 7z.exe (PID: 7564)
      • 7af56553f6.exe (PID: 7984)
      • 89d8d1ca98.exe (PID: 7496)
      • 6olpur0.exe (PID: 1488)
      • amnew.exe (PID: 7392)
      • MissedScreens.exe (PID: 4624)
      • huran.exe (PID: 1472)
      • R4EpnnQ.exe (PID: 6720)
      • extrac32.exe (PID: 8536)
      • extrac32.exe (PID: 8576)
    • Creates files or folders in the user directory

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • g3kCi5h.exe (PID: 2460)
      • Nation.pif (PID: 7716)
      • MSBuild.exe (PID: 2612)
      • svchost015.exe (PID: 2400)
      • huran.exe (PID: 1472)
      • ls1FDZl.exe (PID: 2216)
    • Process checks computer location settings

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • g3kCi5h.exe (PID: 7492)
      • 89d8d1ca98.exe (PID: 6688)
      • nircmd.exe (PID: 8156)
      • 89d8d1ca98.exe (PID: 7496)
      • nircmd.exe (PID: 2076)
      • StartMenuExperienceHost.exe (PID: 1204)
      • SearchApp.exe (PID: 4832)
      • amnew.exe (PID: 7392)
      • huran.exe (PID: 1472)
      • ls1FDZl.exe (PID: 2216)
      • R4EpnnQ.exe (PID: 6848)
    • Launching a file from a Registry key

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • ls1FDZl.exe (PID: 2216)
    • Manual execution by a user

      • not.exe (PID: 7576)
      • cmd.exe (PID: 7936)
      • cmd.exe (PID: 5988)
      • wscript.exe (PID: 8140)
      • 89d8d1ca98.exe (PID: 7496)
    • The sample compiled with english language support

      • EYPKYOAFP8IU1IAK5VAN.exe (PID: 7612)
      • Nation.pif (PID: 7716)
      • 89d8d1ca98.exe (PID: 6688)
      • Unlocker.exe (PID: 6348)
      • Unlocker.exe (PID: 5264)
      • 7af56553f6.exe (PID: 7984)
      • MSBuild.exe (PID: 2612)
      • svchost015.exe (PID: 2400)
      • ls1FDZl.exe (PID: 2216)
    • Reads mouse settings

      • Nation.pif (PID: 7716)
      • Offshore.com (PID: 8672)
      • Nation.pif (PID: 8664)
    • Launching a file from Task Scheduler

      • cmd.exe (PID: 7936)
    • Launching a file from the Startup directory

      • cmd.exe (PID: 5988)
      • MSBuild.exe (PID: 2612)
    • Application based on Golang

      • explorer.exe (PID: 7300)
    • Detects GO elliptic curve encryption (YARA)

      • explorer.exe (PID: 7300)
    • NirSoft software is detected

      • nircmd.exe (PID: 5240)
      • nircmd.exe (PID: 8156)
      • nircmd.exe (PID: 4460)
      • nircmd.exe (PID: 5968)
      • nircmd.exe (PID: 7916)
      • nircmd.exe (PID: 2076)
      • nircmd.exe (PID: 1976)
      • nircmd.exe (PID: 6788)
    • Changes the display of characters in the console

      • cmd.exe (PID: 5340)
      • cmd.exe (PID: 1068)
      • cmd.exe (PID: 5576)
      • cmd.exe (PID: 6348)
      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 2040)
    • UPX packer has been detected

      • explorer.exe (PID: 7300)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 6544)
      • mode.com (PID: 6636)
    • Checks operating system version

      • cmd.exe (PID: 2620)
      • cmd.exe (PID: 1068)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 2144)
      • powershell.exe (PID: 7664)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2144)
      • powershell.exe (PID: 7664)
    • Creates files in the program directory

      • Unlocker.exe (PID: 1704)
    • Reads the time zone

      • explorer.exe (PID: 7548)
    • Changes appearance of the Explorer extensions

      • explorer.exe (PID: 7548)
    • Reads Environment values

      • SearchApp.exe (PID: 4832)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report

Amadey

Process (PID 7612): EYPKYOAFP8IU1IAK5VAN.exe
C2: 94.154.35.25
URL: http://94.154.35.25/di9ku38f/index.php
Version: 5.55
Options
Drop directory: 96a319e745
Drop name: Srxelqcif.exe
Strings (125):
os:
" && timeout 1 && del
\App
&&
|
shutdown -s -t 0
Panda Security
r=
:::
" && ren
pc:
random
ProductName
bi:
#
POST
2016
msi
Content-Type: application/x-www-form-urlencoded
0123456789
0000043f
un:
st=s
S-%lu-
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
AVAST Software
cmd
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
lv:
<c>
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
00000423
<d>
cred.dll|clip.dll|
exe
og:
Srxelqcif.exe
Powershell.exe
Comodo
5.55
&& Exit"
Startup
%-lu
DefaultSettings.YResolution
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
00000422
rundll32
2019
ps1
ar:
%USERPROFILE%
vs:
-executionpolicy remotesigned -File "
shell32.dll
/k
WinDefender
------
http://
cred.dll
Main
Bitdefender
.jpg
?scr=1
"taskkill /f /im "
rb
CurrentBuild
id:
Doctor Web
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
94.154.35.25
ESET
Sophos
00000419
VideoID
dm:
96a319e745
Keyboard Layout\Preload
AVG
------
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
--
"
DefaultSettings.XResolution
/quiet
Norton
SYSTEM\ControlSet001\Services\BasicDisplay\Video
dll
zip
=
ProgramData\
cmd /C RMDIR /s/q
/Plugins/
e1
Programs
d1
&unit=
Rem
ComputerName
2022
rundll32.exe
e3
e2
Content-Type: multipart/form-data; boundary=----
-%lu
clip.dll
av:
kernel32.dll
GetNativeSystemInfo
360TotalSecurity
\0000
" Content-Type: application/octet-stream
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
+++
Kaspersky Lab
Avira
\
GET
/di9ku38f/index.php
sd:
abcdefghijklmnopqrstuvwxyz0123456789-_
wb
https://
-unicode-

XWorm

Process (PID 2612): MSBuild.exe
C2: hexa.dnsframe.com:66
Keys
AES: <666>
Options
Splitter: <Xwormmm>
Sleep time: 3
USB drop name: inj3ct0r HexaOpen
Mutex: FzSIsfqlHwWWhS56
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:31 17:52:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 304128
InitializedDataSize: 39424
UninitializedDataSize: -
EntryPoint: 0x478000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 505
Monitored processes: 353
Malicious processes: 36
Suspicious processes: 19

Behavior graph

start start #LUMMA 2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe #AMADEY eypkyoafp8iu1iak5van.exe g3kci5h.exe no specs g3kci5h.exe not.exe #SALATSTEALER explorer.exe not.exe no specs 6olpur0.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs tasklist.exe no specs findstr.exe no specs extrac32.exe no specs findstr.exe no specs nation.pif waitfor.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe conhost.exe no specs schtasks.exe no specs wscript.exe no specs 89d8d1ca98.exe cmd.exe no specs conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs 
reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs #XWORM msbuild.exe reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs 89d8d1ca98.exe no specs cmd.exe no specs conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs 7af56553f6.exe reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs 7z.exe unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs unlocker.exe cmd.exe no specs conhost.exe no 
specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs svchost015.exe reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs 7z.exe no specs unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs unlocker.exe no specs cmd.exe no specs conhost.exe no specs iobitunlocker.exe sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs unlocker.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs 087d0acb52.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs explorer.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs rundll32.exe no specs msbuild.exe no specs #LUMMA msbuild.exe tiworker.exe no specs startmenuexperiencehost.exe no specs textinputhost.exe no specs searchapp.exe #LUMMA 775bdc8c0f.exe mobsync.exe no specs 6olpur0.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs tasklist.exe no specs findstr.exe no specs amnew.exe huran.exe #LUMMA 0fdkol1hwgkn.exe 9uxkt8uphihsm.exe no specs missedscreens.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs tasklist.exe no specs findstr.exe no specs ls1fdzl.exe powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs powercfg.exe no specs cmd.exe no specs conhost.exe no specs huran.exe no specs 
g4gtdri.exe no specs r4epnnq.exe no specs conhost.exe no specs r4epnnq.exe conhost.exe no specs #STEALC msbuild.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs extrac32.exe no specs extrac32.exe no specs findstr.exe no specs nation.pif no specs offshore.com no specs waitfor.exe no specs waitfor.exe no specs

Process information

PID: 236
CMD: reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
Path: C:\Windows\System32\reg.exe
Indicators: -
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 432
CMD: reg query HKLM\System\CurrentControlset\Services\WdFilter
Path: C:\Windows\System32\reg.exe
Indicators: -
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 472 | CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3712,i,16223569633611658890,5537033840742466314,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:2 | Path: C:\Program Files\Google\Chrome\Application\chrome.exe | Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (Images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 632 | CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3244,i,16223569633611658890,5537033840742466314,262144 --variations-seed-version --mojo-platform-channel-handle=3248 /prefetch:1 | Path: C:\Program Files\Google\Chrome\Application\chrome.exe | Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (Images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 640 | CMD: reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 684 | CMD: reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc" | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 684 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 684 | CMD: C:\WINDOWS\System32\mobsync.exe -Embedding | Path: C:\Windows\System32\mobsync.exe | Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Sync Center
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\mobsync.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 700 | CMD: reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc" | Path: C:\Windows\System32\reg.exe | Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 828 | CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2028,i,7062284398933179627,11984726493808266779,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=2016 /prefetch:2 | Path: C:\Program Files\Google\Chrome\Application\chrome.exe | Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (Images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events: 89 859
Read events: 89 664
Write events: 192
Delete events: 3

Modification events

(PID) Process: (6948) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: state | Value: 1
(PID) Process: (6948) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: failed_count | Value: 0
(PID) Process: (6948) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: state | Value: 2
(PID) Process: (6948) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics | Operation: write | Name: user_experience_metrics.stability.exited_cleanly | Value: 0
(PID) Process: (6948) chrome.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} | Operation: write | Name: usagestats | Value: 0
(PID) Process: (3624) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: failed_count | Value: 0
(PID) Process: (3624) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: state | Value: 2
(PID) Process: (3624) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics | Operation: write | Name: user_experience_metrics.stability.exited_cleanly | Value: 0
(PID) Process: (3624) chrome.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} | Operation: write | Name: usagestats | Value: 0
(PID) Process: (3624) chrome.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon | Operation: write | Name: state | Value: 1
Executable files: 52
Suspicious files: 146
Text files: 215
Unknown types: 23

Dropped files

PID
Process
Filename
Type
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF18f75b.TMP
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF18f76b.TMP
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF18f78a.TMP
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF18f78a.TMP
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF18f78a.TMP
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
PID: 6948 | Process: chrome.exe | Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
HTTP(S) requests: 207
TCP/UDP connections: 211
DNS requests: 155
Threats: 0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
Method: POST | HTTP Code: 200 | IP: 45.61.165.8:443 | URL: https://mocadia.com/iuew | CN: unknown | Type: binary | Size: 32.7 Kb
PID: 5944 | Process: MoUsoCoreWorker.exe | Method: GET | HTTP Code: 200 | IP: 23.216.77.6:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID: 1268 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 23.216.77.6:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID: 5528 | Process: RUXIMICS.exe | Method: GET | HTTP Code: 200 | IP: 23.216.77.6:80 | URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | Reputation: whitelisted
PID: 5944 | Process: MoUsoCoreWorker.exe | Method: GET | HTTP Code: 200 | IP: 95.101.149.131:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
PID: 1268 | Process: svchost.exe | Method: GET | HTTP Code: 200 | IP: 95.101.149.131:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
PID: 5528 | Process: RUXIMICS.exe | Method: GET | HTTP Code: 200 | IP: 95.101.149.131:80 | URL: http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | CN: unknown | Reputation: whitelisted
Method: POST | HTTP Code: 200 | IP: 20.190.159.68:443 | URL: https://login.live.com/RST2.srf | CN: unknown | Type: xml | Size: 1.24 Kb | Reputation: whitelisted
Method: POST | HTTP Code: 400 | IP: 40.126.31.0:443 | URL: https://login.live.com/ppsecure/deviceaddcredential.srf | CN: unknown | Type: text | Size: 203 b | Reputation: whitelisted
Method: POST | HTTP Code: 400 | IP: 40.126.31.0:443 | URL: https://login.live.com/ppsecure/deviceaddcredential.srf | CN: unknown | Type: text | Size: 203 b | Reputation: whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 4 | Process: System | IP: 192.168.100.255:137 | Reputation: whitelisted
PID: 5944 | Process: MoUsoCoreWorker.exe | IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 1268 | Process: svchost.exe | IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 5528 | Process: RUXIMICS.exe | IP: 4.231.128.59:443 | Domain: settings-win.data.microsoft.com | ASN: MICROSOFT-CORP-MSN-AS-BLOCK | CN: IE | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Reputation: whitelisted
PID: 5944 | Process: MoUsoCoreWorker.exe | IP: 23.216.77.6:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 1268 | Process: svchost.exe | IP: 23.216.77.6:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 5528 | Process: RUXIMICS.exe | IP: 23.216.77.6:80 | Domain: crl.microsoft.com | ASN: Akamai International B.V. | CN: DE | Reputation: whitelisted
PID: 5944 | Process: MoUsoCoreWorker.exe | IP: 95.101.149.131:80 | Domain: www.microsoft.com | ASN: Akamai International B.V. | CN: NL | Reputation: whitelisted
PID: 1268 | Process: svchost.exe | IP: 95.101.149.131:80 | Domain: www.microsoft.com | ASN: Akamai International B.V. | CN: NL | Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
mocadia.com
  • 45.61.165.8
unknown
login.live.com
  • 40.126.32.68
  • 20.190.160.3
  • 40.126.32.74
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.133
  • 20.190.160.67
whitelisted
clientservices.googleapis.com
  • 142.250.185.195
  • 172.217.16.195
whitelisted
clients2.google.com
  • 216.58.206.78
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.250.74.202
  • 142.250.185.106
  • 216.58.206.42
  • 142.250.184.202
  • 142.250.186.42
  • 142.250.186.138
  • 172.217.18.10
  • 142.250.184.234
  • 142.250.186.170
  • 216.58.206.74
  • 142.250.185.170
  • 172.217.16.138
  • 142.250.185.138
  • 142.250.185.74
  • 142.250.186.106
  • 142.250.186.74
  • 172.217.23.106
  • 172.217.18.106
whitelisted
accounts.google.com
  • 142.250.110.84
  • 64.233.167.84
whitelisted

Threats

No threats detected
Process | Message
2942043b0e15669544746e28e364f12bfa6485bc7432253af7f0e6c65b0299ed.bin.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
IObitUnlocker.exe | PostAction_Delete
IObitUnlocker.exe | FileCount:264
IObitUnlocker.exe | C:\ProgramData\Microsoft\Windows Defender--------
IObitUnlocker.exe | C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection--------
IObitUnlocker.exe | C:\ProgramData\Microsoft\Windows Security Health--------
IObitUnlocker.exe | C:\ProgramData\Microsoft\Storage Health--------
IObitUnlocker.exe | C:\Program Files\Windows Defender--------
IObitUnlocker.exe | C:\Program Files\Windows Defender Advanced Threat Protection--------
IObitUnlocker.exe | C:\Program Files\Windows Security--------