File name:	x318b10a24a51a601bb7209c69b593ac487b6c0a6e7d63a461048ce1fe506720a.exe
Full analysis:	https://app.any.run/tasks/e3b48f04-2fa9-4e82-9201-417f67ad77c8
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	May 24, 2026, 05:11:15
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	auto-sch stealc stealer auto-reg payload arch-doc nuitka amadey botnet python loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 7 sections
MD5:	7B82C72EC6FC0B5AF4B7FDCD6CB58D74
SHA1:	CA03E9B904DA6BE0891B3B816473720AAF261931
SHA256:	318B10A24A51A601BB7209C69B593AC487B6C0A6E7D63A461048CE1FE506720A
SSDEEP:	196608:jtFg5Phkd69LewhUMEUc4B3AAQKkYJuEpR+Nj0In:j7wkoZ0MEUc49AJ/YJhpRgAIn

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

MachineType:	AMD AMD64
TimeStamp:	2026:05:22 23:55:11+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	44032
InitializedDataSize:	20839424
UninitializedDataSize:	-
EntryPoint:	0x1718
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI


(PID) Process:	(4696) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000000800000000000000
(PID) Process:	(3580) ngbkpzuq.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3580) ngbkpzuq.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3580) ngbkpzuq.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(7724) tj38atmk.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Microsoft Windows Host
Value: C:\Users\admin\Pictures\svchost.exe
(PID) Process:	(8060) 5uyxm5fr.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	WindowsSvcHost
Value: C:\Users\admin\AppData\Local\Microsoft\WindowsApps\WindowsStore.Update.exe
(PID) Process:	(7760) zy8kr7t5.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Windows Defender Security
Value: C:\Users\admin\AppData\Local\Temp\zy8kr7t5.exe
(PID) Process:	(4960) zh3ri4au.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(4960) zh3ri4au.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(4960) zh3ri4au.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
2528	x318b10a24a51a601bb7209c69b593ac487b6c0a6e7d63a461048ce1fe506720a.exe	C:\Users\admin\AppData\Local\Temp\tj38atmk.exe		executable
		MD5:5FCF42E6A22A4675A1C2E22383B86C23	SHA256:DF4AA1196A8A025EACBCF0316A4F533B489F254BB260E7157FAD9556FE3C5925
2528	x318b10a24a51a601bb7209c69b593ac487b6c0a6e7d63a461048ce1fe506720a.exe	C:\Users\admin\AppData\Local\Temp\ngbkpzuq.exe		executable
		MD5:F87FD8891C767F0695E85728F238D33B	SHA256:EFE7EB517CC449CC7721C5C0ACFB8CF454F28FDF2F37C08854AAD4DEEFD7EDC9
7672	l7lm2ai3.exe	C:\Users\admin\AppData\Local\Temp\onefile_7672_134240730929644639\main.dll		—
		MD5:—	SHA256:—
7724	tj38atmk.exe	C:\Users\admin\AppData\Roaming\tpjdzj.exe		executable
		MD5:5FCF42E6A22A4675A1C2E22383B86C23	SHA256:DF4AA1196A8A025EACBCF0316A4F533B489F254BB260E7157FAD9556FE3C5925
7724	tj38atmk.exe	C:\Users\admin\Pictures\svchost.exe		executable
		MD5:5FCF42E6A22A4675A1C2E22383B86C23	SHA256:DF4AA1196A8A025EACBCF0316A4F533B489F254BB260E7157FAD9556FE3C5925
8060	5uyxm5fr.exe	C:\Users\admin\AppData\Local\Microsoft\WindowsApps\WindowsStore.Update.exe		executable
		MD5:6799A792D2300B35BFC489147492DF29	SHA256:145F510530196C995CBF79BD7D778560C5E24FD2D15A73D17506E94A480B23BF
2528	x318b10a24a51a601bb7209c69b593ac487b6c0a6e7d63a461048ce1fe506720a.exe	C:\Users\admin\AppData\Local\Temp\zy8kr7t5.exe		executable
		MD5:B6928A2C4FD7143AA8A9CC38CCF7CC3F	SHA256:767A3D3129DC01E7648B3A9E014A94E1AC523A6005445E0A4A2855D096BF9464
2528	x318b10a24a51a601bb7209c69b593ac487b6c0a6e7d63a461048ce1fe506720a.exe	C:\Users\admin\AppData\Local\Temp\zh3ri4au.exe		executable
		MD5:9B30BA53508BEF0740E68F11DB534553	SHA256:76411376CA672758780751C9D2D9B4EA23C101D32F61E03A3F3286EEDE9CA8FB
2528	x318b10a24a51a601bb7209c69b593ac487b6c0a6e7d63a461048ce1fe506720a.exe	C:\Users\admin\AppData\Local\Temp\5uyxm5fr.exe		executable
		MD5:6799A792D2300B35BFC489147492DF29	SHA256:145F510530196C995CBF79BD7D778560C5E24FD2D15A73D17506E94A480B23BF
4960	zh3ri4au.exe	C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\FTP Clients\FileZilla\layout.xml		xml
		MD5:4526724CD149C14EF9D37D86F825B9F7	SHA256:138167D8F03D48E88DA0AEC3DF38F723BC1895822F75660CCCB5E994814BEE90

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4968	kxxmu.exe	GET	200	62.60.226.159:80	http://62.60.226.159/uploads/rGJmtquOpsb.exe	GB	executable	251 Kb	malicious
4968	kxxmu.exe	POST	200	62.60.226.159:80	http://62.60.226.159/xvzpjyddlu/getdata.php	GB	—	—	malicious
3280	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl	US	binary	400 b	whitelisted
4968	kxxmu.exe	POST	200	62.60.226.159:80	http://62.60.226.159/xvzpjyddlu/getdata.php	GB	binary	50 b	malicious
4968	kxxmu.exe	GET	404	62.60.226.159:80	http://62.60.226.159/uplaods/OXaBlSZnTcE9.exe	GB	html	564 b	malicious
3280	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl	US	binary	814 b	whitelisted
3280	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	US	binary	400 b	whitelisted
3280	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl	US	binary	813 b	whitelisted
3280	svchost.exe	GET	200	88.221.169.152:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	US	binary	813 b	whitelisted
8044	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	NL	binary	825 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	48.209.133.15:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
—	—	128.24.231.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
8044	svchost.exe	23.216.77.28:80	crl.microsoft.com	AKAMAI-ASN1	NL	whitelisted
8044	svchost.exe	72.246.29.11:80	www.microsoft.com	AKAMAI-AS	US	whitelisted
5208	svchost.exe	48.209.133.15:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
2952	slui.exe	128.24.231.65:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3580	ngbkpzuq.exe	196.251.107.130:80	—	FEMOIT	GB	malicious
8044	svchost.exe	48.209.138.189:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
activation-v2.sls.microsoft.com	128.24.231.65	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	72.246.29.11 88.221.169.152	whitelisted
google.com	142.251.127.139 142.251.127.102 142.251.127.113 142.251.127.100 142.251.127.101 142.251.127.138	whitelisted
settings-win.data.microsoft.com	48.209.138.189	whitelisted
self.events.data.microsoft.com	52.168.117.175	whitelisted

PID	Process	Class	Message
3580	ngbkpzuq.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 45
4960	zh3ri4au.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
4960	zh3ri4au.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 9
4960	zh3ri4au.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Sending Screenshot in Archive via POST Request
2996	iijg3iv5.exe	Potentially Bad Traffic	PAYLOAD [ANY.RUN] XORed Windows executable has been loaded
4968	kxxmu.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
4968	kxxmu.exe	A Network Trojan was detected	MALWARE [ANY.RUN] Win32/Amadey associated URI (/xvzpjyddlu/getdata.php)
4968	kxxmu.exe	A Network Trojan was detected	ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET)
4968	kxxmu.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
4968	kxxmu.exe	A Network Trojan was detected	ET MALWARE Executable Downloaded From Common Payload Delivery Host (GET)

General Info

x318b10a24a51a601bb7209c69b593ac487b6c0a6e7d63a461048ce1fe506720a.exe

7B82C72EC6FC0B5AF4B7FDCD6CB58D74

CA03E9B904DA6BE0891B3B816473720AAF261931

318B10A24A51A601BB7209C69B593AC487B6C0A6E7D63A461048CE1FE506720A

196608:jtFg5Phkd69LewhUMEUc4B3AAQKkYJuEpR+Nj0In:j7wkoZ0MEUc49AJ/YJhpRgAIn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

STEALC has been detected

Changes the autorun value in the registry

Uses Task Scheduler to run other applications

Application was injected by another process

Runs injected code in another process

Changes the login/logoff helper path in the registry

AMADEY has been detected (SURICATA)

STEALC has been detected (SURICATA)

Stealers network behavior

SUSPICIOUS

Reads the date of Windows installation

Executable content was dropped or overwritten

Executable file located in non-executable user directories

The process creates files with name similar to system file names

Lists all scheduled tasks

The process executes files with name similar to system file names

Possible stealing of messenger data

Possible stealing from crypto wallets

Potential Corporate Privacy Violation

NUITKA compiler has been detected

Process drops python dynamic module

The process drops C-runtime libraries

Starts itself from another location

Application launched itself

The process executes via Task Scheduler

Starts CMD.EXE for commands execution

Loads Python modules

INFO

Reads security settings of Internet Explorer

Checks supported languages

Reads the computer name

Create files in a temporary directory

The sample compiled with english language support

Process checks computer location settings

Creates files or folders in the user directory

Launching a file from a Registry key

Manual execution by a user

Launching a file from Task Scheduler

Reads the machine GUID from the registry

Checks operating system version

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules