File name: 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe

Full analysis: https://app.any.run/tasks/216226f3-1cce-4b26-9170-e4031cdb7422
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: July 16, 2025, 18:55:31
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: amadey, botnet, stealer, rdp, arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: D842B6FC34ED57A71F893ABB0CF03DBA
SHA1: 45EE2C2EC4FB1E68A5DD29A0FE53AB43C014E7AC
SHA256: 38815FF6AC44A26A21FCC6975003AF8E5D279A2AD393ABDC7B05207DF5942F9E
SSDEEP: 98304:byi3gVdIBB1i3b0t+0G41F+coKogj0YjlPuxNc64MGwQtaPzMRB2yDxIRoLFJvHe:N+gnK/q8d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 2028)
    • AMADEY mutex has been found

      • XHcy7FYl.exe (PID: 5808)
      • suker.exe (PID: 4100)
      • suker.exe (PID: 2456)
      • suker.exe (PID: 6540)
      • suker.exe (PID: 1440)
    • Bypasses execution policy to execute commands

      • powershell.exe (PID: 5416)
    • Changes powershell execution policy (Bypass)

      • cmd.exe (PID: 4320)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 1160)
      • NSudoLG.exe (PID: 1156)
    • AMADEY has been detected (SURICATA)

      • suker.exe (PID: 4100)
    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 1156)
    • Connects to the CnC server

      • suker.exe (PID: 4100)
    • AMADEY has been detected (YARA)

      • suker.exe (PID: 4100)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe (PID: 4044)
      • lzq6cnNx.exe (PID: 640)
      • XHcy7FYl.exe (PID: 5808)
      • nircmd.exe (PID: 32)
      • suker.exe (PID: 4100)
      • Unlocker.exe (PID: 5968)
      • Unlocker.exe (PID: 4844)
      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 7020)
      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
    • Drops 7-zip archiver for unpacking

      • 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe (PID: 4044)
      • lzq6cnNx.exe (PID: 640)
    • Executable content was dropped or overwritten

      • 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe (PID: 4044)
      • wmJkE0yM.exe (PID: 5248)
      • lzq6cnNx.exe (PID: 640)
      • XHcy7FYl.exe (PID: 5808)
      • 7z.exe (PID: 4552)
      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 4844)
      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
    • Starts CMD.EXE for commands execution

      • yCrZp7m6.exe (PID: 1632)
      • lzq6cnNx.exe (PID: 640)
      • nircmd.exe (PID: 32)
      • NSudoLG.exe (PID: 5288)
      • cmd.exe (PID: 1160)
      • Unlocker.exe (PID: 5968)
      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 4844)
      • Unlocker.exe (PID: 7020)
      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
    • The process creates files with name similar to system file names

      • lzq6cnNx.exe (PID: 640)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 4320)
      • NSudoLG.exe (PID: 1156)
    • The process bypasses the loading of PowerShell profile settings

      • cmd.exe (PID: 4320)
    • Executing commands from a ".bat" file

      • lzq6cnNx.exe (PID: 640)
      • nircmd.exe (PID: 32)
      • NSudoLG.exe (PID: 5288)
    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 6796)
      • nircmd.exe (PID: 32)
      • nircmd.exe (PID: 768)
      • nircmd.exe (PID: 5808)
      • NSudoLG.exe (PID: 5288)
      • NSudoLG.exe (PID: 1156)
      • 7z.exe (PID: 4552)
      • Unlocker.exe (PID: 5968)
      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 4844)
      • Unlocker.exe (PID: 7020)
      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
    • Starts application with an unusual extension

      • cmd.exe (PID: 6236)
      • cmd.exe (PID: 1160)
      • cmd.exe (PID: 4200)
    • Reads the date of Windows installation

      • nircmd.exe (PID: 32)
      • Unlocker.exe (PID: 5968)
      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 4844)
      • Unlocker.exe (PID: 7020)
      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
    • Starts itself from another location

      • XHcy7FYl.exe (PID: 5808)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4200)
      • cmd.exe (PID: 1160)
    • Gets information on the list of running processes

      • cmd.exe (PID: 6936)
      • cmd.exe (PID: 1160)
    • Application launched itself

      • cmd.exe (PID: 1160)
    • Contacting a server suspected of hosting a CnC

      • suker.exe (PID: 4100)
    • Connects to the server without a host name

      • suker.exe (PID: 4100)
    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 1156)
    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 2148)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 1160)
    • There is functionality for enabling RDP (YARA)

      • suker.exe (PID: 4100)
    • There is functionality for taking screenshot (YARA)

      • suker.exe (PID: 4100)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 5240)
      • cmd.exe (PID: 1156)
      • cmd.exe (PID: 4164)
      • cmd.exe (PID: 3576)
      • cmd.exe (PID: 1028)
      • cmd.exe (PID: 5952)
      • cmd.exe (PID: 5032)
      • cmd.exe (PID: 4372)
      • cmd.exe (PID: 2528)
      • cmd.exe (PID: 1944)
      • cmd.exe (PID: 4788)
      • cmd.exe (PID: 1160)
      • cmd.exe (PID: 952)
    • Windows service management via SC.EXE

      • sc.exe (PID: 1204)
      • sc.exe (PID: 1828)
      • sc.exe (PID: 1740)
      • sc.exe (PID: 5952)
      • sc.exe (PID: 6236)
      • sc.exe (PID: 5400)
      • sc.exe (PID: 6472)
      • sc.exe (PID: 3540)
      • sc.exe (PID: 3840)
      • sc.exe (PID: 2076)
      • sc.exe (PID: 1624)
      • sc.exe (PID: 1712)
      • sc.exe (PID: 6872)
      • sc.exe (PID: 6836)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3940)
      • cmd.exe (PID: 5032)
      • cmd.exe (PID: 6976)
      • cmd.exe (PID: 424)
      • cmd.exe (PID: 6228)
    • Stops a currently running service

      • sc.exe (PID: 640)
      • sc.exe (PID: 3400)
      • sc.exe (PID: 6372)
      • sc.exe (PID: 6180)
      • sc.exe (PID: 4528)
      • sc.exe (PID: 3852)
    • Creates or modifies Windows services

      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 7020)
      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 4844)
      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 1160)
    • The process verifies whether the antivirus software is installed

      • IObitUnlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 4844)
      • IObitUnlocker.exe (PID: 2380)
      • Unlocker.exe (PID: 4168)
      • IObitUnlocker.exe (PID: 4860)
    • The process executes via Task Scheduler

      • suker.exe (PID: 2456)
      • suker.exe (PID: 6540)
      • suker.exe (PID: 1440)
    • Executes application which crashes

      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
  • INFO

    • Reads the computer name

      • 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe (PID: 4044)
      • wmJkE0yM.exe (PID: 5248)
      • lzq6cnNx.exe (PID: 640)
      • XHcy7FYl.exe (PID: 5808)
      • nircmd.exe (PID: 32)
      • suker.exe (PID: 4100)
      • NSudoLG.exe (PID: 5288)
      • NSudoLG.exe (PID: 1156)
      • 7z.exe (PID: 4552)
      • Unlocker.exe (PID: 5968)
      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 4844)
      • IObitUnlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 7020)
      • IObitUnlocker.exe (PID: 4692)
      • Unlocker.exe (PID: 4168)
      • IObitUnlocker.exe (PID: 4860)
      • IObitUnlocker.exe (PID: 2380)
      • Unlocker.exe (PID: 5300)
    • Checks supported languages

      • 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe (PID: 4044)
      • yCrZp7m6.exe (PID: 1632)
      • wmJkE0yM.exe (PID: 5248)
      • lzq6cnNx.exe (PID: 640)
      • XHcy7FYl.exe (PID: 5808)
      • chcp.com (PID: 4232)
      • nircmd.exe (PID: 32)
      • nircmd.exe (PID: 768)
      • nircmd.exe (PID: 6796)
      • suker.exe (PID: 4100)
      • chcp.com (PID: 2400)
      • NSudoLG.exe (PID: 5288)
      • nircmd.exe (PID: 5808)
      • chcp.com (PID: 4400)
      • NSudoLG.exe (PID: 1156)
      • mode.com (PID: 6164)
      • 7z.exe (PID: 4552)
      • Unlocker.exe (PID: 5968)
      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 4844)
      • IObitUnlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 7020)
      • suker.exe (PID: 2456)
      • IObitUnlocker.exe (PID: 4692)
      • Unlocker.exe (PID: 4168)
      • IObitUnlocker.exe (PID: 2380)
      • suker.exe (PID: 6540)
      • IObitUnlocker.exe (PID: 4860)
      • Unlocker.exe (PID: 5300)
      • suker.exe (PID: 1440)
    • Process checks computer location settings

      • 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe (PID: 4044)
      • lzq6cnNx.exe (PID: 640)
      • XHcy7FYl.exe (PID: 5808)
      • nircmd.exe (PID: 32)
    • The sample was compiled with English language support

      • 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe (PID: 4044)
      • lzq6cnNx.exe (PID: 640)
      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 4844)
      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
    • Reads mouse settings

      • yCrZp7m6.exe (PID: 1632)
    • Creates files in a temporary directory

      • lzq6cnNx.exe (PID: 640)
      • XHcy7FYl.exe (PID: 5808)
      • 7z.exe (PID: 4552)
    • NirSoft software is detected

      • nircmd.exe (PID: 6796)
      • nircmd.exe (PID: 768)
      • nircmd.exe (PID: 32)
      • nircmd.exe (PID: 5808)
    • Changes the display of characters in the console

      • cmd.exe (PID: 6236)
      • cmd.exe (PID: 4200)
      • cmd.exe (PID: 1160)
    • Checks proxy server information

      • suker.exe (PID: 4100)
      • slui.exe (PID: 5352)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 6164)
    • Checks operating system version

      • cmd.exe (PID: 1160)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5416)
      • powershell.exe (PID: 2148)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2148)
    • Reads the machine GUID from the registry

      • Unlocker.exe (PID: 5968)
      • Unlocker.exe (PID: 1932)
      • Unlocker.exe (PID: 4844)
      • Unlocker.exe (PID: 7020)
      • Unlocker.exe (PID: 4168)
      • Unlocker.exe (PID: 5300)
    • Manual execution by a user

      • IObitUnlocker.exe (PID: 6556)
      • IObitUnlocker.exe (PID: 4692)
    • Creates files in the program directory

      • IObitUnlocker.exe (PID: 4692)
    • Reads the software policy settings

      • WerFault.exe (PID: 2708)
      • slui.exe (PID: 5352)
      • WerFault.exe (PID: 1964)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report

Amadey

Process: suker.exe (PID 4100)
C2: 176.46.157.50
URL: http://176.46.157.50/tu3d2rom/index.php
Version: 5.50
Options:
Drop directory: bd4cae89c3
Drop name: suker.exe
Strings (125):
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:03:03 13:15:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.3
CodeSize: 203776
InitializedDataSize: 77312
UninitializedDataSize: -
EntryPoint: 0x1f530
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 295
Monitored processes: 146
Malicious processes: 21
Suspicious processes: 7


Process information

Fields per entry: PID, CMD, Path, Indicators, Parent process
PID: 32
CMD: nircmd elevate "C:\Users\admin\AppData\Local\Temp\uIGUTnt.bat" any_word
Path: C:\Users\admin\AppData\Local\Temp\Work\nircmd.exe
Parent process: cmd.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: NirCmd
Exit code: 0
Version: 2.87
Modules (images):
c:\users\admin\appdata\local\temp\work\nircmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
PID: 424
CMD: "C:\Windows\System32\cmd.exe" /c taskkill /f /pid "4168"
Path: C:\Windows\System32\cmd.exe
Parent process: Unlocker.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 516
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 620
CMD: reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 640
CMD: "C:\IyJ3kk9\lzq6cnNx.exe"
Path: C:\IyJ3kk9\lzq6cnNx.exe
Parent process: yCrZp7m6.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\iyj3kk9\lzq6cnnx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 640
CMD: sc stop IObitUnlocker
Path: C:\Windows\System32\sc.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Service Control Manager Configuration Tool
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
PID: 768
CMD: nircmd win min process "cmd.exe"
Path: C:\Users\admin\AppData\Local\Temp\Work\nircmd.exe
Parent process: cmd.exe
User: admin
Company: NirSoft
Integrity Level: HIGH
Description: NirCmd
Exit code: 0
Version: 2.87
Modules (images):
c:\users\admin\appdata\local\temp\work\nircmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 952
CMD: taskkill /f /pid "4168"
Path: C:\Windows\System32\taskkill.exe
Parent process: cmd.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Terminates Processes
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 952
CMD: "C:\Windows\System32\cmd.exe" /c sc stop IObitUnlocker & sc delete IObitUnlocker
Path: C:\Windows\System32\cmd.exe
Parent process: Unlocker.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Command Processor
Exit code: 1060
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID: 984
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events: 34 772
Read events: 34 706
Write events: 60
Delete events: 6

Modification events

Process: nircmd.exe (PID 32)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor

Process: nircmd.exe (PID 32)
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation: write
Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation

Process: suker.exe (PID 4100)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: suker.exe (PID 4100)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: suker.exe (PID 4100)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: reg.exe (PID 3028)
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize
Operation: write
Name: AppsUseLightTheme
Value: 0

Process: reg.exe (PID 6756)
Key: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize
Operation: write
Name: AppsUseLightTheme
Value: 0

Process: Unlocker.exe (PID 5968)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\DK
Operation: write
Name: CurrentDiskSize
Value: 228533219328

Process: Unlocker.exe (PID 1932)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker
Operation: write
Name: Type
Value: 1

Process: Unlocker.exe (PID 1932)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker
Operation: write
Name: Start
Value: 3
Executable files: 22
Suspicious files: 8
Text files: 16
Unknown types: 4

Dropped files

PID | Process | Filename | Type

4044 | 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe | C:\IyJ3kk9\yCrZp7m6.exe | executable
MD5: 688E5E0AD8B46093CCA08CD8AB5F095F
SHA256: F4FA60280D82CE377358192C9B65D8739A22E30792BA01E9CDA465CEBA4E1A3F

640 | lzq6cnNx.exe | C:\Users\admin\AppData\Local\Temp\Work\7z.exe | executable
MD5: 426CCB645E50A3143811CFA0E42E2BA6
SHA256: CF878BFBD9ED93DC551AC038AFF8A8BBA4C935DDF8D48E62122BDDFDB3E08567

5808 | XHcy7FYl.exe | C:\Users\admin\AppData\Local\Temp\bd4cae89c3\suker.exe | executable
MD5: A5E6484EEF2B273591AD13582EB657DE
SHA256: 93B52C63C8EA6E739CB32F1CCEDCD96C0ED769E06A5FBA5A1BDD5BBE9EB44999

5416 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_52fezfe5.xnf.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

5416 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sncdbs44.fsr.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7

640 | lzq6cnNx.exe | C:\Users\admin\AppData\Local\Temp\Work\DKT.zip | compressed
MD5: CDEB126FF3F5BB9E843B4F16D7352755
SHA256: 8C997A6CF3DB494BEBC7D2E518F3260475A57AD22DA492B94BC313D02227AB2A

4044 | 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe | C:\IyJ3kk9\wmJkE0yM.exe | executable
MD5: 426CCB645E50A3143811CFA0E42E2BA6
SHA256: CF878BFBD9ED93DC551AC038AFF8A8BBA4C935DDF8D48E62122BDDFDB3E08567

640 | lzq6cnNx.exe | C:\Users\admin\AppData\Local\Temp\Work\nircmd.exe | executable
MD5: 4A9DA765FD91E80DECFD2C9FE221E842
SHA256: 2E81E048AB419FDC6E5F4336A951BD282ED6B740048DC38D7673678EE3490CDA

640 | lzq6cnNx.exe | C:\Users\admin\AppData\Local\Temp\Work\cecho.exe | executable
MD5: E783BC59D0ED6CFBD8891F94AE23D1B3
SHA256: 5C1211559DDA10592CFEDD57681F18F4A702410816D36EDA95AEE6C74E3C6A47

4044 | 38815ff6ac44a26a21fcc6975003af8e5d279a2ad393abdc7b05207df5942f9e.bin.exe | C:\IyJ3kk9\HPhhUus4.zip | compressed
MD5: AE7381F213543A4C567D69F5AD2D4F92
SHA256: EBCE9C3BF3A4482E275A96516E90A0AA9EF49940BBDDCB4993332C3F3AAC1F25
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 48
TCP/UDP connections: 69
DNS requests: 24
Threats: 3

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7032 | RUXIMICS.exe | GET | 200 | 23.216.77.8:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
7032 | RUXIMICS.exe | GET | 200 | 23.32.97.216:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4100 | suker.exe | POST | 200 | 176.46.157.50:80 | http://176.46.157.50/tu3d2rom/index.php | unknown | - | - | malicious
4100 | suker.exe | POST | 200 | 176.46.157.50:80 | http://176.46.157.50/tu3d2rom/index.php | unknown | - | - | malicious
- | - | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 20.190.160.3:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
7032 | RUXIMICS.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.216.77.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.216.77.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7032 | RUXIMICS.exe | 23.216.77.8:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.32.97.216:80 | www.microsoft.com | AKAMAI-AS | SE | whitelisted
1268 | svchost.exe | 23.32.97.216:80 | www.microsoft.com | AKAMAI-AS | SE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 142.250.186.174 | whitelisted
crl.microsoft.com | 23.216.77.8, 23.216.77.11, 23.216.77.21, 23.216.77.12, 23.216.77.20, 23.216.77.18, 23.216.77.13, 23.216.77.16, 23.216.77.15, 23.55.110.211, 23.55.110.193 | whitelisted
www.microsoft.com | 23.32.97.216, 72.246.169.155 | whitelisted
settings-win.data.microsoft.com | 51.124.78.146, 20.73.194.208, 51.104.136.2 | whitelisted
login.live.com | 20.190.159.64, 40.126.31.2, 40.126.31.1, 20.190.159.128, 40.126.31.129, 20.190.159.130, 20.190.159.4, 40.126.31.3 | whitelisted
self.events.data.microsoft.com | 40.79.173.40 | whitelisted
client.wns.windows.com | 172.211.123.248, 172.211.123.250 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted
slscr.update.microsoft.com | 172.202.163.200, 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted

Threats

PID | Process | Class | Message
4100 | suker.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 33
4100 | suker.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
4100 | suker.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response

Process | Message
IObitUnlocker.exe | PostAction_Delete
IObitUnlocker.exe | FileCount:280
IObitUnlocker.exe | C:\ProgramData\Microsoft\Windows Defender--------
IObitUnlocker.exe | C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection--------
IObitUnlocker.exe | C:\ProgramData\Microsoft\Windows Security Health--------
IObitUnlocker.exe | C:\ProgramData\Microsoft\Storage Health--------
IObitUnlocker.exe | C:\Program Files\Windows Defender--------
IObitUnlocker.exe | C:\Program Files\Windows Defender Advanced Threat Protection--------
IObitUnlocker.exe | C:\Program Files\Windows Security--------
IObitUnlocker.exe | C:\Program Files\PCHealthCheck--------