File name:

Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae

Full analysis: https://app.any.run/tasks/cb24eae7-c68f-4272-8660-62d580f74154
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 15:04:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
amadey
botnet
auto
generic
themida
rdp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

BA67EBE41EADEDCF2FFE70732CDDEBDD

SHA1:

BDCAC74E41251CB194F82BD2E9BE89BDFDE66C63

SHA256:

5622B7EF0CF5FD57C8D4C65F89188DBC06F328D72E489AE15E9C3ED86E91F9AE

SSDEEP:

98304:Wn2prnWLlseS/lb0ZyGc8u/a62NMPE1MMq2W+sdumP4S7GeN2sHO7ay9ha5BZlwv:3dQD54DRV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • R9c14.exe (PID: 3888)

    • AMADEY mutex has been found

      • 2w0935.exe (PID: 7012)
      • ramez.exe (PID: 4112)
      • ramez.exe (PID: 7264)
      • ramez.exe (PID: 2532)

    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 7736)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6972)
      • NSudoLG.exe (PID: 7736)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)
      • ramez.exe (PID: 4112)

    • AMADEY has been detected (SURICATA)

      • ramez.exe (PID: 4112)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 6972)

    • AMADEY has been detected (YARA)

      • ramez.exe (PID: 4112)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae.exe (PID: 4120)
      • R9c14.exe (PID: 3888)

    • Process drops legitimate windows executable

      • Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae.exe (PID: 4120)
      • cmd.exe (PID: 6972)

    • Executable content was dropped or overwritten

      • R9c14.exe (PID: 3888)
      • Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae.exe (PID: 4120)
      • 1q80B9.exe (PID: 5008)
      • 2w0935.exe (PID: 7012)
      • 7z.exe (PID: 8128)
      • Unlocker.exe (PID: 7612)
      • cmd.exe (PID: 6972)

    • Reads security settings of Internet Explorer

      • 1q80B9.exe (PID: 5008)
      • nircmd.exe (PID: 5512)
      • 2w0935.exe (PID: 7012)
      • ramez.exe (PID: 4112)
      • Unlocker.exe (PID: 8148)
      • Unlocker.exe (PID: 7612)
      • Unlocker.exe (PID: 3332)

    • Drops 7-zip archiver for unpacking

      • 1q80B9.exe (PID: 5008)

    • The process creates files with name similar to system file names

      • 1q80B9.exe (PID: 5008)

    • Starts CMD.EXE for commands execution

      • 1q80B9.exe (PID: 5008)
      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 5668)
      • NSudoLG.exe (PID: 5556)
      • nircmd.exe (PID: 5512)
      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 6972)
      • Unlocker.exe (PID: 8148)
      • Unlocker.exe (PID: 7612)
      • Unlocker.exe (PID: 3332)

    • Executing commands from a ".bat" file

      • 1q80B9.exe (PID: 5008)
      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 5668)
      • NSudoLG.exe (PID: 5556)
      • cmd.exe (PID: 5668)
      • nircmd.exe (PID: 5512)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6044)
      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 6972)

    • Application launched itself

      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 6972)

    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 5512)
      • NSudoLG.exe (PID: 5556)
      • NSudoLG.exe (PID: 7736)
      • Unlocker.exe (PID: 8148)
      • 7z.exe (PID: 8128)
      • Unlocker.exe (PID: 7612)
      • Unlocker.exe (PID: 3332)

    • Reads the BIOS version

      • 2w0935.exe (PID: 7012)
      • 3D66x.exe (PID: 5008)
      • ramez.exe (PID: 4112)
      • ramez.exe (PID: 7264)
      • ramez.exe (PID: 2532)

    • Reads the date of Windows installation

      • nircmd.exe (PID: 5512)
      • Unlocker.exe (PID: 8148)
      • Unlocker.exe (PID: 7612)
      • Unlocker.exe (PID: 3332)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 6972)

    • Get information on the list of running processes

      • cmd.exe (PID: 6972)
      • cmd.exe (PID: 680)

    • Starts itself from another location

      • 2w0935.exe (PID: 7012)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 7756)

    • Starts POWERSHELL.EXE for commands execution

      • NSudoLG.exe (PID: 7736)

    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 7736)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2196)
      • ramez.exe (PID: 4112)

    • Connects to the server without a host name

      • ramez.exe (PID: 4112)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 1348)
      • cmd.exe (PID: 7668)
      • cmd.exe (PID: 6972)
      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 4040)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6972)

    • Windows service management via SC.EXE

      • sc.exe (PID: 7564)
      • sc.exe (PID: 7588)
      • sc.exe (PID: 7308)
      • sc.exe (PID: 7516)
      • sc.exe (PID: 7720)
      • sc.exe (PID: 1164)
      • sc.exe (PID: 7968)
      • sc.exe (PID: 7324)
      • sc.exe (PID: 7736)
      • sc.exe (PID: 8064)
      • sc.exe (PID: 8132)
      • sc.exe (PID: 8048)
      • sc.exe (PID: 7364)
      • sc.exe (PID: 7332)
      • sc.exe (PID: 7552)
      • sc.exe (PID: 7348)
      • sc.exe (PID: 7480)
      • sc.exe (PID: 7536)
      • sc.exe (PID: 7680)
      • sc.exe (PID: 7700)
      • sc.exe (PID: 4868)
      • sc.exe (PID: 5776)
      • sc.exe (PID: 2580)
      • sc.exe (PID: 8156)
      • sc.exe (PID: 7412)
      • sc.exe (PID: 3896)
      • sc.exe (PID: 4756)
      • sc.exe (PID: 1580)
      • sc.exe (PID: 136)
      • sc.exe (PID: 5964)
      • sc.exe (PID: 6592)
      • sc.exe (PID: 7172)
      • sc.exe (PID: 456)
      • sc.exe (PID: 7244)
      • sc.exe (PID: 7992)
      • sc.exe (PID: 7952)
      • sc.exe (PID: 7636)
      • sc.exe (PID: 7236)
      • sc.exe (PID: 7240)
      • sc.exe (PID: 7368)
      • sc.exe (PID: 2552)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7336)
      • cmd.exe (PID: 7176)
      • cmd.exe (PID: 2984)

    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 7612)

    • Stops a currently running service

      • sc.exe (PID: 7852)
      • sc.exe (PID: 680)
      • sc.exe (PID: 8088)
      • sc.exe (PID: 856)
      • sc.exe (PID: 7460)
      • sc.exe (PID: 7508)
      • sc.exe (PID: 7732)
      • sc.exe (PID: 5556)
      • sc.exe (PID: 7420)
      • sc.exe (PID: 7380)
      • sc.exe (PID: 2088)
      • sc.exe (PID: 3100)
      • sc.exe (PID: 4488)
      • sc.exe (PID: 4920)
      • sc.exe (PID: 3156)
      • sc.exe (PID: 2424)
      • sc.exe (PID: 7660)

    • Creates or modifies Windows services

      • Unlocker.exe (PID: 7612)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 8044)
      • schtasks.exe (PID: 8060)
      • schtasks.exe (PID: 8116)
      • schtasks.exe (PID: 5304)
      • schtasks.exe (PID: 7800)

    • There is functionality for enable RDP (YARA)

      • ramez.exe (PID: 4112)

    • The process executes via Task Scheduler

      • ramez.exe (PID: 2532)
      • ramez.exe (PID: 7264)

  • INFO

    • Create files in a temporary directory

      • Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae.exe (PID: 4120)
      • R9c14.exe (PID: 3888)
      • 1q80B9.exe (PID: 5008)
      • 2w0935.exe (PID: 7012)
      • 7z.exe (PID: 8128)

    • Checks supported languages

      • Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae.exe (PID: 4120)
      • R9c14.exe (PID: 3888)
      • 1q80B9.exe (PID: 5008)
      • 2w0935.exe (PID: 7012)
      • chcp.com (PID: 4988)
      • nircmd.exe (PID: 5512)
      • chcp.com (PID: 2852)
      • NSudoLG.exe (PID: 5556)
      • 3D66x.exe (PID: 5008)
      • mode.com (PID: 1188)
      • ramez.exe (PID: 4112)
      • chcp.com (PID: 900)
      • NSudoLG.exe (PID: 7736)
      • 7z.exe (PID: 8128)
      • Unlocker.exe (PID: 8148)
      • Unlocker.exe (PID: 7612)
      • IObitUnlocker.exe (PID: 5352)
      • IObitUnlocker.exe (PID: 6676)
      • Unlocker.exe (PID: 3332)
      • ramez.exe (PID: 7264)
      • ramez.exe (PID: 2532)

    • The sample compiled with english language support

      • Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae.exe (PID: 4120)
      • 1q80B9.exe (PID: 5008)
      • Unlocker.exe (PID: 7612)
      • cmd.exe (PID: 6972)

    • Reads the computer name

      • 1q80B9.exe (PID: 5008)
      • nircmd.exe (PID: 5512)
      • 2w0935.exe (PID: 7012)
      • NSudoLG.exe (PID: 5556)
      • 3D66x.exe (PID: 5008)
      • ramez.exe (PID: 4112)
      • NSudoLG.exe (PID: 7736)
      • Unlocker.exe (PID: 8148)
      • 7z.exe (PID: 8128)
      • Unlocker.exe (PID: 7612)
      • IObitUnlocker.exe (PID: 5352)
      • IObitUnlocker.exe (PID: 6676)
      • Unlocker.exe (PID: 3332)

    • Process checks computer location settings

      • 1q80B9.exe (PID: 5008)
      • nircmd.exe (PID: 5512)
      • 2w0935.exe (PID: 7012)

    • Changes the display of characters in the console

      • cmd.exe (PID: 6044)
      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 6972)

    • NirSoft software is detected

      • nircmd.exe (PID: 5512)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 1188)

    • Checks operating system version

      • cmd.exe (PID: 6972)

    • Reads the machine GUID from the registry

      • 3D66x.exe (PID: 5008)
      • Unlocker.exe (PID: 8148)
      • Unlocker.exe (PID: 7612)
      • Unlocker.exe (PID: 3332)

    • Reads the software policy settings

      • 3D66x.exe (PID: 5008)
      • slui.exe (PID: 7588)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7756)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7756)

    • Checks proxy server information

      • ramez.exe (PID: 4112)
      • slui.exe (PID: 7588)

    • Themida protector has been detected

      • ramez.exe (PID: 4112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Amadey

(PID) Process(4112) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)lv:
msi
Kaspersky Lab
av:
|
#
"
\App
00000422
dm:
Powershell.exe
ProgramData\
ps1
rundll32
http://
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
id:
VideoID
cred.dll|clip.dll|
0000043f
cmd
00000423
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
------
2016
og:
\0000
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
+++
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/quiet
.jpg
d610cf342e
vs:
sd:
rundll32.exe
"taskkill /f /im "
pc:
random
=
360TotalSecurity
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
os:
https://
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
Avira
%-lu
zip
POST
" Content-Type: application/octet-stream
Rem
/te4h2nus/index.php
------
5.34
<c>
clip.dll
AVAST Software
\
shell32.dll
" && ren
e3
ramez.exe
kernel32.dll
DefaultSettings.XResolution
d1
DefaultSettings.YResolution
185.156.72.96
r=
cred.dll
--
GetNativeSystemInfo
-%lu
ComputerName
&unit=
Keyboard Layout\Preload
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ar:
Sophos
%USERPROFILE%
exe
e1
e2
st=s
Programs
0123456789
un:
rb
bi:
abcdefghijklmnopqrstuvwxyz0123456789-_
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
cmd /C RMDIR /s/q
Bitdefender
-unicode-
AVG
WinDefender
&&
shutdown -s -t 0
Comodo
00000419
Content-Type: application/x-www-form-urlencoded
/Plugins/
Main
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:24 22:49:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.13
CodeSize: 25600
InitializedDataSize: 6471168
UninitializedDataSize: -
EntryPoint: 0x6a60
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.17763.1
ProductVersionNumber: 11.0.17763.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.17763.1
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
318
Monitored processes
189
Malicious processes
15
Suspicious processes
6

Behavior graph

Click at the process to see the details
start sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae.exe #GENERIC r9c14.exe 1q80b9.exe cmd.exe no specs conhost.exe no specs 2w0935.exe cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs cmd.exe conhost.exe no specs #AMADEY ramez.exe chcp.com no specs 3d66x.exe reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs #LUMMA svchost.exe conhost.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs 7z.exe unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs find.exe no specs sc.exe no specs sc.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs iobitunlocker.exe no specs iobitunlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs ramez.exe no specs slui.exe ramez.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
136sc config "SgrmAgent" start= disabled C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
140taskkill /f /pid "3332"C:\Windows\System32\taskkill.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Terminates Processes
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
456sc config "MsSecFlt" start= disabled C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
616reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" C:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
664find /i "0x0" C:\Windows\System32\find.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
680C:\WINDOWS\system32\cmd.exe /c tasklistC:\Windows\System32\cmd.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
680sc stop "WdNisSvc" C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
856sc stop IObitUnlocker C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
900chcp 65001 C:\Windows\System32\chcp.comcmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Change CodePage Utility
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\chcp.com
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
1040\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
17 981
Read events
17 836
Write events
13
Delete events
132

Modification events

(PID) Process:(5008) 1q80B9.exeKey:HKEY_CURRENT_USER\SOFTWARE\Enigma Protector\BB3DF1FDBB935E9B-50AFA6E27F8A32AF\1D23E801FF916F1C-DF69CE3484AE41BB
Operation:writeName:AEF6E8B3
Value:
131F8A4BC3DE68A2588FC5B83747
(PID) Process:(4268) reg.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize
Operation:writeName:AppsUseLightTheme
Value:
0
(PID) Process:(5512) nircmd.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process:(5512) nircmd.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process:(4268) reg.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize
Operation:writeName:AppsUseLightTheme
Value:
0
(PID) Process:(4112) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4112) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4112) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(8148) Unlocker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\DK
Operation:writeName:CurrentDiskSize
Value:
228903297024
(PID) Process:(7612) Unlocker.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker
Operation:writeName:Type
Value:
1
Executable files
15
Suspicious files
6
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
4120Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\3D66x.exeexecutable
MD5:5D4FC9BDB1645D3471FFF4B264A9AE37
SHA256:795FC149A846A08473EC9F574AAB38B91730908EA1DB607713A6FCAC714CF333
4120Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\R9c14.exeexecutable
MD5:A7827C132746CC543CCC84FD11F9C748
SHA256:25EF9F80B435140485DB776D76B7B24FC95153BFA0505B1AE44093BCD66E06F8
50081q80B9.exeC:\Users\admin\AppData\Local\Temp\Work\7z.exeexecutable
MD5:426CCB645E50A3143811CFA0E42E2BA6
SHA256:CF878BFBD9ED93DC551AC038AFF8A8BBA4C935DDF8D48E62122BDDFDB3E08567
70122w0935.exeC:\Windows\Tasks\ramez.jobbinary
MD5:E11B5BD6CB24AE4668FB96B40B9B57A1
SHA256:B0C08A784BE15A2AFEECBC624746CC427CD46743FE16E6A37B803D9103BF1D37
50081q80B9.exeC:\Users\admin\AppData\Local\Temp\Work\nircmd.exeexecutable
MD5:4A9DA765FD91E80DECFD2C9FE221E842
SHA256:2E81E048AB419FDC6E5F4336A951BD282ED6B740048DC38D7673678EE3490CDA
50081q80B9.exeC:\Users\admin\AppData\Local\Temp\34.battext
MD5:350D172630B12F10564C78EEF37E3F95
SHA256:73BC1BD40DCB68AC6DBF25FFB5E0B708F43FD4CA8A17D08647EEB89641B37062
7756powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_key054cm.z0y.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3888R9c14.exeC:\Users\admin\AppData\Local\Temp\IXP001.TMP\1q80B9.exeexecutable
MD5:117E92EFAEB6E9CE06D12865A522E455
SHA256:B14707AAEBB5AEDA520E63A3B327F3A14CAE0B477FC20E4F6906358BC3880A82
81287z.exeC:\Users\admin\AppData\Local\Temp\Work\Unlocker.exeexecutable
MD5:49C7A62751050E4B46822CE25AF57E6F
SHA256:2EA997FB5896EBD2CBBCDEA7995DBB871F2358BF0BFF9470801845879506CE44
7612Unlocker.exeC:\Windows\Temp\IObitUnlocker\IObitUnlocker.dllexecutable
MD5:2C6233C8DBC560027EE1427F5413E4B1
SHA256:37D2A1626DC205D60F0BEC8746AB256569267E4EF2F8F84DFF4D9D792AA3AF30
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
25
DNS requests
17
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4112
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
malicious
2104
svchost.exe
GET
200
23.52.120.96:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4112
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.52.120.96:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5008
3D66x.exe
23.212.216.106:443
steamcommunity.com
AKAMAI-AS
AU
whitelisted
4112
ramez.exe
185.156.72.96:80
Tov Vaiz Partner
RU
malicious
5280
slui.exe
40.91.76.224:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
whitelisted
www.microsoft.com
  • 23.52.120.96
whitelisted
vecturar.top
malicious
stuffgull.top
malicious
ariosefqcu.shop
malicious
homewappzb.top
malicious
tortoisgfe.top
malicious
descenrugb.bet
malicious

Threats

PID
Process
Class
Message
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (vecturar .top)
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vecturar .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (descenrugb .bet)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (onemiltxny .shop)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stuffgull .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (homewappzb .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tortoisgfe .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ariosefqcu .shop)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (octalfbsh .bet)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sigmanly_5622b7ef0cf5fd57c8d4c65f89188dbc06f328d72e489ae15e9c3ed86e91f9ae