File name:

ab7c7484fc2615fea7cb9ffe0fc30416.exe

Full analysis: https://app.any.run/tasks/b8a54158-0fa1-4441-8423-721ef9237d1c
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: May 17, 2025, 14:37:46
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
themida
loader
amadey
botnet
rdp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

AB7C7484FC2615FEA7CB9FFE0FC30416

SHA1:

C11B0C9DE38D4B8873D9FCEA471B53F87BC1CB33

SHA256:

5CDC51B9038AC44A9A44EC9F85082006BA9AA81DFDF4F41CA2FB0D3E31FF3A93

SSDEEP:

98304:NET4lMFz5skdb7+yn/vWebS0qCp2aukURN+jC6JZgF3yyKNRZvTb/mVHrx3vbXp9:NkZF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)

    • LUMMA mutex has been found

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)
      • ramez.exe (PID: 6132)

    • Steals credentials from Web Browsers

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)

    • LUMMA has been detected (YARA)

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)

    • Actions looks like stealing of personal data

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)

    • AMADEY mutex has been found

      • ramez.exe (PID: 6132)
      • TNWUOCL3NY61T4TY4.exe (PID: 8084)
      • ramez.exe (PID: 1228)
      • ramez.exe (PID: 6248)

    • AMADEY has been detected (YARA)

      • ramez.exe (PID: 6132)

    • AMADEY has been detected (SURICATA)

      • ramez.exe (PID: 6132)

  • SUSPICIOUS

    • Reads the BIOS version

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)
      • TNWUOCL3NY61T4TY4.exe (PID: 8084)
      • ramez.exe (PID: 6132)
      • ramez.exe (PID: 1228)
      • ramez.exe (PID: 6248)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2196)
      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)
      • ramez.exe (PID: 6132)

    • Searches for installed software

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)

    • Process requests binary or script from the Internet

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)

    • Connects to the server without a host name

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)
      • ramez.exe (PID: 6132)

    • Potential Corporate Privacy Violation

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)

    • Executable content was dropped or overwritten

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)
      • TNWUOCL3NY61T4TY4.exe (PID: 8084)

    • Reads security settings of Internet Explorer

      • TNWUOCL3NY61T4TY4.exe (PID: 8084)
      • ramez.exe (PID: 6132)

    • Starts itself from another location

      • TNWUOCL3NY61T4TY4.exe (PID: 8084)

    • There is functionality for enable RDP (YARA)

      • ramez.exe (PID: 6132)

    • The process executes via Task Scheduler

      • ramez.exe (PID: 1228)
      • ramez.exe (PID: 6248)

  • INFO

    • Checks supported languages

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)
      • TNWUOCL3NY61T4TY4.exe (PID: 8084)
      • ramez.exe (PID: 6132)
      • ramez.exe (PID: 1228)
      • ramez.exe (PID: 6248)

    • Reads the computer name

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)
      • TNWUOCL3NY61T4TY4.exe (PID: 8084)
      • ramez.exe (PID: 6132)

    • Reads the software policy settings

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)
      • slui.exe (PID: 1812)

    • Reads the machine GUID from the registry

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)

    • Themida protector has been detected

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)
      • ramez.exe (PID: 6132)

    • Create files in a temporary directory

      • ab7c7484fc2615fea7cb9ffe0fc30416.exe (PID: 7428)
      • TNWUOCL3NY61T4TY4.exe (PID: 8084)

    • Process checks computer location settings

      • TNWUOCL3NY61T4TY4.exe (PID: 8084)

    • Checks proxy server information

      • ramez.exe (PID: 6132)
      • slui.exe (PID: 1812)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(7428) ab7c7484fc2615fea7cb9ffe0fc30416.exe
C2 (9)onehunqpom.life/zpxd
narrathfpt.top/tekq
featurlyin.top/pdal
overcovtcg.top/juhd
laminaflbx.shop/twoq
cornerdurv.top/adwq
posseswsnc.top/akds
jackthyfuc.run/xpas
blackswmxc.top/bgry

Amadey

(PID) Process(6132) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)lv:
msi
Kaspersky Lab
av:
|
#
"
\App
00000422
dm:
Powershell.exe
ProgramData\
ps1
rundll32
http://
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
id:
VideoID
cred.dll|clip.dll|
0000043f
cmd
00000423
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
------
2016
og:
\0000
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
+++
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/quiet
.jpg
d610cf342e
vs:
sd:
rundll32.exe
"taskkill /f /im "
pc:
random
=
360TotalSecurity
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
os:
https://
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
Avira
%-lu
zip
POST
" Content-Type: application/octet-stream
Rem
/te4h2nus/index.php
------
5.34
<c>
clip.dll
AVAST Software
\
shell32.dll
" && ren
e3
ramez.exe
kernel32.dll
DefaultSettings.XResolution
d1
DefaultSettings.YResolution
185.156.72.96
r=
cred.dll
--
GetNativeSystemInfo
-%lu
ComputerName
&unit=
Keyboard Layout\Preload
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ar:
Sophos
%USERPROFILE%
exe
e1
e2
st=s
Programs
0123456789
un:
rb
bi:
abcdefghijklmnopqrstuvwxyz0123456789-_
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
cmd /C RMDIR /s/q
Bitdefender
-unicode-
AVG
WinDefender
&&
shutdown -s -t 0
Comodo
00000419
Content-Type: application/x-www-form-urlencoded
/Plugins/
Main
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:15 15:45:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 322560
InitializedDataSize: 38400
UninitializedDataSize: -
EntryPoint: 0x494000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
133
Monitored processes
7
Malicious processes
6
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #LUMMA ab7c7484fc2615fea7cb9ffe0fc30416.exe #LUMMA svchost.exe tnwuocl3ny61t4ty4.exe #AMADEY ramez.exe slui.exe ramez.exe no specs ramez.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1228"C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe"C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\d610cf342e\ramez.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
1812C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6132"C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe" C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe
TNWUOCL3NY61T4TY4.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\d610cf342e\ramez.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Amadey
(PID) Process(6132) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)lv:
msi
Kaspersky Lab
av:
|
#
"
\App
00000422
dm:
Powershell.exe
ProgramData\
ps1
rundll32
http://
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
id:
VideoID
cred.dll|clip.dll|
0000043f
cmd
00000423
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
------
2016
og:
\0000
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
+++
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/quiet
.jpg
d610cf342e
vs:
sd:
rundll32.exe
"taskkill /f /im "
pc:
random
=
360TotalSecurity
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
os:
https://
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
Avira
%-lu
zip
POST
" Content-Type: application/octet-stream
Rem
/te4h2nus/index.php
------
5.34
<c>
clip.dll
AVAST Software
\
shell32.dll
" && ren
e3
ramez.exe
kernel32.dll
DefaultSettings.XResolution
d1
DefaultSettings.YResolution
185.156.72.96
r=
cred.dll
--
GetNativeSystemInfo
-%lu
ComputerName
&unit=
Keyboard Layout\Preload
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ar:
Sophos
%USERPROFILE%
exe
e1
e2
st=s
Programs
0123456789
un:
rb
bi:
abcdefghijklmnopqrstuvwxyz0123456789-_
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
cmd /C RMDIR /s/q
Bitdefender
-unicode-
AVG
WinDefender
&&
shutdown -s -t 0
Comodo
00000419
Content-Type: application/x-www-form-urlencoded
/Plugins/
Main
6248"C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe"C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\d610cf342e\ramez.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
7428"C:\Users\admin\Desktop\ab7c7484fc2615fea7cb9ffe0fc30416.exe" C:\Users\admin\Desktop\ab7c7484fc2615fea7cb9ffe0fc30416.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\ab7c7484fc2615fea7cb9ffe0fc30416.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Lumma
(PID) Process(7428) ab7c7484fc2615fea7cb9ffe0fc30416.exe
C2 (9)onehunqpom.life/zpxd
narrathfpt.top/tekq
featurlyin.top/pdal
overcovtcg.top/juhd
laminaflbx.shop/twoq
cornerdurv.top/adwq
posseswsnc.top/akds
jackthyfuc.run/xpas
blackswmxc.top/bgry
8084"C:\Users\admin\AppData\Local\Temp\TNWUOCL3NY61T4TY4.exe"C:\Users\admin\AppData\Local\Temp\TNWUOCL3NY61T4TY4.exe
ab7c7484fc2615fea7cb9ffe0fc30416.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\tnwuocl3ny61t4ty4.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
7 498
Read events
7 495
Write events
3
Delete events
0

Modification events

(PID) Process:(6132) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6132) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6132) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
2
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
8084TNWUOCL3NY61T4TY4.exeC:\Windows\Tasks\ramez.jobbinary
MD5:31DBC50D657085A9D6C9186FD1FFAD75
SHA256:6A525A722A573B25CC9438C032061DB340AB822886F83458769912ECB709A46F
7428ab7c7484fc2615fea7cb9ffe0fc30416.exeC:\Users\admin\AppData\Local\Temp\TNWUOCL3NY61T4TY4.exeexecutable
MD5:0AB91DB8E520412B94BACF7BC00406DC
SHA256:6764AFA6D68FA5C4773D6CCD61A7D5D1C723876A18DD3B15EDDBDF3036FCD5CE
8084TNWUOCL3NY61T4TY4.exeC:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exeexecutable
MD5:0AB91DB8E520412B94BACF7BC00406DC
SHA256:6764AFA6D68FA5C4773D6CCD61A7D5D1C723876A18DD3B15EDDBDF3036FCD5CE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
64
DNS requests
22
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.19.11.105:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6700
RUXIMICS.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.216.77.20:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
23.216.77.20:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7892
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
7428
ab7c7484fc2615fea7cb9ffe0fc30416.exe
GET
200
185.156.72.2:80
http://185.156.72.2/mine/random.exe
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6700
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.160.14:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
2.19.11.105:80
crl.microsoft.com
Elisa Oyj
NL
whitelisted
2104
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
6700
RUXIMICS.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.104.136.2
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.160.14
  • 20.190.160.132
  • 20.190.160.131
  • 40.126.32.133
  • 40.126.32.136
  • 40.126.32.76
  • 40.126.32.74
  • 20.190.160.17
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 2.19.11.105
  • 2.19.11.120
  • 23.216.77.20
  • 23.216.77.37
  • 23.216.77.13
  • 23.216.77.18
  • 23.216.77.15
  • 23.216.77.25
  • 23.216.77.35
  • 23.216.77.8
  • 23.216.77.31
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
whitelisted
cornerdurv.top
  • 104.21.16.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.64.1
  • 104.21.112.1
unknown
narrathfpt.top
  • 172.67.222.194
  • 104.21.83.105
unknown
jackthyfuc.run
  • 104.21.77.252
  • 172.67.214.17
unknown
onehunqpom.life
  • 104.21.16.209
  • 172.67.215.238
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cornerdurv .top)
7428
ab7c7484fc2615fea7cb9ffe0fc30416.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (cornerdurv .top) in TLS SNI
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (laminaflbx .shop)
7428
ab7c7484fc2615fea7cb9ffe0fc30416.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (laminaflbx .shop) in TLS SNI
7428
ab7c7484fc2615fea7cb9ffe0fc30416.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (laminaflbx .shop) in TLS SNI
7428
ab7c7484fc2615fea7cb9ffe0fc30416.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (laminaflbx .shop) in TLS SNI
7428
ab7c7484fc2615fea7cb9ffe0fc30416.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (laminaflbx .shop) in TLS SNI
7428
ab7c7484fc2615fea7cb9ffe0fc30416.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (laminaflbx .shop) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ab7c7484fc2615fea7cb9ffe0fc30416.exe