File name:

random.exe

Full analysis: https://app.any.run/tasks/fca15adf-2980-4e86-a7ac-3aa02a6d0e7c
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: April 04, 2025, 08:38:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
themida
loader
amadey
botnet
rdp
auto
generic
gcleaner
autoit
evasion
inno
installer
telegram
darkvision
remote
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

67D37F52A5C244776BE1BE30DB7D8547

SHA1:

40D29CCEA52E7FFB835BFC92D962EA552FF57483

SHA256:

651B121DD1F5A8F6D54CF5DEBE36E8DA4A4A3724DDF6295C4BF82FBF482E933C

SSDEEP:

98304:g8yA346jk0/ONm5dTvvZRjlewtealV0b1i4lrpJNuejG7GD4i+naY01CKUK+khYw:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA mutex has been found

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • Jordan.com (PID: 6040)
      • Passwords.com (PID: 1096)

    • Actions looks like stealing of personal data

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • Yhihb8G.exe (PID: 6256)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • Jordan.com (PID: 6040)
      • w32tm.exe (PID: 2644)
      • Passwords.com (PID: 1096)

    • Steals credentials from Web Browsers

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • Yhihb8G.exe (PID: 6256)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)

    • AMADEY mutex has been found

      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • TempMQSHAENT3OOH4ML85LI5KWU63CJ2GUEJ.EXE (PID: 6040)
      • rapes.exe (PID: 7460)

    • AMADEY has been detected (SURICATA)

      • rapes.exe (PID: 5556)

    • Connects to the CnC server

      • rapes.exe (PID: 5556)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 2616)

    • AMADEY has been detected (YARA)

      • rapes.exe (PID: 5556)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 516)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6456)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 6456)

    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 6456)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • MSBuild.exe (PID: 3024)
      • Passwords.com (PID: 1096)

    • Executing a file with an untrusted certificate

      • 6c8d76d628.exe (PID: 5400)
      • qhjMWht.exe (PID: 7304)
      • larBxd7.exe (PID: 5528)

    • GENERIC has been found (auto)

      • 6c8d76d628.exe (PID: 5400)
      • svchost015.exe (PID: 5956)
      • svchost015.exe (PID: 1040)
      • svchost.exe (PID: 2616)

    • GCLEANER has been detected (SURICATA)

      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)

    • GCLEANER has been detected (YARA)

      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)

    • Registers / Runs the DLL via REGSVR32.EXE

      • 6lMrSsvfK.tmp (PID: 4200)

    • LUMMA has been found (auto)

      • rapes.exe (PID: 5556)

    • Changes the autorun value in the registry

      • svchost.exe (PID: 2616)

    • DARKVISION has been detected (SURICATA)

      • svchost.exe (PID: 2616)

    • Changes Windows Defender settings

      • mmc.exe (PID: 672)

    • Adds path to the Windows Defender exclusion list

      • mmc.exe (PID: 672)

    • Known privilege escalation attack

      • dllhost.exe (PID: 7920)

  • SUSPICIOUS

    • Reads the BIOS version

      • random.exe (PID: 7816)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • bd1d172291.exe (PID: 7692)
      • TempMQSHAENT3OOH4ML85LI5KWU63CJ2GUEJ.EXE (PID: 6040)
      • e14715a91c.exe (PID: 1568)
      • rapes.exe (PID: 7460)
      • 7144c59ed1.exe (PID: 7264)

    • Searches for installed software

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • 9sWdA2p.exe (PID: 7952)
      • Passwords.com (PID: 1096)
      • Jordan.com (PID: 6040)

    • Potential Corporate Privacy Violation

      • random.exe (PID: 7816)
      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • svchost.exe (PID: 2616)

    • Executable content was dropped or overwritten

      • random.exe (PID: 7816)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)
      • 6c8d76d628.exe (PID: 5400)
      • svchost015.exe (PID: 1040)
      • RTLlZGaz09.exe (PID: 6660)
      • RTLlZGaz09.tmp (PID: 7744)
      • duplicatefilefinder.exe (PID: 7856)
      • 6lMrSsvfK.exe (PID: 2384)
      • svchost015.exe (PID: 5956)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.exe (PID: 1748)
      • 6lMrSsvfK.tmp (PID: 4200)
      • svchost.exe (PID: 2616)

    • Connects to the server without a host name

      • random.exe (PID: 7816)
      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • 8nga8FH6RZ1M.exe (PID: 5720)
      • svchost.exe (PID: 2616)
      • mmc.exe (PID: 672)

    • Reads security settings of Internet Explorer

      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • duplicatefilefinder.exe (PID: 7856)
      • 6lMrSsvfK.tmp (PID: 6988)
      • larBxd7.exe (PID: 5528)
      • 7IIl2eE.exe (PID: 2420)

    • Starts itself from another location

      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)

    • Contacting a server suspected of hosting an CnC

      • rapes.exe (PID: 5556)
      • bd1d172291.exe (PID: 7692)
      • svchost.exe (PID: 2196)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • MSBuild.exe (PID: 3024)
      • Passwords.com (PID: 1096)

    • Process requests binary or script from the Internet

      • random.exe (PID: 7816)
      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)

    • There is functionality for enable RDP (YARA)

      • rapes.exe (PID: 5556)

    • Starts CMD.EXE for commands execution

      • e70cf2a3ff.exe (PID: 1180)
      • larBxd7.exe (PID: 5528)
      • cmd.exe (PID: 5668)
      • Yhihb8G.exe (PID: 6256)
      • 7IIl2eE.exe (PID: 2420)
      • cmd.exe (PID: 7316)
      • svchost.exe (PID: 2616)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 5064)
      • duplicatefilefinder.exe (PID: 7856)
      • regsvr32.exe (PID: 1132)
      • mmc.exe (PID: 672)

    • Found IP address in command line

      • powershell.exe (PID: 6456)

    • Manipulates environment variables

      • powershell.exe (PID: 6456)

    • Probably download files using WebClient

      • mshta.exe (PID: 5064)

    • Starts process via Powershell

      • powershell.exe (PID: 6456)

    • The process executes via Task Scheduler

      • rapes.exe (PID: 7460)

    • Reads the Windows owner or organization settings

      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.tmp (PID: 4200)

    • The process drops C-runtime libraries

      • RTLlZGaz09.tmp (PID: 7744)

    • Process drops legitimate windows executable

      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.tmp (PID: 4200)
      • rapes.exe (PID: 5556)

    • Executing commands from a ".bat" file

      • larBxd7.exe (PID: 5528)
      • 7IIl2eE.exe (PID: 2420)
      • svchost.exe (PID: 2616)

    • Get information on the list of running processes

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 7316)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 7316)

    • Application launched itself

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 7316)

    • Starts application with an unusual extension

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 7316)

    • The executable file from the user directory is run by the CMD process

      • Jordan.com (PID: 6040)
      • Passwords.com (PID: 1096)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 7316)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Yhihb8G.exe (PID: 6256)

    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 1132)

    • The process hide an interactive prompt from the user

      • regsvr32.exe (PID: 1132)

    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 7748)

    • Loads DLL from Mozilla Firefox

      • Yhihb8G.exe (PID: 6256)

    • Connects to unusual port

      • Yhihb8G.exe (PID: 6256)

    • Detected use of alternative data streams (AltDS)

      • regsvr32.exe (PID: 1132)

    • Connects to SMTP port

      • regsvr32.exe (PID: 1132)

    • Starts a Microsoft application from unusual location

      • UZPt0hR.exe (PID: 4648)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Jordan.com (PID: 6040)

    • Script adds exclusion path to Windows Defender

      • mmc.exe (PID: 672)

  • INFO

    • Checks supported languages

      • random.exe (PID: 7816)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • e70cf2a3ff.exe (PID: 1180)
      • bd1d172291.exe (PID: 7692)
      • TempMQSHAENT3OOH4ML85LI5KWU63CJ2GUEJ.EXE (PID: 6040)
      • 6c8d76d628.exe (PID: 5400)
      • svchost015.exe (PID: 1040)
      • e14715a91c.exe (PID: 1568)
      • RTLlZGaz09.exe (PID: 6660)
      • qhjMWht.exe (PID: 7304)
      • svchost015.exe (PID: 5956)
      • rapes.exe (PID: 7460)
      • RTLlZGaz09.tmp (PID: 7744)
      • duplicatefilefinder.exe (PID: 7856)
      • ICQ0sog.exe (PID: 7392)
      • MSBuild.exe (PID: 6240)
      • 6lMrSsvfK.exe (PID: 2384)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.exe (PID: 1748)
      • RkYrthdQ7pSK.exe (PID: 496)
      • 6lMrSsvfK.tmp (PID: 4200)
      • 8nga8FH6RZ1M.exe (PID: 5720)
      • larBxd7.exe (PID: 5528)
      • extrac32.exe (PID: 7216)
      • Jordan.com (PID: 6040)
      • Yhihb8G.exe (PID: 6256)
      • chcp.com (PID: 7764)
      • chcp.com (PID: 6228)
      • 9sWdA2p.exe (PID: 7952)
      • TbV75ZR.exe (PID: 3332)
      • MSBuild.exe (PID: 3024)
      • 7IIl2eE.exe (PID: 2420)
      • extrac32.exe (PID: 6744)
      • Passwords.com (PID: 1096)
      • UZPt0hR.exe (PID: 4648)
      • tzutil.exe (PID: 6712)
      • 7144c59ed1.exe (PID: 720)
      • 7144c59ed1.exe (PID: 7264)
      • w32tm.exe (PID: 2644)

    • Reads the machine GUID from the registry

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • svchost015.exe (PID: 1040)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • svchost015.exe (PID: 5956)
      • Yhihb8G.exe (PID: 6256)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • w32tm.exe (PID: 2644)
      • Passwords.com (PID: 1096)

    • Reads the software policy settings

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • Yhihb8G.exe (PID: 6256)
      • slui.exe (PID: 7564)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • Jordan.com (PID: 6040)
      • Passwords.com (PID: 1096)

    • Reads the computer name

      • random.exe (PID: 7816)
      • rapes.exe (PID: 5556)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • e70cf2a3ff.exe (PID: 1180)
      • bd1d172291.exe (PID: 7692)
      • 6c8d76d628.exe (PID: 5400)
      • svchost015.exe (PID: 1040)
      • e14715a91c.exe (PID: 1568)
      • svchost015.exe (PID: 5956)
      • RTLlZGaz09.tmp (PID: 7744)
      • duplicatefilefinder.exe (PID: 7856)
      • MSBuild.exe (PID: 6240)
      • qhjMWht.exe (PID: 7304)
      • 6lMrSsvfK.tmp (PID: 6988)
      • RkYrthdQ7pSK.exe (PID: 496)
      • 6lMrSsvfK.tmp (PID: 4200)
      • 8nga8FH6RZ1M.exe (PID: 5720)
      • larBxd7.exe (PID: 5528)
      • extrac32.exe (PID: 7216)
      • Jordan.com (PID: 6040)
      • Yhihb8G.exe (PID: 6256)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • 7IIl2eE.exe (PID: 2420)
      • Passwords.com (PID: 1096)
      • extrac32.exe (PID: 6744)
      • UZPt0hR.exe (PID: 4648)
      • tzutil.exe (PID: 6712)
      • w32tm.exe (PID: 2644)

    • Themida protector has been detected

      • random.exe (PID: 7816)
      • rapes.exe (PID: 5556)
      • bd1d172291.exe (PID: 7692)

    • Create files in a temporary directory

      • random.exe (PID: 7816)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • e70cf2a3ff.exe (PID: 1180)
      • rapes.exe (PID: 5556)
      • 6c8d76d628.exe (PID: 5400)
      • RTLlZGaz09.exe (PID: 6660)
      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.exe (PID: 2384)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.exe (PID: 1748)
      • 6lMrSsvfK.tmp (PID: 4200)
      • larBxd7.exe (PID: 5528)
      • extrac32.exe (PID: 7216)
      • Yhihb8G.exe (PID: 6256)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • 7IIl2eE.exe (PID: 2420)
      • extrac32.exe (PID: 6744)
      • svchost.exe (PID: 2616)
      • w32tm.exe (PID: 2644)

    • Checks proxy server information

      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • Yhihb8G.exe (PID: 6256)
      • slui.exe (PID: 7564)

    • Process checks computer location settings

      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • duplicatefilefinder.exe (PID: 7856)
      • 6lMrSsvfK.tmp (PID: 6988)
      • larBxd7.exe (PID: 5528)
      • 7IIl2eE.exe (PID: 2420)

    • Reads mouse settings

      • e70cf2a3ff.exe (PID: 1180)
      • Jordan.com (PID: 6040)
      • Passwords.com (PID: 1096)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5064)

    • Creates files or folders in the user directory

      • rapes.exe (PID: 5556)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.tmp (PID: 4200)

    • Disables trace logs

      • powershell.exe (PID: 6456)
      • Yhihb8G.exe (PID: 6256)

    • The executable file from the user directory is run by the Powershell process

      • TempMQSHAENT3OOH4ML85LI5KWU63CJ2GUEJ.EXE (PID: 6040)

    • The sample compiled with english language support

      • 6c8d76d628.exe (PID: 5400)
      • RTLlZGaz09.tmp (PID: 7744)
      • duplicatefilefinder.exe (PID: 7856)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.tmp (PID: 4200)
      • rapes.exe (PID: 5556)
      • svchost.exe (PID: 2616)

    • Creates a software uninstall entry

      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.tmp (PID: 4200)

    • Creates files in the program directory

      • duplicatefilefinder.exe (PID: 7856)
      • UZPt0hR.exe (PID: 4648)
      • svchost.exe (PID: 2616)

    • Changes the registry key values via Powershell

      • duplicatefilefinder.exe (PID: 7856)

    • Detects InnoSetup installer (YARA)

      • RTLlZGaz09.exe (PID: 6660)
      • RTLlZGaz09.tmp (PID: 7744)

    • Compiled with Borland Delphi (YARA)

      • RTLlZGaz09.tmp (PID: 7744)

    • Creates a new folder

      • cmd.exe (PID: 7500)
      • cmd.exe (PID: 5232)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5864)
      • powershell.exe (PID: 6820)
      • powershell.exe (PID: 7264)
      • powershell.exe (PID: 5728)

    • Changes the display of characters in the console

      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 7748)

    • Reads CPU info

      • Yhihb8G.exe (PID: 6256)

    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 2616)
      • dllhost.exe (PID: 7920)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Amadey

(PID) Process(5556) rapes.exe
C2176.113.115.6
URLhttp://176.113.115.6/Ni9kiput/index.php
Version5.21
Options
Drop directorybb556cff4a
Drop namerapes.exe
Strings (125)pc:
\App
2022
&unit=
rb
id:
Norton
------
http://
" && ren
2016
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
00000419
--
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
st=s
0123456789
5.21
Comodo
msi
Panda Security
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Doctor Web
/Plugins/
-unicode-
:::
&&
|
DefaultSettings.YResolution
dm:
/Ni9kiput/index.php
------
Main
ar:
cmd /C RMDIR /s/q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
&& Exit"
rundll32
Content-Disposition: form-data; name="data"; filename="
<c>
/quiet
=
2019
<d>
Kaspersky Lab
cred.dll|clip.dll|
ps1
%-lu
un:
kernel32.dll
DefaultSettings.XResolution
ESET
WinDefender
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
rapes.exe
Powershell.exe
?scr=1
.jpg
ProductName
shutdown -s -t 0
random
POST
bi:
zip
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Programs
Sophos
r=
AVG
%USERPROFILE%
og:
176.113.115.6
cmd
rundll32.exe
Bitdefender
+++
exe
cred.dll
lv:
VideoID
S-%lu-
e2
d1
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ProgramData\
sd:
GetNativeSystemInfo
360TotalSecurity
os:
\0000
Avira
abcdefghijklmnopqrstuvwxyz0123456789-_
-%lu
AVAST Software
-executionpolicy remotesigned -File "
SYSTEM\ControlSet001\Services\BasicDisplay\Video
e1
wb
bb556cff4a
" && timeout 1 && del
av:
dll
/k
"taskkill /f /im "
ComputerName
Startup
CurrentBuild
2025
00000423
GET
#
\
Content-Type: multipart/form-data; boundary=----
https://
"
vs:
" Content-Type: application/octet-stream
Content-Type: application/x-www-form-urlencoded
Rem
0000043f
shell32.dll
Keyboard Layout\Preload
e3
00000422
clip.dll
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:02 20:01:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 324608
InitializedDataSize: 46080
UninitializedDataSize: -
EntryPoint: 0x495000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
222
Monitored processes
95
Malicious processes
41
Suspicious processes
4

Behavior graph

Click at the process to see the details
start #LUMMA random.exe pyv2u67ydc38wbgdo5s5ynq.exe #AMADEY rapes.exe e70cf2a3ff.exe no specs cmd.exe no specs mshta.exe no specs conhost.exe no specs schtasks.exe no specs powershell.exe conhost.exe no specs slui.exe #LUMMA bd1d172291.exe tempmqshaent3ooh4ml85li5kwu63cj2guej.exe no specs #LUMMA svchost.exe #GENERIC 6c8d76d628.exe #GCLEANER svchost015.exe e14715a91c.exe no specs #GCLEANER svchost015.exe #LUMMA qhjmwht.exe rtllzgaz09.exe rapes.exe no specs rtllzgaz09.tmp duplicatefilefinder.exe powershell.exe no specs conhost.exe no specs icq0sog.exe no specs #LUMMA msbuild.exe 6lmrssvfk.exe 6lmrssvfk.tmp rkyrthdq7psk.exe no specs 6lmrssvfk.exe 6lmrssvfk.tmp regsvr32.exe powershell.exe no specs conhost.exe no specs 8nga8fh6rz1m.exe larbxd7.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA jordan.com choice.exe no specs yhihb8g.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs netsh.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs netsh.exe no specs powershell.exe no specs conhost.exe no specs #LUMMA 9swda2p.exe tbv75zr.exe no specs #LUMMA msbuild.exe 7iil2ee.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA passwords.com choice.exe no specs uzpt0hr.exe no specs #DARKVISION svchost.exe tzutil.exe no specs cmd.exe no specs w32tm.exe conhost.exe no specs wuauclt.exe no specs 7144c59ed1.exe no specs wusa.exe mmc.exe powershell.exe no specs conhost.exe no specs CMSTPLUA 7144c59ed1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
496"C:\Users\admin\AppData\Roaming\tmIGo\RkYrthdQ7pSK.exe"C:\Users\admin\AppData\Roaming\tmIGo\RkYrthdQ7pSK.exesvchost015.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Gcleanerapp
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\tmigo\rkyrthdq7psk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
516C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn q2X9Gmao5bt /tr "mshta C:\Users\admin\AppData\Local\Temp\FPXVqEPEN.hta" /sc minute /mo 25 /ru "admin" /fC:\Windows\SysWOW64\cmd.exee70cf2a3ff.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
664tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
672\??\C:\WINDOWS\system32\mmc.exeC:\Windows\System32\mmc.exe
wusa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
680"C:\WINDOWS\system32\wuauclt.exe" /detectnowC:\Windows\System32\wuauclt.exetzutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wuauclt.exe
c:\windows\system32\ntdll.dll
720"C:\Users\admin\AppData\Local\Temp\10444500101\7144c59ed1.exe" C:\Users\admin\AppData\Local\Temp\10444500101\7144c59ed1.exerapes.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\10444500101\7144c59ed1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
1040"C:\Users\admin\AppData\Local\Temp\10444400101\6c8d76d628.exe" C:\Users\admin\AppData\Local\Temp\svchost015.exe
6c8d76d628.exe
User:
admin
Company:
X-Ways Software Technology AG
Integrity Level:
MEDIUM
Description:
WinHex
Exit code:
0
Version:
21.1
Modules
Images
c:\users\admin\appdata\local\temp\svchost015.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1096Passwords.com N C:\Users\admin\AppData\Local\Temp\418377\Passwords.com
cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Version:
3, 3, 15, 5
Modules
Images
c:\users\admin\appdata\local\temp\418377\passwords.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
1132"regsvr32.exe" /s /i:INSTALL "C:\Users\admin\AppData\Roaming\\wldap329.drv"C:\Windows\SysWOW64\regsvr32.exe
6lMrSsvfK.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
1180"C:\Users\admin\AppData\Local\Temp\10444380101\e70cf2a3ff.exe" C:\Users\admin\AppData\Local\Temp\10444380101\e70cf2a3ff.exerapes.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\10444380101\e70cf2a3ff.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
Total events
86 167
Read events
86 074
Write events
85
Delete events
8

Modification events

(PID) Process:(5556) rapes.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5556) rapes.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5556) rapes.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5064) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5064) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5064) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6456) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(6456) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(6456) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(6456) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
Executable files
85
Suspicious files
69
Text files
37
Unknown types
1

Dropped files

PID
Process
Filename
Type
1180e70cf2a3ff.exeC:\Users\admin\AppData\Local\Temp\FPXVqEPEN.htahtml
MD5:47475A5E3C542FA6EE7D438D936D3F61
SHA256:06125CFDBBA06CB5B1009ED2A1CDBC7882767C8126AE95E0B5CF7BEB986C3E19
5048PYV2U67YDC38WBGDO5S5YNQ.exeC:\Windows\Tasks\rapes.jobbinary
MD5:C5253866074B88844269AFFF67E4839C
SHA256:6BBF93AA3A37248FE21A2BA68351372B3BADF2D709B089DD695B2AD479AE800B
5556rapes.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\random[1].exeexecutable
MD5:A798A2631AE2BC2F61B80CE937C75C65
SHA256:E41A1EF54E4F954BB11EC70D802E2998019510B8DD13ADDEDEB6D5692C6AAB2C
7816random.exeC:\Users\admin\AppData\Local\Temp\PYV2U67YDC38WBGDO5S5YNQ.exeexecutable
MD5:A616C70B521871A888C297266C93E4DC
SHA256:788C57B940278EB945AEC7589626E9282741922A6BF31769AB5BEB4427A83EFF
5048PYV2U67YDC38WBGDO5S5YNQ.exeC:\Users\admin\AppData\Local\Temp\bb556cff4a\rapes.exeexecutable
MD5:A616C70B521871A888C297266C93E4DC
SHA256:788C57B940278EB945AEC7589626E9282741922A6BF31769AB5BEB4427A83EFF
6456powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tyvo43ht.vei.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5556rapes.exeC:\Users\admin\AppData\Local\Temp\10444400101\6c8d76d628.exeexecutable
MD5:E05432C13D42B8526CE4BC0DC240D297
SHA256:574C5BA90E69460799A53EA6FC88D8C6BA4B2B749F739F61779E1975E53E15D9
5556rapes.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\random[1].exeexecutable
MD5:E05432C13D42B8526CE4BC0DC240D297
SHA256:574C5BA90E69460799A53EA6FC88D8C6BA4B2B749F739F61779E1975E53E15D9
5556rapes.exeC:\Users\admin\AppData\Local\Temp\10444410101\e14715a91c.exeexecutable
MD5:1FB7BEEA8967C3CE15E72E9A8D14DC28
SHA256:56208F729C6B9895DD87A0F120972A8B48320B247B4F668F6EF9F483044D3E48
5556rapes.exeC:\Users\admin\AppData\Local\Temp\10444380101\e70cf2a3ff.exeexecutable
MD5:A798A2631AE2BC2F61B80CE937C75C65
SHA256:E41A1EF54E4F954BB11EC70D802E2998019510B8DD13ADDEDEB6D5692C6AAB2C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
209
TCP/UDP connections
127
DNS requests
36
Threats
171

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
7816
random.exe
GET
200
176.113.115.7:80
http://176.113.115.7/mine/random.exe
unknown
malicious
GET
200
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
unknown
496
SIHClient.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
496
SIHClient.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
496
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
496
SIHClient.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
496
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
496
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
52.165.164.15:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
7816
random.exe
104.21.112.1:443
rlxspoty.run
CLOUDFLARENET
malicious
6544
svchost.exe
40.126.31.128:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
496
SIHClient.exe
52.149.20.212:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7816
random.exe
176.113.115.7:80
Red Bytes LLC
RU
malicious
496
SIHClient.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
496
SIHClient.exe
2.23.246.101:80
www.microsoft.com
Ooredoo Q.S.C.
QA
whitelisted
496
SIHClient.exe
40.69.42.241:443
fe3cr.delivery.mp.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
whitelisted
rlxspoty.run
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.64.1
malicious
login.live.com
  • 40.126.31.128
  • 40.126.31.1
  • 40.126.31.69
  • 20.190.159.64
  • 20.190.159.131
  • 40.126.31.130
  • 20.190.159.23
  • 40.126.31.3
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.14
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
rodformi.run
malicious

Threats

PID
Process
Class
Message
7816
random.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 29
7816
random.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
7816
random.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7816
random.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
7816
random.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5556
rapes.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 29
5556
rapes.exe
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
5556
rapes.exe
Malware Command and Control Activity Detected
ET MALWARE Amadey CnC Response
5556
rapes.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
5556
rapes.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
random.exe