File name:

random.exe

Full analysis: https://app.any.run/tasks/fca15adf-2980-4e86-a7ac-3aa02a6d0e7c
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: April 04, 2025, 08:38:18
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
themida
loader
amadey
botnet
rdp
auto
generic
gcleaner
autoit
evasion
inno
installer
telegram
darkvision
remote
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

67D37F52A5C244776BE1BE30DB7D8547

SHA1:

40D29CCEA52E7FFB835BFC92D962EA552FF57483

SHA256:

651B121DD1F5A8F6D54CF5DEBE36E8DA4A4A3724DDF6295C4BF82FBF482E933C

SSDEEP:

98304:g8yA346jk0/ONm5dTvvZRjlewtealV0b1i4lrpJNuejG7GD4i+naY01CKUK+khYw:

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • Yhihb8G.exe (PID: 6256)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • Jordan.com (PID: 6040)
      • w32tm.exe (PID: 2644)
      • Passwords.com (PID: 1096)
    • LUMMA mutex has been found

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • Jordan.com (PID: 6040)
      • Passwords.com (PID: 1096)
    • Steals credentials from Web Browsers

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • Yhihb8G.exe (PID: 6256)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
    • AMADEY mutex has been found

      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • TempMQSHAENT3OOH4ML85LI5KWU63CJ2GUEJ.EXE (PID: 6040)
      • rapes.exe (PID: 7460)
    • AMADEY has been detected (SURICATA)

      • rapes.exe (PID: 5556)
    • Connects to the CnC server

      • rapes.exe (PID: 5556)
      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 2616)
    • AMADEY has been detected (YARA)

      • rapes.exe (PID: 5556)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 516)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6456)
    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 6456)
    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • MSBuild.exe (PID: 3024)
      • Passwords.com (PID: 1096)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 6456)
    • Executing a file with an untrusted certificate

      • 6c8d76d628.exe (PID: 5400)
      • qhjMWht.exe (PID: 7304)
      • larBxd7.exe (PID: 5528)
    • GENERIC has been found (auto)

      • 6c8d76d628.exe (PID: 5400)
      • svchost015.exe (PID: 5956)
      • svchost015.exe (PID: 1040)
      • svchost.exe (PID: 2616)
    • GCLEANER has been detected (SURICATA)

      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
    • GCLEANER has been detected (YARA)

      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
    • Registers / Runs the DLL via REGSVR32.EXE

      • 6lMrSsvfK.tmp (PID: 4200)
    • LUMMA has been found (auto)

      • rapes.exe (PID: 5556)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 2616)
    • DARKVISION has been detected (SURICATA)

      • svchost.exe (PID: 2616)
    • Changes Windows Defender settings

      • mmc.exe (PID: 672)
    • Adds path to the Windows Defender exclusion list

      • mmc.exe (PID: 672)
    • Known privilege escalation attack

      • dllhost.exe (PID: 7920)
  • SUSPICIOUS

    • Reads the BIOS version

      • random.exe (PID: 7816)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • bd1d172291.exe (PID: 7692)
      • TempMQSHAENT3OOH4ML85LI5KWU63CJ2GUEJ.EXE (PID: 6040)
      • e14715a91c.exe (PID: 1568)
      • rapes.exe (PID: 7460)
      • 7144c59ed1.exe (PID: 7264)
    • Searches for installed software

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • 9sWdA2p.exe (PID: 7952)
      • Passwords.com (PID: 1096)
      • Jordan.com (PID: 6040)
    • Potential Corporate Privacy Violation

      • random.exe (PID: 7816)
      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • svchost.exe (PID: 2616)
    • Process requests binary or script from the Internet

      • random.exe (PID: 7816)
      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)
    • Connects to the server without a host name

      • random.exe (PID: 7816)
      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • 8nga8FH6RZ1M.exe (PID: 5720)
      • svchost.exe (PID: 2616)
      • mmc.exe (PID: 672)
    • Executable content was dropped or overwritten

      • random.exe (PID: 7816)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)
      • 6c8d76d628.exe (PID: 5400)
      • svchost015.exe (PID: 1040)
      • RTLlZGaz09.exe (PID: 6660)
      • RTLlZGaz09.tmp (PID: 7744)
      • duplicatefilefinder.exe (PID: 7856)
      • svchost015.exe (PID: 5956)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.exe (PID: 2384)
      • 6lMrSsvfK.exe (PID: 1748)
      • 6lMrSsvfK.tmp (PID: 4200)
      • svchost.exe (PID: 2616)
    • Reads security settings of Internet Explorer

      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • duplicatefilefinder.exe (PID: 7856)
      • 6lMrSsvfK.tmp (PID: 6988)
      • larBxd7.exe (PID: 5528)
      • 7IIl2eE.exe (PID: 2420)
    • Starts itself from another location

      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
    • Contacting a server suspected of hosting an CnC

      • rapes.exe (PID: 5556)
      • svchost.exe (PID: 2196)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • MSBuild.exe (PID: 3024)
      • Passwords.com (PID: 1096)
    • There is functionality for enable RDP (YARA)

      • rapes.exe (PID: 5556)
    • Starts CMD.EXE for commands execution

      • e70cf2a3ff.exe (PID: 1180)
      • larBxd7.exe (PID: 5528)
      • cmd.exe (PID: 5668)
      • Yhihb8G.exe (PID: 6256)
      • cmd.exe (PID: 7316)
      • 7IIl2eE.exe (PID: 2420)
      • svchost.exe (PID: 2616)
    • Manipulates environment variables

      • powershell.exe (PID: 6456)
    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 5064)
      • duplicatefilefinder.exe (PID: 7856)
      • regsvr32.exe (PID: 1132)
      • mmc.exe (PID: 672)
    • Found IP address in command line

      • powershell.exe (PID: 6456)
    • Probably download files using WebClient

      • mshta.exe (PID: 5064)
    • Starts process via Powershell

      • powershell.exe (PID: 6456)
    • The process executes via Task Scheduler

      • rapes.exe (PID: 7460)
    • Reads the Windows owner or organization settings

      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.tmp (PID: 4200)
    • Process drops legitimate windows executable

      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.tmp (PID: 4200)
      • rapes.exe (PID: 5556)
    • The process drops C-runtime libraries

      • RTLlZGaz09.tmp (PID: 7744)
    • Get information on the list of running processes

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 7316)
    • Executing commands from a ".bat" file

      • larBxd7.exe (PID: 5528)
      • 7IIl2eE.exe (PID: 2420)
      • svchost.exe (PID: 2616)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 7316)
    • Application launched itself

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 7316)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 7316)
    • Starts application with an unusual extension

      • cmd.exe (PID: 5668)
      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 7316)
    • The executable file from the user directory is run by the CMD process

      • Jordan.com (PID: 6040)
      • Passwords.com (PID: 1096)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Yhihb8G.exe (PID: 6256)
    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 1132)
    • The process hide an interactive prompt from the user

      • regsvr32.exe (PID: 1132)
    • Loads DLL from Mozilla Firefox

      • Yhihb8G.exe (PID: 6256)
    • Uses NETSH.EXE to obtain data on the network

      • cmd.exe (PID: 2240)
      • cmd.exe (PID: 7748)
    • Connects to unusual port

      • Yhihb8G.exe (PID: 6256)
    • Detected use of alternative data streams (AltDS)

      • regsvr32.exe (PID: 1132)
    • Connects to SMTP port

      • regsvr32.exe (PID: 1132)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Jordan.com (PID: 6040)
    • Starts a Microsoft application from unusual location

      • UZPt0hR.exe (PID: 4648)
    • Script adds exclusion path to Windows Defender

      • mmc.exe (PID: 672)
  • INFO

    • Checks supported languages

      • random.exe (PID: 7816)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • e70cf2a3ff.exe (PID: 1180)
      • bd1d172291.exe (PID: 7692)
      • TempMQSHAENT3OOH4ML85LI5KWU63CJ2GUEJ.EXE (PID: 6040)
      • 6c8d76d628.exe (PID: 5400)
      • svchost015.exe (PID: 1040)
      • e14715a91c.exe (PID: 1568)
      • qhjMWht.exe (PID: 7304)
      • svchost015.exe (PID: 5956)
      • RTLlZGaz09.exe (PID: 6660)
      • rapes.exe (PID: 7460)
      • RTLlZGaz09.tmp (PID: 7744)
      • duplicatefilefinder.exe (PID: 7856)
      • MSBuild.exe (PID: 6240)
      • ICQ0sog.exe (PID: 7392)
      • 6lMrSsvfK.exe (PID: 2384)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.exe (PID: 1748)
      • 6lMrSsvfK.tmp (PID: 4200)
      • RkYrthdQ7pSK.exe (PID: 496)
      • larBxd7.exe (PID: 5528)
      • 8nga8FH6RZ1M.exe (PID: 5720)
      • extrac32.exe (PID: 7216)
      • Jordan.com (PID: 6040)
      • Yhihb8G.exe (PID: 6256)
      • chcp.com (PID: 6228)
      • chcp.com (PID: 7764)
      • 9sWdA2p.exe (PID: 7952)
      • TbV75ZR.exe (PID: 3332)
      • MSBuild.exe (PID: 3024)
      • 7IIl2eE.exe (PID: 2420)
      • extrac32.exe (PID: 6744)
      • Passwords.com (PID: 1096)
      • UZPt0hR.exe (PID: 4648)
      • 7144c59ed1.exe (PID: 720)
      • w32tm.exe (PID: 2644)
      • 7144c59ed1.exe (PID: 7264)
      • tzutil.exe (PID: 6712)
    • Reads the machine GUID from the registry

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • svchost015.exe (PID: 1040)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • svchost015.exe (PID: 5956)
      • Yhihb8G.exe (PID: 6256)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • w32tm.exe (PID: 2644)
      • Passwords.com (PID: 1096)
    • Themida protector has been detected

      • random.exe (PID: 7816)
      • rapes.exe (PID: 5556)
      • bd1d172291.exe (PID: 7692)
    • Reads the software policy settings

      • random.exe (PID: 7816)
      • bd1d172291.exe (PID: 7692)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • Yhihb8G.exe (PID: 6256)
      • slui.exe (PID: 7564)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • Jordan.com (PID: 6040)
      • Passwords.com (PID: 1096)
    • Reads the computer name

      • random.exe (PID: 7816)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • e70cf2a3ff.exe (PID: 1180)
      • bd1d172291.exe (PID: 7692)
      • 6c8d76d628.exe (PID: 5400)
      • svchost015.exe (PID: 1040)
      • e14715a91c.exe (PID: 1568)
      • svchost015.exe (PID: 5956)
      • RTLlZGaz09.tmp (PID: 7744)
      • qhjMWht.exe (PID: 7304)
      • MSBuild.exe (PID: 6240)
      • duplicatefilefinder.exe (PID: 7856)
      • 6lMrSsvfK.tmp (PID: 6988)
      • RkYrthdQ7pSK.exe (PID: 496)
      • 6lMrSsvfK.tmp (PID: 4200)
      • larBxd7.exe (PID: 5528)
      • 8nga8FH6RZ1M.exe (PID: 5720)
      • extrac32.exe (PID: 7216)
      • Jordan.com (PID: 6040)
      • Yhihb8G.exe (PID: 6256)
      • 9sWdA2p.exe (PID: 7952)
      • MSBuild.exe (PID: 3024)
      • 7IIl2eE.exe (PID: 2420)
      • extrac32.exe (PID: 6744)
      • Passwords.com (PID: 1096)
      • UZPt0hR.exe (PID: 4648)
      • tzutil.exe (PID: 6712)
      • w32tm.exe (PID: 2644)
    • Create files in a temporary directory

      • random.exe (PID: 7816)
      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • e70cf2a3ff.exe (PID: 1180)
      • 6c8d76d628.exe (PID: 5400)
      • RTLlZGaz09.exe (PID: 6660)
      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.exe (PID: 2384)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.exe (PID: 1748)
      • 6lMrSsvfK.tmp (PID: 4200)
      • larBxd7.exe (PID: 5528)
      • extrac32.exe (PID: 7216)
      • Yhihb8G.exe (PID: 6256)
      • svchost015.exe (PID: 5956)
      • svchost015.exe (PID: 1040)
      • 7IIl2eE.exe (PID: 2420)
      • extrac32.exe (PID: 6744)
      • svchost.exe (PID: 2616)
      • w32tm.exe (PID: 2644)
    • Process checks computer location settings

      • PYV2U67YDC38WBGDO5S5YNQ.exe (PID: 5048)
      • rapes.exe (PID: 5556)
      • duplicatefilefinder.exe (PID: 7856)
      • 6lMrSsvfK.tmp (PID: 6988)
      • larBxd7.exe (PID: 5528)
      • 7IIl2eE.exe (PID: 2420)
    • Checks proxy server information

      • rapes.exe (PID: 5556)
      • powershell.exe (PID: 6456)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • Yhihb8G.exe (PID: 6256)
      • slui.exe (PID: 7564)
    • Creates files or folders in the user directory

      • rapes.exe (PID: 5556)
      • svchost015.exe (PID: 1040)
      • svchost015.exe (PID: 5956)
      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.tmp (PID: 4200)
    • Reads mouse settings

      • e70cf2a3ff.exe (PID: 1180)
      • Jordan.com (PID: 6040)
      • Passwords.com (PID: 1096)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 5064)
    • Disables trace logs

      • powershell.exe (PID: 6456)
      • Yhihb8G.exe (PID: 6256)
    • The executable file from the user directory is run by the Powershell process

      • TempMQSHAENT3OOH4ML85LI5KWU63CJ2GUEJ.EXE (PID: 6040)
    • The sample compiled with english language support

      • 6c8d76d628.exe (PID: 5400)
      • RTLlZGaz09.tmp (PID: 7744)
      • duplicatefilefinder.exe (PID: 7856)
      • 6lMrSsvfK.tmp (PID: 6988)
      • 6lMrSsvfK.tmp (PID: 4200)
      • rapes.exe (PID: 5556)
      • svchost.exe (PID: 2616)
    • Creates a software uninstall entry

      • RTLlZGaz09.tmp (PID: 7744)
      • 6lMrSsvfK.tmp (PID: 4200)
    • Creates files in the program directory

      • duplicatefilefinder.exe (PID: 7856)
      • UZPt0hR.exe (PID: 4648)
      • svchost.exe (PID: 2616)
    • Changes the registry key values via Powershell

      • duplicatefilefinder.exe (PID: 7856)
    • Detects InnoSetup installer (YARA)

      • RTLlZGaz09.exe (PID: 6660)
      • RTLlZGaz09.tmp (PID: 7744)
    • Compiled with Borland Delphi (YARA)

      • RTLlZGaz09.tmp (PID: 7744)
    • Creates a new folder

      • cmd.exe (PID: 7500)
      • cmd.exe (PID: 5232)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5864)
      • powershell.exe (PID: 6820)
      • powershell.exe (PID: 7264)
      • powershell.exe (PID: 5728)
    • Changes the display of characters in the console

      • cmd.exe (PID: 7748)
      • cmd.exe (PID: 2240)
    • Reads CPU info

      • Yhihb8G.exe (PID: 6256)
    • Reads security settings of Internet Explorer

      • svchost.exe (PID: 2616)
      • dllhost.exe (PID: 7920)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Amadey

(PID) Process: (5556) rapes.exe
C2: 176.113.115.6
URL: http://176.113.115.6/Ni9kiput/index.php
Version: 5.21
Options
Drop directory: bb556cff4a
Drop name: rapes.exe
Strings (125):
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:02 20:01:30+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 324608
InitializedDataSize: 46080
UninitializedDataSize: -
EntryPoint: 0x495000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
222
Monitored processes
95
Malicious processes
41
Suspicious processes
4

Behavior graph

start #LUMMA random.exe pyv2u67ydc38wbgdo5s5ynq.exe #AMADEY rapes.exe e70cf2a3ff.exe no specs cmd.exe no specs mshta.exe no specs conhost.exe no specs schtasks.exe no specs powershell.exe conhost.exe no specs slui.exe #LUMMA bd1d172291.exe tempmqshaent3ooh4ml85li5kwu63cj2guej.exe no specs #LUMMA svchost.exe #GENERIC 6c8d76d628.exe #GCLEANER svchost015.exe e14715a91c.exe no specs #GCLEANER svchost015.exe #LUMMA qhjmwht.exe rtllzgaz09.exe rapes.exe no specs rtllzgaz09.tmp duplicatefilefinder.exe powershell.exe no specs conhost.exe no specs icq0sog.exe no specs #LUMMA msbuild.exe 6lmrssvfk.exe 6lmrssvfk.tmp rkyrthdq7psk.exe no specs 6lmrssvfk.exe 6lmrssvfk.tmp regsvr32.exe powershell.exe no specs conhost.exe no specs 8nga8fh6rz1m.exe larbxd7.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA jordan.com choice.exe no specs yhihb8g.exe powershell.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs netsh.exe no specs findstr.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs netsh.exe no specs powershell.exe no specs conhost.exe no specs #LUMMA 9swda2p.exe tbv75zr.exe no specs #LUMMA msbuild.exe 7iil2ee.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #LUMMA passwords.com choice.exe no specs uzpt0hr.exe no specs #DARKVISION svchost.exe tzutil.exe no specs cmd.exe no specs w32tm.exe conhost.exe no specs wuauclt.exe no specs 7144c59ed1.exe no specs wusa.exe mmc.exe powershell.exe no specs conhost.exe no specs CMSTPLUA 7144c59ed1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 496
CMD: "C:\Users\admin\AppData\Roaming\tmIGo\RkYrthdQ7pSK.exe"
Path: C:\Users\admin\AppData\Roaming\tmIGo\RkYrthdQ7pSK.exe
Parent process: svchost015.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Gcleanerapp
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\roaming\tmigo\rkyrthdq7psk.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 516
CMD: C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn q2X9Gmao5bt /tr "mshta C:\Users\admin\AppData\Local\Temp\FPXVqEPEN.hta" /sc minute /mo 25 /ru "admin" /f
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: e70cf2a3ff.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 664
CMD: tasklist
Path: C:\Windows\SysWOW64\tasklist.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 672
CMD: \??\C:\WINDOWS\system32\mmc.exe
Path: C:\Windows\System32\mmc.exe
Parent process: wusa.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Management Console
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mmc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
PID: 680
CMD: "C:\WINDOWS\system32\wuauclt.exe" /detectnow
Path: C:\Windows\System32\wuauclt.exe
Parent process: tzutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Update
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wuauclt.exe
c:\windows\system32\ntdll.dll
PID: 720
CMD: "C:\Users\admin\AppData\Local\Temp\10444500101\7144c59ed1.exe"
Path: C:\Users\admin\AppData\Local\Temp\10444500101\7144c59ed1.exe
Parent process: rapes.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\10444500101\7144c59ed1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1040
CMD: "C:\Users\admin\AppData\Local\Temp\10444400101\6c8d76d628.exe"
Path: C:\Users\admin\AppData\Local\Temp\svchost015.exe
Parent process: 6c8d76d628.exe
User:
admin
Company:
X-Ways Software Technology AG
Integrity Level:
MEDIUM
Description:
WinHex
Exit code:
0
Version:
21.1
Modules
Images
c:\users\admin\appdata\local\temp\svchost015.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 1096
CMD: Passwords.com N
Path: C:\Users\admin\AppData\Local\Temp\418377\Passwords.com
Parent process: cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Version:
3, 3, 15, 5
Modules
Images
c:\users\admin\appdata\local\temp\418377\passwords.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 1132
CMD: "regsvr32.exe" /s /i:INSTALL "C:\Users\admin\AppData\Roaming\\wldap329.drv"
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: 6lMrSsvfK.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
PID: 1180
CMD: "C:\Users\admin\AppData\Local\Temp\10444380101\e70cf2a3ff.exe"
Path: C:\Users\admin\AppData\Local\Temp\10444380101\e70cf2a3ff.exe
Parent process: rapes.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\10444380101\e70cf2a3ff.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
Total events
86 167
Read events
86 074
Write events
85
Delete events
8

Modification events

(PID) Process: (5556) rapes.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value:
(PID) Process: (5556) rapes.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value:
Cookie:
(PID) Process: (5556) rapes.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value:
Visited:
(PID) Process: (5064) mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write | Name: CachePrefix
Value:
(PID) Process: (5064) mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write | Name: CachePrefix
Value:
Cookie:
(PID) Process: (5064) mshta.exe | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write | Name: CachePrefix
Value:
Visited:
(PID) Process: (6456) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write | Name: EnableFileTracing
Value:
0
(PID) Process: (6456) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write | Name: EnableAutoFileTracing
Value:
0
(PID) Process: (6456) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write | Name: EnableConsoleTracing
Value:
0
(PID) Process: (6456) powershell.exe | Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write | Name: FileTracingMask
Value:
Executable files
85
Suspicious files
69
Text files
37
Unknown types
1

Dropped files

PID | Process | Filename | Type
5048 | PYV2U67YDC38WBGDO5S5YNQ.exe | C:\Users\admin\AppData\Local\Temp\bb556cff4a\rapes.exe | executable
MD5: A616C70B521871A888C297266C93E4DC
SHA256: 788C57B940278EB945AEC7589626E9282741922A6BF31769AB5BEB4427A83EFF
5556 | rapes.exe | C:\Users\admin\AppData\Local\Temp\10444380101\e70cf2a3ff.exe | executable
MD5: A798A2631AE2BC2F61B80CE937C75C65
SHA256: E41A1EF54E4F954BB11EC70D802E2998019510B8DD13ADDEDEB6D5692C6AAB2C
5556 | rapes.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\random[1].exe | executable
MD5: A798A2631AE2BC2F61B80CE937C75C65
SHA256: E41A1EF54E4F954BB11EC70D802E2998019510B8DD13ADDEDEB6D5692C6AAB2C
6456 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_odh3nsxy.koq.ps1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6456 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tyvo43ht.vei.psm1 | text
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1180 | e70cf2a3ff.exe | C:\Users\admin\AppData\Local\Temp\FPXVqEPEN.hta | html
MD5: 47475A5E3C542FA6EE7D438D936D3F61
SHA256: 06125CFDBBA06CB5B1009ED2A1CDBC7882767C8126AE95E0B5CF7BEB986C3E19
6456 | powershell.exe | C:\Users\admin\AppData\Local\TempMQSHAENT3OOH4ML85LI5KWU63CJ2GUEJ.EXE | executable
MD5: A616C70B521871A888C297266C93E4DC
SHA256: 788C57B940278EB945AEC7589626E9282741922A6BF31769AB5BEB4427A83EFF
7816 | random.exe | C:\Users\admin\AppData\Local\Temp\PYV2U67YDC38WBGDO5S5YNQ.exe | executable
MD5: A616C70B521871A888C297266C93E4DC
SHA256: 788C57B940278EB945AEC7589626E9282741922A6BF31769AB5BEB4427A83EFF
1040 | svchost015.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\info[1].htm | text
MD5: FE9B08252F126DDFCB87FB82F9CC7677
SHA256: E63E7EBE4C2DB7E61FFC71AF0675E870BCDE0A9D8916E5B3BE0CB252478030BF
5556 | rapes.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\random[1].exe | executable
MD5: E05432C13D42B8526CE4BC0DC240D297
SHA256: 574C5BA90E69460799A53EA6FC88D8C6BA4B2B749F739F61779E1975E53E15D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
209
TCP/UDP connections
127
DNS requests
36
Threats
171

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
7816 | random.exe | GET | 200 | 176.113.115.7:80 | http://176.113.115.7/mine/random.exe | unknown | - | - | malicious
- | - | GET | 200 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | - | - | -
496 | SIHClient.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
496 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
496 | SIHClient.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
496 | SIHClient.exe | GET | 200 | 2.16.241.12:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
496 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
496 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
496 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7816 | random.exe | 104.21.112.1:443 | rlxspoty.run | CLOUDFLARENET | - | malicious
6544 | svchost.exe | 40.126.31.128:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
496 | SIHClient.exe | 52.149.20.212:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7816 | random.exe | 176.113.115.7:80 | - | Red Bytes LLC | RU | malicious
496 | SIHClient.exe | 2.16.241.12:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
496 | SIHClient.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
496 | SIHClient.exe | 40.69.42.241:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 216.58.206.46
whitelisted
rlxspoty.run
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.64.1
malicious
login.live.com
  • 40.126.31.128
  • 40.126.31.1
  • 40.126.31.69
  • 20.190.159.64
  • 20.190.159.131
  • 40.126.31.130
  • 20.190.159.23
  • 40.126.31.3
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.14
whitelisted
www.microsoft.com
  • 2.23.246.101
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
rodformi.run
malicious

Threats

PID | Process | Class | Message
7816 | random.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 29
7816 | random.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
7816 | random.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7816 | random.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
7816 | random.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5556 | rapes.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 29
5556 | rapes.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
5556 | rapes.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response
5556 | rapes.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
5556 | rapes.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
No debug info