File name:

random.exe

Full analysis: https://app.any.run/tasks/c1c45439-2640-488b-b4ef-243e989a0977
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: May 25, 2025, 11:51:43
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
amadey
botnet
stealer
loader
themida
rdp
auto
gcleaner
lumma
telegram
generic
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

0C66B2FE6481490EEE4720C91C8916A8

SHA1:

DDFFA7A244390D5F9D43762EA5708C486DB0DF48

SHA256:

7326028014380BB2EFFEA7393A321A5F83D8D954624E4AD179A70FC4A913C69B

SSDEEP:

98304:6f2PWt3iCOepS6ZLa1QRu/dI0kbHPyodFHxjEGOFHxns4DadiD3Cb1BioryIU/NW:FC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • AMADEY mutex has been found

      • random.exe (PID: 7308)
      • ramez.exe (PID: 7488)
      • ramez.exe (PID: 8152)
      • TempQNXMMZOLXYOVW5EFKGVIFN4KL6A3SR6P.EXE (PID: 5508)

    • AMADEY has been detected (SURICATA)

      • ramez.exe (PID: 7488)

    • Connects to the CnC server

      • ramez.exe (PID: 7488)
      • svchost.exe (PID: 2196)

    • GCLEANER has been found (auto)

      • ramez.exe (PID: 7488)

    • Executing a file with an untrusted certificate

      • c26fcfae71.exe (PID: 8168)

    • AMADEY has been detected (YARA)

      • ramez.exe (PID: 7488)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 2384)
      • MSBuild.exe (PID: 5116)
      • 8d92deb131.exe (PID: 8048)
      • MSBuild.exe (PID: 8420)

    • LUMMA mutex has been found

      • MSBuild.exe (PID: 2384)
      • 8d92deb131.exe (PID: 8048)
      • MSBuild.exe (PID: 7900)
      • MSBuild.exe (PID: 5116)

    • Actions looks like stealing of personal data

      • MSBuild.exe (PID: 2384)
      • MSBuild.exe (PID: 5116)
      • 8d92deb131.exe (PID: 8048)
      • MSBuild.exe (PID: 7900)

    • Steals credentials from Web Browsers

      • MSBuild.exe (PID: 2384)
      • MSBuild.exe (PID: 5116)
      • 8d92deb131.exe (PID: 8048)
      • MSBuild.exe (PID: 7900)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1184)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7084)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7084)

    • LUMMA has been detected (YARA)

      • MSBuild.exe (PID: 2384)
      • MSBuild.exe (PID: 5116)
      • MSBuild.exe (PID: 7900)

    • GCLEANER has been detected (SURICATA)

      • cvtres.exe (PID: 6036)

    • GCLEANER has been detected (YARA)

      • cvtres.exe (PID: 6036)

    • Changes the autorun value in the registry

      • ramez.exe (PID: 7488)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 968)
      • NSudoLG.exe (PID: 5360)
      • cmd.exe (PID: 7952)
      • NSudoLG.exe (PID: 3020)

    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 5360)
      • NSudoLG.exe (PID: 3020)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 968)
      • cmd.exe (PID: 7952)

    • GENERIC has been found (auto)

      • cvtres.exe (PID: 6036)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • random.exe (PID: 7308)
      • ramez.exe (PID: 7488)
      • cvtres.exe (PID: 6036)
      • 6f2ccc53d1.exe (PID: 2772)
      • nircmd.exe (PID: 7232)
      • 436bba2672.exe (PID: 4692)
      • nircmd.exe (PID: 5256)

    • Reads the BIOS version

      • random.exe (PID: 7308)
      • ramez.exe (PID: 7488)
      • ramez.exe (PID: 8152)
      • 8d92deb131.exe (PID: 8048)

    • Starts itself from another location

      • random.exe (PID: 7308)

    • Executable content was dropped or overwritten

      • random.exe (PID: 7308)
      • ramez.exe (PID: 7488)
      • powershell.exe (PID: 7084)
      • 6f2ccc53d1.exe (PID: 2772)
      • 7z.exe (PID: 7448)
      • Unlocker.exe (PID: 6656)
      • cmd.exe (PID: 968)
      • YCL.exe (PID: 3676)
      • cvtres.exe (PID: 6036)
      • cmd.exe (PID: 5668)
      • 7z.exe (PID: 9108)

    • Connects to the server without a host name

      • ramez.exe (PID: 7488)
      • powershell.exe (PID: 7084)
      • cvtres.exe (PID: 6036)
      • 8d92deb131.exe (PID: 8048)

    • Potential Corporate Privacy Violation

      • ramez.exe (PID: 7488)
      • powershell.exe (PID: 7084)
      • 8d92deb131.exe (PID: 8048)
      • cvtres.exe (PID: 6036)

    • Contacting a server suspected of hosting an CnC

      • ramez.exe (PID: 7488)
      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 2384)
      • MSBuild.exe (PID: 5116)
      • 8d92deb131.exe (PID: 8048)
      • MSBuild.exe (PID: 8420)

    • Process requests binary or script from the Internet

      • ramez.exe (PID: 7488)
      • powershell.exe (PID: 7084)
      • 8d92deb131.exe (PID: 8048)

    • There is functionality for enable RDP (YARA)

      • ramez.exe (PID: 7488)

    • The process executes via Task Scheduler

      • ramez.exe (PID: 8152)
      • ramez.exe (PID: 8316)
      • ramez.exe (PID: 7896)
      • ramez.exe (PID: 8392)
      • ramez.exe (PID: 9040)

    • Starts CMD.EXE for commands execution

      • d42764253a.exe (PID: 1188)
      • cmd.exe (PID: 5436)
      • 6f2ccc53d1.exe (PID: 2772)
      • nircmd.exe (PID: 7232)
      • cmd.exe (PID: 3900)
      • NSudoLG.exe (PID: 4180)
      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 968)
      • cmd.exe (PID: 5392)
      • 436bba2672.exe (PID: 4692)
      • nircmd.exe (PID: 5256)
      • cmd.exe (PID: 4756)
      • NSudoLG.exe (PID: 664)
      • cmd.exe (PID: 7952)
      • cmd.exe (PID: 5508)
      • Unlocker.exe (PID: 7896)
      • Unlocker.exe (PID: 6656)
      • Unlocker.exe (PID: 672)
      • Unlocker.exe (PID: 8836)
      • Unlocker.exe (PID: 2424)
      • YCL.exe (PID: 3676)

    • Manipulates environment variables

      • powershell.exe (PID: 7084)

    • Starts process via Powershell

      • powershell.exe (PID: 7084)

    • Probably download files using WebClient

      • mshta.exe (PID: 2236)

    • Found IP address in command line

      • powershell.exe (PID: 7084)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 2236)
      • NSudoLG.exe (PID: 5360)
      • NSudoLG.exe (PID: 3020)

    • Searches for installed software

      • MSBuild.exe (PID: 2384)
      • MSBuild.exe (PID: 5116)
      • 8d92deb131.exe (PID: 8048)
      • MSBuild.exe (PID: 7900)

    • Multiple wallet extension IDs have been found

      • MSBuild.exe (PID: 2384)
      • MSBuild.exe (PID: 5116)

    • There is functionality for taking screenshot (YARA)

      • MSBuild.exe (PID: 2384)
      • MSBuild.exe (PID: 5116)
      • MSBuild.exe (PID: 7900)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 7900)

    • The process creates files with name similar to system file names

      • 6f2ccc53d1.exe (PID: 2772)

    • Application launched itself

      • cmd.exe (PID: 5436)
      • cmd.exe (PID: 3900)
      • cmd.exe (PID: 6272)
      • cmd.exe (PID: 968)
      • cmd.exe (PID: 5392)
      • cmd.exe (PID: 4756)
      • cmd.exe (PID: 7952)
      • cmd.exe (PID: 5508)

    • Executing commands from a ".bat" file

      • 6f2ccc53d1.exe (PID: 2772)
      • cmd.exe (PID: 5436)
      • nircmd.exe (PID: 7232)
      • cmd.exe (PID: 3900)
      • NSudoLG.exe (PID: 4180)
      • cmd.exe (PID: 6272)
      • 436bba2672.exe (PID: 4692)
      • cmd.exe (PID: 5392)
      • NSudoLG.exe (PID: 664)
      • nircmd.exe (PID: 5256)
      • cmd.exe (PID: 4756)
      • cmd.exe (PID: 5508)
      • YCL.exe (PID: 3676)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1240)
      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 968)
      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 7408)
      • cmd.exe (PID: 7952)

    • Drops 7-zip archiver for unpacking

      • 6f2ccc53d1.exe (PID: 2772)
      • YCL.exe (PID: 3676)

    • Reads the date of Windows installation

      • nircmd.exe (PID: 7232)
      • nircmd.exe (PID: 5256)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 968)
      • cmd.exe (PID: 7408)
      • cmd.exe (PID: 7952)

    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 7232)
      • NSudoLG.exe (PID: 4180)
      • NSudoLG.exe (PID: 5360)
      • nircmd.exe (PID: 5256)
      • NSudoLG.exe (PID: 664)
      • NSudoLG.exe (PID: 3020)
      • 7z.exe (PID: 7448)
      • Unlocker.exe (PID: 7896)
      • Unlocker.exe (PID: 6656)
      • 7z.exe (PID: 7272)
      • Unlocker.exe (PID: 672)
      • Unlocker.exe (PID: 2424)
      • Unlocker.exe (PID: 8836)
      • svchost.exe (PID: 9092)
      • 7z.exe (PID: 9120)
      • 7z.exe (PID: 8852)
      • 7z.exe (PID: 9108)

    • Get information on the list of running processes

      • cmd.exe (PID: 968)
      • cmd.exe (PID: 7404)
      • cmd.exe (PID: 7952)
      • cmd.exe (PID: 8136)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 6592)
      • powershell.exe (PID: 3768)

    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 5360)
      • NSudoLG.exe (PID: 3020)

    • Executes application which crashes

      • 8d92deb131.exe (PID: 8048)
      • svchost.exe (PID: 9092)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 968)
      • cmd.exe (PID: 7952)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 7336)
      • cmd.exe (PID: 2288)
      • cmd.exe (PID: 968)
      • cmd.exe (PID: 7444)
      • cmd.exe (PID: 632)
      • cmd.exe (PID: 7216)
      • cmd.exe (PID: 7952)
      • cmd.exe (PID: 8244)
      • cmd.exe (PID: 8940)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7812)
      • cmd.exe (PID: 7856)
      • cmd.exe (PID: 2592)
      • cmd.exe (PID: 8412)
      • cmd.exe (PID: 9048)

    • Windows service management via SC.EXE

      • sc.exe (PID: 8136)
      • sc.exe (PID: 1240)
      • sc.exe (PID: 7240)
      • sc.exe (PID: 7944)
      • sc.exe (PID: 5756)
      • sc.exe (PID: 1012)
      • sc.exe (PID: 6184)
      • sc.exe (PID: 8056)
      • sc.exe (PID: 1040)
      • sc.exe (PID: 2800)
      • sc.exe (PID: 7232)
      • sc.exe (PID: 8164)
      • sc.exe (PID: 7352)
      • sc.exe (PID: 4976)
      • sc.exe (PID: 2488)
      • sc.exe (PID: 4920)
      • sc.exe (PID: 7976)
      • sc.exe (PID: 5868)
      • sc.exe (PID: 6248)
      • sc.exe (PID: 2228)
      • sc.exe (PID: 6112)
      • sc.exe (PID: 6516)
      • sc.exe (PID: 8156)
      • sc.exe (PID: 7464)
      • sc.exe (PID: 4284)
      • sc.exe (PID: 7448)
      • sc.exe (PID: 2664)
      • sc.exe (PID: 5544)
      • sc.exe (PID: 6488)
      • sc.exe (PID: 6040)
      • sc.exe (PID: 6268)
      • sc.exe (PID: 6540)
      • sc.exe (PID: 7244)
      • sc.exe (PID: 7872)
      • sc.exe (PID: 7740)
      • sc.exe (PID: 7192)
      • sc.exe (PID: 1088)
      • sc.exe (PID: 2268)
      • sc.exe (PID: 1052)
      • sc.exe (PID: 2580)
      • sc.exe (PID: 2400)
      • sc.exe (PID: 7228)
      • sc.exe (PID: 2852)
      • sc.exe (PID: 7988)
      • sc.exe (PID: 7928)
      • sc.exe (PID: 1184)
      • sc.exe (PID: 7156)
      • sc.exe (PID: 7900)
      • sc.exe (PID: 3008)
      • sc.exe (PID: 3968)
      • sc.exe (PID: 8120)
      • sc.exe (PID: 5780)
      • sc.exe (PID: 7832)
      • sc.exe (PID: 5020)
      • sc.exe (PID: 5756)
      • sc.exe (PID: 3240)
      • sc.exe (PID: 8088)
      • sc.exe (PID: 5956)
      • sc.exe (PID: 8128)
      • sc.exe (PID: 660)
      • sc.exe (PID: 3844)
      • sc.exe (PID: 5324)
      • sc.exe (PID: 3156)
      • sc.exe (PID: 5048)
      • sc.exe (PID: 2136)
      • sc.exe (PID: 6824)
      • sc.exe (PID: 7456)
      • sc.exe (PID: 6032)
      • sc.exe (PID: 8188)
      • sc.exe (PID: 8344)
      • sc.exe (PID: 8920)
      • sc.exe (PID: 5720)
      • sc.exe (PID: 4428)
      • sc.exe (PID: 2140)
      • sc.exe (PID: 9148)
      • sc.exe (PID: 8956)
      • sc.exe (PID: 9020)
      • sc.exe (PID: 9168)

    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 6656)

    • Stops a currently running service

      • sc.exe (PID: 736)
      • sc.exe (PID: 2616)
      • sc.exe (PID: 7236)
      • sc.exe (PID: 7956)
      • sc.exe (PID: 7484)
      • sc.exe (PID: 1764)
      • sc.exe (PID: 7996)
      • sc.exe (PID: 2860)
      • sc.exe (PID: 4040)
      • sc.exe (PID: 4008)
      • sc.exe (PID: 1580)
      • sc.exe (PID: 136)
      • sc.exe (PID: 7944)
      • sc.exe (PID: 7824)
      • sc.exe (PID: 1748)
      • sc.exe (PID: 5200)
      • sc.exe (PID: 864)
      • sc.exe (PID: 5972)
      • sc.exe (PID: 8140)
      • sc.exe (PID: 1812)
      • sc.exe (PID: 1616)
      • sc.exe (PID: 6272)
      • sc.exe (PID: 8072)
      • sc.exe (PID: 6592)
      • sc.exe (PID: 7180)
      • sc.exe (PID: 6988)
      • sc.exe (PID: 2084)
      • sc.exe (PID: 2064)
      • sc.exe (PID: 8080)
      • sc.exe (PID: 6676)
      • sc.exe (PID: 8036)
      • sc.exe (PID: 8108)
      • sc.exe (PID: 5988)
      • sc.exe (PID: 2148)

    • Process drops legitimate windows executable

      • cmd.exe (PID: 968)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 5304)
      • schtasks.exe (PID: 6436)
      • schtasks.exe (PID: 2404)
      • schtasks.exe (PID: 6660)
      • schtasks.exe (PID: 6468)
      • schtasks.exe (PID: 2108)
      • schtasks.exe (PID: 8288)
      • schtasks.exe (PID: 8236)
      • schtasks.exe (PID: 8320)
      • schtasks.exe (PID: 8216)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 5668)

    • Executes as Windows Service

      • VSSVC.exe (PID: 8828)

  • INFO

    • Checks supported languages

      • random.exe (PID: 7308)
      • ramez.exe (PID: 7488)
      • c26fcfae71.exe (PID: 8168)
      • ramez.exe (PID: 8152)
      • bIoOQu3.exe (PID: 5576)
      • bIoOQu3.exe (PID: 7300)
      • MSBuild.exe (PID: 2384)
      • cvtres.exe (PID: 6036)
      • d42764253a.exe (PID: 1188)
      • MSBuild.exe (PID: 5116)
      • TempQNXMMZOLXYOVW5EFKGVIFN4KL6A3SR6P.EXE (PID: 5508)
      • 099ac5611c.exe (PID: 8052)
      • 8d92deb131.exe (PID: 8048)
      • MSBuild.exe (PID: 7900)
      • chcp.com (PID: 4008)
      • 6f2ccc53d1.exe (PID: 2772)
      • nircmd.exe (PID: 7232)
      • chcp.com (PID: 8184)
      • mode.com (PID: 7300)
      • chcp.com (PID: 7332)
      • NSudoLG.exe (PID: 4180)
      • NSudoLG.exe (PID: 5360)
      • 436bba2672.exe (PID: 4692)
      • chcp.com (PID: 1628)
      • NSudoLG.exe (PID: 664)
      • nircmd.exe (PID: 5256)
      • chcp.com (PID: 7472)
      • chcp.com (PID: 6828)
      • mode.com (PID: 7356)
      • NSudoLG.exe (PID: 3020)
      • 7z.exe (PID: 7448)
      • Unlocker.exe (PID: 7896)

    • Reads the computer name

      • random.exe (PID: 7308)
      • c26fcfae71.exe (PID: 8168)
      • MSBuild.exe (PID: 2384)
      • d42764253a.exe (PID: 1188)
      • cvtres.exe (PID: 6036)
      • MSBuild.exe (PID: 5116)
      • ramez.exe (PID: 7488)
      • MSBuild.exe (PID: 7900)
      • 8d92deb131.exe (PID: 8048)
      • 6f2ccc53d1.exe (PID: 2772)
      • nircmd.exe (PID: 7232)
      • NSudoLG.exe (PID: 4180)
      • NSudoLG.exe (PID: 5360)
      • nircmd.exe (PID: 5256)
      • 436bba2672.exe (PID: 4692)
      • NSudoLG.exe (PID: 664)
      • NSudoLG.exe (PID: 3020)
      • 7z.exe (PID: 7448)
      • Unlocker.exe (PID: 7896)

    • Process checks computer location settings

      • random.exe (PID: 7308)
      • ramez.exe (PID: 7488)
      • 6f2ccc53d1.exe (PID: 2772)
      • nircmd.exe (PID: 7232)
      • 436bba2672.exe (PID: 4692)
      • nircmd.exe (PID: 5256)

    • Create files in a temporary directory

      • random.exe (PID: 7308)
      • ramez.exe (PID: 7488)
      • d42764253a.exe (PID: 1188)
      • 6f2ccc53d1.exe (PID: 2772)
      • 436bba2672.exe (PID: 4692)
      • 7z.exe (PID: 7448)

    • Creates files or folders in the user directory

      • ramez.exe (PID: 7488)
      • cvtres.exe (PID: 6036)
      • WerFault.exe (PID: 7000)

    • Checks proxy server information

      • ramez.exe (PID: 7488)
      • cvtres.exe (PID: 6036)
      • powershell.exe (PID: 7084)

    • Themida protector has been detected

      • ramez.exe (PID: 7488)

    • The sample compiled with english language support

      • ramez.exe (PID: 7488)
      • 6f2ccc53d1.exe (PID: 2772)
      • Unlocker.exe (PID: 6656)
      • cmd.exe (PID: 968)
      • YCL.exe (PID: 3676)

    • Reads the machine GUID from the registry

      • c26fcfae71.exe (PID: 8168)
      • cvtres.exe (PID: 6036)

    • Manual execution by a user

      • cvtres.exe (PID: 6036)
      • YCL.exe (PID: 3676)
      • mspaint.exe (PID: 8664)

    • Reads the software policy settings

      • MSBuild.exe (PID: 2384)
      • cvtres.exe (PID: 6036)
      • 8d92deb131.exe (PID: 8048)
      • MSBuild.exe (PID: 7900)
      • MSBuild.exe (PID: 5116)

    • Reads mouse settings

      • d42764253a.exe (PID: 1188)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2236)

    • Disables trace logs

      • powershell.exe (PID: 7084)

    • The executable file from the user directory is run by the Powershell process

      • TempQNXMMZOLXYOVW5EFKGVIFN4KL6A3SR6P.EXE (PID: 5508)

    • Changes the display of characters in the console

      • cmd.exe (PID: 1240)
      • cmd.exe (PID: 6032)
      • cmd.exe (PID: 968)
      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 7408)
      • cmd.exe (PID: 7952)

    • NirSoft software is detected

      • nircmd.exe (PID: 7232)
      • nircmd.exe (PID: 5256)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7300)
      • mode.com (PID: 7356)
      • mode.com (PID: 8980)

    • Checks operating system version

      • cmd.exe (PID: 968)
      • cmd.exe (PID: 7952)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6592)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6592)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Amadey

(PID) Process(7488) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)lv:
msi
Kaspersky Lab
av:
|
#
"
\App
00000422
dm:
Powershell.exe
ProgramData\
ps1
rundll32
http://
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
id:
VideoID
cred.dll|clip.dll|
0000043f
cmd
00000423
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
------
2016
og:
\0000
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
+++
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/quiet
.jpg
d610cf342e
vs:
sd:
rundll32.exe
"taskkill /f /im "
pc:
random
=
360TotalSecurity
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
os:
https://
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
Avira
%-lu
zip
POST
" Content-Type: application/octet-stream
Rem
/te4h2nus/index.php
------
5.34
<c>
clip.dll
AVAST Software
\
shell32.dll
" && ren
e3
ramez.exe
kernel32.dll
DefaultSettings.XResolution
d1
DefaultSettings.YResolution
185.156.72.96
r=
cred.dll
--
GetNativeSystemInfo
-%lu
ComputerName
&unit=
Keyboard Layout\Preload
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ar:
Sophos
%USERPROFILE%
exe
e1
e2
st=s
Programs
0123456789
un:
rb
bi:
abcdefghijklmnopqrstuvwxyz0123456789-_
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
cmd /C RMDIR /s/q
Bitdefender
-unicode-
AVG
WinDefender
&&
shutdown -s -t 0
Comodo
00000419
Content-Type: application/x-www-form-urlencoded
/Plugins/
Main

Lumma

(PID) Process(2384) MSBuild.exe
C2 (9)escczlv.top/bufi
korxddl.top/qidz
cornerdurv.top/adwq
localixbiw.top/zlpa
diecam.top/laur
citellcagt.top/gjtu
bogtkr.top/zhyk
narrathfpt.top/tekq
ordntx.top/pxla
(PID) Process(5116) MSBuild.exe
C2 (9)escczlv.top/bufi
korxddl.top/qidz
cornerdurv.top/adwq
localixbiw.top/zlpa
diecam.top/laur
citellcagt.top/gjtu
bogtkr.top/zhyk
narrathfpt.top/tekq
ordntx.top/pxla
(PID) Process(7900) MSBuild.exe
C2 (10)escczlv.top/bufi
https://t.me/yanserver
incqtq.run/jfsu
korxddl.top/qidz
localixbiw.top/zlpa
bogtkr.top/zhyk
diecam.top/laur
citellcagt.top/gjtu
narrathfpt.top/tekq
ordntx.top/pxla
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:01 04:57:19+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.29
CodeSize: 317952
InitializedDataSize: 107520
UninitializedDataSize: -
EntryPoint: 0x325000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
571
Monitored processes
392
Malicious processes
28
Suspicious processes
20

Behavior graph

Click at the process to see the details
start random.exe #AMADEY ramez.exe sppextcomobj.exe no specs slui.exe ramez.exe no specs c26fcfae71.exe no specs biooqu3.exe no specs conhost.exe no specs #LUMMA msbuild.exe biooqu3.exe no specs conhost.exe no specs #GCLEANER cvtres.exe #LUMMA svchost.exe #LUMMA msbuild.exe d42764253a.exe no specs cmd.exe no specs mshta.exe no specs conhost.exe no specs schtasks.exe no specs powershell.exe conhost.exe no specs tempqnxmmzolxyovw5efkgvifn4kl6a3sr6p.exe no specs 099ac5611c.exe no specs conhost.exe no specs #LUMMA msbuild.exe #LUMMA 8d92deb131.exe 6f2ccc53d1.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs cmd.exe conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs werfault.exe no specs 436bba2672.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs 7z.exe unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs find.exe no specs sc.exe no specs sc.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs iobitunlocker.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs 7z.exe no specs unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs iobitunlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs taskkill.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs schtasks.exe no specs sc.exe no specs reg.exe no specs schtasks.exe no specs sc.exe no specs sc.exe no specs schtasks.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs schtasks.exe no specs sc.exe no specs sc.exe no specs schtasks.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs unlocker.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs schtasks.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs cmd.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs unlocker.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs slui.exe ramez.exe no specs mspaint.exe no specs ycl.exe cmd.exe conhost.exe no specs mode.com no specs 7z.exe no specs 7z.exe no specs 7z.exe attrib.exe no specs svchost.exe werfault.exe no specs ramez.exe no specs ramez.exe no specs biooqu3.exe no specs conhost.exe no specs #LUMMA msbuild.exe ramez.exe no specs msiexec.exe no specs vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
136sc stop "WdBoot" C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
456reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /fC:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
632"C:\Windows\System32\cmd.exe" /c sc query IObitUnlockerC:\Windows\System32\cmd.exeUnlocker.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
640reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /fC:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
660sc config "SgrmAgent" start= disabled C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
664reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc" C:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
664NSudoLG -U:T -P:E -UseCurrentConsole C:\Users\admin\AppData\Local\Temp\BDWc2nd.bat C:\Users\admin\AppData\Local\Temp\Work\NSudoLG.execmd.exe
User:
admin
Company:
M2-Team
Integrity Level:
HIGH
Description:
NSudo Launcher
Exit code:
0
Version:
9.0.2676.0
Modules
Images
c:\users\admin\appdata\local\temp\work\nsudolg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
672Unlocker /currentDiskSizeC:\Users\admin\AppData\Local\Temp\Work\Unlocker.execmd.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
Unlocker by Eject
Version:
1.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\work\unlocker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
684C:\WINDOWS\system32\WerFault.exe -u -p 9092 -s 956C:\Windows\System32\WerFault.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
Total events
38 036
Read events
37 663
Write events
218
Delete events
155

Modification events

(PID) Process:(7488) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7488) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7488) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2236) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2236) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2236) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7084) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7084) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7084) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7084) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
Executable files
36
Suspicious files
25
Text files
18
Unknown types
0

Dropped files

PID
Process
Filename
Type
7488ramez.exeC:\Users\admin\AppData\Local\Temp\10203560101\bIoOQu3.exeexecutable
MD5:F86D7CED003880D1997C75B218355BC1
SHA256:608E9D50B3E0C0A2E83F3F688866470BFFDAF00F56244B5D509800DA17EDBD4B
7308random.exeC:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exeexecutable
MD5:0C66B2FE6481490EEE4720C91C8916A8
SHA256:7326028014380BB2EFFEA7393A321A5F83D8D954624E4AD179A70FC4A913C69B
7308random.exeC:\Windows\Tasks\ramez.jobbinary
MD5:DCA91B90ABA91DBACB9054C722352D34
SHA256:C908C115E925FAE19A558CF5BE3EE253E4E1BB6077EC23C028472EF44455CED5
7488ramez.exeC:\Users\admin\AppData\Local\Temp\10203550101\c26fcfae71.exeexecutable
MD5:ECE1D1507B62C20327E999C6936A95A7
SHA256:8EB08322033F193A5E7EA16D83C0CD324EFAAAB628FB245BDB27F6977C2A6D86
7488ramez.exeC:\Users\admin\AppData\Local\Temp\10203570101\bIoOQu3.exeexecutable
MD5:F86D7CED003880D1997C75B218355BC1
SHA256:608E9D50B3E0C0A2E83F3F688866470BFFDAF00F56244B5D509800DA17EDBD4B
1188d42764253a.exeC:\Users\admin\AppData\Local\Temp\cs18m7Imv.htahtml
MD5:AA4D1FB35C71591F83073C2BC8F6C560
SHA256:8A489B8C42CD1F8E15DD10686BDDF13F97F4A1978E1A81D0905D7260E941B365
7488ramez.exeC:\Users\admin\AppData\Local\Temp\10203580101\d42764253a.exeexecutable
MD5:6534C8869B4AA99C645812ACAD22464D
SHA256:89649A445AEC60BAD655442F26E0853E4802BEAECA63E05542B29D7FB9AEA2FC
7488ramez.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\bIoOQu3[1].exeexecutable
MD5:F86D7CED003880D1997C75B218355BC1
SHA256:608E9D50B3E0C0A2E83F3F688866470BFFDAF00F56244B5D509800DA17EDBD4B
7084powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_uyidd1a0.aah.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6036cvtres.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12binary
MD5:30A25C31C62E51DA7391BFE65BEEE3D9
SHA256:CC096EB613A2F79D61825B2F84886B352151A0C082F6CA5BC36FF16E3BDCEB8C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
52
TCP/UDP connections
92
DNS requests
32
Threats
80

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7488
ramez.exe
GET
200
185.156.72.2:80
http://185.156.72.2/files/unique2/random.exe
unknown
malicious
7488
ramez.exe
GET
200
185.156.72.2:80
http://185.156.72.2/files/1241621040/bIoOQu3.exe
unknown
malicious
7488
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
unknown
7488
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
unknown
7488
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
unknown
7084
powershell.exe
GET
200
185.156.72.2:80
http://185.156.72.2/testmine/random.exe
unknown
malicious
6036
cvtres.exe
GET
200
172.217.23.99:80
http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCvHnB5nf2iuRAMV95WTYAv
unknown
whitelisted
7488
ramez.exe
GET
200
185.156.72.2:80
http://185.156.72.2/files/fate/random.exe
unknown
malicious
4000
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
23.48.23.156:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.250:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
7488
ramez.exe
185.156.72.96:80
Tov Vaiz Partner
RU
unknown
6544
svchost.exe
40.126.31.67:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.48.23.156
  • 23.48.23.143
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.67
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.73
  • 40.126.31.71
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.129
  • 20.190.160.22
  • 40.126.32.136
  • 20.190.160.20
  • 40.126.32.134
  • 20.190.160.4
  • 20.190.160.14
  • 20.190.160.130
  • 40.126.32.68
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
cornerdurv.top
unknown
narrathfpt.top
  • 172.67.222.194
  • 104.21.83.105
unknown
drive.usercontent.google.com
  • 142.250.186.129
whitelisted

Threats

PID
Process
Class
Message
7488
ramez.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 35
7488
ramez.exe
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
7488
ramez.exe
Malware Command and Control Activity Detected
ET MALWARE Amadey CnC Response
7488
ramez.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
7488
ramez.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7488
ramez.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
7488
ramez.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7488
ramez.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 35
7488
ramez.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
random.exe