File name:

7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe

Full analysis: https://app.any.run/tasks/61abd3df-38bf-495a-990e-70a859363cac
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: August 01, 2025, 03:13:11
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
themida
loader
amadey
auto
redline
auto-reg
rdp
gcleaner
auto-startup
auto-sch
autoit
stealc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5: FFD93D6685990C74DB251CBB95B99002
SHA1: 3151B1E5A87EFB958A1EA41AC45157216D461ACB
SHA256: 7C67757C02D67A568C675AE6E111C9EC2349D9EAA43C26961DD28EB7F7B32780
SSDEEP: 98304:3dMnpXQKzxT9Im4Jmbpv2CVrzW9r2TBo3KZmE6qHSZwrqhaA7wPSXfzpQsCgURoh:amT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • LUMMA mutex has been found

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • MSBuild.exe (PID: 3768)
      • 0fa6a6e444.exe (PID: 4688)
      • LNGsNmnv4sm.exe (PID: 4776)
    • Steals credentials from Web Browsers

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
    • Actions looks like stealing of personal data

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
    • REDLINE has been found (auto)

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
    • AMADEY mutex has been found

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • amnew.exe (PID: 4416)
      • huran.exe (PID: 5572)
      • huran.exe (PID: 5192)
    • AMADEY has been detected (YARA)

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
    • Changes the autorun value in the registry

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • ls1FDZl.exe (PID: 5972)
    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 8168)
      • NSudoLG.exe (PID: 6508)
      • cmd.exe (PID: 5900)
      • NSudoLG.exe (PID: 7600)
    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 6508)
      • NSudoLG.exe (PID: 7600)
    • Changes the Windows auto-update feature

      • reg.exe (PID: 5708)
      • reg.exe (PID: 5824)
    • GCLEANER has been detected (YARA)

      • svchost015.exe (PID: 7644)
    • LUMMA has been found (auto)

      • svchost015.exe (PID: 7644)
    • Changes powershell execution policy (Bypass)

      • ls1FDZl.exe (PID: 5972)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6596)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6596)
    • Create files in the Startup directory

      • cmd.exe (PID: 1332)
    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3872)
    • STEALC has been detected

      • MSBuild.exe (PID: 6940)
  • SUSPICIOUS

    • Reads the BIOS version

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • 0fa6a6e444.exe (PID: 4688)
    • Searches for installed software

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
    • Process requests binary or script from the Internet

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
    • Connects to the server without a host name

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • svchost015.exe (PID: 7644)
      • huran.exe (PID: 5572)
    • Executable content was dropped or overwritten

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • a11451f287.exe (PID: 4684)
      • 7z.exe (PID: 7936)
      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8064)
      • 7a7b8a07c7.exe (PID: 5724)
      • 6olpur0.exe (PID: 3092)
      • amnew.exe (PID: 4416)
      • svchost015.exe (PID: 7644)
      • mgX0ROvfmspIE.exe (PID: 2276)
      • ls1FDZl.exe (PID: 5972)
      • Nation.pif (PID: 4952)
    • Reads security settings of Internet Explorer

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • a11451f287.exe (PID: 4684)
      • nircmd.exe (PID: 3392)
      • a11451f287.exe (PID: 7240)
      • nircmd.exe (PID: 864)
      • Unlocker.exe (PID: 7336)
      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8064)
      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 424)
      • Unlocker.exe (PID: 6104)
      • IObitUnlocker.exe (PID: 4456)
      • svchost015.exe (PID: 7644)
      • StartMenuExperienceHost.exe (PID: 6452)
      • amnew.exe (PID: 4416)
      • huran.exe (PID: 5572)
      • ls1FDZl.exe (PID: 5972)
    • The process creates files with name similar to system file names

      • a11451f287.exe (PID: 4684)
    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 3392)
      • nircmd.exe (PID: 3888)
      • nircmd.exe (PID: 8148)
      • NSudoLG.exe (PID: 8056)
      • nircmd.exe (PID: 1864)
      • NSudoLG.exe (PID: 6508)
      • nircmd.exe (PID: 2040)
      • nircmd.exe (PID: 864)
      • nircmd.exe (PID: 2992)
      • NSudoLG.exe (PID: 6164)
      • nircmd.exe (PID: 7044)
      • NSudoLG.exe (PID: 7600)
      • 7z.exe (PID: 7936)
      • Unlocker.exe (PID: 7336)
      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8064)
      • Unlocker.exe (PID: 8000)
      • 7z.exe (PID: 6736)
      • Unlocker.exe (PID: 424)
      • Unlocker.exe (PID: 6104)
      • Nation.pif (PID: 4952)
      • Market.com (PID: 476)
    • Executing commands from a ".bat" file

      • a11451f287.exe (PID: 4684)
      • nircmd.exe (PID: 3392)
      • NSudoLG.exe (PID: 8056)
      • a11451f287.exe (PID: 7240)
      • nircmd.exe (PID: 864)
      • NSudoLG.exe (PID: 6164)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7900)
      • cmd.exe (PID: 3944)
      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 7060)
      • cmd.exe (PID: 5764)
      • cmd.exe (PID: 5900)
      • cmd.exe (PID: 5028)
      • cmd.exe (PID: 5548)
    • Reads the date of Windows installation

      • nircmd.exe (PID: 3392)
      • nircmd.exe (PID: 864)
      • Unlocker.exe (PID: 7336)
      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8064)
      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 424)
      • Unlocker.exe (PID: 6104)
      • StartMenuExperienceHost.exe (PID: 6452)
      • SearchApp.exe (PID: 3488)
      • ls1FDZl.exe (PID: 5972)
    • Drops 7-zip archiver for unpacking

      • a11451f287.exe (PID: 4684)
    • Starts CMD.EXE for commands execution

      • a11451f287.exe (PID: 4684)
      • nircmd.exe (PID: 3392)
      • cmd.exe (PID: 8168)
      • NSudoLG.exe (PID: 8056)
      • a11451f287.exe (PID: 7240)
      • nircmd.exe (PID: 864)
      • NSudoLG.exe (PID: 6164)
      • cmd.exe (PID: 5900)
      • Unlocker.exe (PID: 7336)
      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8064)
      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 424)
      • Unlocker.exe (PID: 6104)
      • 6olpur0.exe (PID: 3092)
      • cmd.exe (PID: 768)
      • mgX0ROvfmspIE.exe (PID: 2276)
      • ls1FDZl.exe (PID: 5972)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 3944)
      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 5764)
      • cmd.exe (PID: 5900)
    • Get information on the list of running processes

      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 2552)
      • cmd.exe (PID: 5900)
      • cmd.exe (PID: 3644)
      • cmd.exe (PID: 5028)
      • cmd.exe (PID: 5548)
    • There is functionality for taking screenshot (YARA)

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • svchost015.exe (PID: 7644)
    • Application launched itself

      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 5900)
      • cmd.exe (PID: 768)
      • R4EpnnQ.exe (PID: 2388)
    • There is functionality for enable RDP (YARA)

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
    • Starts POWERSHELL.EXE for commands execution

      • NSudoLG.exe (PID: 6508)
      • NSudoLG.exe (PID: 7600)
      • ls1FDZl.exe (PID: 5972)
    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 6508)
      • NSudoLG.exe (PID: 7600)
    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 7436)
      • powershell.exe (PID: 8020)
    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 5900)
      • cmd.exe (PID: 5028)
      • cmd.exe (PID: 5548)
    • Windows service management via SC.EXE

      • sc.exe (PID: 7740)
      • sc.exe (PID: 6676)
      • sc.exe (PID: 1816)
      • sc.exe (PID: 7532)
      • sc.exe (PID: 5300)
      • sc.exe (PID: 4088)
      • sc.exe (PID: 4948)
      • sc.exe (PID: 1356)
      • sc.exe (PID: 7244)
      • sc.exe (PID: 5620)
      • sc.exe (PID: 7544)
      • sc.exe (PID: 7740)
      • sc.exe (PID: 6452)
      • sc.exe (PID: 6352)
      • sc.exe (PID: 2716)
      • sc.exe (PID: 6400)
      • sc.exe (PID: 7276)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 7824)
      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 7892)
      • cmd.exe (PID: 6096)
      • cmd.exe (PID: 5188)
      • cmd.exe (PID: 4032)
      • cmd.exe (PID: 5900)
      • cmd.exe (PID: 2704)
      • cmd.exe (PID: 6900)
    • Stops a currently running service

      • sc.exe (PID: 6376)
      • sc.exe (PID: 2140)
      • sc.exe (PID: 3048)
      • sc.exe (PID: 4024)
      • sc.exe (PID: 5600)
      • sc.exe (PID: 5424)
      • sc.exe (PID: 7436)
      • sc.exe (PID: 868)
      • sc.exe (PID: 7820)
      • sc.exe (PID: 7928)
      • sc.exe (PID: 5348)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7640)
      • cmd.exe (PID: 7764)
      • cmd.exe (PID: 7724)
      • cmd.exe (PID: 6488)
      • cmd.exe (PID: 7872)
    • Creates or modifies Windows services

      • reg.exe (PID: 6688)
      • Unlocker.exe (PID: 6164)
      • reg.exe (PID: 700)
    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8064)
    • The process verifies whether the antivirus software is installed

      • Unlocker.exe (PID: 8064)
      • IObitUnlocker.exe (PID: 4456)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 3768)
    • Starts itself from another location

      • amnew.exe (PID: 4416)
    • The process executes via Task Scheduler

      • huran.exe (PID: 5192)
    • Executing commands from ".cmd" file

      • mgX0ROvfmspIE.exe (PID: 2276)
    • BASE64 encoded PowerShell command has been detected

      • ls1FDZl.exe (PID: 5972)
    • The process bypasses the loading of PowerShell profile settings

      • ls1FDZl.exe (PID: 5972)
    • Base64-obfuscated command line is found

      • ls1FDZl.exe (PID: 5972)
    • Uses powercfg.exe to modify the power settings

      • ls1FDZl.exe (PID: 5972)
    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 5028)
    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 5028)
      • cmd.exe (PID: 5548)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 5548)
  • INFO

    • Reads the machine GUID from the registry

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 8064)
      • Unlocker.exe (PID: 424)
      • Unlocker.exe (PID: 6104)
      • Unlocker.exe (PID: 7336)
      • SearchApp.exe (PID: 3488)
      • 0fa6a6e444.exe (PID: 4688)
      • MSBuild.exe (PID: 3768)
      • LNGsNmnv4sm.exe (PID: 4776)
      • svchost015.exe (PID: 7644)
      • MSBuild.exe (PID: 5216)
    • Checks supported languages

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • a11451f287.exe (PID: 4684)
      • nircmd.exe (PID: 3888)
      • chcp.com (PID: 4948)
      • nircmd.exe (PID: 3392)
      • chcp.com (PID: 3836)
      • nircmd.exe (PID: 8148)
      • NSudoLG.exe (PID: 8056)
      • nircmd.exe (PID: 1864)
      • chcp.com (PID: 2148)
      • mode.com (PID: 7208)
      • NSudoLG.exe (PID: 6508)
      • a11451f287.exe (PID: 7240)
      • nircmd.exe (PID: 864)
      • nircmd.exe (PID: 2040)
      • chcp.com (PID: 6388)
      • nircmd.exe (PID: 2992)
      • chcp.com (PID: 2704)
      • NSudoLG.exe (PID: 6164)
      • nircmd.exe (PID: 7044)
      • chcp.com (PID: 7280)
      • mode.com (PID: 3888)
      • NSudoLG.exe (PID: 7600)
      • 7a7b8a07c7.exe (PID: 5724)
      • 7z.exe (PID: 7936)
      • Unlocker.exe (PID: 7336)
      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8064)
      • 7z.exe (PID: 6736)
      • Unlocker.exe (PID: 8000)
      • svchost015.exe (PID: 7644)
      • Unlocker.exe (PID: 424)
      • IObitUnlocker.exe (PID: 4456)
      • Unlocker.exe (PID: 6104)
      • TextInputHost.exe (PID: 3896)
      • StartMenuExperienceHost.exe (PID: 6452)
      • SearchApp.exe (PID: 3488)
      • 739e5ae6c0.exe (PID: 7544)
      • 0fa6a6e444.exe (PID: 4688)
      • 6olpur0.exe (PID: 3092)
      • MSBuild.exe (PID: 3768)
      • amnew.exe (PID: 4416)
      • huran.exe (PID: 5572)
      • huran.exe (PID: 5192)
      • KsyqOl3VygH.exe (PID: 5408)
      • mgX0ROvfmspIE.exe (PID: 2276)
      • LNGsNmnv4sm.exe (PID: 4776)
      • ls1FDZl.exe (PID: 5972)
      • G4gtDRI.exe (PID: 2980)
      • extrac32.exe (PID: 5336)
      • MSBuild.exe (PID: 5216)
      • RenT7Wg.exe (PID: 5164)
    • Reads the software policy settings

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • svchost015.exe (PID: 7644)
      • SearchApp.exe (PID: 3488)
      • MSBuild.exe (PID: 3768)
      • slui.exe (PID: 4984)
      • 0fa6a6e444.exe (PID: 4688)
      • LNGsNmnv4sm.exe (PID: 4776)
    • Reads the computer name

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • a11451f287.exe (PID: 4684)
      • nircmd.exe (PID: 3392)
      • NSudoLG.exe (PID: 8056)
      • NSudoLG.exe (PID: 6508)
      • a11451f287.exe (PID: 7240)
      • nircmd.exe (PID: 864)
      • NSudoLG.exe (PID: 6164)
      • NSudoLG.exe (PID: 7600)
      • 7z.exe (PID: 7936)
      • Unlocker.exe (PID: 7336)
      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8064)
      • 7z.exe (PID: 6736)
      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 424)
      • IObitUnlocker.exe (PID: 4456)
      • svchost015.exe (PID: 7644)
      • Unlocker.exe (PID: 6104)
      • StartMenuExperienceHost.exe (PID: 6452)
      • TextInputHost.exe (PID: 3896)
      • SearchApp.exe (PID: 3488)
      • 0fa6a6e444.exe (PID: 4688)
      • 6olpur0.exe (PID: 3092)
      • MSBuild.exe (PID: 3768)
      • amnew.exe (PID: 4416)
      • huran.exe (PID: 5572)
      • LNGsNmnv4sm.exe (PID: 4776)
      • extrac32.exe (PID: 5336)
      • ls1FDZl.exe (PID: 5972)
      • Nation.pif (PID: 4952)
      • MSBuild.exe (PID: 5216)
    • Application launched itself

      • chrome.exe (PID: 6452)
      • chrome.exe (PID: 8040)
      • chrome.exe (PID: 7252)
      • chrome.exe (PID: 6780)
      • msedge.exe (PID: 7352)
      • msedge.exe (PID: 7856)
      • msedge.exe (PID: 7832)
      • msedge.exe (PID: 1828)
      • msedge.exe (PID: 1624)
      • msedge.exe (PID: 7732)
      • chrome.exe (PID: 5180)
      • chrome.exe (PID: 7676)
      • chrome.exe (PID: 5568)
      • chrome.exe (PID: 2708)
      • chrome.exe (PID: 7712)
      • chrome.exe (PID: 5748)
      • chrome.exe (PID: 7936)
      • chrome.exe (PID: 5412)
    • Themida protector has been detected

      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
    • Checks proxy server information

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • svchost015.exe (PID: 7644)
      • SearchApp.exe (PID: 3488)
      • slui.exe (PID: 4984)
      • huran.exe (PID: 5572)
    • Create files in a temporary directory

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • a11451f287.exe (PID: 4684)
      • 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe (PID: 6948)
      • a11451f287.exe (PID: 7240)
      • 7z.exe (PID: 7936)
      • 7a7b8a07c7.exe (PID: 5724)
      • 6olpur0.exe (PID: 3092)
      • amnew.exe (PID: 4416)
      • mgX0ROvfmspIE.exe (PID: 2276)
      • extrac32.exe (PID: 5336)
      • extrac32.exe (PID: 3964)
      • R4EpnnQ.exe (PID: 6820)
    • Creates files or folders in the user directory

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • svchost015.exe (PID: 7644)
      • ls1FDZl.exe (PID: 5972)
      • Nation.pif (PID: 4952)
    • Process checks computer location settings

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • a11451f287.exe (PID: 4684)
      • nircmd.exe (PID: 3392)
      • a11451f287.exe (PID: 7240)
      • nircmd.exe (PID: 864)
      • StartMenuExperienceHost.exe (PID: 6452)
      • SearchApp.exe (PID: 3488)
      • amnew.exe (PID: 4416)
      • ls1FDZl.exe (PID: 5972)
    • NirSoft software is detected

      • nircmd.exe (PID: 3888)
      • nircmd.exe (PID: 3392)
      • nircmd.exe (PID: 8148)
      • nircmd.exe (PID: 1864)
      • nircmd.exe (PID: 2040)
      • nircmd.exe (PID: 864)
      • nircmd.exe (PID: 2992)
      • nircmd.exe (PID: 7044)
    • Changes the display of characters in the console

      • cmd.exe (PID: 7900)
      • cmd.exe (PID: 3944)
      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 7060)
      • cmd.exe (PID: 5764)
      • cmd.exe (PID: 5900)
    • The sample compiled with english language support

      • a11451f287.exe (PID: 4684)
      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • Unlocker.exe (PID: 6164)
      • Unlocker.exe (PID: 8064)
      • 7a7b8a07c7.exe (PID: 5724)
      • svchost015.exe (PID: 7644)
      • Nation.pif (PID: 4952)
    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7208)
      • mode.com (PID: 3888)
    • Checks operating system version

      • cmd.exe (PID: 8168)
      • cmd.exe (PID: 5900)
    • Launching a file from a Registry key

      • 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe (PID: 1828)
      • ls1FDZl.exe (PID: 5972)
    • Manual execution by a user

      • a11451f287.exe (PID: 7240)
      • cmd.exe (PID: 3872)
      • cmd.exe (PID: 1332)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7436)
      • powershell.exe (PID: 8020)
      • powershell.exe (PID: 6596)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7436)
      • powershell.exe (PID: 8020)
      • powershell.exe (PID: 6596)
    • Creates files in the program directory

      • Unlocker.exe (PID: 424)
    • Reads the time zone

      • explorer.exe (PID: 5716)
    • Changes appearance of the Explorer extensions

      • explorer.exe (PID: 5716)
    • Reads Environment values

      • SearchApp.exe (PID: 3488)
    • Launching a file from Task Scheduler

      • cmd.exe (PID: 3872)
    • Launching a file from the Startup directory

      • cmd.exe (PID: 1332)
    • Reads mouse settings

      • Nation.pif (PID: 4952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Amadey

(PID) Process: (1828) 6DKL4DDHY12W2AMNJ4B4KRTFDXXSCZB.exe
C2: 94.154.35.25
URL: http://94.154.35.25/di9ku38f/index.php
Version: 5.55
Options
Drop directory: 96a319e745
Drop name: Srxelqcif.exe
Strings (125)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:07:31 17:52:51+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 304128
InitializedDataSize: 39424
UninitializedDataSize: -
EntryPoint: 0x480000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 502
Monitored processes: 356
Malicious processes: 28
Suspicious processes: 11

Behavior graph

The interactive process tree did not survive extraction; the nodes tagged with a malware family in it were: #LUMMA 7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe, #AMADEY 6dkl4ddhy12w2amnj4b4krtfdxxsczb.exe, #LUMMA svchost015.exe, #LUMMA msbuild.exe, #LUMMA 0fa6a6e444.exe, #LUMMA lngsnmnv4sm.exe, #STEALC msbuild.exe. The full tree is available in the full report.

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 188
CMD: reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 236
CMD: reg unload HKLM\TEMP_SYSTEM
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID: 424
CMD: Unlocker /delwd
Path: C:\Users\admin\AppData\Local\Temp\Work\Unlocker.exe
Parent process: cmd.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
Unlocker by Eject NotOfficial
Exit code:
1
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\work\unlocker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 476
CMD: Market.com z
Path: C:\Users\admin\AppData\Local\Temp\282683\Market.com
Parent process: cmd.exe
User:
admin
Company:
AutoIt Team
Integrity Level:
MEDIUM
Description:
AutoIt v3 Script (Beta)
Version:
3, 3, 17, 0
Modules
Images
c:\users\admin\appdata\local\temp\282683\market.com
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 516
CMD: reg add "HKLM\TEMP_SYSTEM\ControlSet001\Services\UsoSvc" /v Start /t REG_DWORD /d 4 /f
Path: C:\Windows\System32\reg.exe
Parent process: cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID:
592
CMD:
tasklist
Path:
C:\Windows\SysWOW64\tasklist.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
620
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3476,i,707214195755894848,8305990671709591265,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3732 /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID:
700
CMD:
reg add "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /v "Start" /t REG_DWORD /d 4 /f
Path:
C:\Windows\System32\reg.exe
Parent process:
cmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
PID:
768
CMD:
cmd.exe /c cmd < Conditions.jpg
Path:
C:\Windows\SysWOW64\cmd.exe
Parent process:
6olpur0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID:
864
CMD:
nircmd elevate "C:\Users\admin\AppData\Local\Temp\ltBl7D8.bat" any_word
Path:
C:\Users\admin\AppData\Local\Temp\Work\nircmd.exe
Parent process:
cmd.exe
User:
admin
Company:
NirSoft
Integrity Level:
MEDIUM
Description:
NirCmd
Exit code:
0
Version:
2.87
Modules
Images
c:\users\admin\appdata\local\temp\work\nircmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
92 578
Read events
92 368
Write events
207
Delete events
3

Modification events

(PID) Process:
(6452) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
1
(PID) Process:
(6452) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:
write
Name:
failed_count
Value:
0
(PID) Process:
(6452) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
2
(PID) Process:
(6452) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:
write
Name:
user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:
(6452) chrome.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:
write
Name:
usagestats
Value:
0
(PID) Process:
(7252) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
1
(PID) Process:
(7252) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:
write
Name:
failed_count
Value:
0
(PID) Process:
(7252) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
2
(PID) Process:
(7252) chrome.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:
write
Name:
user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:
(7252) chrome.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:
write
Name:
usagestats
Value:
0
Executable files
45
Suspicious files
152
Text files
244
Unknown types
54

Dropped files

PID
Process
Filename
Type
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF18f037.TMP
MD5:
SHA256:
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF18f047.TMP
MD5:
SHA256:
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF18f056.TMP
MD5:
SHA256:
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old~RF18f056.TMP
MD5:
SHA256:
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF18f056.TMP
MD5:
SHA256:
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old
MD5:
SHA256:
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old
MD5:
SHA256:
PID:
6452
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
HTTP(S) requests
186
TCP/UDP connections
220
DNS requests
147
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
142.250.185.131:443
https://update.googleapis.com/service/update2/json?cup2key=14:nS5tAcBelDJVz7titgf4Ni-k8ReTjfEbUdyXQfjpWwQ&cup2hreq=aa7546527745dfc17e4b64d864d4ae362d41ee4ee648a683f7c667d7c2abe91f
unknown
text
289 b
whitelisted
GET
200
142.250.186.99:443
https://www.gstatic.com/og/_/ss/k=og.qtm.WTFD-Esq6Ic.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTucqiq4kwAJLLHNcPdfuf5eZ8r2Fg
unknown
text
5.08 Kb
whitelisted
OPTIONS
200
142.250.181.234:443
https://ogads-pa.clients6.google.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData
unknown
GET
200
142.250.186.99:443
https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
unknown
image
1.62 Kb
whitelisted
GET
200
142.250.186.46:443
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.EYOBbsN3I2A.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo_iiC5gORPbsAUenRY5t2mRSbS18A/cb=gapi.loaded_0
unknown
POST
200
45.61.165.8:443
https://mocadia.com/iuew
unknown
binary
32.7 Kb
1268
svchost.exe
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4084
RUXIMICS.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1268
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4084
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1268
svchost.exe
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.216.77.42:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6948
7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe
45.61.165.8:443
mocadia.com
US
malicious
4084
RUXIMICS.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 172.217.23.110
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.28
  • 23.216.77.6
whitelisted
mocadia.com
  • 45.61.165.8
unknown
www.microsoft.com
  • 23.35.229.160
whitelisted
clients2.google.com
  • 172.217.16.142
  • 142.251.13.139
  • 142.251.13.102
  • 142.251.13.101
  • 142.251.13.113
  • 142.251.13.138
  • 142.251.13.100
whitelisted
clientservices.googleapis.com
  • 142.250.186.99
  • 172.217.16.195
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.250.185.202
  • 172.217.16.138
  • 216.58.206.42
  • 142.250.185.74
  • 172.217.18.106
  • 142.250.185.234
  • 142.250.185.138
  • 142.250.184.234
  • 142.250.181.234
  • 172.217.18.10
  • 172.217.23.106
  • 142.250.184.202
  • 216.58.206.74
  • 142.250.185.106
  • 172.217.16.202
  • 142.250.185.170
  • 142.250.186.42
  • 142.250.186.74
  • 142.250.186.138
  • 142.250.186.170
  • 142.250.186.106
  • 142.250.74.202
whitelisted
accounts.google.com
  • 66.102.1.84
  • 64.233.184.84
whitelisted
www.google.com
  • 142.250.186.100
  • 142.250.74.196
whitelisted

Threats

No threats detected
Process
Message
7c67757c02d67a568c675ae6e111c9ec2349d9eaa43c26961dd28eb7f7b32780.bin.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
IObitUnlocker.exe
PostAction_Delete
IObitUnlocker.exe
FileCount:264
IObitUnlocker.exe
C:\ProgramData\Microsoft\Windows Defender--------
IObitUnlocker.exe
C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection--------
IObitUnlocker.exe
C:\ProgramData\Microsoft\Windows Security Health--------
IObitUnlocker.exe
C:\ProgramData\Microsoft\Storage Health--------
IObitUnlocker.exe
C:\Program Files\Windows Defender--------
IObitUnlocker.exe
C:\Program Files\Windows Defender Advanced Threat Protection--------
IObitUnlocker.exe
C:\Program Files\Windows Security--------