File name:	Game_Setup.zip
Full analysis:	https://app.any.run/tasks/7c2b42a3-885d-467b-80d6-919a1fd919cf
Verdict:	Malicious activity
Threats:	Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 16:05:50
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec arch-doc themida miner winring0x64-sys vuln-driver amadey botnet stealer xmrig xor-url upx generic
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	95A6838ADE68096DDC7969F54F4FDDC7
SHA1:	3A3D8B521224595D5AB60307263393C80ABAEBFB
SHA256:	A03B1F38FD828330FFA3FDD97E54F063F6E735A6C15A4B906B09FB1B1AF707F2
SSDEEP:	98304:Jx7JVqdi6TmmHD3xNyX6duuadHEfFA0mdVlqDkywx2ESaptrYgHh9lc0shKVgGtm:szXuYZPRGjJERl

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:06:28 14:36:30
ZipCRC:	0xcc407c6f
ZipCompressedSize:	17363
ZipUncompressedSize:	2982144
ZipFileName:	Data1.repack


(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\Game_Setup.zip
(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 32
(PID) Process:	(5644) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:	write	Name:	ArcSort
Value: 0

PID	Process	Filename		Type
6384	Setup.exe	C:\ProgramData\LocalUpdateUpdate\install.exe		executable
		MD5:42DF176B4530E5B5434D66AE95B992A9	SHA256:94CAFF833F3196A7ADB6C25D96442F9316BF3B4044B8B1F95EE50C5CABC67EF3
3504	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_btajwxms.ndp.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4552	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:ACD29E0070F0F9065129EC287BC4DEE6	SHA256:3477591DF47C5F6C3E82F7CF98C983F115101DD6B94976357245BCB90DEDA57C
3504	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_ddvepqeo.3qx.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5008	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cbqmmejn.kih.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3504	powershell.exe	C:\Windows\Temp\__PSScriptPolicyTest_om2ix3vs.4th.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4552	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ynlvpubr.lns.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3852	install.exe	C:\Windows\Temp\vozzhmumpjds.sys		executable
		MD5:0C0195C48B6B8582FA6F6373032118DA	SHA256:11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
3504	powershell.exe	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:51D9D9E1E51140C5232D79510394A3A0	SHA256:7DA347A38A26BA84A5882C86B971B6F5E8D74D395566489C0B98BB1500166313
6384	Setup.exe	C:\Windows\System32\drivers\etc\hosts		text
		MD5:A3FB8664A45F92A22F28880820BE3701	SHA256:A6B5ED0BC2D4E6C476A582D79F5CDCD2FB428F84B157E6BEFDB25C0FE359346C

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted
—	—	POST	200	172.67.157.64:443	https://23865.fr/api/endpoint.php	unknown	binary	2 b	malicious
5944	MoUsoCoreWorker.exe	GET	200	23.55.104.172:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3572	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	172.67.157.64:443	https://23865.fr/api/endpoint.php	unknown	binary	17 b	malicious
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3572	RUXIMICS.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
1268	svchost.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
5944	MoUsoCoreWorker.exe	23.55.104.172:80	crl.microsoft.com	Akamai International B.V.	US	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3572	RUXIMICS.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
google.com	142.250.185.238	whitelisted
crl.microsoft.com	23.55.104.172 23.55.104.190	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
settings-win.data.microsoft.com	20.73.194.208	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted
xmr-eu1.nanopool.org	51.38.65.123 146.59.154.106 163.172.154.142 212.47.253.124 51.15.58.224 54.37.232.103 51.68.213.185 51.89.23.91 54.37.137.114 57.128.224.74 51.15.193.130 57.128.224.35 57.128.224.17 51.15.65.182 162.19.224.121 57.128.224.211 141.94.23.83	whitelisted
23865.fr	104.21.65.14 172.67.157.64	malicious
self.events.data.microsoft.com	20.44.10.122	whitelisted

PID	Process	Class	Message
2200	svchost.exe	Potential Corporate Privacy Violation	ET INFO Observed DNS Query to Coin Mining Domain (nanopool .org)
—	—	Misc activity	SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body
—	—	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3
—	—	A Network Trojan was detected	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M3

General Info

Game_Setup.zip

95A6838ADE68096DDC7969F54F4FDDC7

3A3D8B521224595D5AB60307263393C80ABAEBFB

A03B1F38FD828330FFA3FDD97E54F063F6E735A6C15A4B906B09FB1B1AF707F2

98304:Jx7JVqdi6TmmHD3xNyX6duuadHEfFA0mdVlqDkywx2ESaptrYgHh9lc0shKVgGtm:szXuYZPRGjJERl

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

Changes Windows Defender settings

Adds extension to the Windows Defender exclusion list

Uninstalls Malicious Software Removal Tool (MRT)

Vulnerable driver has been detected

MINER has been detected (SURICATA)

XMRIG has been detected (YARA)

XORed URL has been found (YARA)

SUSPICIOUS

Starts process via Powershell

Reads the BIOS version

Starts POWERSHELL.EXE for commands execution

Script adds exclusion extension to Windows Defender

Script adds exclusion path to Windows Defender

Manipulates environment variables

Starts CMD.EXE for commands execution

Process uninstalls Windows update

Stops a currently running service

Starts SC.EXE for service management

Creates a new Windows service

Executable content was dropped or overwritten

Modifies hosts file to alter network resolution

Windows service management via SC.EXE

Executes as Windows Service

Uses powercfg.exe to modify the power settings

Connects to unusual port

Drops a system driver (possible attempt to evade defenses)

Potential Corporate Privacy Violation

INFO

Checks supported languages

Manual execution by a user

Reads security settings of Internet Explorer

Process checks whether UAC notifications are on

Themida protector has been detected

Creates files in the program directory

The sample compiled with english language support

Checks if a key exists in the options dictionary (POWERSHELL)

Script raised an exception (POWERSHELL)

The sample compiled with japanese language support

UPX packer has been detected

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules