File name:

Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929

Full analysis: https://app.any.run/tasks/6eb824df-9f65-40ac-91cc-bd4bac2ef342
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 17:12:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
amadey
lumma
stealer
auto
generic
botnet
arch-exec
loader
telegram
gcleaner
evasion
themida
rdp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

14C53582E7B7F2FCFF0EB3995B2D4B9F

SHA1:

35B5EA09E2E3B9B3A3BD715D21050EB5437CD784

SHA256:

ADF7FC126864CB19D5ECBFFF18695D5E3193F6CF4B4DC1976BFA3393C4F4C929

SSDEEP:

98304:pn2YQTL6Pt5xm/lq/ZyGF8u/aQeNMPc14Mj2WSsd0/s5o2Gw82wHJbayaT6rBZlV:pzQ6EBWqgXXoqvrt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • GENERIC has been found (auto)

      • R1m58.exe (PID: 960)

    • AMADEY mutex has been found

      • 2f3437.exe (PID: 7152)
      • ramez.exe (PID: 920)
      • ramez.exe (PID: 7488)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 5680)
      • NSudoLG.exe (PID: 728)

    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 728)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)
      • ramez.exe (PID: 920)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 7860)
      • MSBuild.exe (PID: 5452)

    • AMADEY has been detected (SURICATA)

      • ramez.exe (PID: 920)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 5680)

    • AMADEY has been detected (YARA)

      • ramez.exe (PID: 920)

    • Stealers network behavior

      • svchost.exe (PID: 2196)

    • Executing a file with an untrusted certificate

      • j6J70wm.exe (PID: 8088)
      • HGVm49v.exe (PID: 6760)
      • ra02W4S.exe (PID: 7288)

    • Application was injected by another process

      • svchost.exe (PID: 2288)
      • svchost.exe (PID: 872)

    • Runs injected code in another process

      • e5jg7MM.exe (PID: 1748)

    • GCLEANER has been detected (SURICATA)

      • ra02W4S.exe (PID: 7288)
      • 0897a3c94e.exe (PID: 8052)

  • SUSPICIOUS

    • Starts a Microsoft application from unusual location

      • Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929.exe (PID: 5064)
      • R1m58.exe (PID: 960)
      • j6J70wm.exe (PID: 8088)
      • 08IyOOF.exe (PID: 7792)

    • Process drops legitimate windows executable

      • Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929.exe (PID: 5064)
      • cmd.exe (PID: 5680)
      • ramez.exe (PID: 920)
      • nuyKYK2ZH6ktt.tmp (PID: 8388)

    • Reads security settings of Internet Explorer

      • 1z96h6.exe (PID: 976)
      • nircmd.exe (PID: 6988)
      • 2f3437.exe (PID: 7152)
      • ramez.exe (PID: 920)
      • Unlocker.exe (PID: 4976)
      • Unlocker.exe (PID: 900)
      • Unlocker.exe (PID: 7968)
      • ra02W4S.exe (PID: 7288)

    • Executable content was dropped or overwritten

      • Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929.exe (PID: 5064)
      • R1m58.exe (PID: 960)
      • 2f3437.exe (PID: 7152)
      • 1z96h6.exe (PID: 976)
      • 7z.exe (PID: 6372)
      • Unlocker.exe (PID: 900)
      • ramez.exe (PID: 920)
      • cmd.exe (PID: 5680)
      • ra02W4S.exe (PID: 7288)
      • nuyKYK2ZH6ktt.exe (PID: 8368)
      • nuyKYK2ZH6ktt.tmp (PID: 8388)
      • globalsynapse398.exe (PID: 8412)
      • 0897a3c94e.exe (PID: 8052)

    • Starts CMD.EXE for commands execution

      • 1z96h6.exe (PID: 976)
      • cmd.exe (PID: 4724)
      • nircmd.exe (PID: 6988)
      • cmd.exe (PID: 6036)
      • cmd.exe (PID: 2656)
      • NSudoLG.exe (PID: 6480)
      • cmd.exe (PID: 5680)
      • Unlocker.exe (PID: 4976)
      • Unlocker.exe (PID: 900)
      • Unlocker.exe (PID: 7968)
      • svchost.exe (PID: 872)

    • Application launched itself

      • cmd.exe (PID: 4724)
      • cmd.exe (PID: 6036)
      • cmd.exe (PID: 2656)
      • cmd.exe (PID: 5680)
      • svchost.exe (PID: 2288)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 4724)
      • 1z96h6.exe (PID: 976)
      • nircmd.exe (PID: 6988)
      • cmd.exe (PID: 6036)
      • NSudoLG.exe (PID: 6480)
      • cmd.exe (PID: 2656)

    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 6988)
      • NSudoLG.exe (PID: 6480)
      • NSudoLG.exe (PID: 728)
      • 7z.exe (PID: 6372)
      • Unlocker.exe (PID: 4976)
      • Unlocker.exe (PID: 900)
      • Unlocker.exe (PID: 7968)

    • Reads the BIOS version

      • 2f3437.exe (PID: 7152)
      • ramez.exe (PID: 920)
      • 3R42W.exe (PID: 900)
      • ramez.exe (PID: 7488)
      • e5jg7MM.exe (PID: 1748)

    • Reads the date of Windows installation

      • nircmd.exe (PID: 6988)
      • Unlocker.exe (PID: 4976)
      • Unlocker.exe (PID: 900)
      • Unlocker.exe (PID: 7968)

    • Starts application with an unusual extension

      • cmd.exe (PID: 3884)
      • cmd.exe (PID: 516)
      • cmd.exe (PID: 5680)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 516)
      • cmd.exe (PID: 5680)

    • Get information on the list of running processes

      • cmd.exe (PID: 5680)
      • cmd.exe (PID: 516)

    • Starts itself from another location

      • 2f3437.exe (PID: 7152)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 3676)

    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 728)

    • Starts POWERSHELL.EXE for commands execution

      • NSudoLG.exe (PID: 728)
      • globalsynapse398.exe (PID: 8412)

    • Contacting a server suspected of hosting an CnC

      • svchost.exe (PID: 2196)
      • ramez.exe (PID: 920)
      • MSBuild.exe (PID: 7860)
      • MSBuild.exe (PID: 5452)

    • Drops 7-zip archiver for unpacking

      • 1z96h6.exe (PID: 976)

    • The process creates files with name similar to system file names

      • 1z96h6.exe (PID: 976)

    • Connects to the server without a host name

      • ramez.exe (PID: 920)
      • svchost.exe (PID: 872)
      • ra02W4S.exe (PID: 7288)
      • 0897a3c94e.exe (PID: 8052)

    • Potential Corporate Privacy Violation

      • ramez.exe (PID: 920)
      • 0897a3c94e.exe (PID: 8052)
      • ra02W4S.exe (PID: 7288)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 5680)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 6576)
      • cmd.exe (PID: 5680)
      • cmd.exe (PID: 6268)
      • cmd.exe (PID: 3156)
      • cmd.exe (PID: 8072)

    • Windows service management via SC.EXE

      • sc.exe (PID: 4188)
      • sc.exe (PID: 7148)
      • sc.exe (PID: 728)
      • sc.exe (PID: 1388)
      • sc.exe (PID: 2552)
      • sc.exe (PID: 3176)
      • sc.exe (PID: 2144)
      • sc.exe (PID: 5556)
      • sc.exe (PID: 456)
      • sc.exe (PID: 7144)
      • sc.exe (PID: 2404)
      • sc.exe (PID: 3364)
      • sc.exe (PID: 5132)
      • sc.exe (PID: 6576)
      • sc.exe (PID: 7176)
      • sc.exe (PID: 7220)
      • sc.exe (PID: 2616)
      • sc.exe (PID: 2632)
      • sc.exe (PID: 2504)
      • sc.exe (PID: 7264)
      • sc.exe (PID: 7320)
      • sc.exe (PID: 7576)
      • sc.exe (PID: 7368)
      • sc.exe (PID: 7412)
      • sc.exe (PID: 7452)
      • sc.exe (PID: 7492)
      • sc.exe (PID: 7532)
      • sc.exe (PID: 7624)
      • sc.exe (PID: 7716)
      • sc.exe (PID: 7664)
      • sc.exe (PID: 8036)
      • sc.exe (PID: 7828)
      • sc.exe (PID: 7872)
      • sc.exe (PID: 7912)
      • sc.exe (PID: 7952)
      • sc.exe (PID: 7992)
      • sc.exe (PID: 8076)
      • sc.exe (PID: 7772)
      • sc.exe (PID: 8124)
      • sc.exe (PID: 7428)
      • sc.exe (PID: 7440)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 5384)
      • cmd.exe (PID: 1852)
      • cmd.exe (PID: 8176)

    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 900)

    • Stops a currently running service

      • sc.exe (PID: 6264)
      • sc.exe (PID: 6032)
      • sc.exe (PID: 6944)
      • sc.exe (PID: 2440)
      • sc.exe (PID: 3008)
      • sc.exe (PID: 2804)
      • sc.exe (PID: 7340)
      • sc.exe (PID: 7240)
      • sc.exe (PID: 7432)
      • sc.exe (PID: 7512)
      • sc.exe (PID: 7604)
      • sc.exe (PID: 7696)
      • sc.exe (PID: 2692)
      • sc.exe (PID: 8056)
      • sc.exe (PID: 7892)
      • sc.exe (PID: 7972)
      • sc.exe (PID: 7808)

    • Creates or modifies Windows services

      • Unlocker.exe (PID: 900)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 8140)
      • schtasks.exe (PID: 8116)
      • schtasks.exe (PID: 8164)
      • schtasks.exe (PID: 8188)
      • schtasks.exe (PID: 7180)

    • There is functionality for enable RDP (YARA)

      • ramez.exe (PID: 920)

    • Connects to unusual port

      • 34cGHhH.exe (PID: 5176)

    • Process requests binary or script from the Internet

      • ramez.exe (PID: 920)

    • The process executes via Task Scheduler

      • ramez.exe (PID: 7488)
      • PLUGScheduler.exe (PID: 3012)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 7904)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • svchost.exe (PID: 872)

    • Executes application which crashes

      • HGVm49v.exe (PID: 6760)

    • The process drops C-runtime libraries

      • nuyKYK2ZH6ktt.tmp (PID: 8388)

  • INFO

    • Create files in a temporary directory

      • Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929.exe (PID: 5064)
      • R1m58.exe (PID: 960)
      • 1z96h6.exe (PID: 976)
      • 2f3437.exe (PID: 7152)
      • ramez.exe (PID: 920)
      • 7z.exe (PID: 6372)
      • 34cGHhH.exe (PID: 5176)

    • The sample compiled with english language support

      • Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929.exe (PID: 5064)
      • 1z96h6.exe (PID: 976)
      • Unlocker.exe (PID: 900)
      • cmd.exe (PID: 5680)
      • ramez.exe (PID: 920)
      • nuyKYK2ZH6ktt.tmp (PID: 8388)
      • ra02W4S.exe (PID: 7288)

    • Checks supported languages

      • Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929.exe (PID: 5064)
      • R1m58.exe (PID: 960)
      • 2f3437.exe (PID: 7152)
      • chcp.com (PID: 5512)
      • nircmd.exe (PID: 6988)
      • chcp.com (PID: 976)
      • NSudoLG.exe (PID: 6480)
      • chcp.com (PID: 6240)
      • mode.com (PID: 1760)
      • 3R42W.exe (PID: 900)
      • ramez.exe (PID: 920)
      • NSudoLG.exe (PID: 728)
      • 1z96h6.exe (PID: 976)
      • 7z.exe (PID: 6372)
      • Unlocker.exe (PID: 4976)
      • Unlocker.exe (PID: 900)
      • IObitUnlocker.exe (PID: 300)
      • IObitUnlocker.exe (PID: 5400)
      • IObitUnlocker.exe (PID: 4188)
      • 34cGHhH.exe (PID: 5176)
      • Unlocker.exe (PID: 7968)
      • 08IyOOF.exe (PID: 7792)
      • MSBuild.exe (PID: 7860)
      • MSBuild.exe (PID: 5452)
      • j6J70wm.exe (PID: 8088)
      • 0897a3c94e.exe (PID: 8052)
      • ramez.exe (PID: 7488)
      • HGVm49v.exe (PID: 6760)
      • MSBuild.exe (PID: 7904)
      • ra02W4S.exe (PID: 7288)
      • e5jg7MM.exe (PID: 1748)

    • Changes the display of characters in the console

      • cmd.exe (PID: 3884)
      • cmd.exe (PID: 516)
      • cmd.exe (PID: 5680)

    • Process checks computer location settings

      • 1z96h6.exe (PID: 976)
      • nircmd.exe (PID: 6988)
      • 2f3437.exe (PID: 7152)
      • ramez.exe (PID: 920)

    • NirSoft software is detected

      • nircmd.exe (PID: 6988)

    • Reads the computer name

      • nircmd.exe (PID: 6988)
      • NSudoLG.exe (PID: 6480)
      • 2f3437.exe (PID: 7152)
      • ramez.exe (PID: 920)
      • 3R42W.exe (PID: 900)
      • NSudoLG.exe (PID: 728)
      • 1z96h6.exe (PID: 976)
      • 7z.exe (PID: 6372)
      • Unlocker.exe (PID: 4976)
      • Unlocker.exe (PID: 900)
      • IObitUnlocker.exe (PID: 300)
      • IObitUnlocker.exe (PID: 5400)
      • 34cGHhH.exe (PID: 5176)
      • IObitUnlocker.exe (PID: 4188)
      • Unlocker.exe (PID: 7968)
      • MSBuild.exe (PID: 7860)
      • MSBuild.exe (PID: 5452)
      • 0897a3c94e.exe (PID: 8052)
      • ra02W4S.exe (PID: 7288)
      • MSBuild.exe (PID: 7904)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 1760)

    • Checks operating system version

      • cmd.exe (PID: 5680)

    • Reads the software policy settings

      • 3R42W.exe (PID: 900)
      • MSBuild.exe (PID: 7860)
      • MSBuild.exe (PID: 5452)
      • ra02W4S.exe (PID: 7288)
      • MSBuild.exe (PID: 7904)

    • Checks proxy server information

      • ramez.exe (PID: 920)
      • 34cGHhH.exe (PID: 5176)
      • ra02W4S.exe (PID: 7288)

    • Reads the machine GUID from the registry

      • 3R42W.exe (PID: 900)
      • Unlocker.exe (PID: 4976)
      • Unlocker.exe (PID: 900)
      • Unlocker.exe (PID: 7968)
      • MSBuild.exe (PID: 7860)
      • MSBuild.exe (PID: 5452)
      • ra02W4S.exe (PID: 7288)
      • MSBuild.exe (PID: 7904)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3676)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3676)

    • Creates files or folders in the user directory

      • ramez.exe (PID: 920)
      • ra02W4S.exe (PID: 7288)
      • WerFault.exe (PID: 4108)

    • Manual execution by a user

      • IObitUnlocker.exe (PID: 6752)
      • IObitUnlocker.exe (PID: 4188)
      • GlobalSynapse.exe (PID: 6092)

    • Creates files in the program directory

      • IObitUnlocker.exe (PID: 4188)
      • 34cGHhH.exe (PID: 5176)

    • Themida protector has been detected

      • ramez.exe (PID: 920)

    • Attempting to use instant messaging service

      • MSBuild.exe (PID: 7904)

    • Changes the registry key values via Powershell

      • globalsynapse398.exe (PID: 8412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Amadey

(PID) Process(920) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)lv:
msi
Kaspersky Lab
av:
|
#
"
\App
00000422
dm:
Powershell.exe
ProgramData\
ps1
rundll32
http://
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
id:
VideoID
cred.dll|clip.dll|
0000043f
cmd
00000423
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
------
2016
og:
\0000
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
+++
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/quiet
.jpg
d610cf342e
vs:
sd:
rundll32.exe
"taskkill /f /im "
pc:
random
=
360TotalSecurity
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
os:
https://
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
Avira
%-lu
zip
POST
" Content-Type: application/octet-stream
Rem
/te4h2nus/index.php
------
5.34
<c>
clip.dll
AVAST Software
\
shell32.dll
" && ren
e3
ramez.exe
kernel32.dll
DefaultSettings.XResolution
d1
DefaultSettings.YResolution
185.156.72.96
r=
cred.dll
--
GetNativeSystemInfo
-%lu
ComputerName
&unit=
Keyboard Layout\Preload
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ar:
Sophos
%USERPROFILE%
exe
e1
e2
st=s
Programs
0123456789
un:
rb
bi:
abcdefghijklmnopqrstuvwxyz0123456789-_
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
cmd /C RMDIR /s/q
Bitdefender
-unicode-
AVG
WinDefender
&&
shutdown -s -t 0
Comodo
00000419
Content-Type: application/x-www-form-urlencoded
/Plugins/
Main
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:05:24 22:49:06+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.13
CodeSize: 25600
InitializedDataSize: 6539264
UninitializedDataSize: -
EntryPoint: 0x6a60
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 11.0.17763.1
ProductVersionNumber: 11.0.17763.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 11.00.17763.1 (WinBuild.160101.0800)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE .MUI
ProductName: Internet Explorer
ProductVersion: 11.00.17763.1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
464
Monitored processes
220
Malicious processes
28
Suspicious processes
4

Behavior graph

Click at the process to see the details
start sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929.exe #GENERIC r1m58.exe 1z96h6.exe cmd.exe no specs conhost.exe no specs 2f3437.exe cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs cmd.exe conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs #AMADEY ramez.exe cmd.exe no specs 3r42w.exe tasklist.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs #LUMMA svchost.exe conhost.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs 7z.exe unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs find.exe no specs sc.exe no specs sc.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs iobitunlocker.exe no specs iobitunlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs iobitunlocker.exe no specs iobitunlocker.exe sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs 34cghhh.exe sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs 08iyoof.exe no specs msbuild.exe no specs #LUMMA msbuild.exe j6j70wm.exe no specs msbuild.exe no specs msbuild.exe no specs #LUMMA msbuild.exe #GCLEANER ra02w4s.exe #GCLEANER 0897a3c94e.exe ramez.exe no specs hgvm49v.exe msbuild.exe no specs msbuild.exe no specs msbuild.exe no specs msbuild.exe no specs msbuild.exe no specs msbuild.exe no specs msbuild.exe werfault.exe no specs e5jg7mm.exe no specs svchost.exe svchost.exe slui.exe no specs bqxuv7c.exe nuykyk2zh6ktt.exe nuykyk2zh6ktt.tmp globalsynapse398.exe powershell.exe no specs conhost.exe no specs plugscheduler.exe no specs globalsynapse.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
300findstr /c:"6.1.7601" C:\Windows\System32\findstr.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
300C:\WINDOWS\TEMP\IObitUnlocker\IObitUnlocker.exe /Delete /Advanced "C:\ProgramData\Microsoft\Windows Defender","C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection","C:\ProgramData\Microsoft\Windows Security Health","C:\ProgramData\Microsoft\Storage Health","C:\Program Files\Windows Defender","C:\Program Files\Windows Defender Sleep","C:\Program Files\Windows Defender Advanced Threat Protection","C:\Program Files\Windows Security","C:\Program Files\PCHealthCheck","C:\Program Files\Microsoft Update Health Tools","C:\Program Files (x86)\Windows Defender","C:\Program Files (x86)\Windows Defender Advanced Threat Protection","C:\WINDOWS\system32\security\database","C:\WINDOWS\system32\HealthAttestationClient","C:\WINDOWS\system32\SecurityHealth","C:\WINDOWS\system32\WebThreatDefSvc","C:\WINDOWS\system32\Sgrm","C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\Defender","C:\WINDOWS\system32\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\WINDOWS\system32\Tasks_Migrated\Microsoft\Windows\Windows Defender","C:\WINDOWS\system32\drivers\wd","C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\Modules\Defender","C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\Modules\DefenderPerformance","C:\WINDOWS\Containers\WindowsDefenderApplicationGuard.wim","C:\WINDOWS\Containers\serviced\WindowsDefenderApplicationGuard.wim","C:\WINDOWS\system32\SecurityHealthService.exe","C:\WINDOWS\system32\SecurityHealthService.exe_fuck","C:\WINDOWS\system32\SecurityHealthSystray.exe","C:\WINDOWS\system32\SecurityHealthHost.exe","C:\WINDOWS\system32\SecurityHealthAgent.dll","C:\WINDOWS\system32\SecurityHealthSSO.dll","C:\WINDOWS\system32\SecurityHealthProxyStub.dll","C:\WINDOWS\system32\LogFiles\WMI\RtBackup\EtwRTDefenderApiLogger.etl","C:\WINDOWS\system32\LogFiles\WMI\RtBackup\EtwRTDefenderAuditLogger.etl","C:\WINDOWS\system32\smartscreen.dll","C:\WINDOWS\system32\wscisvif.dll","C:\WINDOWS\system32\wscproxystub.dll","C:\WINDOWS\system32\windowsdefenderapplicationguardcsp.dll","C:\WINDOWS\system32\wscsvc.dll","C:\WINDOWS\system32\SecurityHealthCore.dll","C:\WINDOWS\system32\SecurityHealthSsoUdk.dll","C:\WINDOWS\system32\SecurityHealthUdk.dll","C:\WINDOWS\system32\smartscreen.exe","C:\WINDOWS\system32\smartscreen.exedel","C:\WINDOWS\SysWOW64\smartscreen.dll","C:\WINDOWS\SysWOW64\wscisvif.dll","C:\WINDOWS\SysWOW64\wscproxystub.dll","C:\WINDOWS\SysWOW64\windowsdefenderapplicationguardcsp.dll","C:\WINDOWS\system32\Tasks\Microsoft\Windows\Windows Defender"C:\Windows\Temp\IObitUnlocker\IObitUnlocker.exeUnlocker.exe
User:
SYSTEM
Company:
IObit Information Technology
Integrity Level:
SYSTEM
Description:
Unlocker
Exit code:
0
Version:
1.6.0.16
Modules
Images
c:\windows\temp\iobitunlocker\iobitunlocker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll
456sc delete "WinDefend" C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
516"C:\WINDOWS\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\34.bat" any_wordC:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
516C:\WINDOWS\system32\cmd.exe /c tasklistC:\Windows\System32\cmd.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
516reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService" C:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
516reg query "HKLM\Software\Microsoft\Windows Defender" C:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
668"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeHGVm49v.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
728\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
728NSudoLG -U:E -ShowWindowMode:Hide -Wait PowerShell "[System.IO.DriveInfo]::GetDrives() | ForEach-Object { Add-MpPreference -ExclusionPath $_.Name }; Start-Sleep -Milliseconds 1000" C:\Users\admin\AppData\Local\Temp\Work\NSudoLG.execmd.exe
User:
SYSTEM
Company:
M2-Team
Integrity Level:
SYSTEM
Description:
NSudo Launcher
Exit code:
0
Version:
9.0.2676.0
Modules
Images
c:\users\admin\appdata\local\temp\work\nsudolg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
42 559
Read events
42 393
Write events
34
Delete events
132

Modification events

(PID) Process:(976) 1z96h6.exeKey:HKEY_CURRENT_USER\SOFTWARE\Enigma Protector\BB3DF1FDBB935E9B-50AFA6E27F8A32AF\1D23E801FF916F1C-DF69CE3484AE41BB
Operation:writeName:AEF6E8B3
Value:
131F8A4BC3DE68A2588FC5B83747
(PID) Process:(1244) reg.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize
Operation:writeName:AppsUseLightTheme
Value:
0
(PID) Process:(1628) reg.exeKey:HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize
Operation:writeName:AppsUseLightTheme
Value:
0
(PID) Process:(6988) nircmd.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value:
Windows Command Processor
(PID) Process:(6988) nircmd.exeKey:HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:writeName:C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value:
Microsoft Corporation
(PID) Process:(920) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(920) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(920) ramez.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4976) Unlocker.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\DK
Operation:writeName:CurrentDiskSize
Value:
228891000832
(PID) Process:(900) Unlocker.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IObitUnlocker
Operation:writeName:Type
Value:
1
Executable files
61
Suspicious files
59
Text files
11
Unknown types
1

Dropped files

PID
Process
Filename
Type
9761z96h6.exeC:\Users\admin\AppData\Local\Temp\Work\NSudoLG.exeexecutable
MD5:423129DDB24FB923F35B2DD5787B13DD
SHA256:5094AD359D8CF6DC5324598605C35F68519CC5AF9C7ED5427E02A6B28121E4C7
3676powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4on1d5o0.bvm.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
960R1m58.exeC:\Users\admin\AppData\Local\Temp\IXP001.TMP\1z96h6.exeexecutable
MD5:117E92EFAEB6E9CE06D12865A522E455
SHA256:B14707AAEBB5AEDA520E63A3B327F3A14CAE0B477FC20E4F6906358BC3880A82
5064Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\3R42W.exeexecutable
MD5:565A2361AF4C5E94A70BDDC143A1C257
SHA256:7AAB4182DDF172813A5A610AB7BD0F0E939B4126183C4631BD07C4B8AA2BAC2D
5064Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\R1m58.exeexecutable
MD5:A7AC06CE5191CC93E33E47373BDD0983
SHA256:50024331EE5446199550AEEE0E77FA75D2F971AB1B1188EBB780467CF73CE360
9761z96h6.exeC:\Users\admin\AppData\Local\Temp\Work\cecho.exeexecutable
MD5:E783BC59D0ED6CFBD8891F94AE23D1B3
SHA256:5C1211559DDA10592CFEDD57681F18F4A702410816D36EDA95AEE6C74E3C6A47
9761z96h6.exeC:\Users\admin\AppData\Local\Temp\Work\7z.exeexecutable
MD5:426CCB645E50A3143811CFA0E42E2BA6
SHA256:CF878BFBD9ED93DC551AC038AFF8A8BBA4C935DDF8D48E62122BDDFDB3E08567
9761z96h6.exeC:\Users\admin\AppData\Local\Temp\Work\nircmd.exeexecutable
MD5:4A9DA765FD91E80DECFD2C9FE221E842
SHA256:2E81E048AB419FDC6E5F4336A951BD282ED6B740048DC38D7673678EE3490CDA
9761z96h6.exeC:\Users\admin\AppData\Local\Temp\F59E91F8binary
MD5:91267AD1E6E3B1BAACAEB0296F7223BD
SHA256:CE5958694F937603D7891BF5A7E4BD88A282E1BBB3285C0A68801389464AD6A1
960R1m58.exeC:\Users\admin\AppData\Local\Temp\IXP001.TMP\2f3437.exeexecutable
MD5:72C0D82D5282A6AF1C27E46A93B8CFD8
SHA256:C2E79F465694327AEADA760AFDD22AF4BAB47A855CE4433025174CBB22368E25
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
375
TCP/UDP connections
88
DNS requests
50
Threats
71

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.197.130.99:443
https://steamcommunity.com/profiles/76561199845513035
unknown
html
29.0 Kb
whitelisted
920
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
malicious
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
920
ramez.exe
GET
200
185.156.72.2:80
http://185.156.72.2/files/2043702969/34cGHhH.exe
unknown
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
compressed
23.9 Kb
whitelisted
920
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
malicious
920
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
malicious
7528
SIHClient.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7528
SIHClient.exe
GET
200
23.48.23.180:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
7528
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
900
3R42W.exe
23.197.130.99:443
steamcommunity.com
Akamai International B.V.
US
whitelisted
920
ramez.exe
185.156.72.96:80
Tov Vaiz Partner
RU
malicious
920
ramez.exe
185.156.72.2:80
Tov Vaiz Partner
RU
unknown
5176
34cGHhH.exe
91.92.46.179:7592
SPRINTLINK
US
unknown
7528
SIHClient.exe
20.12.23.50:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
vecturar.top
malicious
stuffgull.top
malicious
ariosefqcu.shop
malicious
homewappzb.top
malicious
tortoisgfe.top
malicious
descenrugb.bet
malicious
onemiltxny.shop
malicious

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
A Network Trojan was detected
MALWARE [ANY.RUN] Suspected Domain Associated with Malware Distribution (vecturar .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (homewappzb .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vecturar .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stuffgull .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ariosefqcu .shop)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tortoisgfe .top)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (onemiltxny .shop)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (descenrugb .bet)
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (octalfbsh .bet)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Sigmanly_adf7fc126864cb19d5ecbfff18695d5e3193f6cf4b4dc1976bfa3393c4f4c929