File name:

af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin

Full analysis: https://app.any.run/tasks/29ed3c48-528d-4c61-932b-1b72a442e7f9
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: June 21, 2025, 07:58:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
themida
amadey
loader
botnet
rdp
auto-reg
gcleaner
autoit
inno
installer
delphi
telegram
auto
generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

28AC543D1886C134B8741D32DEC51E10

SHA1:

C2328943A7D6A0E89A7818C79D9458358177E96A

SHA256:

AF2441FBE4A23B2F5005B598427BA4FCB8F96A3C191F732710E8249270C1E9C1

SSDEEP:

98304:BCyUx/W5dnY/7AfAxK5HDFs+gtWgskJrNnwcUcXdZU2d2o/JN9YGjViQDnmO/kUD:v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (YARA)

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ceab3bf4b6.exe (PID: 5184)
      • ceab3bf4b6.exe (PID: 4560)

    • LUMMA mutex has been found

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ceab3bf4b6.exe (PID: 5184)
      • ceab3bf4b6.exe (PID: 4560)
      • qfv7hNGwK.exe (PID: 3100)
      • Oc.com (PID: 4456)

    • Steals credentials from Web Browsers

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ceab3bf4b6.exe (PID: 5184)
      • ceab3bf4b6.exe (PID: 4560)

    • Actions looks like stealing of personal data

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ceab3bf4b6.exe (PID: 5184)
      • ceab3bf4b6.exe (PID: 4560)

    • AMADEY mutex has been found

      • 9FSTDVB10CFLAD45.exe (PID: 1508)
      • ramez.exe (PID: 1028)
      • ramez.exe (PID: 2760)
      • MBOF6GGGE4T7CVUDCNFQMGO8KCS2O.exe (PID: 7488)
      • ramez.exe (PID: 620)

    • AMADEY has been detected (SURICATA)

      • ramez.exe (PID: 1028)

    • Connects to the CnC server

      • ramez.exe (PID: 1028)

    • AMADEY has been detected (YARA)

      • ramez.exe (PID: 1028)

    • Executing a file with an untrusted certificate

      • 0573bd6ef9.exe (PID: 4040)
      • svchost015.exe (PID: 2664)
      • stOvAlNwCov.exe (PID: 7292)
      • KLuFMbnj6F.exe (PID: 8176)
      • KLuFMbnj6F.exe (PID: 7664)

    • Changes the autorun value in the registry

      • ramez.exe (PID: 1028)

    • GCLEANER has been detected (SURICATA)

      • svchost015.exe (PID: 2664)

    • GCLEANER has been detected (YARA)

      • svchost015.exe (PID: 2664)

    • Registers / Runs the DLL via REGSVR32.EXE

      • KLuFMbnj6F.tmp (PID: 8088)

    • GENERIC has been found (auto)

      • svchost015.exe (PID: 2664)

  • SUSPICIOUS

    • Reads the BIOS version

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • 9FSTDVB10CFLAD45.exe (PID: 1508)
      • ramez.exe (PID: 1028)
      • ceab3bf4b6.exe (PID: 5184)
      • ramez.exe (PID: 2760)
      • ceab3bf4b6.exe (PID: 4560)
      • qfv7hNGwK.exe (PID: 3100)
      • MBOF6GGGE4T7CVUDCNFQMGO8KCS2O.exe (PID: 7488)
      • ramez.exe (PID: 620)

    • Executable content was dropped or overwritten

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • 9FSTDVB10CFLAD45.exe (PID: 1508)
      • ramez.exe (PID: 1028)
      • 0573bd6ef9.exe (PID: 4040)
      • svchost015.exe (PID: 2664)
      • KxWorJv4PN.exe (PID: 2136)
      • KxWorJv4PN.tmp (PID: 1216)
      • openfilesviewer.exe (PID: 4680)
      • KLuFMbnj6F.exe (PID: 8176)
      • KLuFMbnj6F.tmp (PID: 7300)
      • KLuFMbnj6F.exe (PID: 7664)
      • ceab3bf4b6.exe (PID: 5184)
      • KLuFMbnj6F.tmp (PID: 8088)

    • Potential Corporate Privacy Violation

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ramez.exe (PID: 1028)
      • svchost015.exe (PID: 2664)
      • ceab3bf4b6.exe (PID: 5184)

    • Starts itself from another location

      • 9FSTDVB10CFLAD45.exe (PID: 1508)

    • Reads security settings of Internet Explorer

      • 9FSTDVB10CFLAD45.exe (PID: 1508)
      • ramez.exe (PID: 1028)
      • svchost015.exe (PID: 2664)
      • openfilesviewer.exe (PID: 4680)
      • stOvAlNwCov.exe (PID: 7292)
      • KLuFMbnj6F.tmp (PID: 7300)

    • Process requests binary or script from the Internet

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ramez.exe (PID: 1028)
      • ceab3bf4b6.exe (PID: 5184)

    • Connects to the server without a host name

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ramez.exe (PID: 1028)
      • svchost015.exe (PID: 2664)
      • ceab3bf4b6.exe (PID: 5184)

    • Searches for installed software

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ceab3bf4b6.exe (PID: 5184)

    • There is functionality for taking screenshot (YARA)

      • ramez.exe (PID: 1028)
      • svchost015.exe (PID: 2664)
      • stOvAlNwCov.exe (PID: 7292)

    • Contacting a server suspected of hosting an CnC

      • ramez.exe (PID: 1028)

    • There is functionality for enable RDP (YARA)

      • ramez.exe (PID: 1028)

    • The process executes via Task Scheduler

      • ramez.exe (PID: 2760)
      • ramez.exe (PID: 620)

    • Reads the Windows owner or organization settings

      • KxWorJv4PN.tmp (PID: 1216)
      • KLuFMbnj6F.tmp (PID: 7300)
      • KLuFMbnj6F.tmp (PID: 8088)

    • The process drops C-runtime libraries

      • KxWorJv4PN.tmp (PID: 1216)

    • Process drops legitimate windows executable

      • KxWorJv4PN.tmp (PID: 1216)

    • Starts POWERSHELL.EXE for commands execution

      • openfilesviewer.exe (PID: 4680)
      • regsvr32.exe (PID: 4156)

    • Get information on the list of running processes

      • cmd.exe (PID: 8180)

    • Executing commands from a ".bat" file

      • stOvAlNwCov.exe (PID: 7292)

    • Starts CMD.EXE for commands execution

      • stOvAlNwCov.exe (PID: 7292)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 8180)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 8180)

    • The executable file from the user directory is run by the CMD process

      • Oc.com (PID: 4456)

    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 4156)

    • The process hide an interactive prompt from the user

      • regsvr32.exe (PID: 4156)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Oc.com (PID: 4456)

    • Detected use of alternative data streams (AltDS)

      • regsvr32.exe (PID: 4156)

    • Connects to SMTP port

      • regsvr32.exe (PID: 4156)

    • Starts application with an unusual extension

      • cmd.exe (PID: 8180)

  • INFO

    • Checks supported languages

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • 9FSTDVB10CFLAD45.exe (PID: 1508)
      • ramez.exe (PID: 1028)
      • 0573bd6ef9.exe (PID: 4040)
      • ceab3bf4b6.exe (PID: 5184)
      • svchost015.exe (PID: 2664)
      • ramez.exe (PID: 2760)
      • ceab3bf4b6.exe (PID: 4560)
      • KxWorJv4PN.exe (PID: 2136)
      • KxWorJv4PN.tmp (PID: 1216)
      • openfilesviewer.exe (PID: 4680)
      • stOvAlNwCov.exe (PID: 7292)
      • OpenFilesViewer.exe (PID: 6656)
      • qfv7hNGwK.exe (PID: 3100)
      • extrac32.exe (PID: 3048)
      • Oc.com (PID: 4456)
      • KLuFMbnj6F.tmp (PID: 7300)
      • KLuFMbnj6F.exe (PID: 8176)
      • KLuFMbnj6F.exe (PID: 7664)
      • KLuFMbnj6F.tmp (PID: 8088)
      • MBOF6GGGE4T7CVUDCNFQMGO8KCS2O.exe (PID: 7488)
      • ramez.exe (PID: 620)

    • Reads the software policy settings

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ceab3bf4b6.exe (PID: 5184)
      • svchost015.exe (PID: 2664)
      • ceab3bf4b6.exe (PID: 4560)
      • qfv7hNGwK.exe (PID: 3100)
      • slui.exe (PID: 436)
      • Oc.com (PID: 4456)

    • Reads the computer name

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • 9FSTDVB10CFLAD45.exe (PID: 1508)
      • ramez.exe (PID: 1028)
      • ceab3bf4b6.exe (PID: 5184)
      • svchost015.exe (PID: 2664)
      • ceab3bf4b6.exe (PID: 4560)
      • KxWorJv4PN.tmp (PID: 1216)
      • openfilesviewer.exe (PID: 4680)
      • OpenFilesViewer.exe (PID: 6656)
      • qfv7hNGwK.exe (PID: 3100)
      • extrac32.exe (PID: 3048)
      • Oc.com (PID: 4456)
      • KLuFMbnj6F.tmp (PID: 8088)
      • KLuFMbnj6F.tmp (PID: 7300)
      • stOvAlNwCov.exe (PID: 7292)

    • Reads the machine GUID from the registry

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ceab3bf4b6.exe (PID: 5184)
      • svchost015.exe (PID: 2664)
      • ceab3bf4b6.exe (PID: 4560)
      • qfv7hNGwK.exe (PID: 3100)
      • Oc.com (PID: 4456)

    • Themida protector has been detected

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • ramez.exe (PID: 1028)
      • ceab3bf4b6.exe (PID: 5184)
      • ceab3bf4b6.exe (PID: 4560)

    • Application launched itself

      • chrome.exe (PID: 188)
      • chrome.exe (PID: 3960)
      • chrome.exe (PID: 4032)
      • msedge.exe (PID: 7052)
      • chrome.exe (PID: 4100)
      • msedge.exe (PID: 7132)
      • msedge.exe (PID: 3704)
      • msedge.exe (PID: 6304)
      • msedge.exe (PID: 3580)
      • msedge.exe (PID: 188)
      • chrome.exe (PID: 768)
      • chrome.exe (PID: 7324)
      • chrome.exe (PID: 8084)
      • chrome.exe (PID: 8000)
      • msedge.exe (PID: 4768)
      • msedge.exe (PID: 7280)
      • msedge.exe (PID: 7960)
      • chrome.exe (PID: 6364)
      • msedge.exe (PID: 7332)
      • msedge.exe (PID: 8156)
      • msedge.exe (PID: 7828)
      • msedge.exe (PID: 3944)
      • msedge.exe (PID: 6532)
      • chrome.exe (PID: 2348)
      • chrome.exe (PID: 7768)
      • chrome.exe (PID: 7952)
      • chrome.exe (PID: 8108)
      • chrome.exe (PID: 7552)
      • chrome.exe (PID: 7984)
      • msedge.exe (PID: 2040)

    • Create files in a temporary directory

      • af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe (PID: 6172)
      • 9FSTDVB10CFLAD45.exe (PID: 1508)
      • ramez.exe (PID: 1028)
      • 0573bd6ef9.exe (PID: 4040)
      • KxWorJv4PN.exe (PID: 2136)
      • KxWorJv4PN.tmp (PID: 1216)
      • stOvAlNwCov.exe (PID: 7292)
      • extrac32.exe (PID: 3048)
      • KLuFMbnj6F.exe (PID: 8176)
      • KLuFMbnj6F.tmp (PID: 7300)
      • KLuFMbnj6F.exe (PID: 7664)
      • KLuFMbnj6F.tmp (PID: 8088)
      • ceab3bf4b6.exe (PID: 5184)
      • svchost015.exe (PID: 2664)

    • Process checks computer location settings

      • 9FSTDVB10CFLAD45.exe (PID: 1508)
      • ramez.exe (PID: 1028)
      • stOvAlNwCov.exe (PID: 7292)
      • openfilesviewer.exe (PID: 4680)
      • svchost015.exe (PID: 2664)
      • KLuFMbnj6F.tmp (PID: 7300)

    • Checks proxy server information

      • ramez.exe (PID: 1028)
      • svchost015.exe (PID: 2664)
      • slui.exe (PID: 436)

    • Creates files or folders in the user directory

      • ramez.exe (PID: 1028)
      • svchost015.exe (PID: 2664)
      • KxWorJv4PN.tmp (PID: 1216)
      • KLuFMbnj6F.tmp (PID: 8088)

    • The sample compiled with chinese language support

      • ramez.exe (PID: 1028)

    • The sample compiled with english language support

      • 0573bd6ef9.exe (PID: 4040)
      • KxWorJv4PN.tmp (PID: 1216)
      • openfilesviewer.exe (PID: 4680)

    • Launching a file from a Registry key

      • ramez.exe (PID: 1028)

    • Manual execution by a user

      • ceab3bf4b6.exe (PID: 4560)
      • OpenFilesViewer.exe (PID: 6656)

    • Creates a software uninstall entry

      • KxWorJv4PN.tmp (PID: 1216)

    • Creates files in the program directory

      • openfilesviewer.exe (PID: 4680)

    • Changes the registry key values via Powershell

      • openfilesviewer.exe (PID: 4680)

    • Reads mouse settings

      • Oc.com (PID: 4456)

    • Detects InnoSetup installer (YARA)

      • KxWorJv4PN.exe (PID: 2136)
      • KxWorJv4PN.tmp (PID: 1216)

    • Compiled with Borland Delphi (YARA)

      • KxWorJv4PN.tmp (PID: 1216)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 8168)
      • powershell.exe (PID: 7852)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Lumma

(PID) Process(6172) af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe
C2 (9)ropyi.xyz/zadf
skjgx.xyz/riuw
gewgb.xyz/axgh
baviip.xyz/twiw
equidn.xyz/xapq
spjeo.xyz/axka
firddy.xyz/yhbc
shaeb.xyz/ikxz
trqqe.xyz/xudu
(PID) Process(5184) ceab3bf4b6.exe
C2 (9)ropyi.xyz/zadf
skjgx.xyz/riuw
gewgb.xyz/axgh
baviip.xyz/twiw
equidn.xyz/xapq
spjeo.xyz/axka
firddy.xyz/yhbc
shaeb.xyz/ikxz
trqqe.xyz/xudu
(PID) Process(4560) ceab3bf4b6.exe
C2 (9)ropyi.xyz/zadf
skjgx.xyz/riuw
gewgb.xyz/axgh
baviip.xyz/twiw
equidn.xyz/xapq
spjeo.xyz/axka
firddy.xyz/yhbc
shaeb.xyz/ikxz
trqqe.xyz/xudu

Amadey

(PID) Process(1028) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)Powershell.exe
/te4h2nus/index.php
ramez.exe
bi:
185.156.72.96
AVAST Software
/Plugins/
------
id:
\0000
wb
Programs
-%lu
.jpg
AVG
r=
dm:
-executionpolicy remotesigned -File "
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\
ProgramData\
Avira
e2
os:
http://
vs:
<c>
2025
ComputerName
og:
00000419
rb
2022
Content-Type: application/x-www-form-urlencoded
shell32.dll
https://
Main
Sophos
Norton
GET
#
S-%lu-
st=s
cmd /C RMDIR /s/q
lv:
msi
Content-Disposition: form-data; name="data"; filename="
5.34
d1
2016
ar:
cred.dll|clip.dll|
rundll32
WinDefender
Content-Type: multipart/form-data; boundary=----
Rem
CurrentBuild
0123456789
&& Exit"
un:
Kaspersky Lab
d610cf342e
Bitdefender
+++
av:
rundll32.exe
random
<d>
Keyboard Layout\Preload
shutdown -s -t 0
DefaultSettings.XResolution
/quiet
--
0000043f
Startup
e1
Doctor Web
2019
GetNativeSystemInfo
VideoID
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
:::
ESET
DefaultSettings.YResolution
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
" && ren
abcdefghijklmnopqrstuvwxyz0123456789-_
cmd
"taskkill /f /im "
00000423
-unicode-
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
cred.dll
360TotalSecurity
"
exe
00000422
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
&&
Comodo
" Content-Type: application/octet-stream
------
?scr=1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
zip
dll
/k
&unit=
ps1
" && timeout 1 && del
kernel32.dll
ProductName
%-lu
clip.dll
%USERPROFILE%
\App
SYSTEM\ControlSet001\Services\BasicDisplay\Video
pc:
sd:
POST
Panda Security
e3
|
=
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:16 14:51:43+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 311296
InitializedDataSize: 37888
UninitializedDataSize: -
EntryPoint: 0x487000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
380
Monitored processes
244
Malicious processes
21
Suspicious processes
2

Behavior graph

Click at the process to see the details
start #LUMMA af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs slui.exe 9fstdvb10cflad45.exe #AMADEY ramez.exe 0573bd6ef9.exe #LUMMA ceab3bf4b6.exe #GCLEANER svchost015.exe ramez.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #LUMMA ceab3bf4b6.exe chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs kxworjv4pn.exe kxworjv4pn.tmp openfilesviewer.exe powershell.exe no specs conhost.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs stovalnwcov.exe no specs chrome.exe no specs cmd.exe no specs conhost.exe no specs openfilesviewer.exe no specs tasklist.exe no specs findstr.exe no specs #LUMMA qfv7hngwk.exe tasklist.exe no specs findstr.exe no specs extrac32.exe no specs findstr.exe no specs #LUMMA oc.com choice.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chrome.exe chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs klufmbnj6f.exe klufmbnj6f.tmp klufmbnj6f.exe klufmbnj6f.tmp regsvr32.exe no specs regsvr32.exe powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs mbof6ggge4t7cvudcnfqmgo8kcs2o.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs ramez.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188"C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
188"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunchC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
316"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc44d0fff8,0x7ffc44d10004,0x7ffc44d10010C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
316"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,6926784689566647841,10372572873990809956,262144 --variations-seed-version --mojo-platform-channel-handle=3236 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
436C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
472"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3780,i,1901831505401305514,10769568079513972216,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
592"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3228,i,3772802500356884105,14104348393522871386,262144 --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=3240 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
620"C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe"C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\d610cf342e\ramez.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
728tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
756"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2172,i,4204441615542224175,6543861229849412798,262144 --variations-seed-version --mojo-platform-channel-handle=3028 /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
94 258
Read events
94 084
Write events
170
Delete events
4

Modification events

(PID) Process:(3960) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(3960) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(3960) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(3960) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(3960) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(4100) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(4100) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(4100) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(4100) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(4100) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
Executable files
89
Suspicious files
244
Text files
538
Unknown types
0

Dropped files

PID
Process
Filename
Type
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF178bd5.TMP
MD5:
SHA256:
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF178bd5.TMP
MD5:
SHA256:
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF178bf4.TMP
MD5:
SHA256:
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old
MD5:
SHA256:
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF178bf4.TMP
MD5:
SHA256:
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF178c03.TMP
MD5:
SHA256:
3960chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF178c03.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
287
TCP/UDP connections
322
DNS requests
296
Threats
43

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
142.250.185.67:443
https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133
unknown
compressed
59.2 Kb
whitelisted
POST
200
85.90.196.155:443
https://equidn.xyz/xapq
unknown
binary
32.7 Kb
GET
200
216.58.206.74:443
https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
unknown
binary
41 b
whitelisted
GET
200
172.217.16.132:443
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
unknown
text
3.94 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
5944
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
1268
svchost.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5944
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1268
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.46
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
equidn.xyz
  • 85.90.196.155
unknown
clients2.google.com
  • 142.250.184.238
  • 216.58.206.78
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 216.58.206.74
  • 142.250.185.106
  • 216.58.206.42
  • 142.250.185.138
  • 142.250.184.234
  • 172.217.16.202
  • 142.250.186.42
  • 172.217.18.10
  • 142.250.184.202
  • 142.250.185.74
  • 142.250.185.234
  • 142.250.185.202
  • 142.250.186.74
  • 216.58.212.138
  • 142.250.181.234
  • 142.250.185.170
whitelisted
clientservices.googleapis.com
  • 142.250.185.67
  • 142.250.186.67
whitelisted
accounts.google.com
  • 173.194.76.84
whitelisted
www.google.com
  • 142.250.186.100
whitelisted

Threats

PID
Process
Class
Message
6172
af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
6172
af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
6172
af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6172
af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
6172
af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe
Misc activity
ET INFO Packed Executable Download
1028
ramez.exe
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
1028
ramez.exe
Malware Command and Control Activity Detected
ET MALWARE Amadey CnC Response
1028
ramez.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
1028
ramez.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
1028
ramez.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Process
Message
af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
ceab3bf4b6.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
ceab3bf4b6.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
qfv7hNGwK.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
af2441fbe4a23b2f5005b598427ba4fcb8f96a3c191f732710e8249270c1e9c1.bin