File name:

random.exe

Full analysis: https://app.any.run/tasks/85c4e2b2-f2e4-4943-b255-ec29cb80bd94
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: May 16, 2025, 15:56:02
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
auto-sch
amadey
botnet
stealer
telegram
lumma
credentialflusher
auto-reg
rdp
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

0BB9A76CC29185477E69FCCB0A60A348

SHA1:

FDCB8A0D27FC4648507672B8B9481D524B9A9068

SHA256:

AFE7ACC3858BB8E050E0D62C456B8EE1D389DB3E36523217BA269A4A3826FA29

SSDEEP:

49152:dPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtBFXo:BP/mp7t3T4+B/btosJwIA4hHmZlKH2TR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 4208)
      • powershell.exe (PID: 9796)
      • powershell.exe (PID: 9392)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 8164)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 7348)
      • cmd.exe (PID: 9288)

    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 4208)
      • powershell.exe (PID: 9796)

    • AMADEY mutex has been found

      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 7964)
      • ramez.exe (PID: 8028)
      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 6808)

    • Connects to the CnC server

      • ramez.exe (PID: 8028)
      • svchost.exe (PID: 2196)

    • AMADEY has been detected (SURICATA)

      • ramez.exe (PID: 8028)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • 082e24a744.exe (PID: 5416)
      • 082e24a744.exe (PID: 1452)

    • LUMMA mutex has been found

      • MSBuild.exe (PID: 2852)
      • 082e24a744.exe (PID: 5416)

    • AMADEY has been detected (YARA)

      • ramez.exe (PID: 8028)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 7968)
      • NSudoLG.exe (PID: 3096)

    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 3096)

    • Changes the autorun value in the registry

      • ramez.exe (PID: 8028)

    • Possible tool for stealing has been detected

      • 819090456b.exe (PID: 7656)
      • firefox.exe (PID: 2136)
      • 819090456b.exe (PID: 3848)
      • firefox.exe (PID: 5416)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 8672)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7316)
      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 7964)
      • ramez.exe (PID: 8028)
      • c478828452.exe (PID: 7760)
      • 7z.exe (PID: 2516)
      • Unlocker.exe (PID: 4152)
      • powershell.exe (PID: 7672)
      • cmd.exe (PID: 7968)
      • 7z.exe (PID: 2560)
      • powershell.exe (PID: 9796)

    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 7316)
      • ramez.exe (PID: 8028)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 4208)
      • powershell.exe (PID: 9796)

    • Starts process via Powershell

      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 4208)
      • powershell.exe (PID: 9796)
      • powershell.exe (PID: 9392)

    • Starts CMD.EXE for commands execution

      • random.exe (PID: 4880)
      • c478828452.exe (PID: 7760)
      • cmd.exe (PID: 7844)
      • cmd.exe (PID: 5384)
      • nircmd.exe (PID: 7868)
      • NSudoLG.exe (PID: 7344)
      • cmd.exe (PID: 7348)
      • cmd.exe (PID: 7968)
      • dbc96f1811.exe (PID: 6576)
      • Unlocker.exe (PID: 4652)
      • Unlocker.exe (PID: 4152)
      • c478828452.exe (PID: 2488)
      • nircmd.exe (PID: 8296)
      • cmd.exe (PID: 8396)
      • cmd.exe (PID: 7844)
      • NSudoLG.exe (PID: 8576)
      • cmd.exe (PID: 8596)
      • cmd.exe (PID: 8672)
      • Unlocker.exe (PID: 7564)
      • Unlocker.exe (PID: 872)
      • Unlocker.exe (PID: 720)
      • dbc96f1811.exe (PID: 9264)

    • Probably download files using WebClient

      • mshta.exe (PID: 7188)
      • mshta.exe (PID: 8064)
      • mshta.exe (PID: 8012)
      • mshta.exe (PID: 5020)
      • mshta.exe (PID: 9316)
      • mshta.exe (PID: 9296)

    • Manipulates environment variables

      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 4208)
      • powershell.exe (PID: 9796)
      • powershell.exe (PID: 9392)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 7188)
      • mshta.exe (PID: 8064)
      • NSudoLG.exe (PID: 3096)
      • mshta.exe (PID: 8012)
      • mshta.exe (PID: 5020)
      • mshta.exe (PID: 9316)
      • mshta.exe (PID: 9296)

    • Found IP address in command line

      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 4208)
      • powershell.exe (PID: 9796)
      • powershell.exe (PID: 9392)

    • Process requests binary or script from the Internet

      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 8164)
      • ramez.exe (PID: 8028)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 4208)
      • powershell.exe (PID: 9796)

    • Reads security settings of Internet Explorer

      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 7964)
      • ramez.exe (PID: 8028)
      • nircmd.exe (PID: 7868)
      • c478828452.exe (PID: 7760)
      • Unlocker.exe (PID: 4652)

    • Connects to the server without a host name

      • powershell.exe (PID: 7316)
      • ramez.exe (PID: 8028)
      • powershell.exe (PID: 8164)
      • powershell.exe (PID: 7672)
      • powershell.exe (PID: 4208)
      • powershell.exe (PID: 9796)

    • Starts itself from another location

      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 7964)

    • Contacting a server suspected of hosting an CnC

      • ramez.exe (PID: 8028)
      • svchost.exe (PID: 2196)
      • 082e24a744.exe (PID: 5416)
      • 082e24a744.exe (PID: 1452)

    • Executes application which crashes

      • 0e48b8933c.exe (PID: 6640)
      • Unlocker.exe (PID: 720)

    • Searches for installed software

      • MSBuild.exe (PID: 2852)
      • 082e24a744.exe (PID: 5416)

    • Reads the BIOS version

      • 082e24a744.exe (PID: 5416)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 2852)

    • There is functionality for enable RDP (YARA)

      • ramez.exe (PID: 8028)

    • There is functionality for taking screenshot (YARA)

      • ramez.exe (PID: 8028)

    • Drops 7-zip archiver for unpacking

      • c478828452.exe (PID: 7760)

    • The process creates files with name similar to system file names

      • c478828452.exe (PID: 7760)

    • Application launched itself

      • cmd.exe (PID: 7844)
      • cmd.exe (PID: 5384)
      • cmd.exe (PID: 7348)
      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 8396)
      • cmd.exe (PID: 7844)
      • cmd.exe (PID: 8596)
      • cmd.exe (PID: 8672)

    • Executing commands from a ".bat" file

      • cmd.exe (PID: 7844)
      • cmd.exe (PID: 5384)
      • nircmd.exe (PID: 7868)
      • NSudoLG.exe (PID: 7344)
      • cmd.exe (PID: 7348)
      • c478828452.exe (PID: 7760)
      • c478828452.exe (PID: 2488)
      • cmd.exe (PID: 7844)
      • nircmd.exe (PID: 8296)
      • cmd.exe (PID: 8396)
      • NSudoLG.exe (PID: 8576)
      • cmd.exe (PID: 8596)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7872)
      • cmd.exe (PID: 5756)
      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 8196)
      • cmd.exe (PID: 8456)
      • cmd.exe (PID: 8672)

    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 7868)
      • NSudoLG.exe (PID: 7344)
      • NSudoLG.exe (PID: 3096)
      • 7z.exe (PID: 2516)
      • Unlocker.exe (PID: 4652)
      • Unlocker.exe (PID: 4152)
      • nircmd.exe (PID: 8296)
      • NSudoLG.exe (PID: 8576)
      • 7z.exe (PID: 2560)
      • Unlocker.exe (PID: 7564)
      • Unlocker.exe (PID: 872)
      • Unlocker.exe (PID: 720)

    • Reads the date of Windows installation

      • nircmd.exe (PID: 7868)
      • Unlocker.exe (PID: 4652)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 5756)
      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 8456)
      • cmd.exe (PID: 8672)

    • Get information on the list of running processes

      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 8188)
      • cmd.exe (PID: 8868)
      • cmd.exe (PID: 8672)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 6436)

    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 3096)

    • Uses TASKKILL.EXE to kill Browsers

      • 819090456b.exe (PID: 7656)
      • 819090456b.exe (PID: 3848)

    • Uses TASKKILL.EXE to kill process

      • 819090456b.exe (PID: 7656)
      • cmd.exe (PID: 7888)
      • cmd.exe (PID: 5640)
      • cmd.exe (PID: 8640)
      • 819090456b.exe (PID: 3848)
      • cmd.exe (PID: 7364)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 8672)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 3888)
      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 1116)
      • cmd.exe (PID: 7892)
      • cmd.exe (PID: 9132)
      • cmd.exe (PID: 8756)
      • cmd.exe (PID: 8672)
      • cmd.exe (PID: 2140)

    • Windows service management via SC.EXE

      • sc.exe (PID: 7880)
      • sc.exe (PID: 7844)
      • sc.exe (PID: 8160)
      • sc.exe (PID: 616)
      • sc.exe (PID: 672)
      • sc.exe (PID: 2440)
      • sc.exe (PID: 9136)
      • sc.exe (PID: 9176)
      • sc.exe (PID: 8452)
      • sc.exe (PID: 8280)
      • sc.exe (PID: 8212)
      • sc.exe (PID: 8300)
      • sc.exe (PID: 8336)
      • sc.exe (PID: 8588)
      • sc.exe (PID: 8524)
      • sc.exe (PID: 8644)
      • sc.exe (PID: 8628)
      • sc.exe (PID: 6828)
      • sc.exe (PID: 1116)
      • sc.exe (PID: 2152)
      • sc.exe (PID: 8344)
      • sc.exe (PID: 6572)
      • sc.exe (PID: 2580)
      • sc.exe (PID: 8528)
      • sc.exe (PID: 8364)
      • sc.exe (PID: 8484)
      • sc.exe (PID: 8776)
      • sc.exe (PID: 8852)
      • sc.exe (PID: 780)
      • sc.exe (PID: 8860)
      • sc.exe (PID: 5892)
      • sc.exe (PID: 7432)
      • sc.exe (PID: 4244)
      • sc.exe (PID: 7680)
      • sc.exe (PID: 2516)
      • sc.exe (PID: 8508)
      • sc.exe (PID: 8632)
      • sc.exe (PID: 8548)
      • sc.exe (PID: 7220)
      • sc.exe (PID: 7380)
      • sc.exe (PID: 6080)
      • sc.exe (PID: 7172)
      • sc.exe (PID: 7852)
      • sc.exe (PID: 4776)
      • sc.exe (PID: 516)
      • sc.exe (PID: 4408)
      • sc.exe (PID: 5176)
      • sc.exe (PID: 5232)
      • sc.exe (PID: 4068)
      • sc.exe (PID: 3008)
      • sc.exe (PID: 7548)
      • sc.exe (PID: 5740)
      • sc.exe (PID: 8244)
      • sc.exe (PID: 4868)
      • sc.exe (PID: 4724)
      • sc.exe (PID: 8180)
      • sc.exe (PID: 5280)
      • sc.exe (PID: 9104)
      • sc.exe (PID: 5328)
      • sc.exe (PID: 5868)
      • sc.exe (PID: 5512)
      • sc.exe (PID: 2240)
      • sc.exe (PID: 7752)
      • sc.exe (PID: 7084)
      • sc.exe (PID: 8132)
      • sc.exe (PID: 7608)
      • sc.exe (PID: 4688)
      • sc.exe (PID: 6208)
      • sc.exe (PID: 5776)
      • sc.exe (PID: 920)
      • sc.exe (PID: 2108)
      • sc.exe (PID: 5576)
      • sc.exe (PID: 6228)
      • sc.exe (PID: 8480)
      • sc.exe (PID: 8572)
      • sc.exe (PID: 7424)
      • sc.exe (PID: 9148)

    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 4152)

    • Stops a currently running service

      • sc.exe (PID: 6736)
      • sc.exe (PID: 9156)
      • sc.exe (PID: 8208)
      • sc.exe (PID: 8316)
      • sc.exe (PID: 8424)
      • sc.exe (PID: 8732)
      • sc.exe (PID: 8476)
      • sc.exe (PID: 7788)
      • sc.exe (PID: 1280)
      • sc.exe (PID: 6108)
      • sc.exe (PID: 4488)
      • sc.exe (PID: 8328)
      • sc.exe (PID: 8520)
      • sc.exe (PID: 8800)
      • sc.exe (PID: 4728)
      • sc.exe (PID: 4000)
      • sc.exe (PID: 7724)
      • sc.exe (PID: 4464)
      • sc.exe (PID: 7232)
      • sc.exe (PID: 4452)
      • sc.exe (PID: 7412)
      • sc.exe (PID: 2384)
      • sc.exe (PID: 1128)
      • sc.exe (PID: 5736)
      • sc.exe (PID: 5592)
      • sc.exe (PID: 5136)
      • sc.exe (PID: 8272)
      • sc.exe (PID: 8900)
      • sc.exe (PID: 8636)
      • sc.exe (PID: 616)
      • sc.exe (PID: 1188)
      • sc.exe (PID: 7984)
      • sc.exe (PID: 4736)

    • Process drops legitimate windows executable

      • cmd.exe (PID: 7968)

    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 2100)
      • schtasks.exe (PID: 7828)
      • schtasks.exe (PID: 6068)
      • schtasks.exe (PID: 2136)
      • schtasks.exe (PID: 7780)
      • schtasks.exe (PID: 7612)
      • schtasks.exe (PID: 6264)
      • schtasks.exe (PID: 8304)
      • schtasks.exe (PID: 5344)
      • schtasks.exe (PID: 6584)

    • The process executes via Task Scheduler

      • ramez.exe (PID: 140)
      • ramez.exe (PID: 10840)

  • INFO

    • Checks supported languages

      • random.exe (PID: 4880)
      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 7964)
      • ramez.exe (PID: 8028)
      • 0e48b8933c.exe (PID: 6640)
      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 6808)
      • MSBuild.exe (PID: 2852)
      • 082e24a744.exe (PID: 5416)
      • c478828452.exe (PID: 7760)
      • chcp.com (PID: 7892)
      • nircmd.exe (PID: 7868)
      • chcp.com (PID: 2040)
      • NSudoLG.exe (PID: 7344)
      • mode.com (PID: 5776)
      • NSudoLG.exe (PID: 3096)
      • chcp.com (PID: 8128)
      • 819090456b.exe (PID: 7656)
      • 7z.exe (PID: 2516)
      • Unlocker.exe (PID: 4652)
      • Unlocker.exe (PID: 4152)
      • dbc96f1811.exe (PID: 6576)

    • The sample compiled with english language support

      • random.exe (PID: 4880)
      • c478828452.exe (PID: 7760)
      • ramez.exe (PID: 8028)
      • Unlocker.exe (PID: 4152)
      • cmd.exe (PID: 7968)

    • Reads the computer name

      • random.exe (PID: 4880)
      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 7964)
      • ramez.exe (PID: 8028)
      • MSBuild.exe (PID: 2852)
      • 082e24a744.exe (PID: 5416)
      • c478828452.exe (PID: 7760)
      • nircmd.exe (PID: 7868)
      • NSudoLG.exe (PID: 7344)
      • NSudoLG.exe (PID: 3096)
      • 819090456b.exe (PID: 7656)
      • dbc96f1811.exe (PID: 6576)
      • 7z.exe (PID: 2516)
      • Unlocker.exe (PID: 4652)
      • Unlocker.exe (PID: 4152)

    • Reads mouse settings

      • random.exe (PID: 4880)
      • 819090456b.exe (PID: 7656)
      • dbc96f1811.exe (PID: 6576)

    • Auto-launch of the file from Task Scheduler

      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 7348)
      • cmd.exe (PID: 9288)

    • Disables trace logs

      • powershell.exe (PID: 7316)
      • powershell.exe (PID: 8164)

    • Checks proxy server information

      • powershell.exe (PID: 7316)
      • ramez.exe (PID: 8028)
      • powershell.exe (PID: 8164)

    • Create files in a temporary directory

      • random.exe (PID: 4880)
      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 7964)
      • ramez.exe (PID: 8028)
      • c478828452.exe (PID: 7760)
      • dbc96f1811.exe (PID: 6576)
      • 7z.exe (PID: 2516)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 7188)
      • mshta.exe (PID: 8064)
      • mshta.exe (PID: 8012)

    • The executable file from the user directory is run by the Powershell process

      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 7964)
      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 6808)
      • TempZNSYRFB1ZKHBYRK33UCCAAQLIFVDMXFV.EXE (PID: 5428)
      • TempZNSYRFB1ZKHBYRK33UCCAAQLIFVDMXFV.EXE (PID: 1748)
      • TempTK35WWJAZLUJIMVGEDMUXKUUWOKLVF3P.EXE (PID: 10252)
      • TempTK35WWJAZLUJIMVGEDMUXKUUWOKLVF3P.EXE (PID: 10284)

    • Process checks computer location settings

      • TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXE (PID: 7964)
      • ramez.exe (PID: 8028)
      • c478828452.exe (PID: 7760)
      • nircmd.exe (PID: 7868)

    • Manual execution by a user

      • mshta.exe (PID: 8064)
      • mshta.exe (PID: 5020)
      • 082e24a744.exe (PID: 1452)
      • c478828452.exe (PID: 2488)
      • 819090456b.exe (PID: 3848)
      • dbc96f1811.exe (PID: 9264)
      • mshta.exe (PID: 9296)

    • Creates files or folders in the user directory

      • ramez.exe (PID: 8028)
      • WerFault.exe (PID: 2088)

    • Reads the software policy settings

      • MSBuild.exe (PID: 2852)
      • 082e24a744.exe (PID: 5416)

    • Changes the display of characters in the console

      • cmd.exe (PID: 7872)
      • cmd.exe (PID: 5756)
      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 8456)
      • cmd.exe (PID: 8672)
      • cmd.exe (PID: 8196)

    • NirSoft software is detected

      • nircmd.exe (PID: 7868)
      • nircmd.exe (PID: 8296)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 5776)
      • mode.com (PID: 8784)

    • Checks operating system version

      • cmd.exe (PID: 7968)
      • cmd.exe (PID: 8672)

    • Auto-launch of the file from Registry key

      • ramez.exe (PID: 8028)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6436)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6436)

    • Application launched itself

      • firefox.exe (PID: 2136)
      • firefox.exe (PID: 7264)
      • firefox.exe (PID: 5416)
      • firefox.exe (PID: 7556)

    • Reads the machine GUID from the registry

      • Unlocker.exe (PID: 4652)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Amadey

(PID) Process(8028) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)lv:
msi
Kaspersky Lab
av:
|
#
"
\App
00000422
dm:
Powershell.exe
ProgramData\
ps1
rundll32
http://
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
id:
VideoID
cred.dll|clip.dll|
0000043f
cmd
00000423
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
------
2016
og:
\0000
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
+++
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/quiet
.jpg
d610cf342e
vs:
sd:
rundll32.exe
"taskkill /f /im "
pc:
random
=
360TotalSecurity
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
os:
https://
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
Avira
%-lu
zip
POST
" Content-Type: application/octet-stream
Rem
/te4h2nus/index.php
------
5.34
<c>
clip.dll
AVAST Software
\
shell32.dll
" && ren
e3
ramez.exe
kernel32.dll
DefaultSettings.XResolution
d1
DefaultSettings.YResolution
185.156.72.96
r=
cred.dll
--
GetNativeSystemInfo
-%lu
ComputerName
&unit=
Keyboard Layout\Preload
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ar:
Sophos
%USERPROFILE%
exe
e1
e2
st=s
Programs
0123456789
un:
rb
bi:
abcdefghijklmnopqrstuvwxyz0123456789-_
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
cmd /C RMDIR /s/q
Bitdefender
-unicode-
AVG
WinDefender
&&
shutdown -s -t 0
Comodo
00000419
Content-Type: application/x-www-form-urlencoded
/Plugins/
Main
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:16 13:36:08+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 633856
InitializedDataSize: 326144
UninitializedDataSize: -
EntryPoint: 0x20577
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
564
Monitored processes
426
Malicious processes
39
Suspicious processes
9

Behavior graph

Click at the process to see the details
start random.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe no specs schtasks.exe no specs powershell.exe conhost.exe no specs sppextcomobj.exe no specs slui.exe tempkjyf2owvoc2jmtvsaecjg2pgftshxvgt.exe #AMADEY ramez.exe mshta.exe no specs powershell.exe conhost.exe no specs 0e48b8933c.exe tempkjyf2owvoc2jmtvsaecjg2pgftshxvgt.exe no specs #LUMMA msbuild.exe #LUMMA 082e24a744.exe werfault.exe no specs #LUMMA svchost.exe c478828452.exe cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs cmd.exe conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs #CREDENTIALFLUSHER 819090456b.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs dbc96f1811.exe no specs taskkill.exe no specs conhost.exe no specs cmd.exe no specs mshta.exe no specs conhost.exe no specs schtasks.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs #CREDENTIALFLUSHER firefox.exe no specs findstr.exe no specs 7z.exe firefox.exe powershell.exe unlocker.exe no specs conhost.exe no specs firefox.exe no specs firefox.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs firefox.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs firefox.exe no specs sc.exe no specs find.exe no specs sc.exe no specs sc.exe no specs unlocker.exe firefox.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs iobitunlocker.exe no specs tempznsyrfb1zkhbyrk33uccaaqlifvdmxfv.exe no specs iobitunlocker.exe no specs cmd.exe no specs conhost.exe no specs #CREDENTIALFLUSHER 819090456b.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs taskkill.exe no specs conhost.exe no specs #LUMMA 082e24a744.exe mshta.exe no specs powershell.exe conhost.exe no specs c478828452.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs cmd.exe no specs conhost.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs tempznsyrfb1zkhbyrk33uccaaqlifvdmxfv.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs sc.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs schtasks.exe no specs reg.exe no specs schtasks.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs schtasks.exe no specs 7z.exe schtasks.exe no specs schtasks.exe no specs reg.exe no specs reg.exe no specs unlocker.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs reg.exe no specs taskkill.exe no specs conhost.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs schtasks.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs sc.exe no specs werfault.exe no specs taskkill.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs conhost.exe no specs taskkill.exe no specs sc.exe no specs sc.exe no specs ramez.exe no specs sc.exe no specs sc.exe no specs #CREDENTIALFLUSHER firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs firefox.exe no specs dbc96f1811.exe no specs cmd.exe no specs mshta.exe no specs conhost.exe no specs schtasks.exe no specs powershell.exe conhost.exe no specs mshta.exe no specs powershell.exe no specs conhost.exe no specs temptk35wwjazlujimvgedmuxkuuwoklvf3p.exe no specs temptk35wwjazlujimvgedmuxkuuwoklvf3p.exe no specs slui.exe no specs firefox.exe no specs firefox.exe no specs ramez.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
140"C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe"C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\d610cf342e\ramez.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
208\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
516sc config "Sense" start= disabled C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
616sc start WinDefend C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
5
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
616sc stop "MsSecWfp" C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
668reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /fC:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
672sc query IObitUnlockerC:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
720Unlocker /newDiskSizeC:\Users\admin\AppData\Local\Temp\Work\Unlocker.exe
cmd.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Description:
Unlocker by Eject
Version:
1.1.0.0
Modules
Images
c:\users\admin\appdata\local\temp\work\unlocker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
780sc delete "SecurityHealthService" C:\Windows\System32\sc.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Service Control Manager Configuration Tool
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
812\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exetaskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
92 578
Read events
92 366
Write events
75
Delete events
137

Modification events

(PID) Process:(7188) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7188) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7188) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7316) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(7316) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(7316) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(7316) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(7316) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(7316) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(7316) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
Executable files
26
Suspicious files
192
Text files
46
Unknown types
1

Dropped files

PID
Process
Filename
Type
2088WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_0e48b8933c.exe_1a7c963ffbd14d7d3f379d2b7d7f4660d4f4e8c2_95122643_6030979b-6f87-41ba-bf27-cfce6bdfcad7\Report.wer
MD5:
SHA256:
4880random.exeC:\Users\admin\AppData\Local\Temp\jo2DSRpc1.htahtml
MD5:437ABD96550D0652FF582AE63D23EB81
SHA256:F9037412817397DD99CBE7AB4478375D77E6EFD5703F21B8B051BBFDFD10C7C6
7316powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kxfjkr1i.n1f.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7964TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXEC:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exeexecutable
MD5:26CC5A6CFD8E8ECC433337413C14CDDB
SHA256:2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8
8164powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kurf1ybj.2v2.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7316powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:81DC3190DF07B582085BC19801147625
SHA256:EBCBD3D18C864D862CD694EEC9C203BBD3D81FA93634075C21B019F0ECA9525A
7316powershell.exeC:\Users\admin\AppData\Local\TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXEexecutable
MD5:26CC5A6CFD8E8ECC433337413C14CDDB
SHA256:2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8
7964TempKJYF2OWVOC2JMTVSAECJG2PGFTSHXVGT.EXEC:\Windows\Tasks\ramez.jobbinary
MD5:DA6BCE869B09F6E9CAF1D107DB91792D
SHA256:F327FDF877F80C65099BB85D3C08E31B62CAD49DDA39C892403374F13748ACFE
8028ramez.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\random[1].exeexecutable
MD5:B3EDC4D046207F50B2075C84430FFBC8
SHA256:C0E19BB95FB9541F2F82FAF23AEA1B917611EF9364E82474927F5B89E32A7743
8028ramez.exeC:\Users\admin\AppData\Local\Temp\10126810101\0e48b8933c.exeexecutable
MD5:B3EDC4D046207F50B2075C84430FFBC8
SHA256:C0E19BB95FB9541F2F82FAF23AEA1B917611EF9364E82474927F5B89E32A7743
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
72
TCP/UDP connections
165
DNS requests
153
Threats
60

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
23.216.77.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7316
powershell.exe
GET
200
185.156.72.2:80
http://185.156.72.2/testmine/random.exe
unknown
unknown
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
8028
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
malicious
8028
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
malicious
8028
ramez.exe
GET
200
185.156.72.2:80
http://185.156.72.2/files/fate/random.exe
unknown
unknown
8028
ramez.exe
GET
200
185.156.72.2:80
http://185.156.72.2/luma/random.exe
unknown
unknown
8028
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
malicious
8164
powershell.exe
GET
200
185.156.72.2:80
http://185.156.72.2/testmine/random.exe
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
23.216.77.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.0:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
7316
powershell.exe
185.156.72.2:80
Tov Vaiz Partner
RU
unknown
8028
ramez.exe
185.156.72.96:80
Tov Vaiz Partner
RU
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.19
  • 23.216.77.13
  • 23.216.77.20
  • 23.216.77.37
  • 23.216.77.6
  • 23.216.77.42
  • 23.216.77.38
  • 23.216.77.21
  • 23.216.77.41
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 142.250.185.174
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 20.190.159.0
  • 20.190.159.131
  • 20.190.159.73
  • 40.126.31.130
  • 40.126.31.69
  • 40.126.31.0
  • 40.126.31.129
  • 40.126.31.131
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
t.me
  • 149.154.167.99
whitelisted
anesthwtcm.run
  • 172.67.156.51
  • 104.21.50.36
unknown
cornerdurv.top
  • 104.21.16.1
  • 104.21.112.1
  • 104.21.32.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.96.1
  • 104.21.64.1
unknown

Threats

PID
Process
Class
Message
7316
powershell.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
7316
powershell.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7316
powershell.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7316
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
7316
powershell.exe
Misc activity
ET INFO Packed Executable Download
8028
ramez.exe
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
8028
ramez.exe
Malware Command and Control Activity Detected
ET MALWARE Amadey CnC Response
8028
ramez.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
8028
ramez.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
8028
ramez.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
random.exe