File name:

9bd46b1371d0897f7b8f5afe6360eabd.exe

Full analysis: https://app.any.run/tasks/6017e72e-ba8d-46e5-b759-0f67257b43ec
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: June 10, 2025, 00:52:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
themida
loader
auto-sch
amadey
botnet
rdp
auto
auto-reg
unlocker-eject
tool
pastebin
arch-exec
telegram
coinminer
miner
generic
evasion
clipper
diamotrix
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

9BD46B1371D0897F7B8F5AFE6360EABD

SHA1:

BB30C0A5A2A6C08D2A0903DC8B6748A3BA172236

SHA256:

E582744F2AECB54CB6C921BBBE85695F0DAAEB1B67BBE1457E02415D718C1349

SSDEEP:

98304:pbuOPnQSOpRr3ATmuhlHUS9BBpz5LlJnJtNai7MFgQjyyUW/hPgqPBlFF8iHPYYB:lHNAP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • Steals credentials from Web Browsers

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • LUMMA mutex has been found

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • LUMMA has been detected (SURICATA)

      • svchost.exe (PID: 2196)
      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • rZBRvVk.exe (PID: 3140)
      • MSBuild.exe (PID: 4784)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)
      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • LUMMA has been detected (YARA)

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 5124)
      • MSBuild.exe (PID: 1660)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5400)

    • AMADEY mutex has been found

      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 7612)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 4040)
      • amnew.exe (PID: 3008)
      • varen.exe (PID: 6476)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)
      • powershell.exe (PID: 6892)

    • AMADEY has been detected (SURICATA)

      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 2392)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)

    • AMADEY has been found (auto)

      • amnew.exe (PID: 3008)
      • ramez.exe (PID: 7444)

    • AMADEY has been detected (YARA)

      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • Changes the autorun value in the registry

      • ramez.exe (PID: 7444)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6992)
      • NSudoLG.exe (PID: 236)
      • cmd.exe (PID: 4404)
      • NSudoLG.exe (PID: 5960)

    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 236)
      • NSudoLG.exe (PID: 5960)

    • Changes powershell execution policy (Bypass)

      • MSBuild.exe (PID: 5124)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6148)

    • Executing a file with an untrusted certificate

      • sGe7ljJ.exe (PID: 7508)
      • jaWoO4E.exe (PID: 8144)
      • 3Svu0S9.exe (PID: 3124)
      • jaWoO4E.exe (PID: 8040)
      • XPFix.exe (PID: 2428)
      • XPFix.exe (PID: 208)

    • COINMINER has been found (auto)

      • ramez.exe (PID: 7444)

    • Registers / Runs the DLL via REGSVR32.EXE

      • jaWoO4E.tmp (PID: 8048)

    • GENERIC has been found (auto)

      • Generator-Circuit.exe (PID: 7084)
      • TransmitterDe.exe (PID: 6560)

    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 5492)

  • SUSPICIOUS

    • Reads the BIOS version

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 4040)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 7612)

    • Contacting a server suspected of hosting an CnC

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • svchost.exe (PID: 2196)
      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)
      • rZBRvVk.exe (PID: 3140)
      • MSBuild.exe (PID: 4784)

    • Searches for installed software

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)

    • Process requests binary or script from the Internet

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • powershell.exe (PID: 2392)
      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)
      • MSBuild.exe (PID: 1660)

    • Connects to the server without a host name

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • powershell.exe (PID: 2392)
      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)
      • explorer.exe (PID: 5492)

    • Executable content was dropped or overwritten

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • powershell.exe (PID: 2392)
      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)
      • 94b4b3baba.exe (PID: 7524)
      • varen.exe (PID: 6476)
      • joker12321.exe (PID: 208)
      • cee54fc4e9.exe (PID: 7336)
      • 7z.exe (PID: 3192)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)
      • Hnrh7mE.exe (PID: 6156)
      • EngineX-Aurora.exe (PID: 7676)
      • EngineX-Aurora.exe (PID: 6892)
      • jaWoO4E.exe (PID: 8144)
      • jaWoO4E.tmp (PID: 5980)
      • jaWoO4E.exe (PID: 8040)
      • powershell.exe (PID: 6892)
      • PortalDoc.exe (PID: 7560)
      • jaWoO4E.tmp (PID: 8048)
      • Generator-Circuit.exe (PID: 7084)
      • jzQILRF.exe (PID: 6228)
      • TransmitterDe.exe (PID: 1052)
      • TransmitterDe.exe (PID: 6560)
      • mRM6vf2pOmt1S0IDANR.exe (PID: 7708)
      • 6fc786bd14.exe (PID: 6416)

    • Starts CMD.EXE for commands execution

      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)
      • ramez.exe (PID: 7444)
      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 5968)
      • NSudoLG.exe (PID: 1680)
      • cmd.exe (PID: 6992)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 2040)
      • NSudoLG.exe (PID: 7968)
      • cmd.exe (PID: 4404)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 7476)
      • Unlocker.exe (PID: 2284)
      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 2840)
      • 6fc786bd14.exe (PID: 6416)
      • cmd.exe (PID: 6272)
      • B4HaM6C.exe (PID: 7316)

    • Reads security settings of Internet Explorer

      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)
      • varen.exe (PID: 6476)
      • nircmd.exe (PID: 5968)
      • joker12321.exe (PID: 208)
      • 94b4b3baba.exe (PID: 5428)
      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 2040)
      • cee54fc4e9.exe (PID: 7336)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)

    • Found IP address in command line

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)

    • Manipulates environment variables

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)

    • Starts process via Powershell

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 4212)
      • mshta.exe (PID: 7296)
      • NSudoLG.exe (PID: 236)
      • NSudoLG.exe (PID: 5960)
      • MSBuild.exe (PID: 5124)
      • jaWoO4E.tmp (PID: 8048)
      • regsvr32.exe (PID: 2616)
      • regsvr32.exe (PID: 2320)

    • Starts itself from another location

      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • amnew.exe (PID: 3008)
      • EngineX-Aurora.exe (PID: 6892)
      • TransmitterDe.exe (PID: 1052)

    • Probably download files using WebClient

      • mshta.exe (PID: 4212)
      • mshta.exe (PID: 7296)

    • Potential Corporate Privacy Violation

      • powershell.exe (PID: 2392)
      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • Executing commands from ".cmd" file

      • ramez.exe (PID: 7444)

    • There is functionality for enable RDP (YARA)

      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • Drops 7-zip archiver for unpacking

      • 94b4b3baba.exe (PID: 7524)

    • The process creates files with name similar to system file names

      • 94b4b3baba.exe (PID: 7524)

    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 2432)
      • nircmd.exe (PID: 5968)
      • nircmd.exe (PID: 5176)
      • NSudoLG.exe (PID: 1680)
      • nircmd.exe (PID: 4652)
      • NSudoLG.exe (PID: 236)
      • nircmd.exe (PID: 1052)
      • nircmd.exe (PID: 2040)
      • nircmd.exe (PID: 6572)
      • NSudoLG.exe (PID: 7968)
      • nircmd.exe (PID: 2796)
      • NSudoLG.exe (PID: 5960)
      • 7z.exe (PID: 3192)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)
      • 7z.exe (PID: 4208)
      • Unlocker.exe (PID: 7476)
      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 2840)
      • GoogleChrome.exe (PID: 1760)

    • Executing commands from a ".bat" file

      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 5968)
      • NSudoLG.exe (PID: 1680)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 2040)
      • NSudoLG.exe (PID: 7968)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1132)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 7528)
      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 4404)

    • Reads the date of Windows installation

      • nircmd.exe (PID: 5968)
      • nircmd.exe (PID: 2040)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 4404)

    • Get information on the list of running processes

      • cmd.exe (PID: 6456)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 4404)
      • cmd.exe (PID: 8112)

    • Application launched itself

      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 4404)
      • cmd.exe (PID: 6272)

    • Process drops legitimate windows executable

      • joker12321.exe (PID: 208)
      • cee54fc4e9.exe (PID: 7336)
      • ramez.exe (PID: 7444)
      • TransmitterDe.exe (PID: 1052)
      • mRM6vf2pOmt1S0IDANR.exe (PID: 7708)
      • jzQILRF.exe (PID: 6228)

    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 236)
      • NSudoLG.exe (PID: 5960)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 7148)

    • There is functionality for taking screenshot (YARA)

      • varen.exe (PID: 6476)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 4404)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 4996)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 3180)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 7632)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 444)

    • Windows service management via SC.EXE

      • sc.exe (PID: 8148)
      • sc.exe (PID: 4736)
      • sc.exe (PID: 7568)
      • sc.exe (PID: 8152)
      • sc.exe (PID: 5512)
      • sc.exe (PID: 1072)
      • sc.exe (PID: 7388)
      • sc.exe (PID: 7668)
      • sc.exe (PID: 2116)
      • sc.exe (PID: 716)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7564)
      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 5980)

    • Connects to unusual port

      • Final123.exe (PID: 6800)
      • 9FjbR7l.exe (PID: 7876)

    • Creates or modifies Windows services

      • Unlocker.exe (PID: 7364)

    • Stops a currently running service

      • sc.exe (PID: 7712)
      • sc.exe (PID: 3096)

    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6992)

    • Executes application which crashes

      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 2840)

    • Starts a Microsoft application from unusual location

      • sGe7ljJ.exe (PID: 7508)
      • 79iRboZ.exe (PID: 3804)
      • 08IyOOF.exe (PID: 5956)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 772)
      • MSBuild.exe (PID: 496)
      • GoogleChrome.exe (PID: 1760)

    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 2616)

    • The process hide an interactive prompt from the user

      • regsvr32.exe (PID: 2616)

    • The process drops C-runtime libraries

      • jzQILRF.exe (PID: 6228)
      • TransmitterDe.exe (PID: 1052)
      • mRM6vf2pOmt1S0IDANR.exe (PID: 7708)

    • Checks for external IP

      • 6fc786bd14.exe (PID: 6416)
      • svchost.exe (PID: 2196)
      • GoogleChrome.exe (PID: 1760)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2404)

    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 7360)

    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 5508)

    • The process executes via Task Scheduler

      • regsvr32.exe (PID: 2320)

    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 3028)

  • INFO

    • Reads the computer name

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)
      • varen.exe (PID: 6476)
      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 5968)
      • NSudoLG.exe (PID: 1680)
      • joker12321.exe (PID: 208)
      • NSudoLG.exe (PID: 236)
      • MSBuild.exe (PID: 1660)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 2040)
      • NSudoLG.exe (PID: 7968)
      • NSudoLG.exe (PID: 5960)
      • Final123.exe (PID: 6800)
      • cee54fc4e9.exe (PID: 7336)
      • 7z.exe (PID: 3192)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • MSBuild.exe (PID: 5124)
      • Unlocker.exe (PID: 2284)
      • 7z.exe (PID: 4208)
      • Unlocker.exe (PID: 7476)

    • Checks supported languages

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)
      • ramez.exe (PID: 7444)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 4040)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 7612)
      • amnew.exe (PID: 3008)
      • varen.exe (PID: 6476)
      • 94b4b3baba.exe (PID: 7524)
      • chcp.com (PID: 2104)
      • nircmd.exe (PID: 2432)
      • nircmd.exe (PID: 5968)
      • nircmd.exe (PID: 5176)
      • chcp.com (PID: 3996)
      • NSudoLG.exe (PID: 1680)
      • nircmd.exe (PID: 4652)
      • joker12321.exe (PID: 208)
      • chcp.com (PID: 5332)
      • mode.com (PID: 7372)
      • CK2AXADoRs.exe (PID: 4208)
      • LbtCy1wbUn.exe (PID: 8084)
      • NSudoLG.exe (PID: 236)
      • MSBuild.exe (PID: 1660)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 1052)
      • chcp.com (PID: 7048)
      • nircmd.exe (PID: 2040)
      • nircmd.exe (PID: 6572)
      • chcp.com (PID: 716)
      • NSudoLG.exe (PID: 7968)
      • nircmd.exe (PID: 2796)
      • chcp.com (PID: 8148)
      • cee54fc4e9.exe (PID: 7336)
      • mode.com (PID: 8088)
      • KXlC1NeBmn.exe (PID: 1804)
      • Bwm8bYoKCA.exe (PID: 7204)
      • NSudoLG.exe (PID: 5960)
      • Final123.exe (PID: 6800)
      • 7z.exe (PID: 3192)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • MSBuild.exe (PID: 5124)
      • Unlocker.exe (PID: 2284)
      • Unlocker.exe (PID: 7476)
      • 7z.exe (PID: 4208)

    • Reads the machine GUID from the registry

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • Final123.exe (PID: 6800)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • MSBuild.exe (PID: 5124)
      • Unlocker.exe (PID: 2284)

    • Reads the software policy settings

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • Themida protector has been detected

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • ramez.exe (PID: 7444)

    • Create files in a temporary directory

      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • amnew.exe (PID: 3008)
      • 94b4b3baba.exe (PID: 7524)
      • varen.exe (PID: 6476)
      • 7z.exe (PID: 3192)
      • 94b4b3baba.exe (PID: 5428)

    • Launching a file from Task Scheduler

      • cmd.exe (PID: 5400)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 4212)
      • mshta.exe (PID: 7296)

    • Process checks computer location settings

      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)
      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 5968)
      • joker12321.exe (PID: 208)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 2040)
      • varen.exe (PID: 6476)
      • cee54fc4e9.exe (PID: 7336)

    • Manual execution by a user

      • mshta.exe (PID: 7296)
      • 94b4b3baba.exe (PID: 5428)
      • IObitUnlocker.exe (PID: 1056)
      • IObitUnlocker.exe (PID: 6512)
      • WINWORD.EXE (PID: 5512)

    • Reads mouse settings

      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)

    • Checks proxy server information

      • ramez.exe (PID: 7444)
      • powershell.exe (PID: 2392)
      • varen.exe (PID: 6476)

    • Disables trace logs

      • powershell.exe (PID: 2392)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7728)
      • powershell.exe (PID: 240)
      • powershell.exe (PID: 7148)

    • The executable file from the user directory is run by the Powershell process

      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 4040)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 7612)

    • Creates files or folders in the user directory

      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)
      • joker12321.exe (PID: 208)
      • cee54fc4e9.exe (PID: 7336)

    • The sample compiled with english language support

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • 94b4b3baba.exe (PID: 7524)
      • joker12321.exe (PID: 208)
      • cee54fc4e9.exe (PID: 7336)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)
      • Hnrh7mE.exe (PID: 6156)
      • EngineX-Aurora.exe (PID: 7676)
      • EngineX-Aurora.exe (PID: 6892)
      • ramez.exe (PID: 7444)
      • jzQILRF.exe (PID: 6228)
      • TransmitterDe.exe (PID: 1052)
      • mRM6vf2pOmt1S0IDANR.exe (PID: 7708)

    • NirSoft software is detected

      • nircmd.exe (PID: 2432)
      • nircmd.exe (PID: 5968)
      • nircmd.exe (PID: 5176)
      • nircmd.exe (PID: 4652)
      • nircmd.exe (PID: 1052)
      • nircmd.exe (PID: 2040)
      • nircmd.exe (PID: 6572)
      • nircmd.exe (PID: 2796)

    • Changes the display of characters in the console

      • cmd.exe (PID: 1132)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 7528)
      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 4404)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7372)
      • mode.com (PID: 8088)

    • Checks operating system version

      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 4404)

    • Launching a file from a Registry key

      • ramez.exe (PID: 7444)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 7148)

    • Reads Environment values

      • Final123.exe (PID: 6800)

    • UNLOCKER BY EJECT mutex has been found

      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 6584)

    • The sample compiled with chinese language support

      • Generator-Circuit.exe (PID: 7084)
      • TransmitterDe.exe (PID: 6560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:03 17:31:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 322048
InitializedDataSize: 38400
UninitializedDataSize: -
EntryPoint: 0x49f000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
394
Monitored processes
258
Malicious processes
42
Suspicious processes
22

Behavior graph

Click at the process to see the details
start #LUMMA 9bd46b1371d0897f7b8f5afe6360eabd.exe #LUMMA svchost.exe inxdjvc9u3g3fqk4z.exe a3euoyidv149tawbg7zh.exe no specs cmd.exe no specs mshta.exe no specs conhost.exe no specs schtasks.exe no specs powershell.exe conhost.exe no specs #AMADEY ramez.exe mshta.exe no specs powershell.exe no specs conhost.exe no specs temp9wbmqszqqjstzcfqjtgoir7v7yzbu8ym.exe no specs temp9wbmqszqqjstzcfqjtgoir7v7yzbu8ym.exe no specs cmd.exe conhost.exe no specs #AMADEY amnew.exe #AMADEY varen.exe 94b4b3baba.exe cmd.exe no specs conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs joker12321.exe chcp.com no specs reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs ck2axadors.exe no specs conhost.exe no specs lbtcy1wbun.exe conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs #LUMMA msbuild.exe 94b4b3baba.exe no specs cmd.exe no specs conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs cee54fc4e9.exe mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs kxlc1nebmn.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs bwm8byokca.exe conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs reg.exe no specs find.exe no specs final123.exe cmd.exe no specs findstr.exe no specs 7z.exe unlocker.exe no specs #LUMMA msbuild.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs timeout.exe no specs unlocker.exe reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs 7z.exe no specs unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs iobitunlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs hnrh7me.exe enginex-aurora.exe timeout.exe no specs enginex-aurora.exe unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs werfault.exe no specs iobitunlocker.exe no specs iobitunlocker.exe unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs werfault.exe no specs powershell.exe no specs conhost.exe no specs sc.exe no specs 9fjbr7l.exe sc.exe no specs 9fjbr7l.exe no specs portaldoc.exe sge7ljj.exe no specs conhost.exe no specs slui.exe msbuild.exe jawoo4e.exe jawoo4e.tmp jawoo4e.exe jawoo4e.tmp powershell.exe conhost.exe no specs tcpvcon.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs 3svu0s9.exe no specs winword.exe powershell.exe no specs conhost.exe no specs ai.exe no specs mrm6vf2pomt1s0idanr.exe #GENERIC generator-circuit.exe jzqilrf.exe transmitterde.exe #GENERIC transmitterde.exe quancluster86.exe 79irboz.exe no specs conhost.exe no specs msbuild.exe no specs msbuild.exe cmd.exe conhost.exe no specs ssimulator.exe xpfix.exe no specs #LUMMA rzbrvvk.exe xpfix.exe no specs 6fc786bd14.exe cmd.exe no specs conhost.exe no specs #DIAMOTRIX explorer.exe cmd.exe no specs conhost.exe no specs ping.exe no specs googlechrome.exe 08iyoof.exe no specs conhost.exe no specs #LUMMA msbuild.exe b4ham6c.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Users\admin\AppData\Local\Temp\10001980101\joker12321.exe" C:\Users\admin\AppData\Local\Temp\10001980101\joker12321.exe
varen.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\10001980101\joker12321.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
208"C:\Users\admin\AppData\Roaming\systemFast_BYY\XPFix.exe" "C:\Users\admin\AppData\Roaming\systemFast_BYY\XPFix.exe" /uC:\Users\admin\AppData\Roaming\systemFast_BYY\XPFix.exeTransmitterDe.exe
User:
admin
Company:
360.cn
Integrity Level:
MEDIUM
Description:
360安全卫士 安全防护中心模块
Version:
1, 0, 0, 1013
236NSudoLG -U:E -ShowWindowMode:Hide -Wait PowerShell "[System.IO.DriveInfo]::GetDrives() | ForEach-Object { Add-MpPreference -ExclusionPath $_.Name }; Start-Sleep -Milliseconds 1000" C:\Users\admin\AppData\Local\Temp\Work\NSudoLG.execmd.exe
User:
SYSTEM
Company:
M2-Team
Integrity Level:
SYSTEM
Description:
NSudo Launcher
Exit code:
0
Version:
9.0.2676.0
Modules
Images
c:\users\admin\appdata\local\temp\work\nsudolg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
240PowerShell "[System.IO.DriveInfo]::GetDrives() | ForEach-Object { Add-MpPreference -ExclusionPath $_.Name }; Start-Sleep -Milliseconds 1000" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNSudoLG.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
444"C:\Windows\System32\cmd.exe" /c sc query IObitUnlockerC:\Windows\System32\cmd.exeUnlocker.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
456reg query "HKLM\System\CurrentControlSet\Services\MsSecCore" C:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
456reg query "HKLM\System\CurrentControlSet\Services\WdFilter" C:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
496"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
79iRboZ.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
656find /i "Windows 7" C:\Windows\System32\find.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
672reg query "HKU\S-1-5-19" C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
208 490
Read events
207 976
Write events
475
Delete events
39

Modification events

(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
00000000000000000000000000000000030001000100010012000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C0000000E000000000000006F006E0070006F006F0072002E0070006E0067003E00200020000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000150000000000000068006900670068006C00790064006900730070006C00610079002E007200740066003E00200020000000160000000000000069006E007400650072006E0061006C006D0065006400690075006D002E007200740066003E00200020000000130000000000000069006E007400650072006E0061006C007000720065002E006A00700067003E0020002000000011000000000000006F00740068006500720066006100690072002E0070006E0067003E0020002000000017000000000000007000750062006C00690063006100740069006F006E00670061006D0065002E007200740066003E0020002000000017000000000000007200650070006F00720074007300700061007300730077006F00720064002E007200740066003E0020002000000013000000000000007300650063006F006E006400660069006E0061006C002E007200740066003E002000200000001400000000000000760069007200670069006E0069006100680074006D006C002E0070006E0067003E002000200000002800000000000000390062006400340036006200310033003700310064003000380039003700660037006200380066003500610066006500360033003600300065006100620064002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001200000000000000000000000000000000000000803F0000404009000000803F000080400A000000803F0000A0400B000000000000008040040000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000000000803F01000000000000000040020000000000000040400300000000000000A04005000000803F0000000006000000803F0000803F07000000803F000000400800000000400000A0401100
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconNameVersion
Value:
1
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
BB81476800000000
(PID) Process:(4212) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4212) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4212) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000008031C
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000008031C
Operation:delete keyName:(default)
Value:
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000B0322
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000B0322
Operation:delete keyName:(default)
Value:
Executable files
129
Suspicious files
147
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
5728INXDJVC9U3G3FQK4Z.exeC:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exeexecutable
MD5:24D2B8410259D129DF232EF1133F17B1
SHA256:CB2FD6B3B28746AC104997E10449EC52E883ED8353F1DBC1F007E0AD4DB32966
1852A3EUOYIDV149TAWBG7ZH.exeC:\Users\admin\AppData\Local\Temp\cRjKobv7a.htahtml
MD5:CDEB6D76889E1124804CC53C45F65F8C
SHA256:74D9E59F8D8358F32BB5BED91FBF4AF61FF234071F0A2A4DD4E45CF5E0D850F5
2392powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_szxyq2tb.2ev.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_glgipdsj.jmr.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2392powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fbzvinjd.xo0.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7444ramez.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\70X66Ui[1].battext
MD5:FC2BAA1A20B4D5190B122B383D7449FD
SHA256:6B8DCA09E851A987050463C9C60603E9AD797BA09117056FC2E0C07BCAC66E43
7444ramez.exeC:\Users\admin\AppData\Local\Temp\10348010101\amnew.exeexecutable
MD5:9BF93861C32C3A2A30EA0D4D995CCC3F
SHA256:3C7CD0B8620A6B6E75110C604F7F5DDD5CB51B9FBCF8CEE963623AD0E04C4C19
26529bd46b1371d0897f7b8f5afe6360eabd.exeC:\Users\admin\AppData\Local\Temp\INXDJVC9U3G3FQK4Z.exeexecutable
MD5:24D2B8410259D129DF232EF1133F17B1
SHA256:CB2FD6B3B28746AC104997E10449EC52E883ED8353F1DBC1F007E0AD4DB32966
7728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ar2y3g1y.ktd.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7444ramez.exeC:\Users\admin\AppData\Local\Temp\10348210101\94b4b3baba.exeexecutable
MD5:9598A1F8BC22BEEBC03BD00636B34837
SHA256:3FA426BDA40884F9B6E5AC2B22DE88F423E121108A413C21F970612C7CBD9EF0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
251
TCP/UDP connections
169
DNS requests
41
Threats
118

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
32.7 Kb
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
160 b
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
GET
200
185.156.72.2:80
http://185.156.72.2/mine/random.exe
unknown
unknown
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
2392
powershell.exe
GET
200
185.156.72.2:80
http://185.156.72.2/testmine/random.exe
unknown
unknown
7444
ramez.exe
POST
200
185.156.72.96:80
http://185.156.72.96/te4h2nus/index.php
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2088
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2088
RUXIMICS.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
195.82.147.188:443
battlefled.top
Dreamtorrent Corp
RU
malicious
2088
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
185.156.72.2:80
Tov Vaiz Partner
RU
unknown
7444
ramez.exe
185.156.72.96:80
Tov Vaiz Partner
RU
unknown
2392
powershell.exe
185.156.72.2:80
Tov Vaiz Partner
RU
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.46
whitelisted
battlefled.top
  • 195.82.147.188
unknown
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 23.216.77.42
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.219.150.101
whitelisted
sstemxehg.shop
  • 195.82.147.188
unknown
pastebin.com
  • 172.67.25.94
  • 104.22.69.199
  • 104.22.68.199
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
t.me
  • 149.154.167.99
whitelisted
kinwlyo.xyz
  • 195.82.147.188
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (battlefled .top)
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Misc Attack
ET DROP Dshield Block Listed Source group 1
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
9bd46b1371d0897f7b8f5afe6360eabd.exe