File name:

9bd46b1371d0897f7b8f5afe6360eabd.exe

Full analysis: https://app.any.run/tasks/6017e72e-ba8d-46e5-b759-0f67257b43ec
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: June 10, 2025, 00:52:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
lumma
stealer
themida
loader
auto-sch
amadey
botnet
rdp
auto
auto-reg
unlocker-eject
tool
pastebin
arch-exec
telegram
coinminer
miner
generic
evasion
clipper
diamotrix
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 7 sections
MD5:

9BD46B1371D0897F7B8F5AFE6360EABD

SHA1:

BB30C0A5A2A6C08D2A0903DC8B6748A3BA172236

SHA256:

E582744F2AECB54CB6C921BBBE85695F0DAAEB1B67BBE1457E02415D718C1349

SSDEEP:

98304:pbuOPnQSOpRr3ATmuhlHUS9BBpz5LlJnJtNai7MFgQjyyUW/hPgqPBlFF8iHPYYB:lHNAP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • LUMMA has been detected (SURICATA)

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • svchost.exe (PID: 2196)
      • rZBRvVk.exe (PID: 3140)
      • MSBuild.exe (PID: 4784)

    • Connects to the CnC server

      • svchost.exe (PID: 2196)
      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 5400)

    • AMADEY mutex has been found

      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 7612)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 4040)
      • amnew.exe (PID: 3008)
      • varen.exe (PID: 6476)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)
      • powershell.exe (PID: 6892)

    • Request from PowerShell that ran from MSHTA.EXE

      • powershell.exe (PID: 2392)

    • AMADEY has been detected (SURICATA)

      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • Steals credentials from Web Browsers

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • LUMMA has been detected (YARA)

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • Actions looks like stealing of personal data

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • LUMMA mutex has been found

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • Script downloads file (POWERSHELL)

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)

    • AMADEY has been detected (YARA)

      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • AMADEY has been found (auto)

      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)

    • Adds path to the Windows Defender exclusion list

      • cmd.exe (PID: 6992)
      • NSudoLG.exe (PID: 236)
      • cmd.exe (PID: 4404)
      • NSudoLG.exe (PID: 5960)

    • Changes Windows Defender settings

      • NSudoLG.exe (PID: 236)
      • NSudoLG.exe (PID: 5960)

    • Changes the autorun value in the registry

      • ramez.exe (PID: 7444)

    • Changes powershell execution policy (Bypass)

      • MSBuild.exe (PID: 5124)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 6148)

    • Executing a file with an untrusted certificate

      • sGe7ljJ.exe (PID: 7508)
      • jaWoO4E.exe (PID: 8144)
      • 3Svu0S9.exe (PID: 3124)
      • jaWoO4E.exe (PID: 8040)
      • XPFix.exe (PID: 208)
      • XPFix.exe (PID: 2428)

    • Registers / Runs the DLL via REGSVR32.EXE

      • jaWoO4E.tmp (PID: 8048)

    • COINMINER has been found (auto)

      • ramez.exe (PID: 7444)

    • GENERIC has been found (auto)

      • Generator-Circuit.exe (PID: 7084)
      • TransmitterDe.exe (PID: 6560)

    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 5492)

  • SUSPICIOUS

    • Connects to the server without a host name

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • powershell.exe (PID: 2392)
      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)
      • explorer.exe (PID: 5492)

    • Reads the BIOS version

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 4040)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 7612)

    • Contacting a server suspected of hosting an CnC

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • svchost.exe (PID: 2196)
      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)
      • rZBRvVk.exe (PID: 3140)
      • MSBuild.exe (PID: 4784)

    • Executable content was dropped or overwritten

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • powershell.exe (PID: 2392)
      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)
      • 94b4b3baba.exe (PID: 7524)
      • varen.exe (PID: 6476)
      • joker12321.exe (PID: 208)
      • cee54fc4e9.exe (PID: 7336)
      • 7z.exe (PID: 3192)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)
      • EngineX-Aurora.exe (PID: 6892)
      • EngineX-Aurora.exe (PID: 7676)
      • Hnrh7mE.exe (PID: 6156)
      • powershell.exe (PID: 6892)
      • jaWoO4E.exe (PID: 8040)
      • jaWoO4E.tmp (PID: 8048)
      • PortalDoc.exe (PID: 7560)
      • mRM6vf2pOmt1S0IDANR.exe (PID: 7708)
      • jaWoO4E.exe (PID: 8144)
      • jaWoO4E.tmp (PID: 5980)
      • Generator-Circuit.exe (PID: 7084)
      • TransmitterDe.exe (PID: 1052)
      • TransmitterDe.exe (PID: 6560)
      • jzQILRF.exe (PID: 6228)
      • 6fc786bd14.exe (PID: 6416)

    • Process requests binary or script from the Internet

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • ramez.exe (PID: 7444)
      • powershell.exe (PID: 2392)
      • varen.exe (PID: 6476)
      • MSBuild.exe (PID: 1660)

    • Reads security settings of Internet Explorer

      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)
      • varen.exe (PID: 6476)
      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 5968)
      • joker12321.exe (PID: 208)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 2040)
      • cee54fc4e9.exe (PID: 7336)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)

    • Found IP address in command line

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)

    • Starts CMD.EXE for commands execution

      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)
      • ramez.exe (PID: 7444)
      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 5968)
      • NSudoLG.exe (PID: 1680)
      • cmd.exe (PID: 6992)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 2040)
      • NSudoLG.exe (PID: 7968)
      • cmd.exe (PID: 4404)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 7476)
      • Unlocker.exe (PID: 2284)
      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 2840)
      • cmd.exe (PID: 6272)
      • 6fc786bd14.exe (PID: 6416)
      • B4HaM6C.exe (PID: 7316)

    • Probably download files using WebClient

      • mshta.exe (PID: 4212)
      • mshta.exe (PID: 7296)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 4212)
      • mshta.exe (PID: 7296)
      • NSudoLG.exe (PID: 236)
      • NSudoLG.exe (PID: 5960)
      • MSBuild.exe (PID: 5124)
      • regsvr32.exe (PID: 2616)
      • jaWoO4E.tmp (PID: 8048)
      • regsvr32.exe (PID: 2320)

    • Manipulates environment variables

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)

    • Starts process via Powershell

      • powershell.exe (PID: 2392)
      • powershell.exe (PID: 7728)

    • Starts itself from another location

      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • amnew.exe (PID: 3008)
      • EngineX-Aurora.exe (PID: 6892)
      • TransmitterDe.exe (PID: 1052)

    • Potential Corporate Privacy Violation

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • powershell.exe (PID: 2392)
      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • Searches for installed software

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)

    • Executing commands from ".cmd" file

      • ramez.exe (PID: 7444)

    • There is functionality for enable RDP (YARA)

      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)

    • The process creates files with name similar to system file names

      • 94b4b3baba.exe (PID: 7524)

    • Drops 7-zip archiver for unpacking

      • 94b4b3baba.exe (PID: 7524)

    • Executing commands from a ".bat" file

      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 5968)
      • NSudoLG.exe (PID: 1680)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 2040)
      • NSudoLG.exe (PID: 7968)

    • The executable file from the user directory is run by the CMD process

      • nircmd.exe (PID: 2432)
      • nircmd.exe (PID: 5968)
      • nircmd.exe (PID: 5176)
      • NSudoLG.exe (PID: 1680)
      • nircmd.exe (PID: 4652)
      • NSudoLG.exe (PID: 236)
      • nircmd.exe (PID: 2040)
      • nircmd.exe (PID: 1052)
      • nircmd.exe (PID: 6572)
      • NSudoLG.exe (PID: 7968)
      • nircmd.exe (PID: 2796)
      • NSudoLG.exe (PID: 5960)
      • 7z.exe (PID: 3192)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)
      • 7z.exe (PID: 4208)
      • Unlocker.exe (PID: 7476)
      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 2840)
      • GoogleChrome.exe (PID: 1760)

    • Starts application with an unusual extension

      • cmd.exe (PID: 1132)
      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 7528)
      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 4404)

    • Reads the date of Windows installation

      • nircmd.exe (PID: 5968)
      • nircmd.exe (PID: 2040)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 4404)

    • Get information on the list of running processes

      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 6456)
      • cmd.exe (PID: 8112)
      • cmd.exe (PID: 4404)

    • Process drops legitimate windows executable

      • joker12321.exe (PID: 208)
      • cee54fc4e9.exe (PID: 7336)
      • ramez.exe (PID: 7444)
      • mRM6vf2pOmt1S0IDANR.exe (PID: 7708)
      • jzQILRF.exe (PID: 6228)
      • TransmitterDe.exe (PID: 1052)

    • Application launched itself

      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 4404)
      • cmd.exe (PID: 6272)

    • Script adds exclusion path to Windows Defender

      • NSudoLG.exe (PID: 236)
      • NSudoLG.exe (PID: 5960)

    • PowerShell delay command usage (probably sleep evasion)

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 7148)

    • There is functionality for taking screenshot (YARA)

      • varen.exe (PID: 6476)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 4404)

    • Windows service management via SC.EXE

      • sc.exe (PID: 8148)
      • sc.exe (PID: 4736)
      • sc.exe (PID: 7568)
      • sc.exe (PID: 8152)
      • sc.exe (PID: 5512)
      • sc.exe (PID: 1072)
      • sc.exe (PID: 7388)
      • sc.exe (PID: 7668)
      • sc.exe (PID: 2116)
      • sc.exe (PID: 716)

    • Starts SC.EXE for service management

      • cmd.exe (PID: 2152)
      • cmd.exe (PID: 4996)
      • cmd.exe (PID: 7708)
      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 3180)
      • cmd.exe (PID: 4728)
      • cmd.exe (PID: 7632)
      • cmd.exe (PID: 444)
      • cmd.exe (PID: 6992)

    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7564)
      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 5980)

    • Connects to unusual port

      • Final123.exe (PID: 6800)
      • 9FjbR7l.exe (PID: 7876)

    • Creates or modifies Windows services

      • Unlocker.exe (PID: 7364)

    • Stops a currently running service

      • sc.exe (PID: 7712)
      • sc.exe (PID: 3096)

    • Drops a system driver (possible attempt to evade defenses)

      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6992)

    • Executes application which crashes

      • Unlocker.exe (PID: 8000)
      • Unlocker.exe (PID: 2840)

    • Starts a Microsoft application from unusual location

      • sGe7ljJ.exe (PID: 7508)
      • 79iRboZ.exe (PID: 3804)
      • 08IyOOF.exe (PID: 5956)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • MSBuild.exe (PID: 772)
      • GoogleChrome.exe (PID: 1760)
      • MSBuild.exe (PID: 496)

    • The process hide an interactive prompt from the user

      • regsvr32.exe (PID: 2616)

    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 2616)

    • The process drops C-runtime libraries

      • TransmitterDe.exe (PID: 1052)
      • jzQILRF.exe (PID: 6228)
      • mRM6vf2pOmt1S0IDANR.exe (PID: 7708)

    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 2404)

    • Checks for external IP

      • svchost.exe (PID: 2196)
      • 6fc786bd14.exe (PID: 6416)
      • GoogleChrome.exe (PID: 1760)

    • Uses WMIC.EXE to obtain physical disk drive information

      • cmd.exe (PID: 5508)

    • Uses WMIC.EXE to obtain BIOS management information

      • cmd.exe (PID: 7360)

    • Uses WMIC.EXE to obtain CPU information

      • cmd.exe (PID: 3028)

    • The process executes via Task Scheduler

      • regsvr32.exe (PID: 2320)

  • INFO

    • Checks supported languages

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)
      • ramez.exe (PID: 7444)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 7612)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 4040)
      • amnew.exe (PID: 3008)
      • varen.exe (PID: 6476)
      • 94b4b3baba.exe (PID: 7524)
      • chcp.com (PID: 2104)
      • nircmd.exe (PID: 2432)
      • nircmd.exe (PID: 5968)
      • NSudoLG.exe (PID: 1680)
      • nircmd.exe (PID: 5176)
      • chcp.com (PID: 3996)
      • nircmd.exe (PID: 4652)
      • joker12321.exe (PID: 208)
      • chcp.com (PID: 5332)
      • mode.com (PID: 7372)
      • CK2AXADoRs.exe (PID: 4208)
      • LbtCy1wbUn.exe (PID: 8084)
      • NSudoLG.exe (PID: 236)
      • MSBuild.exe (PID: 1660)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 2040)
      • chcp.com (PID: 7048)
      • nircmd.exe (PID: 1052)
      • nircmd.exe (PID: 6572)
      • chcp.com (PID: 716)
      • NSudoLG.exe (PID: 7968)
      • nircmd.exe (PID: 2796)
      • chcp.com (PID: 8148)
      • mode.com (PID: 8088)
      • cee54fc4e9.exe (PID: 7336)
      • Bwm8bYoKCA.exe (PID: 7204)
      • KXlC1NeBmn.exe (PID: 1804)
      • NSudoLG.exe (PID: 5960)
      • Final123.exe (PID: 6800)
      • 7z.exe (PID: 3192)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • MSBuild.exe (PID: 5124)
      • Unlocker.exe (PID: 2284)
      • 7z.exe (PID: 4208)
      • Unlocker.exe (PID: 7476)

    • Themida protector has been detected

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • ramez.exe (PID: 7444)

    • Create files in a temporary directory

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)
      • 94b4b3baba.exe (PID: 7524)
      • varen.exe (PID: 6476)
      • 94b4b3baba.exe (PID: 5428)
      • 7z.exe (PID: 3192)

    • Reads the computer name

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)
      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)
      • varen.exe (PID: 6476)
      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 5968)
      • NSudoLG.exe (PID: 1680)
      • joker12321.exe (PID: 208)
      • NSudoLG.exe (PID: 236)
      • MSBuild.exe (PID: 1660)
      • 94b4b3baba.exe (PID: 5428)
      • nircmd.exe (PID: 2040)
      • NSudoLG.exe (PID: 7968)
      • cee54fc4e9.exe (PID: 7336)
      • NSudoLG.exe (PID: 5960)
      • Final123.exe (PID: 6800)
      • 7z.exe (PID: 3192)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • MSBuild.exe (PID: 5124)
      • Unlocker.exe (PID: 2284)
      • 7z.exe (PID: 4208)
      • Unlocker.exe (PID: 7476)

    • Reads the machine GUID from the registry

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • Final123.exe (PID: 6800)
      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)
      • MSBuild.exe (PID: 5124)
      • Unlocker.exe (PID: 2284)

    • Reads the software policy settings

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • MSBuild.exe (PID: 1660)
      • MSBuild.exe (PID: 5124)

    • The sample compiled with english language support

      • 9bd46b1371d0897f7b8f5afe6360eabd.exe (PID: 2652)
      • 94b4b3baba.exe (PID: 7524)
      • joker12321.exe (PID: 208)
      • cee54fc4e9.exe (PID: 7336)
      • Unlocker.exe (PID: 7364)
      • Unlocker.exe (PID: 2284)
      • EngineX-Aurora.exe (PID: 6892)
      • EngineX-Aurora.exe (PID: 7676)
      • Hnrh7mE.exe (PID: 6156)
      • ramez.exe (PID: 7444)
      • mRM6vf2pOmt1S0IDANR.exe (PID: 7708)
      • jzQILRF.exe (PID: 6228)
      • TransmitterDe.exe (PID: 1052)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 4212)
      • mshta.exe (PID: 7296)

    • Reads mouse settings

      • A3EUOYIDV149TAWBG7ZH.exe (PID: 1852)

    • Launching a file from Task Scheduler

      • cmd.exe (PID: 5400)

    • Process checks computer location settings

      • INXDJVC9U3G3FQK4Z.exe (PID: 5728)
      • ramez.exe (PID: 7444)
      • amnew.exe (PID: 3008)
      • 94b4b3baba.exe (PID: 7524)
      • nircmd.exe (PID: 5968)
      • varen.exe (PID: 6476)
      • joker12321.exe (PID: 208)
      • nircmd.exe (PID: 2040)
      • cee54fc4e9.exe (PID: 7336)
      • 94b4b3baba.exe (PID: 5428)

    • Manual execution by a user

      • mshta.exe (PID: 7296)
      • 94b4b3baba.exe (PID: 5428)
      • IObitUnlocker.exe (PID: 6512)
      • IObitUnlocker.exe (PID: 1056)
      • WINWORD.EXE (PID: 5512)

    • Checks proxy server information

      • ramez.exe (PID: 7444)
      • powershell.exe (PID: 2392)
      • varen.exe (PID: 6476)

    • Disables trace logs

      • powershell.exe (PID: 2392)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7728)
      • powershell.exe (PID: 240)
      • powershell.exe (PID: 7148)

    • The executable file from the user directory is run by the Powershell process

      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 4040)
      • Temp9WBMQSZQQJSTZCFQJTGOIR7V7YZBU8YM.EXE (PID: 7612)

    • Creates files or folders in the user directory

      • ramez.exe (PID: 7444)
      • varen.exe (PID: 6476)
      • joker12321.exe (PID: 208)
      • cee54fc4e9.exe (PID: 7336)

    • NirSoft software is detected

      • nircmd.exe (PID: 2432)
      • nircmd.exe (PID: 5968)
      • nircmd.exe (PID: 5176)
      • nircmd.exe (PID: 4652)
      • nircmd.exe (PID: 2040)
      • nircmd.exe (PID: 1052)
      • nircmd.exe (PID: 6572)
      • nircmd.exe (PID: 2796)

    • Changes the display of characters in the console

      • cmd.exe (PID: 1132)
      • cmd.exe (PID: 6584)
      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 7528)
      • cmd.exe (PID: 5592)
      • cmd.exe (PID: 4404)

    • Starts MODE.COM to configure console settings

      • mode.com (PID: 7372)
      • mode.com (PID: 8088)

    • Checks operating system version

      • cmd.exe (PID: 6992)
      • cmd.exe (PID: 4404)

    • Launching a file from a Registry key

      • ramez.exe (PID: 7444)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 240)
      • powershell.exe (PID: 7148)

    • Reads Environment values

      • Final123.exe (PID: 6800)

    • UNLOCKER BY EJECT mutex has been found

      • Unlocker.exe (PID: 6584)
      • Unlocker.exe (PID: 7364)

    • The sample compiled with chinese language support

      • TransmitterDe.exe (PID: 6560)
      • Generator-Circuit.exe (PID: 7084)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:06:03 17:31:21+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 322048
InitializedDataSize: 38400
UninitializedDataSize: -
EntryPoint: 0x49f000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
394
Monitored processes
258
Malicious processes
42
Suspicious processes
22

Behavior graph

Click at the process to see the details
start #LUMMA 9bd46b1371d0897f7b8f5afe6360eabd.exe #LUMMA svchost.exe inxdjvc9u3g3fqk4z.exe a3euoyidv149tawbg7zh.exe no specs cmd.exe no specs mshta.exe no specs conhost.exe no specs schtasks.exe no specs powershell.exe conhost.exe no specs #AMADEY ramez.exe mshta.exe no specs powershell.exe no specs conhost.exe no specs temp9wbmqszqqjstzcfqjtgoir7v7yzbu8ym.exe no specs temp9wbmqszqqjstzcfqjtgoir7v7yzbu8ym.exe no specs cmd.exe conhost.exe no specs #AMADEY amnew.exe #AMADEY varen.exe 94b4b3baba.exe cmd.exe no specs conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs joker12321.exe chcp.com no specs reg.exe no specs reg.exe no specs mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs ck2axadors.exe no specs conhost.exe no specs lbtcy1wbun.exe conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs #LUMMA msbuild.exe 94b4b3baba.exe no specs cmd.exe no specs conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs nircmd.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs nsudolg.exe no specs cmd.exe conhost.exe no specs nircmd.exe no specs chcp.com no specs reg.exe no specs reg.exe no specs cee54fc4e9.exe mode.com no specs cmd.exe no specs reg.exe no specs find.exe no specs cmd.exe no specs tasklist.exe no specs reg.exe no specs reg.exe no specs kxlc1nebmn.exe no specs reg.exe no specs conhost.exe no specs reg.exe no specs bwm8byokca.exe conhost.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs find.exe no specs nsudolg.exe no specs powershell.exe no specs conhost.exe no specs reg.exe no specs find.exe no specs final123.exe cmd.exe no specs findstr.exe no specs 7z.exe unlocker.exe no specs #LUMMA msbuild.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs timeout.exe no specs unlocker.exe reg.exe no specs find.exe no specs cmd.exe no specs findstr.exe no specs 7z.exe no specs unlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs iobitunlocker.exe no specs cmd.exe no specs conhost.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs conhost.exe no specs taskkill.exe no specs hnrh7me.exe enginex-aurora.exe timeout.exe no specs enginex-aurora.exe unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs werfault.exe no specs iobitunlocker.exe no specs iobitunlocker.exe unlocker.exe cmd.exe no specs conhost.exe no specs sc.exe no specs werfault.exe no specs powershell.exe no specs conhost.exe no specs sc.exe no specs 9fjbr7l.exe sc.exe no specs 9fjbr7l.exe no specs portaldoc.exe sge7ljj.exe no specs conhost.exe no specs slui.exe msbuild.exe jawoo4e.exe jawoo4e.tmp jawoo4e.exe jawoo4e.tmp powershell.exe conhost.exe no specs tcpvcon.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs 3svu0s9.exe no specs winword.exe powershell.exe no specs conhost.exe no specs ai.exe no specs mrm6vf2pomt1s0idanr.exe #GENERIC generator-circuit.exe jzqilrf.exe transmitterde.exe #GENERIC transmitterde.exe quancluster86.exe 79irboz.exe no specs conhost.exe no specs msbuild.exe no specs msbuild.exe cmd.exe conhost.exe no specs ssimulator.exe xpfix.exe no specs #LUMMA rzbrvvk.exe xpfix.exe no specs 6fc786bd14.exe cmd.exe no specs conhost.exe no specs #DIAMOTRIX explorer.exe cmd.exe no specs conhost.exe no specs ping.exe no specs googlechrome.exe 08iyoof.exe no specs conhost.exe no specs #LUMMA msbuild.exe b4ham6c.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs cmd.exe no specs conhost.exe no specs wmic.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Users\admin\AppData\Local\Temp\10001980101\joker12321.exe" C:\Users\admin\AppData\Local\Temp\10001980101\joker12321.exe
varen.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\10001980101\joker12321.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
208"C:\Users\admin\AppData\Roaming\systemFast_BYY\XPFix.exe" "C:\Users\admin\AppData\Roaming\systemFast_BYY\XPFix.exe" /uC:\Users\admin\AppData\Roaming\systemFast_BYY\XPFix.exeTransmitterDe.exe
User:
admin
Company:
360.cn
Integrity Level:
MEDIUM
Description:
360安全卫士 安全防护中心模块
Version:
1, 0, 0, 1013
236NSudoLG -U:E -ShowWindowMode:Hide -Wait PowerShell "[System.IO.DriveInfo]::GetDrives() | ForEach-Object { Add-MpPreference -ExclusionPath $_.Name }; Start-Sleep -Milliseconds 1000" C:\Users\admin\AppData\Local\Temp\Work\NSudoLG.execmd.exe
User:
SYSTEM
Company:
M2-Team
Integrity Level:
SYSTEM
Description:
NSudo Launcher
Exit code:
0
Version:
9.0.2676.0
Modules
Images
c:\users\admin\appdata\local\temp\work\nsudolg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
240PowerShell "[System.IO.DriveInfo]::GetDrives() | ForEach-Object { Add-MpPreference -ExclusionPath $_.Name }; Start-Sleep -Milliseconds 1000" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNSudoLG.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
444"C:\Windows\System32\cmd.exe" /c sc query IObitUnlockerC:\Windows\System32\cmd.exeUnlocker.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1060
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
456reg query "HKLM\System\CurrentControlSet\Services\MsSecCore" C:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
456reg query "HKLM\System\CurrentControlSet\Services\WdFilter" C:\Windows\System32\reg.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ws2_32.dll
496"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
79iRboZ.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shell32.dll
656find /i "Windows 7" C:\Windows\System32\find.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Find String (grep) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\fsutilext.dll
672reg query "HKU\S-1-5-19" C:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
208 490
Read events
207 976
Write events
475
Delete events
39

Modification events

(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
00000000000000000000000000000000030001000100010012000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C0000000E000000000000006F006E0070006F006F0072002E0070006E0067003E00200020000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000150000000000000068006900670068006C00790064006900730070006C00610079002E007200740066003E00200020000000160000000000000069006E007400650072006E0061006C006D0065006400690075006D002E007200740066003E00200020000000130000000000000069006E007400650072006E0061006C007000720065002E006A00700067003E0020002000000011000000000000006F00740068006500720066006100690072002E0070006E0067003E0020002000000017000000000000007000750062006C00690063006100740069006F006E00670061006D0065002E007200740066003E0020002000000017000000000000007200650070006F00720074007300700061007300730077006F00720064002E007200740066003E0020002000000013000000000000007300650063006F006E006400660069006E0061006C002E007200740066003E002000200000001400000000000000760069007200670069006E0069006100680074006D006C002E0070006E0067003E002000200000002800000000000000390062006400340036006200310033003700310064003000380039003700660037006200380066003500610066006500360033003600300065006100620064002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001200000000000000000000000000000000000000803F0000404009000000803F000080400A000000803F0000A0400B000000000000008040040000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000000000803F01000000000000000040020000000000000040400300000000000000A04005000000803F0000000006000000803F0000803F07000000803F000000400800000000400000A0401100
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconNameVersion
Value:
1
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
BB81476800000000
(PID) Process:(4212) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(4212) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(4212) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000008031C
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000008031C
Operation:delete keyName:(default)
Value:
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000B0322
Operation:writeName:VirtualDesktop
Value:
1000000030304456BFA0DB55E4278845B426357D5B5F97B3
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:00000000000B0322
Operation:delete keyName:(default)
Value:
Executable files
129
Suspicious files
147
Text files
48
Unknown types
0

Dropped files

PID
Process
Filename
Type
26529bd46b1371d0897f7b8f5afe6360eabd.exeC:\Users\admin\AppData\Local\Temp\A3EUOYIDV149TAWBG7ZH.exeexecutable
MD5:D4FD0EA5AAE4E0C6A48FF7F1C07D88EA
SHA256:293BF1F2B901F02F23AF5C9221989AC82F27B2DE061D7DF9A035E09E713F914D
5492explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
7728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_glgipdsj.jmr.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5728INXDJVC9U3G3FQK4Z.exeC:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exeexecutable
MD5:24D2B8410259D129DF232EF1133F17B1
SHA256:CB2FD6B3B28746AC104997E10449EC52E883ED8353F1DBC1F007E0AD4DB32966
7728powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ar2y3g1y.ktd.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2392powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_szxyq2tb.2ev.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2392powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fbzvinjd.xo0.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2392powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:07AA0DC09457C9CEE275C36B0B74650F
SHA256:B9328CE96A3050793575E942E77BAA3A6BD9B27AA753D9BF6EDC9602FBB867A3
5728INXDJVC9U3G3FQK4Z.exeC:\Windows\Tasks\ramez.jobbinary
MD5:E2BCB8D705DB3127CFD247C5A992AE9F
SHA256:080A481E3F5579EA7757941AA2AB70193FF895367C27BB012D092A22A98CFF7C
7444ramez.exeC:\Users\admin\AppData\Local\Temp\10348010101\amnew.exeexecutable
MD5:9BF93861C32C3A2A30EA0D4D995CCC3F
SHA256:3C7CD0B8620A6B6E75110C604F7F5DDD5CB51B9FBCF8CEE963623AD0E04C4C19
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
251
TCP/UDP connections
169
DNS requests
41
Threats
118

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
32.7 Kb
unknown
2088
RUXIMICS.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2088
RUXIMICS.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
unknown
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
unknown
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
unknown
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
unknown
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
unknown
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
69 b
unknown
POST
200
195.82.147.188:443
https://battlefled.top/gaoi
unknown
binary
160 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2088
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
2088
RUXIMICS.exe
23.216.77.28:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
195.82.147.188:443
battlefled.top
Dreamtorrent Corp
RU
malicious
2088
RUXIMICS.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
185.156.72.2:80
Tov Vaiz Partner
RU
unknown
7444
ramez.exe
185.156.72.96:80
Tov Vaiz Partner
RU
unknown
2392
powershell.exe
185.156.72.2:80
Tov Vaiz Partner
RU
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.46
whitelisted
battlefled.top
  • 195.82.147.188
unknown
crl.microsoft.com
  • 23.216.77.28
  • 23.216.77.6
  • 23.216.77.42
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.219.150.101
whitelisted
sstemxehg.shop
  • 195.82.147.188
unknown
pastebin.com
  • 172.67.25.94
  • 104.22.69.199
  • 104.22.68.199
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
t.me
  • 149.154.167.99
whitelisted
kinwlyo.xyz
  • 195.82.147.188
unknown

Threats

PID
Process
Class
Message
2196
svchost.exe
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2196
svchost.exe
Domain Observed Used for C2 Detected
ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (battlefled .top)
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Misc Attack
ET DROP Dshield Block Listed Source group 1
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
2652
9bd46b1371d0897f7b8f5afe6360eabd.exe
Domain Observed Used for C2 Detected
ET MALWARE Observed Win32/Lumma Stealer Related Domain (battlefled .top) in TLS SNI
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
9bd46b1371d0897f7b8f5afe6360eabd.exe