Threat name:
Amadey, CryptOne, GCleaner, Vidar
Alert
Classification:
spre.troj.adwa.spyw.evad
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Detected unpacking (creates a PE file in dynamic memory)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Hijacks the control flow in another process
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Performs DNS queries to domains with low reputation
Powershell creates an autostart link
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell create lnk in startup
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal from password manager
Tries to steal Mail credentials (via file / registry access)
Unusual module load detection (module proxying)
Writes to foreign memory regions
Yara detected Amadeys Clipper DLL
Yara detected CryptOne packer
Yara detected Vidar stealer
behaviorgraph
top1
dnsIp2
2
Behavior Graph
ID:
1941300
Sample:
Setup.exe
Startdate:
13/07/2026
Architecture:
WINDOWS
Score:
100
134
geminyw.xyz
2->134
136
45.91.200.135
PODAONLV
Netherlands
2->136
138
14 other IPs or domains
2->138
184
Suricata IDS alerts
for network traffic
2->184
186
Found malware configuration
2->186
188
Antivirus detection
for URL or domain
2->188
192
19 other signatures
2->192
14
Setup.exe
2->14
started
17
H2TestDrive.exe
2->17
started
19
svchost.exe
2->19
started
21
7 other processes
2->21
signatures3
190
Performs DNS queries
to domains with low
reputation
134->190
process4
dnsIp5
218
Overwrites code with
unconditional jumps
- possibly settings
hooks in foreign process
14->218
220
Hijacks the control
flow in another process
14->220
222
Contains functionality
to inject code into
remote processes
14->222
232
4 other signatures
14->232
24
svchost.exe
49
14->24
started
224
Antivirus detection
for dropped file
17->224
226
Multi AV Scanner detection
for dropped file
17->226
228
Unusual module load
detection (module proxying)
17->228
230
Changes security center
settings (notifications,
updates, antivirus,
firewall)
19->230
29
MpCmdRun.exe
19->29
started
140
127.0.0.1
unknown
unknown
21->140
signatures6
process7
dnsIp8
146
158.94.209.95, 49700, 49714, 80
OMEGATECH-ASSC
Netherlands
24->146
148
drive.usercontent.google.com
142.251.167.132, 443, 49699
GOOGLE-GoogleLLCUS
United States
24->148
120
C:\Users\user\AppData\...\17MYeQpqioIt.exe, PE32
24->120
dropped
122
C:\Users\user\AppData\...\08REsPkOv9MRb.exe, PE32+
24->122
dropped
124
C:\Users\user\AppData\...\K3IZtd8LL.exe, PE32+
24->124
dropped
126
15 other malicious files
24->126
dropped
204
System process connects
to network (likely due
to code injection or
exploit)
24->204
206
Unusual module load
detection (module proxying)
24->206
31
TizOOy44mA.exe
24->31
started
36
17MYeQpqioIt.exe
2
24->36
started
38
Lbk9VwNzfj.exe
24->38
started
42
13 other processes
24->42
40
conhost.exe
29->40
started
file9
signatures10
process11
dnsIp12
150
faab.sa
192.250.239.85
WHG-LONGB
United Kingdom
31->150
152
dum.paptogel.net
104.21.41.228
CLOUDFLARENET-CloudflareIncUS
Canada
31->152
154
telegram.me
149.154.167.99, 443, 49716
TELEGRAMVG
United Kingdom
31->154
94
C:\Users\user\AppData\Local\...\f1eb122e.exe, PE32
31->94
dropped
96
C:\Users\user\AppData\Local\...\e1eda99e.exe, PE32+
31->96
dropped
164
Tries to harvest and
steal Putty / WinSCP
information (sessions,
passwords, etc)
31->164
166
Tries to harvest and
steal ftp login credentials
31->166
168
Tries to harvest and
steal browser information
(history, passwords,
etc)
31->168
182
2 other signatures
31->182
44
cmd.exe
31->44
started
46
cmd.exe
31->46
started
98
C:\Users\user\AppData\...\17MYeQpqioIt.tmp, PE32
36->98
dropped
48
17MYeQpqioIt.tmp
18
20
36->48
started
170
Tries to steal Mail
credentials (via file
/ registry access)
38->170
172
Tries to steal Crypto
Currency Wallets
38->172
174
Unusual module load
detection (module proxying)
38->174
176
Tries to steal from
password manager
38->176
100
C:\Users\user\AppData\Local\...\pUrm9U7uP.tmp, PE32
42->100
dropped
102
C:\Users\user\AppData\...\Fw8sSbv0sO9N.tmp, PE32
42->102
dropped
104
C:\Users\user\AppData\Local\...\Bwale.exe, PE32
42->104
dropped
178
Detected unpacking (creates
a PE file in dynamic
memory)
42->178
180
Queries sensitive video
device information (via
WMI, Win32_VideoController,
often done to detect
virtual machines)
42->180
51
Bwale.exe
42->51
started
54
pUrm9U7uP.tmp
42->54
started
56
Fw8sSbv0sO9N.tmp
42->56
started
58
9 other processes
42->58
file13
signatures14
process15
file16
60
e1eda99e.exe
44->60
started
63
conhost.exe
44->63
started
65
conhost.exe
46->65
started
67
f1eb122e.exe
46->67
started
106
C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32
48->106
dropped
108
C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
48->108
dropped
110
C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32
48->110
dropped
116
22 other malicious files
48->116
dropped
69
h2testdrive.exe
18
48->69
started
194
Antivirus detection
for dropped file
51->194
196
Multi AV Scanner detection
for dropped file
51->196
198
Detected unpacking (creates
a PE file in dynamic
memory)
51->198
200
Unusual module load
detection (module proxying)
51->200
112
C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32
54->112
dropped
114
C:\Users\user\AppData\Local\...\_isdecmp.dll, PE32
56->114
dropped
signatures17
process18
dnsIp19
208
Suspicious powershell
command line found
60->208
210
Tries to detect sandboxes
and other dynamic analysis
tools (window names)
60->210
212
Adds a directory exclusion
to Windows Defender
60->212
214
3 other signatures
60->214
73
powershell.exe
60->73
started
142
196.251.121.77
Hero-TelecomsZA
Turkey
69->142
144
64.89.160.142
GHOSTYNETWORKSUS
Luxembourg
69->144
118
C:\ProgramData\H2TestDrive\H2TestDrive.exe, PE32
69->118
dropped
75
powershell.exe
69->75
started
file20
signatures21
process22
file23
79
e1eda99e.exe
73->79
started
83
conhost.exe
73->83
started
128
C:\Users\user\AppData\...\oH2TestDrive32.lnk, MS
75->128
dropped
216
Powershell creates an
autostart link
75->216
85
conhost.exe
75->85
started
signatures24
process25
file26
130
C:\ProgramDatabehaviorgraphoogle\Chrome\updater.exe, PE32+
79->130
dropped
132
C:\Windows\System32\drivers\etc\hosts, ASCII
79->132
dropped
156
Modifies the context
of a thread in another
process (thread injection)
79->156
158
Modifies the hosts file
79->158
160
Adds a directory exclusion
to Windows Defender
79->160
162
4 other signatures
79->162
87
powershell.exe
79->87
started
90
cmd.exe
79->90
started
signatures27
process28
signatures29
202
Loading BitLocker PowerShell
Module
87->202
92
conhost.exe
87->92
started
process30
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.