File name:

Phoebe.7z

Full analysis: https://app.any.run/tasks/bf61570c-a154-4c24-84a0-208d39ee9a43
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Malware Trends Tracker     >>>
Analysis date: March 31, 2025, 17:13:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
inno
installer
delphi
auto
generic
amadey
botnet
stealer
rdp
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

AFE24F694A4DDB64979B71736EBA0A06

SHA1:

EF9E2E1000D3A4EBF533A110F842041846D1BD83

SHA256:

42DD3883809BA13BE0D89458C44A96F87DB3A9F6EE7C8EFBD8C0E6E5EA59E2D8

SSDEEP:

98304:BMkfrTG+IDVF1YGpbD6xn4kDmoDlTgIdwkXVk+25y4B/oQm5GhO4y463W6xJEsL6:BjVXAp3wBlmMljCyHPg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • Phoebe.exe (PID: 5056)
      • Phoebe.exe (PID: 3784)
      • BlurayConverterUltimate.exe (PID: 5936)

    • Generic archive extractor

      • WinRAR.exe (PID: 4756)

    • Create files in the Startup directory

      • Phoebe.tmp (PID: 5008)

    • GENERIC has been found (auto)

      • Phoebe.tmp (PID: 5008)

    • AMADEY has been detected (SURICATA)

      • InstallUtil.exe (PID: 856)

    • Connects to the CnC server

      • InstallUtil.exe (PID: 856)

    • AMADEY has been detected (YARA)

      • InstallUtil.exe (PID: 856)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Phoebe.exe (PID: 5056)
      • Phoebe.tmp (PID: 6988)
      • Phoebe.exe (PID: 3784)
      • Phoebe.tmp (PID: 5008)

    • Reads the Windows owner or organization settings

      • Phoebe.tmp (PID: 6988)
      • Phoebe.tmp (PID: 5008)

    • Process drops legitimate windows executable

      • Phoebe.tmp (PID: 6988)
      • Phoebe.tmp (PID: 5008)

    • Reads security settings of Internet Explorer

      • Phoebe.tmp (PID: 6988)
      • InstallUtil.exe (PID: 856)

    • The process drops C-runtime libraries

      • Phoebe.tmp (PID: 5008)

    • Connects to the server without a host name

      • InstallUtil.exe (PID: 856)

    • Contacting a server suspected of hosting an CnC

      • InstallUtil.exe (PID: 856)

    • There is functionality for enable RDP (YARA)

      • InstallUtil.exe (PID: 856)

    • There is functionality for taking screenshot (YARA)

      • InstallUtil.exe (PID: 856)

  • INFO

    • Manual execution by a user

      • Phoebe.exe (PID: 5056)
      • InstallUtil.exe (PID: 856)

    • Create files in a temporary directory

      • Phoebe.tmp (PID: 6988)
      • Phoebe.exe (PID: 5056)
      • Phoebe.exe (PID: 3784)
      • Phoebe.tmp (PID: 5008)

    • Checks supported languages

      • Phoebe.tmp (PID: 6988)
      • Phoebe.exe (PID: 5056)
      • Phoebe.exe (PID: 3784)
      • BlurayConverterUltimate.exe (PID: 5936)
      • InstallUtil.exe (PID: 856)
      • Phoebe.tmp (PID: 5008)

    • The sample compiled with english language support

      • Phoebe.tmp (PID: 6988)
      • Phoebe.tmp (PID: 5008)

    • Reads the computer name

      • Phoebe.tmp (PID: 6988)
      • Phoebe.tmp (PID: 5008)
      • BlurayConverterUltimate.exe (PID: 5936)
      • InstallUtil.exe (PID: 856)

    • Process checks computer location settings

      • Phoebe.tmp (PID: 6988)

    • Detects InnoSetup installer (YARA)

      • Phoebe.exe (PID: 3784)
      • Phoebe.tmp (PID: 5008)
      • BlurayConverterUltimate.exe (PID: 5936)

    • Compiled with Borland Delphi (YARA)

      • Phoebe.exe (PID: 3784)
      • Phoebe.tmp (PID: 5008)
      • BlurayConverterUltimate.exe (PID: 5936)

    • Creates files or folders in the user directory

      • Phoebe.tmp (PID: 5008)

    • Reads the machine GUID from the registry

      • BlurayConverterUltimate.exe (PID: 5936)

    • Checks proxy server information

      • InstallUtil.exe (PID: 856)
      • slui.exe (PID: 2644)

    • Reads the software policy settings

      • slui.exe (PID: 2644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Amadey

(PID) Process(856) InstallUtil.exe
C2185.147.124.116
URLhttp://185.147.124.116/M0XmDru/index.php
Version5.33
Options
Drop directory01e54bdc5a
Drop nametgvazx.exe
Strings (125)pc:
\App
2022
&unit=
rb
id:
Norton
------
http://
" && ren
2016
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
00000419
--
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
st=s
0123456789
Comodo
msi
Panda Security
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Doctor Web
/Plugins/
-unicode-
:::
&&
|
DefaultSettings.YResolution
dm:
------
01e54bdc5a
Main
ar:
cmd /C RMDIR /s/q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
&& Exit"
rundll32
Content-Disposition: form-data; name="data"; filename="
<c>
/quiet
=
2019
<d>
Kaspersky Lab
cred.dll|clip.dll|
ps1
%-lu
un:
kernel32.dll
DefaultSettings.XResolution
ESET
tgvazx.exe
WinDefender
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
5.33
Powershell.exe
?scr=1
185.147.124.116
.jpg
ProductName
shutdown -s -t 0
random
POST
bi:
zip
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Programs
Sophos
r=
AVG
%USERPROFILE%
og:
cmd
rundll32.exe
Bitdefender
+++
exe
cred.dll
lv:
VideoID
S-%lu-
e2
d1
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ProgramData\
sd:
GetNativeSystemInfo
360TotalSecurity
os:
\0000
Avira
abcdefghijklmnopqrstuvwxyz0123456789-_
-%lu
AVAST Software
-executionpolicy remotesigned -File "
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/M0XmDru/index.php
e1
wb
" && timeout 1 && del
av:
dll
/k
"taskkill /f /im "
ComputerName
Startup
CurrentBuild
2025
00000423
GET
#
\
Content-Type: multipart/form-data; boundary=----
https://
"
vs:
" Content-Type: application/octet-stream
Content-Type: application/x-www-form-urlencoded
Rem
0000043f
shell32.dll
Keyboard Layout\Preload
e3
00000422
clip.dll
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)

EXIF

ZIP

FileVersion: 7z v0.04
ModifyDate: 2025:03:31 17:03:43+00:00
ArchivedFileName: Phoebe.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
8
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start winrar.exe no specs phoebe.exe phoebe.tmp phoebe.exe #GENERIC phoebe.tmp blurayconverterultimate.exe no specs #AMADEY installutil.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
856"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\installutil.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Amadey
(PID) Process(856) InstallUtil.exe
C2185.147.124.116
URLhttp://185.147.124.116/M0XmDru/index.php
Version5.33
Options
Drop directory01e54bdc5a
Drop nametgvazx.exe
Strings (125)pc:
\App
2022
&unit=
rb
id:
Norton
------
http://
" && ren
2016
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
00000419
--
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
st=s
0123456789
Comodo
msi
Panda Security
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Doctor Web
/Plugins/
-unicode-
:::
&&
|
DefaultSettings.YResolution
dm:
------
01e54bdc5a
Main
ar:
cmd /C RMDIR /s/q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
&& Exit"
rundll32
Content-Disposition: form-data; name="data"; filename="
<c>
/quiet
=
2019
<d>
Kaspersky Lab
cred.dll|clip.dll|
ps1
%-lu
un:
kernel32.dll
DefaultSettings.XResolution
ESET
tgvazx.exe
WinDefender
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
5.33
Powershell.exe
?scr=1
185.147.124.116
.jpg
ProductName
shutdown -s -t 0
random
POST
bi:
zip
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Programs
Sophos
r=
AVG
%USERPROFILE%
og:
cmd
rundll32.exe
Bitdefender
+++
exe
cred.dll
lv:
VideoID
S-%lu-
e2
d1
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
ProgramData\
sd:
GetNativeSystemInfo
360TotalSecurity
os:
\0000
Avira
abcdefghijklmnopqrstuvwxyz0123456789-_
-%lu
AVAST Software
-executionpolicy remotesigned -File "
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/M0XmDru/index.php
e1
wb
" && timeout 1 && del
av:
dll
/k
"taskkill /f /im "
ComputerName
Startup
CurrentBuild
2025
00000423
GET
#
\
Content-Type: multipart/form-data; boundary=----
https://
"
vs:
" Content-Type: application/octet-stream
Content-Type: application/x-www-form-urlencoded
Rem
0000043f
shell32.dll
Keyboard Layout\Preload
e3
00000422
clip.dll
2644C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3784"C:\Users\admin\Desktop\Phoebe.exe" /VERYSILENTC:\Users\admin\Desktop\Phoebe.exe
Phoebe.tmp
User:
admin
Company:
Lunascape Corporation
Integrity Level:
MEDIUM
Description:
Web Browser
Exit code:
0
Version:
0.31.0
Modules
Images
c:\users\admin\desktop\phoebe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
4756"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\Phoebe.7zC:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5008"C:\Users\admin\AppData\Local\Temp\is-2BQB7.tmp\Phoebe.tmp" /SL5="$60294,7774804,119296,C:\Users\admin\Desktop\Phoebe.exe" /VERYSILENTC:\Users\admin\AppData\Local\Temp\is-2BQB7.tmp\Phoebe.tmp
Phoebe.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-2bqb7.tmp\phoebe.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
5056"C:\Users\admin\Desktop\Phoebe.exe" C:\Users\admin\Desktop\Phoebe.exe
explorer.exe
User:
admin
Company:
Lunascape Corporation
Integrity Level:
MEDIUM
Description:
Web Browser
Exit code:
1
Version:
0.31.0
Modules
Images
c:\users\admin\desktop\phoebe.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
5936"C:\Users\admin\AppData\Roaming\{72B206D3-8386-4E92-B006-EDB8B6A2BE6F}\BlurayConverterUltimate.exe" C:\Users\admin\AppData\Roaming\{72B206D3-8386-4E92-B006-EDB8B6A2BE6F}\BlurayConverterUltimate.exePhoebe.tmp
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
4294967295
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\roaming\{72b206d3-8386-4e92-b006-edb8b6a2be6f}\blurayconverterultimate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
6988"C:\Users\admin\AppData\Local\Temp\is-IU99L.tmp\Phoebe.tmp" /SL5="$40272,7774804,119296,C:\Users\admin\Desktop\Phoebe.exe" C:\Users\admin\AppData\Local\Temp\is-IU99L.tmp\Phoebe.tmp
Phoebe.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
1
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-iu99l.tmp\phoebe.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
Total events
5 795
Read events
5 775
Write events
20
Delete events
0

Modification events

(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\Phoebe.7z
(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList
Operation:writeName:ArcSort
Value:
32
(PID) Process:(4756) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
Executable files
66
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6988Phoebe.tmpC:\Users\admin\AppData\Local\Temp\is-AEI7P.tmp\_isetup\_shfoldr.dllexecutable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
5008Phoebe.tmpC:\Users\admin\AppData\Local\Temp\is-5UTVO.tmp\_isetup\_setup64.tmpexecutable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
3784Phoebe.exeC:\Users\admin\AppData\Local\Temp\is-2BQB7.tmp\Phoebe.tmpexecutable
MD5:B1F9D665E52C29972B50D7145D88DCE1
SHA256:2FFABB0018D335267D2D0101A41CAC7AC7D1AA80956FAE91825E46AAA85C0787
5008Phoebe.tmpC:\Users\admin\AppData\Local\Temp\is-5UTVO.tmp\_isetup\_isdecmp.dllexecutable
MD5:A813D18268AFFD4763DDE940246DC7E5
SHA256:E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64
5008Phoebe.tmpC:\Users\admin\AppData\Local\Temp\is-5UTVO.tmp\_isetup\_shfoldr.dllexecutable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
5008Phoebe.tmpC:\Users\admin\AppData\Roaming\{72B206D3-8386-4E92-B006-EDB8B6A2BE6F}\is-7G9QO.tmpexecutable
MD5:18687AB631C41B3C5F838D341BF6418F
SHA256:0D0CAAF6C9647A7962BB13D6FB4D06800722DFD52E3695895366B1917689C3E9
5056Phoebe.exeC:\Users\admin\AppData\Local\Temp\is-IU99L.tmp\Phoebe.tmpexecutable
MD5:B1F9D665E52C29972B50D7145D88DCE1
SHA256:2FFABB0018D335267D2D0101A41CAC7AC7D1AA80956FAE91825E46AAA85C0787
5008Phoebe.tmpC:\Users\admin\AppData\Roaming\{72B206D3-8386-4E92-B006-EDB8B6A2BE6F}\is-6POPT.tmpexecutable
MD5:F486CC0C9EB2A5A647D86A8831CC3E2B
SHA256:01DFC325B46B3E30D22C68A38CD15170AD8C8465C7387B2A76665CDED253634A
5008Phoebe.tmpC:\Users\admin\AppData\Roaming\{72B206D3-8386-4E92-B006-EDB8B6A2BE6F}\CfApiShellExtensions.dllexecutable
MD5:F486CC0C9EB2A5A647D86A8831CC3E2B
SHA256:01DFC325B46B3E30D22C68A38CD15170AD8C8465C7387B2A76665CDED253634A
6988Phoebe.tmpC:\Users\admin\AppData\Local\Temp\is-AEI7P.tmp\_isetup\_setup64.tmpexecutable
MD5:E4211D6D009757C078A9FAC7FF4F03D4
SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
51
DNS requests
17
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
172.202.163.200:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
664
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
4944
RUXIMICS.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
664
SIHClient.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
664
SIHClient.exe
GET
200
23.48.23.156:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
664
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
664
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
664
SIHClient.exe
GET
200
2.19.217.218:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
52.165.164.15:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4944
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.172.255.216:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2104
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4944
RUXIMICS.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.110
whitelisted
client.wns.windows.com
  • 172.172.255.216
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
  • 23.48.23.156
  • 23.48.23.194
  • 23.48.23.166
  • 23.48.23.180
  • 23.48.23.143
  • 23.48.23.145
  • 23.48.23.164
  • 23.48.23.141
whitelisted
login.live.com
  • 20.190.159.68
  • 40.126.31.69
  • 40.126.31.3
  • 40.126.31.1
  • 20.190.159.131
  • 20.190.159.2
  • 40.126.31.67
  • 20.190.159.130
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 2.19.217.218
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted

Threats

PID
Process
Class
Message
856
InstallUtil.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 31
856
InstallUtil.exe
Malware Command and Control Activity Detected
BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
856
InstallUtil.exe
Malware Command and Control Activity Detected
ET MALWARE Amadey CnC Response
856
InstallUtil.exe
Malware Command and Control Activity Detected
ET MALWARE Amadey CnC Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Phoebe.7z