File name:

qeIL(I980.exe

Full analysis: https://app.any.run/tasks/05aa7651-95be-4bb2-b28a-52b7a5c84b44
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: October 17, 2025, 14:03:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
amadey
botnet
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

4675B31E9440D31FD9D979A434FF1653

SHA1:

240BDF81B33AD530313DB40C980863B2D5F825FD

SHA256:

598562FBDFA095C50086D024311AF279C35BE464E0E002D29AC921B5DBB51680

SSDEEP:

98304:+Ear0NvtF039I3Vu82OeA8grZxHce/Unba+O+CB3jD9tOBX1V1LUqP2puiiRf:u

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • qeIL(I980.exe (PID: 8740)
      • Fhfuoesp.exe (PID: 9084)
      • Fhfuoesp.exe (PID: 5340)
    • Connects to the CnC server

      • Fhfuoesp.exe (PID: 9084)
    • AMADEY has been detected (SURICATA)

      • Fhfuoesp.exe (PID: 9084)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • qeIL(I980.exe (PID: 8740)
    • Reads security settings of Internet Explorer

      • qeIL(I980.exe (PID: 8740)
      • Fhfuoesp.exe (PID: 9084)
    • Starts itself from another location

      • qeIL(I980.exe (PID: 8740)
    • Contacting a server suspected of hosting a CnC

      • Fhfuoesp.exe (PID: 9084)
    • The process executes via Task Scheduler

      • Fhfuoesp.exe (PID: 5340)
  • INFO

    • Checks supported languages

      • qeIL(I980.exe (PID: 8740)
      • Fhfuoesp.exe (PID: 9084)
      • Fhfuoesp.exe (PID: 5340)
    • Reads the computer name

      • qeIL(I980.exe (PID: 8740)
      • Fhfuoesp.exe (PID: 9084)
    • Creates files in a temporary directory

      • qeIL(I980.exe (PID: 8740)
    • Process checks computer location settings

      • qeIL(I980.exe (PID: 8740)
    • The sample was compiled with English language support

      • qeIL(I980.exe (PID: 8740)
    • Checks proxy server information

      • Fhfuoesp.exe (PID: 9084)
      • slui.exe (PID: 800)
    • Reads the software policy settings

      • slui.exe (PID: 800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (18)
.exe | Win32 Executable (generic) (2.9)
.exe | Generic Win/DOS Executable (1.3)
.exe | DOS Executable Generic (1.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:05:25 08:15:57+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 1416704
InitializedDataSize: 2274816
UninitializedDataSize: -
EntryPoint: 0x12ba07
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.1
ProductVersionNumber: 1.0.0.1
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: TODO: <Company name>
FileDescription: MFCApplication1
FileVersion: 1.0.0.1
InternalName: MFCApplication1.exe
LegalCopyright: TODO: (c) <Company name>. All rights reserved.
OriginalFileName: MFCApplication1.exe
ProductName: TODO: <Product name>
ProductVersion: 1.0.0.1
No data.
All screenshots are available in the full report
Total processes: 171
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Behavior graph nodes (interactive graph in the full report): start, qeil(i980.exe, fhfuoesp.exe (#AMADEY), slui.exe, fhfuoesp.exe (no specs)

Process information

PID: 800
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5340
CMD: "C:\Users\admin\AppData\Local\Temp\ccf24ad3d4\Fhfuoesp.exe"
Path: C:\Users\admin\AppData\Local\Temp\ccf24ad3d4\Fhfuoesp.exe
Parent process: svchost.exe
User:
admin
Company:
TODO: <Company name>
Integrity Level:
MEDIUM
Description:
MFCApplication1
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\ccf24ad3d4\fhfuoesp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 8740
CMD: "C:\Users\admin\AppData\Local\Temp\qeIL(I980.exe"
Path: C:\Users\admin\AppData\Local\Temp\qeIL(I980.exe
Parent process: explorer.exe
User:
admin
Company:
TODO: <Company name>
Integrity Level:
MEDIUM
Description:
MFCApplication1
Exit code:
0
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\qeil(i980.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 9084
CMD: "C:\Users\admin\AppData\Local\Temp\ccf24ad3d4\Fhfuoesp.exe"
Path: C:\Users\admin\AppData\Local\Temp\ccf24ad3d4\Fhfuoesp.exe
Parent process: qeIL(I980.exe
User:
admin
Company:
TODO: <Company name>
Integrity Level:
MEDIUM
Description:
MFCApplication1
Version:
1.0.0.1
Modules
Images
c:\users\admin\appdata\local\temp\ccf24ad3d4\fhfuoesp.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 4 214
Read events: 4 211
Write events: 3
Delete events: 0

Modification events

(PID) Process: (9084) Fhfuoesp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty string)

(PID) Process: (9084) Fhfuoesp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (9084) Fhfuoesp.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
8740 | qeIL(I980.exe | C:\Windows\Tasks\Fhfuoesp.job | binary
MD5: CBD728D46C91DE43B90D9CD05CF7E8A5
SHA256: 5D5C9913FD4625BEB5F12736483ECBE08694235CA39968D07837EB2C81FB4D15
8740 | qeIL(I980.exe | C:\Users\admin\AppData\Local\Temp\ccf24ad3d4\Fhfuoesp.exe | executable
MD5: 4675B31E9440D31FD9D979A434FF1653
SHA256: 598562FBDFA095C50086D024311AF279C35BE464E0E002D29AC921B5DBB51680
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 38
DNS requests: 18
Threats: 4

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1136 | svchost.exe | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
8304 | backgroundTaskHost.exe | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
1136 | svchost.exe | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
8348 | backgroundTaskHost.exe | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
8420 | backgroundTaskHost.exe | GET | 200 | 172.66.2.5:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | - | - | whitelisted
9084 | Fhfuoesp.exe | POST | 200 | 45.134.26.131:80 | http://45.134.26.131/kaWt2QXfpPueNM/index.php | unknown | - | - | unknown
9084 | Fhfuoesp.exe | POST | 200 | 45.134.26.131:80 | http://45.134.26.131/kaWt2QXfpPueNM/index.php | unknown | - | - | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
6016 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2864 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5224 | SearchApp.exe | 2.19.193.25:443 | www.bing.com | Akamai International B.V. | TR | whitelisted
1136 | svchost.exe | 40.126.32.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1136 | svchost.exe | 172.66.2.5:80 | ocsp.digicert.com | - | US | whitelisted
8304 | backgroundTaskHost.exe | 2.19.193.25:443 | www.bing.com | Akamai International B.V. | TR | whitelisted
8304 | backgroundTaskHost.exe | 172.66.2.5:80 | ocsp.digicert.com | - | US | whitelisted
3464 | svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
www.bing.com
  • 2.19.193.25
  • 2.19.193.97
  • 2.19.193.98
  • 2.19.193.136
  • 2.19.193.112
  • 2.19.193.105
  • 2.19.193.115
  • 2.19.193.11
  • 2.19.193.88
whitelisted
google.com
  • 216.58.206.78
whitelisted
login.live.com
  • 40.126.32.68
  • 40.126.32.72
  • 40.126.32.136
  • 20.190.160.22
  • 20.190.160.64
  • 40.126.32.133
  • 20.190.160.14
  • 20.190.160.65
whitelisted
ocsp.digicert.com
  • 172.66.2.5
  • 162.159.142.9
whitelisted
th.bing.com
  • 2.19.193.25
  • 2.19.193.34
  • 2.19.193.43
  • 2.19.193.50
  • 2.19.193.49
  • 2.19.193.51
  • 2.19.193.11
  • 2.19.193.136
  • 2.19.193.115
whitelisted
client.wns.windows.com
  • 172.211.123.250
  • 172.211.123.249
whitelisted
arc.msn.com
  • 20.223.35.26
  • 20.74.47.205
whitelisted
fd.api.iris.microsoft.com
  • 20.31.169.57
whitelisted
slscr.update.microsoft.com
  • 20.165.94.63
whitelisted

Threats

PID | Process | Class | Message
9084 | Fhfuoesp.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 5
9084 | Fhfuoesp.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
9084 | Fhfuoesp.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response
9084 | Fhfuoesp.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response
No debug info