| File name: | 700b9d150d08eb2f75204e27756af52dec5ab54fda41fd581a03e8d9a5dec726.bin |
| Full analysis: | https://app.any.run/tasks/b31d4cb6-9eb5-46bd-a6b4-54d83cd5f463 |
| Verdict: | Malicious activity |
| Threats: | Amadey: a modular Windows loader/bot with infostealer plugins (cred.dll and clip.dll appear in the extracted strings), scheduled-task persistence, and the ability to fetch and run further payloads. |
| Analysis date: | June 21, 2025, 23:10:28 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 51C455F615CE7083B92D2B7D985EAF56 |
| SHA1: | 839A19049931E2409654FF3A1BE5B7706EEED3CC |
| SHA256: | 700B9D150D08EB2F75204E27756AF52DEC5AB54FDA41FD581A03E8D9A5DEC726 |
| SSDEEP: | 49152:RPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtE8X4:tP/mp7t3T4+B/btosJwIA4hHmZlKH2TT |
| Extension | TrID match | Probability (%) |
|---|---|---|
| .exe | Win64 Executable (generic) | 76.4 |
| .exe | Win32 Executable (generic) | 12.4 |
| .exe | Generic Win/DOS Executable | 5.5 |
| .exe | DOS Executable Generic | 5.5 |

TrID's top guess (Win64) disagrees with the PE header below (PE32, Intel 386, 32-bit); the header is authoritative, and the SysWOW64 child processes in the process tree confirm a 32-bit image.
| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2025:06:21 22:49:07+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 633856 |
| InitializedDataSize: | 326144 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x20577 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |

The link timestamp is 21 minutes before the analysis time (22:49 vs 23:10 on June 21, 2025): either the sample was built just before submission or the timestamp was set by hand. Treat it as untrusted metadata either way.
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 1044 | "C:\Users\admin\Desktop\700b9d150d08eb2f75204e27756af52dec5ab54fda41fd581a03e8d9a5dec726.bin.exe" | C:\Users\admin\Desktop\700b9d150d08eb2f75204e27756af52dec5ab54fda41fd581a03e8d9a5dec726.bin.exe | — | explorer.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 1520 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Description: Console Window Host; Version: 10.0.19041.1 (WinBuild.160101.0800); Integrity level: MEDIUM; Exit code: 0 |
| 1760 | "C:\Users\admin\AppData\RoamingF8XPWSOZYEA8A552ESRMI7RNOR06XDVE.EXE" | C:\Users\admin\AppData\RoamingF8XPWSOZYEA8A552ESRMI7RNOR06XDVE.EXE | — | powershell.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 2492 | mshta C:\Users\admin\Desktop\HIJUwfPxX.hta | C:\Windows\SysWOW64\mshta.exe | — | 700b9d150d08eb2f75204e27756af52dec5ab54fda41fd581a03e8d9a5dec726.bin.exe | User: admin; Company: Microsoft Corporation; Description: Microsoft (R) HTML Application host; Version: 11.00.19041.1 (WinBuild.160101.0800); Integrity level: MEDIUM; Exit code: 0 |
| 2996 | C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn 6PWi5maC17C /tr "mshta C:\Users\admin\Desktop\HIJUwfPxX.hta" /sc minute /mo 10 /ru "admin" /f | C:\Windows\SysWOW64\cmd.exe | — | 700b9d150d08eb2f75204e27756af52dec5ab54fda41fd581a03e8d9a5dec726.bin.exe | User: admin; Company: Microsoft Corporation; Description: Windows Command Processor; Version: 10.0.19041.3636 (WinBuild.160101.0800); Integrity level: MEDIUM; Exit code: 0 |
| 3668 | "C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe" | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | — | svchost.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 3756 | "C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe" | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | — | RoamingF8XPWSOZYEA8A552ESRMI7RNOR06XDVE.EXE | User: admin; Integrity level: MEDIUM; no exit code recorded; Amadey configuration extracted from this process (see below) |
| 3980 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Description: Windows Activation Client; Version: 10.0.19041.1 (WinBuild.160101.0800); Integrity level: MEDIUM; Exit code: 0 |
| 4088 | "C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe" | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | — | svchost.exe | User: admin; Integrity level: MEDIUM; Exit code: 0 |
| 4528 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | User: admin; Company: Microsoft Corporation; Description: Console Window Host; Version: 10.0.19041.1 (WinBuild.160101.0800); Integrity level: MEDIUM; Exit code: 0 |

The sample (1044) writes HIJUwfPxX.hta to the Desktop, runs it with 32-bit mshta.exe (2492) and, through cmd.exe (2996), registers task 6PWi5maC17C to re-run the .hta every 10 minutes as the current user. The powershell.exe instance that appears in the registry, file and network tables below (PID 5692) is not listed in this tree; it downloads the next stage and runs it as the RoamingF8XPWSOZYEA8A552ESRMI7RNOR06XDVE.EXE process (1760), which installs Amadey as Temp\d610cf342e\ramez.exe (3756). The ramez.exe instances whose parent is svchost.exe (3668, 4088) are consistent with launches by the Task Scheduler service.

Amadey configuration extracted from PID 3756 (ramez.exe):

| Field | Value |
|---|---|
| C2 | 185.156.72.96 |
| URL | http://185.156.72.96/te4h2nus/index.php |
| Version | 5.34 |
| Drop directory | d610cf342e |
| Drop name | ramez.exe |

Strings (125), as extracted:

```text
Powershell.exe /te4h2nus/index.php ramez.exe bi: 185.156.72.96 AVAST Software /Plugins/ ------ id: \0000 wb Programs -%lu .jpg AVG r= dm: -executionpolicy remotesigned -File " SOFTWARE\Microsoft\Windows NT\CurrentVersion \ ProgramData\ Avira e2 os: http:// vs: <c> 2025 ComputerName og: 00000419 rb 2022 Content-Type: application/x-www-form-urlencoded shell32.dll https:// Main Sophos Norton GET # S-%lu- st=s cmd /C RMDIR /s/q lv: msi Content-Disposition: form-data; name="data"; filename=" 5.34 d1 2016 ar: cred.dll|clip.dll| rundll32 WinDefender Content-Type: multipart/form-data; boundary=---- Rem CurrentBuild 0123456789 && Exit" un: Kaspersky Lab d610cf342e Bitdefender +++ av: rundll32.exe random <d> Keyboard Layout\Preload shutdown -s -t 0 DefaultSettings.XResolution /quiet -- 0000043f Startup e1 Doctor Web 2019 GetNativeSystemInfo VideoID SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\ ::: ESET DefaultSettings.YResolution SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce " && ren abcdefghijklmnopqrstuvwxyz0123456789-_ cmd "taskkill /f /im " 00000423 -unicode- SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName cred.dll 360TotalSecurity " exe 00000422 SOFTWARE\Microsoft\Windows\CurrentVersion\Run && Comodo "
Content-Type: application/octet-stream ------ ?scr=1 SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders zip dll /k &unit= ps1 " && timeout 1 && del kernel32.dll ProductName %-lu clip.dll %USERPROFILE% \App SYSTEM\ControlSet001\Services\BasicDisplay\Video pc: sd: POST Panda Security e3
```
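The chain above (an .hta dropped to the Desktop, run by mshta.exe, re-armed by a schtasks entry every 10 minutes, and a next stage fetched by powershell.exe and launched from the user profile) is what a process-creation hunt should catch from the lineage alone. The script below is an added example written for this page, not ANY.RUN's or Amadey's code. Its events are constructed from the process rows above; the full path of powershell.exe, the benign NightlyBackup task, the list of script hosts and the user-writable path fragments are assumptions a team would tune.

```python
"""Process-lineage hunt for the persistence chain in this report.

Added example for this page (not ANY.RUN or Amadey code). Events are built
from the process table; powershell.exe's full path and the benign NightlyBackup
task (PID 9001) are invented for the example.
"""
import re
import shlex
from dataclasses import dataclass

# Script hosts worth a look when they appear in a task action or a lineage (assumption).
SCRIPT_HOSTS = {"mshta", "wscript", "cscript", "powershell", "rundll32", "regsvr32"}
# Path fragments a standard user can write to (assumption: default Windows layout).
USER_WRITABLE = re.compile(r"\\(users|appdata|temp|desktop|programdata|public)\\", re.I)
# Leading program of a task action, with or without directory, quotes or .exe.
HOST_RE = re.compile(r'^"?(?:[^"\s]*\\)?(' + "|".join(sorted(SCRIPT_HOSTS))
                     + r')(?:\.exe)?"?(?:\s|$)', re.I)
# schtasks /sc values in minutes per /mo unit; other schedules (once, onlogon...) have no period.
SC_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440, "weekly": 10080}


@dataclass
class ProcEvent:
    pid: int
    image: str         # full path of the new process
    cmdline: str
    parent_image: str  # full path of the parent


def host_name(path: str) -> str:
    """'C:\\Windows\\SysWOW64\\mshta.exe' -> 'mshta'."""
    return path.strip('"').rsplit("\\", 1)[-1].lower().removesuffix(".exe")


def parse_schtasks_create(cmdline: str):
    """Options of a 'schtasks /create' found anywhere in cmdline (e.g. behind
    cmd.exe /c); None when the command line creates no task."""
    toks = shlex.split(cmdline, posix=False)  # non-POSIX keeps backslashes and quotes
    starts = [i for i, t in enumerate(toks) if host_name(t) == "schtasks"]
    if not starts:
        return None
    rest = toks[starts[0] + 1:]
    if not any(t.lower() == "/create" for t in rest):
        return None
    opts, k = {}, 0
    while k < len(rest):
        key = rest[k].lower()
        if key in ("/tn", "/tr", "/sc", "/mo", "/ru", "/st") and k + 1 < len(rest):
            opts[key[1:]] = rest[k + 1].strip('"')
            k += 2
        else:
            k += 1
    return opts


def interval_minutes(opts):
    unit = SC_MINUTES.get(opts.get("sc", "").lower())
    return None if unit is None else unit * int(opts.get("mo", "1"))


def triage_task(opts):
    """Weak indicators on a created task; the caller decides how many it takes."""
    action, hits = opts.get("tr", ""), []
    m = HOST_RE.match(action)
    if m:
        hits.append(f"action runs script host {m.group(1).lower()}")
    if USER_WRITABLE.search(action):
        hits.append("action references a user-writable path")
    period = interval_minutes(opts)
    if period is not None and period <= 60:
        hits.append(f"task fires every {period} min")
    return hits


def triage_lineage(ev: ProcEvent):
    child, parent, hits = host_name(ev.image), host_name(ev.parent_image), []
    if child in SCRIPT_HOSTS and USER_WRITABLE.search(ev.parent_image):
        hits.append(f"{child} spawned by an executable in a user-writable path")
    if parent in SCRIPT_HOSTS and USER_WRITABLE.search(ev.image):
        hits.append(f"{parent} launched an executable from a user-writable path")
    return hits


def hunt(events):
    """pid -> findings. A task is reported when its action is a script host or
    when two weak indicators coincide, so a nightly backup task stays quiet."""
    report = {}
    for ev in events:
        hits = triage_lineage(ev)
        opts = parse_schtasks_create(ev.cmdline)
        if opts is not None:
            task_hits = triage_task(opts)
            if any("script host" in h for h in task_hits) or len(task_hits) >= 2:
                hits += [f"schtasks /tn {opts.get('tn', '?')}: {h}" for h in task_hits]
        if hits:
            report[ev.pid] = hits
    return report


SAMPLE = r"C:\Users\admin\Desktop\700b9d150d08eb2f75204e27756af52dec5ab54fda41fd581a03e8d9a5dec726.bin.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # assumed path
EVENTS = [  # constructed from the process table; PID 9001 is an invented benign control
    ProcEvent(1044, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(2492, r"C:\Windows\SysWOW64\mshta.exe",
              r"mshta C:\Users\admin\Desktop\HIJUwfPxX.hta", SAMPLE),
    ProcEvent(2996, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn 6PWi5maC17C '
              r'/tr "mshta C:\Users\admin\Desktop\HIJUwfPxX.hta" /sc minute /mo 10 /ru "admin" /f',
              SAMPLE),
    ProcEvent(1760, r"C:\Users\admin\AppData\RoamingF8XPWSOZYEA8A552ESRMI7RNOR06XDVE.EXE",
              r'"C:\Users\admin\AppData\RoamingF8XPWSOZYEA8A552ESRMI7RNOR06XDVE.EXE"', POWERSHELL),
    ProcEvent(9001, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c schtasks /create /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe" /sc daily /st 02:00',
              r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for pid, hits in hunt(EVENTS).items():
        print(pid, *hits, sep="\n  ")
```

Parsing with `shlex` in non-POSIX mode matters: the default POSIX mode would eat the backslashes in Windows paths and strip the quotes around the `/tr` value, and the task action would then split on the space inside `mshta C:\...`. The script reports PIDs 2492, 2996 and 1760 and stays silent on the control task.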
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 2492 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | (empty) |
| 2492 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
| 2492 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
| 5692 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | write | EnableFileTracing | 0 |
| 5692 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | write | EnableAutoFileTracing | 0 |
| 5692 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | write | EnableConsoleTracing | 0 |
| 5692 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | write | FileTracingMask | (empty) |
| 5692 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | write | ConsoleTracingMask | (empty) |
| 5692 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | write | MaxFileSize | 1048576 |
| 5692 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 | write | FileDirectory | %windir%\tracing |

None of these writes is a persistence mechanism. The Internet Settings\5.0\Cache values are WinINet housekeeping written when mshta.exe loads the library, and the Tracing\powershell_RASAPI32 values are created by RAS tracing when a process loads rasapi32.dll; the WOW6432Node path shows the powershell.exe that fetched the payload (PID 5692) was the 32-bit build. The Run/RunOnce paths in the extracted strings are where to look for the bot's own persistence on a longer run.
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1044 | 700b9d150d08eb2f75204e27756af52dec5ab54fda41fd581a03e8d9a5dec726.bin.exe | C:\Users\admin\Desktop\HIJUwfPxX.hta | html | 0DDEE407270EE6B519F4B79A1750D4B5 | 73715E6A39E17461F3D25AC528825A15D3BDFD0722562991E30E25A664F4CE53 |
| 5692 | powershell.exe | C:\Users\admin\AppData\RoamingF8XPWSOZYEA8A552ESRMI7RNOR06XDVE.EXE | executable | 26CC5A6CFD8E8ECC433337413C14CDDB | 2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8 |
| 5692 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ht4kke5y.fmu.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 1760 | RoamingF8XPWSOZYEA8A552ESRMI7RNOR06XDVE.EXE | C:\Windows\Tasks\ramez.job | binary | AF7082E3FE576EDD0336A2CF6EBE83AA | 27ED25C842D1590FBF5AB0FD5A8542C750CC941A91F82AC4FB05B79078C6378A |
| 5692 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_grxltaat.poy.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 1760 | RoamingF8XPWSOZYEA8A552ESRMI7RNOR06XDVE.EXE | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | executable | 26CC5A6CFD8E8ECC433337413C14CDDB | 2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8 |
| 5692 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 76673CB8ACFECDB0C785BBA8B6520EC2 | 5554FE5F8535C7D6FDD1BA7C503B5E1320AEA217F9C8E34308D4D6A183B1EF7C |

The `__PSScriptPolicyTest_*` files and `StartupProfileData-NonInteractive` are written by PowerShell itself at startup (its script-policy probe and profile cache) and are not attacker artifacts. The EXE that powershell.exe wrote under AppData and `Temp\d610cf342e\ramez.exe` carry the same hashes: the `random.exe` fetched over HTTP is the Amadey bot, which copied itself into the drop directory named in its configuration. `C:\Windows\Tasks\ramez.job` is a legacy Task Scheduler job file and is a second persistence artifact to collect alongside task 6PWi5maC17C.
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1268 | svchost.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 3964 | RUXIMICS.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 3964 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 5944 | MoUsoCoreWorker.exe | GET | 200 | 184.24.77.37:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 5692 | powershell.exe | GET | 200 | 185.156.72.2:80 | http://185.156.72.2/testmine/random.exe | unknown | — | — | unknown |
| 3756 | ramez.exe | POST | 200 | 185.156.72.96:80 | http://185.156.72.96/te4h2nus/index.php | unknown | — | — | unknown |
| — | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| — | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 3964 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 3964 | RUXIMICS.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 1268 | svchost.exe | 184.24.77.37:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 3964 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | — | whitelisted |
| google.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| activation-v2.sls.microsoft.com | — | whitelisted |
| self.events.data.microsoft.com | — | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 5692 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
| 5692 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
| 5692 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
| 5692 | powershell.exe | Misc activity | ET INFO Packed Executable Download |
| 5692 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
| 3756 | ramez.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |
| 3756 | ramez.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response |
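The alerts above fire on two things visible in the HTTP table: powershell.exe pulling an MZ file from a bare-IP host with a bare-bones request, and ramez.exe posting a form-encoded body containing `st=s` to `/te4h2nus/index.php` on the C2 named in the extracted configuration. The script below is an added example for this page, not ANY.RUN's or Emerging Threats' rule logic. The transactions are constructed from the HTTP rows: the request headers, the MZ and DER response prefixes and the example.com control are invented, and the Amadey request body is assumed to be `st=s&r=...` because only the `st=s` field appears on this page (in the strings and the alert name).

```python
"""Network-side triage for the behaviours the IDS alerts above name.

Added example for this page (not ANY.RUN or Emerging Threats rule code). The
transactions are constructed from the HTTP table; headers, bodies and the
example.com control are invented, and only the st=s field of the Amadey
check-in is taken from this page.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Headers practically every legitimate HTTP client sends; a download request
# lacking both is what "minimal HTTP headers" is taken to mean here (assumption).
EXPECTED_HEADERS = {"user-agent", "accept"}


@dataclass
class HttpTxn:
    pid: int
    process: str
    method: str
    url: str
    status: int
    req_headers: dict = field(default_factory=dict)
    req_body: bytes = b""
    resp_body: bytes = b""


def is_bare_ip(host: str) -> bool:
    """True for a dotted-quad (or IPv6 literal) host, the 'dotted-quad' of the alerts."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_pe(body: bytes) -> bool:
    return body[:2] == b"MZ"


def is_amadey_checkin(txn: HttpTxn) -> bool:
    """Form-encoded POST to an index.php carrying st=s. Other fields (r= in the
    constructed body, id:/vs:/sd: ... in the strings) are deliberately not interpreted."""
    if txn.method != "POST":
        return False
    ctype = {k.lower(): v for k, v in txn.req_headers.items()}.get("content-type", "")
    if "application/x-www-form-urlencoded" not in ctype.lower():
        return False
    form = parse_qs(txn.req_body.decode("latin-1"), keep_blank_values=True)
    return form.get("st") == ["s"] and urlparse(txn.url).path.lower().endswith("index.php")


def triage(txn: HttpTxn):
    u = urlparse(txn.url)
    host = u.hostname or ""
    sent = {k.lower() for k in txn.req_headers}
    hits = []
    if txn.method == "GET" and is_bare_ip(host) and looks_like_pe(txn.resp_body):
        hits.append(f"PE (MZ) downloaded from bare-IP host {host}")
        if not (EXPECTED_HEADERS & sent):
            hits.append("download requested with minimal headers (no User-Agent, no Accept)")
    if is_amadey_checkin(txn):
        kind = "bare-IP" if is_bare_ip(host) else "named"
        hits.append(f"Amadey-style st=s form POST to {kind} host {host}{u.path}")
    return hits


def run(txns):
    """url -> findings for the transactions that deserve a look."""
    report = {}
    for t in txns:
        hits = triage(t)
        if hits:
            report[t.url] = hits
    return report


TXNS = [  # constructed; see the module docstring
    HttpTxn(5692, "powershell.exe", "GET", "http://185.156.72.2/testmine/random.exe", 200,
            {"Host": "185.156.72.2", "Connection": "Keep-Alive"},
            resp_body=b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    HttpTxn(3756, "ramez.exe", "POST", "http://185.156.72.96/te4h2nus/index.php", 200,
            {"Host": "185.156.72.96", "Content-Type": "application/x-www-form-urlencoded"},
            req_body=b"st=s&r=" + b"00" * 16),
    HttpTxn(1268, "svchost.exe", "GET",
            "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl", 200,
            {"Host": "crl.microsoft.com", "User-Agent": "Microsoft-CryptoAPI/10.0", "Accept": "*/*"},
            resp_body=b"\x30\x82\x05\x00"),
    HttpTxn(9002, "chrome.exe", "POST", "https://example.com/search/index.php", 200,
            {"Host": "example.com", "User-Agent": "Mozilla/5.0", "Accept": "text/html",
             "Content-Type": "application/x-www-form-urlencoded"},
            req_body=b"q=amadey&st=1"),
]

if __name__ == "__main__":
    for url, hits in run(TXNS).items():
        print(url, *hits, sep="\n  ")
```

The bare-IP test deliberately uses `ipaddress` rather than a dotted-quad regex so that IPv6 literals are caught too, and the check-in test keys on the form field rather than on the host so that the same bot talking to a domain name still surfaces; the host kind is reported separately for triage.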