File name: 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe

Full analysis: https://app.any.run/tasks/6d165602-bfa9-4ff6-8c30-0dbffce9001c
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: August 23, 2024, 09:10:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
amadey
botnet
stealer
themida
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 44AE545CA405437B73165B8247A83569
SHA1: 632951C3548897F801D0C0FC3256CF788B7FB285
SHA256: 885E1D96BFBF210D1170054FDDD7EC31C4C95CA6951A7BE4F8AE3C07D1B9E6DE
SSDEEP: 98304:se3iaF0VGN2Y82oJWv+M2+gCZnHcFQb9Yvhpt2dwZcozB7Mm7FIBokVUQ+XRsDB6:s0Z

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AMADEY has been detected (SURICATA)

      • axplong.exe (PID: 6552)
    • AMADEY has been detected (YARA)

      • axplong.exe (PID: 6552)
    • Connects to the CnC server

      • axplong.exe (PID: 6552)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
    • Reads the BIOS version

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
      • axplong.exe (PID: 6552)
      • axplong.exe (PID: 6472)
      • axplong.exe (PID: 1048)
      • axplong.exe (PID: 6956)
      • axplong.exe (PID: 1432)
      • axplong.exe (PID: 5248)
      • axplong.exe (PID: 6804)
      • axplong.exe (PID: 7140)
      • axplong.exe (PID: 6032)
      • axplong.exe (PID: 6148)
      • axplong.exe (PID: 6620)
      • axplong.exe (PID: 3032)
      • axplong.exe (PID: 5180)
    • Reads security settings of Internet Explorer

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
      • axplong.exe (PID: 6552)
    • Executable content was dropped or overwritten

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
    • Reads the date of Windows installation

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
    • Starts itself from another location

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
    • The process executes via Task Scheduler

      • axplong.exe (PID: 6472)
      • axplong.exe (PID: 1048)
      • axplong.exe (PID: 6956)
      • axplong.exe (PID: 1432)
      • axplong.exe (PID: 5248)
      • axplong.exe (PID: 7140)
      • axplong.exe (PID: 6032)
      • axplong.exe (PID: 6804)
      • axplong.exe (PID: 6148)
      • axplong.exe (PID: 6620)
      • axplong.exe (PID: 5180)
      • axplong.exe (PID: 3032)
    • Contacting a server suspected of hosting a CnC

      • axplong.exe (PID: 6552)
    • Connects to the server without a host name

      • axplong.exe (PID: 6552)
  • INFO

    • Checks supported languages

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
      • axplong.exe (PID: 6552)
      • axplong.exe (PID: 6472)
      • axplong.exe (PID: 6956)
      • axplong.exe (PID: 1048)
      • axplong.exe (PID: 1432)
      • axplong.exe (PID: 6804)
      • axplong.exe (PID: 7140)
      • axplong.exe (PID: 6032)
      • axplong.exe (PID: 6148)
      • axplong.exe (PID: 6620)
      • axplong.exe (PID: 5248)
      • axplong.exe (PID: 5180)
      • axplong.exe (PID: 3032)
    • Reads the computer name

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
      • axplong.exe (PID: 6552)
    • Reads Environment values

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
      • axplong.exe (PID: 6552)
    • Creates files in a temporary directory

      • 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe (PID: 6280)
    • Themida protector has been detected

      • axplong.exe (PID: 6552)
    • Checks proxy server information

      • axplong.exe (PID: 6552)

Amadey

Process: axplong.exe (PID 6552)
C2: 185.215.113.16
URL: http://185.215.113.16/Jo89Ku7d/index.php
Version: 4.41
Options:
Drop directory: 44111dbc49
Drop name: axplong.exe
Strings (119):
SOFTWARE\Microsoft\Windows NT\CurrentVersion
Rem
" && ren
%-lu
&& Exit"
&unit=
GET
/k
-executionpolicy remotesigned -File "
------
ps1
?scr=1
<c>
og:
wb
" Content-Type: application/octet-stream
4.41
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
AVG
0123456789
Content-Disposition: form-data; name="data"; filename="
d1
/Plugins/
rundll32
#
-%lu
%USERPROFILE%
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
2022
:::
dm:
ESET
ProgramData\
id:
kernel32.dll
185.215.113.16
\App
r=
AVAST Software
Avira
Bitdefender
|
random
shutdown -s -t 0
cmd
Content-Type: application/x-www-form-urlencoded
-unicode-
44111dbc49
cred.dll
msi
CurrentBuild
av:
Panda Security
POST
DefaultSettings.XResolution
------
"
https://
" && timeout 1 && del
abcdefghijklmnopqrstuvwxyz0123456789-_
ComputerName
Sophos
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
e0
pc:
.jpg
vs:
/Jo89Ku7d/index.php
=
Norton
--
rb
Content-Type: multipart/form-data; boundary=----
2019
rundll32.exe
S-%lu-
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
SYSTEM\ControlSet001\Services\BasicDisplay\Video
Powershell.exe
VideoID
<d>
Kaspersky Lab
zip
os:
&&
bi:
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
WinDefender
ProductName
shell32.dll
ar:
Comodo
GetNativeSystemInfo
http://
clip.dll
cmd /C RMDIR /s/q
lv:
DefaultSettings.YResolution
e2
+++
exe
Main
\
un:
Doctor Web
Programs
\0000
e1
dll
cred.dll|clip.dll|
"taskkill /f /im "
Startup
axplong.exe
sd:
360TotalSecurity
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
/quiet
st=s
2016

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:25 12:10:38+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.24
CodeSize: 321024
InitializedDataSize: 117248
UninitializedDataSize: -
EntryPoint: 0x4c1000
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 147
Monitored processes: 16
Malicious processes: 14
Suspicious processes: 0

Behavior graph

start 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe #AMADEY axplong.exe axplong.exe axplong.exe axplong.exe axplong.exe axplong.exe ucpdmgr.exe no specs conhost.exe no specs axplong.exe axplong.exe axplong.exe axplong.exe axplong.exe axplong.exe axplong.exe

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1048
CMD: "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Path: C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\44111dbc49\axplong.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 1072
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: UCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1432
CMD: "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Path: C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\44111dbc49\axplong.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 3032
CMD: "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Path: C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\44111dbc49\axplong.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 4820
CMD: "C:\WINDOWS\system32\UCPDMgr.exe"
Path: C:\Windows\System32\UCPDMgr.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 5180
CMD: "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Path: C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\shell32.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\combase.dll
c:\windows\syswow64\wininet.dll
c:\windows\syswow64\ws2_32.dll
PID: 5248
CMD: "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Path: C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\44111dbc49\axplong.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6032
CMD: "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Path: C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\44111dbc49\axplong.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6148
CMD: "C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe"
Path: C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\44111dbc49\axplong.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6280
CMD: "C:\Users\admin\Desktop\885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe"
Path: C:\Users\admin\Desktop\885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 4 566
Read events: 4 547
Write events: 19
Delete events: 0

Modification events

PID 6280 (885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 6280 (885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 6280 (885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
PID 6280 (885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: AutoDetect | Value: 0
PID 6552 (axplong.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | Operation: write | Name: CachePrefix | Value: (empty)
PID 6552 (axplong.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | Operation: write | Name: CachePrefix | Value: Cookie:
PID 6552 (axplong.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | Operation: write | Name: CachePrefix | Value: Visited:
PID 6552 (axplong.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: ProxyBypass | Value: 1
PID 6552 (axplong.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: IntranetName | Value: 1
PID 6552 (axplong.exe) | Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | Operation: write | Name: UNCAsIntranet | Value: 1
Executable files: 1
Suspicious files: 1
Text files: 0
Unknown types: 0

Dropped files

Columns: PID | Process | Filename | Type
6280 | 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe | C:\Users\admin\AppData\Local\Temp\44111dbc49\axplong.exe | executable
MD5: 44AE545CA405437B73165B8247A83569
SHA256: 885E1D96BFBF210D1170054FDDD7EC31C4C95CA6951A7BE4F8AE3C07D1B9E6DE
6280 | 885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe | C:\Windows\Tasks\axplong.job | binary
MD5: 91D830C9E7C62CD7892A917C615CAE37
SHA256: E7CAD7CE9B849306002BE8E7D31D78FA5D6681531072793F304B756BBEBF25E1
HTTP(S) requests: 24
TCP/UDP connections: 32
DNS requests: 12
Threats: 6

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (each row lists only the fields present in the report)
6552 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown
6552 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown
6552 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown
508 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted
6552 | axplong.exe | POST | 200 | 185.215.113.16:80 | http://185.215.113.16/Jo89Ku7d/index.php | unknown
GET | 304 | 20.12.23.50:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown
GET | 200 | 20.242.39.171:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown
508 | SIHClient.exe | GET | 200 | 95.101.54.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | whitelisted
GET | 200 | 20.12.23.50:443 | https://slscr.update.microsoft.com/sls/ping | unknown
508 | SIHClient.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (each row lists only the fields present in the report)
51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
192.168.100.255:138 | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | whitelisted
6552 | axplong.exe | 185.215.113.16:80 | 1337team Limited | SC | malicious
2024 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
508 | SIHClient.exe | 40.68.123.157:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
508 | SIHClient.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
508 | SIHClient.exe | 95.101.54.122:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
508 | SIHClient.exe | 20.242.39.171:443 | fe3cr.delivery.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
420 | backgroundTaskHost.exe | 20.103.156.88:443 | arc.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.142
whitelisted
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
crl.microsoft.com
  • 95.101.54.122
  • 2.16.202.115
  • 95.101.54.209
  • 95.101.54.139
  • 95.101.54.211
  • 95.101.54.129
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
self.events.data.microsoft.com
  • 20.189.173.1
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
fd.api.iris.microsoft.com
  • 20.199.58.43
whitelisted

Threats

Columns: PID | Process | Class | Message (PID and Process were not populated for these rows)
Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
2 ETPRO signatures available at the full report
Debug output
Columns: Process | Message
885e1d96bfbf210d1170054fddd7ec31c4c95ca6951a7be4f8ae3c07d1b9e6de.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
axplong.exe | %s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------