| File name: | random.exe |
| Full analysis: | https://app.any.run/tasks/cf53973c-0bbf-42d6-bf5c-e5a5a1387536 |
| Verdict: | Malicious activity |
| Threats: | Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks. |
| Analysis date: | May 23, 2025, 12:07:36 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | F46D4566AFAA814583025EF00CCD3994 |
| SHA1: | C349B76C158634AD3DB37F338EAB6ECC1E409F86 |
| SHA256: | AD17DA46B75FA06965FEB392AFBED39D656FEF9C286850967F4A44DD6E691F86 |
| SSDEEP: | 49152:yPPkzemqoSut3Jh4+QQ/btosJwIA4hHmZlKH2Tw/Pq83zw0bCjvk9G661QGtBaXo:4P/mp7t3T4+B/btosJwIA4hHmZlKH2TG |
MALICIOUS
Script downloads file (POWERSHELL)
- powershell.exe (PID: 7796)
- powershell.exe (PID: 660)
Run PowerShell with an invisible window
- powershell.exe (PID: 7796)
- powershell.exe (PID: 660)
- powershell.exe (PID: 8072)
- powershell.exe (PID: 2192)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 7484)
AMADEY mutex has been found
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 6480)
- ramez.exe (PID: 4000)
- ramez.exe (PID: 2984)
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 4980)
Request from PowerShell that ran from MSHTA.EXE
- powershell.exe (PID: 7796)
- powershell.exe (PID: 660)
AMADEY has been detected (SURICATA)
- ramez.exe (PID: 4000)
- saren.exe (PID: 7204)
Connects to the CnC server
- ramez.exe (PID: 4000)
- svchost.exe (PID: 2196)
- saren.exe (PID: 7204)
- explorer.exe (PID: 5492)
- explorer.exe (PID: 3784)
- explorer.exe (PID: 6112)
GCLEANER has been found (auto)
- ramez.exe (PID: 4000)
- saren.exe (PID: 7204)
Executing a file with an untrusted certificate
- 4cf388aa40.exe (PID: 6080)
- cawzlaZ.exe (PID: 5036)
- i0vIpjm.exe (PID: 7504)
- f3e73ed6ee.exe (PID: 7340)
AMADEY has been detected (YARA)
- ramez.exe (PID: 4000)
LUMMA has been detected (YARA)
- ramez.exe (PID: 4000)
LUMMA has been detected (SURICATA)
- svchost.exe (PID: 2196)
- qc8MT4h.exe (PID: 7792)
- MSBuild.exe (PID: 5212)
- MSBuild.exe (PID: 6040)
- 2CQL4X7vd.exe (PID: 2644)
- osWTC1Otv70YP.exe (PID: 6404)
- MSBuild.exe (PID: 7272)
- 758a04c164.exe (PID: 8100)
LUMMA mutex has been found
- qc8MT4h.exe (PID: 7792)
- MSBuild.exe (PID: 5212)
- MSBuild.exe (PID: 6040)
Steals credentials from Web Browsers
- qc8MT4h.exe (PID: 7792)
- MSBuild.exe (PID: 5212)
- MSBuild.exe (PID: 6040)
Actions looks like stealing of personal data
- qc8MT4h.exe (PID: 7792)
- MSBuild.exe (PID: 5212)
- MSBuild.exe (PID: 6040)
XMRig has been detected
- oxDU0MW.exe (PID: 6132)
- WinTemp-v4.exe (PID: 5436)
Known privilege escalation attack
- dllhost.exe (PID: 6828)
- dllhost.exe (PID: 7876)
Adds process to the Windows Defender exclusion list
- WinTemp-v4.exe (PID: 5436)
Changes Windows Defender settings
- WinTemp-v4.exe (PID: 5436)
- NSudoLG.exe (PID: 6980)
- NSudoLG.exe (PID: 8916)
GCLEANER has been detected (SURICATA)
- cvtres.exe (PID: 5392)
- cvtres.exe (PID: 2616)
GCLEANER has been detected (YARA)
- cvtres.exe (PID: 5392)
GENERIC has been found (auto)
- cvtres.exe (PID: 5392)
- cvtres.exe (PID: 5392)
Starts REAGENTC.EXE to disable the Windows Recovery Environment
- ReAgentc.exe (PID: 5376)
Bypass User Account Control (ComputerDefaults)
- ComputerDefaults.exe (PID: 6660)
Starts CMD.EXE for self-deleting
- MSBuild.exe (PID: 5936)
Adds path to the Windows Defender exclusion list
- cmd.exe (PID: 3768)
- NSudoLG.exe (PID: 6980)
- NSudoLG.exe (PID: 8916)
- cmd.exe (PID: 5360)
SUSPICIOUS
Starts POWERSHELL.EXE for commands execution
- mshta.exe (PID: 7520)
- mshta.exe (PID: 7256)
- WinTemp-v4.exe (PID: 5436)
- cmd.exe (PID: 4784)
- perfectfilemanager.exe (PID: 2284)
- Mmw5WKs.exe (PID: 2100)
- NSudoLG.exe (PID: 6980)
- NSudoLG.exe (PID: 8916)
Starts process via Powershell
- powershell.exe (PID: 7796)
- powershell.exe (PID: 660)
Potential Corporate Privacy Violation
- powershell.exe (PID: 7796)
- ramez.exe (PID: 4000)
- powershell.exe (PID: 660)
- cvtres.exe (PID: 5392)
- MSBuild.exe (PID: 6040)
- saren.exe (PID: 7204)
- 2CQL4X7vd.exe (PID: 2644)
Executable content was dropped or overwritten
- powershell.exe (PID: 7796)
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 6480)
- ramez.exe (PID: 4000)
- rundll32.exe (PID: 728)
- oxDU0MW.exe (PID: 6132)
- cvtres.exe (PID: 5392)
- kr8StFkTDv.exe (PID: 7580)
- kr8StFkTDv.tmp (PID: 904)
- perfectfilemanager.exe (PID: 2284)
- MSBuild.exe (PID: 6040)
- SBTQ99IOUEEBAW4HBFDVLT.exe (PID: 4560)
- saren.exe (PID: 7204)
- powershell.exe (PID: 8072)
- WinTemp-v4.exe (PID: 5436)
- 2CQL4X7vd.exe (PID: 2644)
- GQW8R4EBRDBIO4ZQ7BHN.exe (PID: 3096)
- Mmw5WKs.exe (PID: 2100)
- 1512426418.exe (PID: 5024)
- 7z.exe (PID: 8360)
Connects to the server without a host name
- powershell.exe (PID: 7796)
- ramez.exe (PID: 4000)
- powershell.exe (PID: 660)
- cvtres.exe (PID: 5392)
- MSBuild.exe (PID: 6040)
- MSBuild.exe (PID: 5936)
- saren.exe (PID: 7204)
- 2CQL4X7vd.exe (PID: 2644)
- cvtres.exe (PID: 2616)
Process requests binary or script from the Internet
- powershell.exe (PID: 7796)
- ramez.exe (PID: 4000)
- powershell.exe (PID: 660)
- MSBuild.exe (PID: 6040)
- saren.exe (PID: 7204)
- 2CQL4X7vd.exe (PID: 2644)
Reads security settings of Internet Explorer
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 6480)
- ramez.exe (PID: 4000)
- cvtres.exe (PID: 5392)
- YwDbjxV.exe (PID: 7896)
Starts itself from another location
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 6480)
- SBTQ99IOUEEBAW4HBFDVLT.exe (PID: 4560)
Contacting a server suspected of hosting an CnC
- ramez.exe (PID: 4000)
- qc8MT4h.exe (PID: 7792)
- svchost.exe (PID: 2196)
- MSBuild.exe (PID: 5212)
- MSBuild.exe (PID: 6040)
- 2CQL4X7vd.exe (PID: 2644)
- saren.exe (PID: 7204)
- osWTC1Otv70YP.exe (PID: 6404)
- MSBuild.exe (PID: 7272)
- 758a04c164.exe (PID: 8100)
- explorer.exe (PID: 5492)
- explorer.exe (PID: 3784)
- explorer.exe (PID: 6112)
The process executes via Task Scheduler
- ramez.exe (PID: 2984)
- ramez.exe (PID: 728)
- saren.exe (PID: 7764)
There is functionality for enable RDP (YARA)
- ramez.exe (PID: 4000)
There is functionality for taking screenshot (YARA)
- ramez.exe (PID: 4000)
Manipulates environment variables
- powershell.exe (PID: 660)
- powershell.exe (PID: 7796)
Found IP address in command line
- powershell.exe (PID: 660)
- powershell.exe (PID: 7796)
Probably download files using WebClient
- mshta.exe (PID: 7256)
- mshta.exe (PID: 7520)
- cmd.exe (PID: 4784)
Searches for installed software
- qc8MT4h.exe (PID: 7792)
- MSBuild.exe (PID: 5212)
Starts CMD.EXE for commands execution
- random.exe (PID: 7448)
- ramez.exe (PID: 4000)
- cmd.exe (PID: 2692)
- WinTemp-v4.exe (PID: 5436)
- MSBuild.exe (PID: 5936)
- Mmw5WKs.exe (PID: 2100)
- GQW8R4EBRDBIO4ZQ7BHN.exe (PID: 3096)
- cmd.exe (PID: 5868)
- nircmd.exe (PID: 8096)
- cmd.exe (PID: 4016)
- cmd.exe (PID: 2564)
- cmd.exe (PID: 3768)
- NSudoLG.exe (PID: 7836)
- 8b7aa19274.exe (PID: 7192)
- cmd.exe (PID: 4880)
- NSudoLG.exe (PID: 2332)
- nircmd.exe (PID: 7996)
- cmd.exe (PID: 1240)
- cmd.exe (PID: 5360)
- cmd.exe (PID: 4016)
Executes as Windows Service
- VSSVC.exe (PID: 8028)
- ScreenConnect.ClientService.exe (PID: 9212)
Script adds exclusion process to Windows Defender
- WinTemp-v4.exe (PID: 5436)
The process drops C-runtime libraries
- kr8StFkTDv.tmp (PID: 904)
- 1512426418.exe (PID: 5024)
Script adds exclusion path to Windows Defender
- WinTemp-v4.exe (PID: 5436)
- NSudoLG.exe (PID: 6980)
- NSudoLG.exe (PID: 8916)
Process drops legitimate windows executable
- kr8StFkTDv.tmp (PID: 904)
- explorer.exe (PID: 5492)
- 1512426418.exe (PID: 5024)
Executing commands from ".cmd" file
- cmd.exe (PID: 2692)
- ramez.exe (PID: 4000)
Application launched itself
- cmd.exe (PID: 2692)
- cmd.exe (PID: 5868)
- cmd.exe (PID: 4016)
- cmd.exe (PID: 2564)
- cmd.exe (PID: 3768)
- cmd.exe (PID: 4880)
- cmd.exe (PID: 1240)
- explorer.exe (PID: 5492)
- cmd.exe (PID: 5360)
- cmd.exe (PID: 4016)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 4784)
The process hides Powershell's copyright startup banner
- cmd.exe (PID: 4784)
Process communicates with Telegram (possibly using it as an attacker's C2 server)
- MSBuild.exe (PID: 7208)
- osWTC1Otv70YP.exe (PID: 6404)
- MSBuild.exe (PID: 7272)
Executes application which crashes
- Win-v42.exe (PID: 5172)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 7296)
Drops 7-zip archiver for unpacking
- GQW8R4EBRDBIO4ZQ7BHN.exe (PID: 3096)
The executable file from the user directory is run by the CMD process
- sys.exe (PID: 5116)
- nircmd.exe (PID: 8096)
- NSudoLG.exe (PID: 7836)
- NSudoLG.exe (PID: 6980)
- 1512426418.exe (PID: 5024)
- nircmd.exe (PID: 7996)
- NSudoLG.exe (PID: 2332)
- NSudoLG.exe (PID: 8916)
- 7z.exe (PID: 8360)
- Unlocker.exe (PID: 8336)
Starts application with an unusual extension
- cmd.exe (PID: 5668)
- cmd.exe (PID: 3620)
- cmd.exe (PID: 3768)
- cmd.exe (PID: 7952)
- cmd.exe (PID: 7176)
- cmd.exe (PID: 5360)
Executing commands from a ".bat" file
- GQW8R4EBRDBIO4ZQ7BHN.exe (PID: 3096)
- cmd.exe (PID: 5868)
- nircmd.exe (PID: 8096)
- cmd.exe (PID: 4016)
- cmd.exe (PID: 2564)
- NSudoLG.exe (PID: 7836)
- cmd.exe (PID: 4880)
- 8b7aa19274.exe (PID: 7192)
- nircmd.exe (PID: 7996)
- cmd.exe (PID: 1240)
- NSudoLG.exe (PID: 2332)
- cmd.exe (PID: 4016)
Get information on the list of running processes
- Mmw5WKs.exe (PID: 2100)
- cmd.exe (PID: 3768)
- cmd.exe (PID: 2332)
- cmd.exe (PID: 5360)
- cmd.exe (PID: 8264)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 3620)
- cmd.exe (PID: 3768)
- cmd.exe (PID: 7176)
- cmd.exe (PID: 5360)
Uses ATTRIB.EXE to modify file attributes
- Mmw5WKs.exe (PID: 2100)
Probably obfuscated PowerShell command line is found
- Mmw5WKs.exe (PID: 2100)
Uses TASKKILL.EXE to kill Browsers
- Mmw5WKs.exe (PID: 2100)
Process drops python dynamic module
- 1512426418.exe (PID: 5024)
PowerShell delay command usage (probably sleep evasion)
- powershell.exe (PID: 6724)
- powershell.exe (PID: 8972)
Uses TASKKILL.EXE to kill process
- Mmw5WKs.exe (PID: 2100)
Uses ICACLS.EXE to modify access control lists
- cmd.exe (PID: 4008)
- cmd.exe (PID: 7852)
Uses powercfg.exe to modify the power settings
- WinTemp-v4.exe (PID: 5436)
Takes ownership (TAKEOWN.EXE)
- cmd.exe (PID: 1164)
Hides command output
- cmd.exe (PID: 8104)
Checks for external IP
- svchost.exe (PID: 2196)
- WinTemp-v4.exe (PID: 5436)
Connects to unusual port
- WinTemp-v4.exe (PID: 5436)
- ScreenConnect.ClientService.exe (PID: 9212)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 3768)
Screenconnect has been detected
- ScreenConnect.ClientService.exe (PID: 9212)
INFO
Reads mouse settings
- random.exe (PID: 7448)
Checks supported languages
- random.exe (PID: 7448)
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 6480)
- ramez.exe (PID: 4000)
- ramez.exe (PID: 2984)
- 4cf388aa40.exe (PID: 6080)
- qc8MT4h.exe (PID: 7792)
- cvtres.exe (PID: 5392)
- 08IyOOF.exe (PID: 1852)
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 4980)
- MSBuild.exe (PID: 5212)
- YwDbjxV.exe (PID: 7896)
- msiexec.exe (PID: 864)
- msiexec.exe (PID: 8088)
- fPbjy1Q.exe (PID: 7840)
- oxDU0MW.exe (PID: 6132)
- WinTemp-v4.exe (PID: 5436)
- MSBuild.exe (PID: 6040)
- TIX1nL9.exe (PID: 4220)
The sample compiled with english language support
- random.exe (PID: 7448)
- ramez.exe (PID: 4000)
- kr8StFkTDv.tmp (PID: 904)
- powershell.exe (PID: 8072)
- saren.exe (PID: 7204)
- GQW8R4EBRDBIO4ZQ7BHN.exe (PID: 3096)
- explorer.exe (PID: 5492)
- 1512426418.exe (PID: 5024)
Disables trace logs
- powershell.exe (PID: 7796)
- powershell.exe (PID: 660)
Checks proxy server information
- powershell.exe (PID: 7796)
- ramez.exe (PID: 4000)
- cvtres.exe (PID: 5392)
Create files in a temporary directory
- random.exe (PID: 7448)
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 6480)
- ramez.exe (PID: 4000)
- YwDbjxV.exe (PID: 7896)
- rundll32.exe (PID: 728)
- oxDU0MW.exe (PID: 6132)
Reads the computer name
- random.exe (PID: 7448)
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 6480)
- ramez.exe (PID: 4000)
- 4cf388aa40.exe (PID: 6080)
- qc8MT4h.exe (PID: 7792)
- cvtres.exe (PID: 5392)
- MSBuild.exe (PID: 5212)
- YwDbjxV.exe (PID: 7896)
- msiexec.exe (PID: 864)
- msiexec.exe (PID: 8088)
- oxDU0MW.exe (PID: 6132)
- MSBuild.exe (PID: 6040)
Auto-launch of the file from Task Scheduler
- cmd.exe (PID: 7484)
Process checks computer location settings
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 6480)
- ramez.exe (PID: 4000)
- YwDbjxV.exe (PID: 7896)
The executable file from the user directory is run by the Powershell process
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 6480)
- Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE (PID: 4980)
Creates files or folders in the user directory
- ramez.exe (PID: 4000)
- cvtres.exe (PID: 5392)
Manual execution by a user
- mshta.exe (PID: 7256)
- cvtres.exe (PID: 5392)
- Win-v42.exe (PID: 5172)
- cvtres.exe (PID: 2616)
Reads Internet Explorer settings
- mshta.exe (PID: 7256)
- mshta.exe (PID: 7520)
Reads the software policy settings
- qc8MT4h.exe (PID: 7792)
- cvtres.exe (PID: 5392)
- MSBuild.exe (PID: 5212)
- MSBuild.exe (PID: 6040)
Reads the machine GUID from the registry
- 4cf388aa40.exe (PID: 6080)
- cvtres.exe (PID: 5392)
- YwDbjxV.exe (PID: 7896)
- oxDU0MW.exe (PID: 6132)
Executable content was dropped or overwritten
- msiexec.exe (PID: 5112)
- msiexec.exe (PID: 864)
CONNECTWISE has been detected
- msiexec.exe (PID: 5112)
Checks transactions between databases Windows and Oracle
- oxDU0MW.exe (PID: 6132)
Reads security settings of Internet Explorer
- dllhost.exe (PID: 6828)
Changes the registry key values via Powershell
- perfectfilemanager.exe (PID: 2284)
Uses Task Scheduler to autorun other applications (AUTOMATE)
- WinTemp-v4.exe (PID: 5436)
Attempting to use instant messaging service
- osWTC1Otv70YP.exe (PID: 6404)
Changes the display of characters in the console
- cmd.exe (PID: 5668)
- cmd.exe (PID: 3620)
- cmd.exe (PID: 3768)
- cmd.exe (PID: 7952)
- cmd.exe (PID: 7176)
- cmd.exe (PID: 5360)
NirSoft software is detected
- nircmd.exe (PID: 8096)
- 1512426418.exe (PID: 5024)
- nircmd.exe (PID: 7996)
Checks operating system version
- cmd.exe (PID: 3768)
- cmd.exe (PID: 5360)
Starts MODE.COM to configure console settings
- mode.com (PID: 3784)
- mode.com (PID: 6072)
Manages system restore points
- SrTasks.exe (PID: 5556)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Amadey
(PID) Process(4000) ramez.exe
C2185.156.72.96
URLhttp://185.156.72.96/te4h2nus/index.php
Version5.34
Options
Drop directoryd610cf342e
Drop nameramez.exe
Strings (125)lv:
msi
Kaspersky Lab
av:
|
#
"
\App
00000422
dm:
Powershell.exe
ProgramData\
ps1
rundll32
http://
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows NT\CurrentVersion
dll
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
id:
VideoID
cred.dll|clip.dll|
0000043f
cmd
00000423
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-executionpolicy remotesigned -File "
2022
------
2016
og:
\0000
CurrentBuild
2019
:::
S-%lu-
" && timeout 1 && del
ProductName
Panda Security
ESET
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
/k
+++
?scr=1
Doctor Web
GET
SYSTEM\ControlSet001\Services\BasicDisplay\Video
/quiet
.jpg
d610cf342e
vs:
sd:
rundll32.exe
"taskkill /f /im "
pc:
random
=
360TotalSecurity
<d>
wb
Content-Type: multipart/form-data; boundary=----
Startup
Norton
&& Exit"
os:
https://
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2025
Avira
%-lu
zip
POST
"
Content-Type: application/octet-stream
Rem
/te4h2nus/index.php
------
5.34
<c>
clip.dll
AVAST Software
\
shell32.dll
" && ren
e3
ramez.exe
kernel32.dll
DefaultSettings.XResolution
d1
DefaultSettings.YResolution
185.156.72.96
r=
cred.dll
--
GetNativeSystemInfo
-%lu
ComputerName
&unit=
Keyboard Layout\Preload
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
ar:
Sophos
%USERPROFILE%
exe
e1
e2
st=s
Programs
0123456789
un:
rb
bi:
abcdefghijklmnopqrstuvwxyz0123456789-_
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
cmd /C RMDIR /s/q
Bitdefender
-unicode-
AVG
WinDefender
&&
shutdown -s -t 0
Comodo
00000419
Content-Type: application/x-www-form-urlencoded
/Plugins/
Main
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2025:05:23 11:49:34+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.16 |
| CodeSize: | 633856 |
| InitializedDataSize: | 326144 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x20577 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (British) |
| CharacterSet: | Unicode |
Total processes
450
Monitored processes
311
Malicious processes
45
Suspicious processes
14
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 208 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powercfg.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 208 | find /i "Windows 7" | C:\Windows\System32\find.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Find String (grep) Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 496 | reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 516 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 536 | reg query HKLM\System\CurrentControlset\Services\WdFilter | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 540 | reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 540 | find /i "C:\" | C:\Windows\System32\find.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Find String (grep) Utility Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 540 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powercfg.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 540 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 540 | reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName" | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
101 341
Read events
100 890
Write events
355
Delete events
96
Modification events
| (PID) Process: | (7520) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (7520) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (7520) mshta.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000005034E |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456BFA0DB55E4278845B426357D5B5F97B3 | |||
| (PID) Process: | (5492) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\5\ApplicationViewManagement\W32:000000000005034E |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (7796) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7796) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7796) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (7796) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (7796) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
Executable files
181
Suspicious files
107
Text files
258
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7796 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:2AF8C1D2488C358AF9578A4816F395C5 | SHA256:A3AA068C88A4473B075E404DC20F5C2A49D02482F2E2366B8A6697A1CEF215BC | |||
| 7796 | powershell.exe | C:\Users\admin\AppData\Local\Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE | executable | |
MD5:26CC5A6CFD8E8ECC433337413C14CDDB | SHA256:2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8 | |||
| 5492 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary | |
MD5:E49C56350AEDF784BFE00E444B879672 | SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E | |||
| 6480 | Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE | C:\Users\admin\AppData\Local\Temp\d610cf342e\ramez.exe | executable | |
MD5:26CC5A6CFD8E8ECC433337413C14CDDB | SHA256:2D904D576B46236BAF504DBA21775F6EBBBD0F65272A9C2FCA1C6798184FA4E8 | |||
| 6480 | Temp7UFVMBYEPT34HF3QFX0XBF2NA1KL0QST.EXE | C:\Windows\Tasks\ramez.job | binary | |
MD5:3C017A3FA07A77E5C06CC1D6EB9CC93F | SHA256:99C767793984623BFCA8F8FE3A8DD1A9BCE3E88CDF3F515A886BEDB545CB6B66 | |||
| 7896 | YwDbjxV.exe | C:\Users\admin\AppData\Local\Temp\ScreenConnect\24.4.4.9118\4b50367a0c90cf67\ScreenConnect.ClientSetup.msi | — | |
MD5:— | SHA256:— | |||
| 7448 | random.exe | C:\Users\admin\AppData\Local\Temp\QuU6v0vl3.hta | html | |
MD5:EF1FD67D8F81DAA7694B91EFB9D541CB | SHA256:FC3F1269EC36AACD5656C6E0437411DF890C0FDAE95258355A9429AAB25593E4 | |||
| 4000 | ramez.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\random[1].exe | executable | |
MD5:ECE1D1507B62C20327E999C6936A95A7 | SHA256:8EB08322033F193A5E7EA16D83C0CD324EFAAAB628FB245BDB27F6977C2A6D86 | |||
| 7796 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_agjgpgv4.non.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7796 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pp2nfibp.4jf.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
97
TCP/UDP connections
117
DNS requests
42
Threats
140
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7796 | powershell.exe | GET | 200 | 185.156.72.2:80 | http://185.156.72.2/testmine/random.exe | unknown | — | — | malicious |
4000 | ramez.exe | POST | 200 | 185.156.72.96:80 | http://185.156.72.96/te4h2nus/index.php | unknown | — | — | unknown |
4000 | ramez.exe | GET | 200 | 185.156.72.2:80 | http://185.156.72.2/files/unique2/random.exe | unknown | — | — | malicious |
4000 | ramez.exe | POST | 200 | 185.156.72.96:80 | http://185.156.72.96/te4h2nus/index.php | unknown | — | — | unknown |
4000 | ramez.exe | POST | 200 | 185.156.72.96:80 | http://185.156.72.96/te4h2nus/index.php | unknown | — | — | unknown |
7460 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4000 | ramez.exe | GET | 200 | 185.156.72.2:80 | http://185.156.72.2/files/6092752623/qc8MT4h.exe | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5496 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5496 | MoUsoCoreWorker.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
6544 | svchost.exe | 40.126.31.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted |
— | — | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted |
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5112 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
diecam.top |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
7796 | powershell.exe | Misc activity | ET INFO Packed Executable Download |
7796 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
7796 | powershell.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
7796 | powershell.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
7796 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
7796 | powershell.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 35 |
4000 | ramez.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 35 |
4000 | ramez.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s) |
4000 | ramez.exe | Malware Command and Control Activity Detected | ET MALWARE Amadey CnC Response |
4000 | ramez.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
3 ETPRO signatures available at the full report