File name: SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe

Full analysis: https://app.any.run/tasks/cdbee19d-1985-40b9-b893-e5161bed26ea
Verdict: Malicious activity
Threats:

Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.

Analysis date: September 15, 2024, 16:41:55
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
amadey
botnet
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 2A74B1D6A6B7EBA4BDD50502A38A1974
SHA1: FDABDA6ACC64E72ED21376A697DFDD0651F66DBB
SHA256: CDB6691590D96507F7DA2721E46C34C33DF5A3ACF58BE611F008BB4ACEABA3E4
SSDEEP: 98304:702SJ/GReH2LgvZ9y97aLpJIIII8cLruG/El8q3xOpyOdsSS3YzwQETLWfE6FUMv:hUMPYRz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • AMADEY has been detected (SURICATA)

      • Hkbsse.exe (PID: 5104)
    • Changes the autorun value in the registry

      • Hkbsse.exe (PID: 7040)
      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 7004)
      • Hkbsse.exe (PID: 6268)
      • Hkbsse.exe (PID: 5044)
    • Connects to the CnC server

      • Hkbsse.exe (PID: 5104)
    • AMADEY has been detected (YARA)

      • Hkbsse.exe (PID: 5104)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 6596)
      • Hkbsse.exe (PID: 5104)
    • Executable content was dropped or overwritten

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 6596)
    • There is functionality for communication over UDP network (YARA)

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 7004)
      • Hkbsse.exe (PID: 7040)
      • Hkbsse.exe (PID: 6268)
      • Hkbsse.exe (PID: 5044)
      • Hkbsse.exe (PID: 5104)
    • Application launched itself

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 7004)
      • Hkbsse.exe (PID: 7040)
      • Hkbsse.exe (PID: 6268)
      • Hkbsse.exe (PID: 5044)
    • Connects to the server without a host name

      • Hkbsse.exe (PID: 5104)
    • Contacting a server suspected of hosting a CnC

      • Hkbsse.exe (PID: 5104)
    • Starts itself from another location

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 6596)
    • The process executes via Task Scheduler

      • Hkbsse.exe (PID: 6268)
      • Hkbsse.exe (PID: 5044)
    • Process requests binary or script from the Internet

      • Hkbsse.exe (PID: 5104)
  • INFO

    • Reads the computer name

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 7004)
      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 6596)
      • Hkbsse.exe (PID: 7040)
      • Hkbsse.exe (PID: 5104)
      • Hkbsse.exe (PID: 6268)
      • Hkbsse.exe (PID: 5044)
    • Checks supported languages

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 7004)
      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 6596)
      • Hkbsse.exe (PID: 7040)
      • Hkbsse.exe (PID: 5104)
      • Hkbsse.exe (PID: 6268)
      • Hkbsse.exe (PID: 5044)
      • Hkbsse.exe (PID: 5888)
      • Hkbsse.exe (PID: 2492)
    • Creates files in a temporary directory

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 6596)
      • Hkbsse.exe (PID: 5104)
    • Process checks computer location settings

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 6596)
    • The process uses the downloaded file

      • SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe (PID: 6596)
    • Checks proxy server information

      • Hkbsse.exe (PID: 5104)
    • Creates files or folders in the user directory

      • Hkbsse.exe (PID: 5104)

Amadey

(PID) Process: (5104) Hkbsse.exe
C2: 23.227.196.203
URL: http://23.227.196.203/NfjxzZz9jn/index.php
Version: 4.41
Options
Drop directory: c540ded511
Drop name: Hkbsse.exe
Strings (119):
VideoID
st=s
id:
" Content-Type: application/octet-stream
2022
exe
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
-unicode-
<d>
Doctor Web
AVG
4.41
dll
Main
Norton
" && ren
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
c540ded511
&unit=
/Plugins/
rb
cred.dll
#
ProgramData\
rundll32.exe
cmd
--
vs:
DefaultSettings.XResolution
random
?scr=1
GetNativeSystemInfo
%-lu
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
og:
Powershell.exe
" && timeout 1 && del
/quiet
r=
AVAST Software
360TotalSecurity
dm:
Comodo
Sophos
23.227.196.203
GET
=
wb
SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
/NfjxzZz9jn/index.php
lv:
Rem
Content-Disposition: form-data; name="data"; filename="
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Bitdefender
DefaultSettings.YResolution
un:
https://
SYSTEM\ControlSet001\Services\BasicDisplay\Video
shutdown -s -t 0
Hkbsse.exe
ProductName
sd:
"taskkill /f /im "
&& Exit"
Panda Security
http://
POST
Content-Type: application/x-www-form-urlencoded
ComputerName
------
0123456789
CurrentBuild
rundll32
cred.dll|clip.dll|
.jpg
clip.dll
kernel32.dll
:::
S-%lu-
WinDefender
ar:
Kaspersky Lab
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\App
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\0000
e2
"
|
-%lu
os:
-executionpolicy remotesigned -File "
ESET
------
pc:
+++
Content-Type: multipart/form-data; boundary=----
av:
\
cmd /C RMDIR /s/q
ps1
Programs
%USERPROFILE%
e0
&&
zip
<c>
e1
bi:
msi
Startup
Avira
d1
shell32.dll
abcdefghijklmnopqrstuvwxyz0123456789-_
2016
2019
/k
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (53.4)
.exe | Win64 Executable (generic) (35.5)
.exe | Win32 Executable (generic) (5.8)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2006:09:06 17:06:08+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 7.1
CodeSize: 4501504
InitializedDataSize: 1740800
UninitializedDataSize: -
EntryPoint: 0x41fa63
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 129
Monitored processes: 8
Malicious processes: 6
Suspicious processes: 0

Behavior graph

[Behavior graph nodes: start; securiteinfo.com.win32.malware-gen.25412.18433.exe (THREAT); hkbsse.exe (THREAT, #AMADEY); hkbsse.exe (THREAT, no specs); hkbsse.exe (THREAT, no specs)]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2492
CMD: "C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe"
Path: C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe
Parent process: Hkbsse.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\c540ded511\hkbsse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 5044
CMD: "C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe"
Path: C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\c540ded511\hkbsse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\win32u.dll
PID: 5104
CMD: "C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe"
Path: C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe
Parent process: Hkbsse.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\c540ded511\hkbsse.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\gdi32.dll
PID: 5888
CMD: "C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe"
Path: C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe
Parent process: Hkbsse.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\c540ded511\hkbsse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6268
CMD: "C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe"
Path: C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\c540ded511\hkbsse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\gdi32.dll
c:\windows\syswow64\win32u.dll
PID: 6596
CMD: "C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe"
Path: C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe
Parent process: SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\securiteinfo.com.win32.malware-gen.25412.18433.exe
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
c:\windows\syswow64\gdi32.dll
PID: 7004
CMD: "C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe"
Path: C:\Users\admin\Desktop\SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\securiteinfo.com.win32.malware-gen.25412.18433.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
PID: 7040
CMD: "C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe"
Path: C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe
Parent process: SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\c540ded511\hkbsse.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
Total events: 814
Read events: 803
Write events: 11
Delete events: 0

Modification events

(PID) Process: (7004) SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe

(PID) Process: (7040) Hkbsse.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Hkbsse.exe

(PID) Process: (7004) SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: AgentLauncher
Value: C:\Users\admin\Pictures\ClientAgent\AgentLauncher.exe

(PID) Process: (5104) Hkbsse.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (5104) Hkbsse.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5104) Hkbsse.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7040) Hkbsse.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: AgentLauncher
Value: C:\Users\admin\Pictures\ClientAgent\AgentLauncher.exe

(PID) Process: (6268) Hkbsse.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Hkbsse.exe

(PID) Process: (6268) Hkbsse.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: AgentLauncher
Value: C:\Users\admin\Pictures\ClientAgent\AgentLauncher.exe

(PID) Process: (5044) Hkbsse.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Direct3D\MostRecentApplication
Operation: write
Name: Name
Value: Hkbsse.exe
Executable files: 1
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID: 7004
Process: SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe
Filename: C:\Users\admin\Pictures\ClientAgent\AgentLauncher.exe
Type:
MD5:
SHA256:

PID: 6596
Process: SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe
Filename: C:\Users\admin\AppData\Local\Temp\c540ded511\Hkbsse.exe
Type: executable
MD5: 2A74B1D6A6B7EBA4BDD50502A38A1974
SHA256: CDB6691590D96507F7DA2721E46C34C33DF5A3ACF58BE611F008BB4ACEABA3E4

PID: 5104
Process: Hkbsse.exe
Filename: C:\Users\admin\AppData\Local\Temp\693682860607
Type: image
MD5: BE88FDE4FA723C87843670844A1B86C0
SHA256: 4E046DEEFADEB780F449DFFA8853993D622521709E2C6B5DFACEA58A94C30882

PID: 6596
Process: SecuriteInfo.com.Win32.Malware-gen.25412.18433.exe
Filename: C:\Windows\Tasks\Hkbsse.job
Type: binary
MD5: 1DC7D2BA4DF001C4666FD91FDAA3A262
SHA256: 24A61BE9A9EA1C8A2BE0414A3B72607EDFFDDF49836606040A3A2CFE50C3CD55
HTTP(S) requests: 10
TCP/UDP connections: 25
DNS requests: 4
Threats: 17

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
5104 | Hkbsse.exe | POST | | 23.227.196.203:80 | http://23.227.196.203/NfjxzZz9jn/index.php | unknown | unknown
892 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5104 | Hkbsse.exe | POST | | 23.227.196.203:80 | http://23.227.196.203/NfjxzZz9jn/index.php?scr=1 | unknown | unknown
5104 | Hkbsse.exe | GET | | 23.227.196.203:80 | http://23.227.196.203/NfjxzZz9jn/Plugins/cred64.dll | unknown | unknown
5104 | Hkbsse.exe | GET | | 23.227.196.203:80 | http://23.227.196.203/NfjxzZz9jn/Plugins/cred64.dll | unknown | unknown
5104 | Hkbsse.exe | POST | | 23.227.196.203:80 | http://23.227.196.203/NfjxzZz9jn/index.php | unknown | unknown
5104 | Hkbsse.exe | GET | | 23.227.196.203:80 | http://23.227.196.203/NfjxzZz9jn/Plugins/cred64.dll | unknown | unknown
5104 | Hkbsse.exe | GET | | 23.227.196.203:80 | http://23.227.196.203/NfjxzZz9jn/Plugins/clip64.dll | unknown | unknown
5104 | Hkbsse.exe | GET | | 23.227.196.203:80 | http://23.227.196.203/NfjxzZz9jn/Plugins/clip64.dll | unknown | unknown
5104 | Hkbsse.exe | GET | | 23.227.196.203:80 | http://23.227.196.203/NfjxzZz9jn/Plugins/clip64.dll | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
6552 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
892 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
892 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6552 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4324 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.184.238 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted

Threats

PID | Process | Class | Message
5104 | Hkbsse.exe | A Network Trojan was detected | ET MALWARE Amadey Bot Activity (POST) M1
5104 | Hkbsse.exe | Malware Command and Control Activity Detected | BOTNET [ANY.RUN] Amadey HTTP POST Request (st=s)
5104 | Hkbsse.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
5104 | Hkbsse.exe | A Network Trojan was detected | BOTNET [ANY.RUN] Amadey Stealer plugin download request
5104 | Hkbsse.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
5104 | Hkbsse.exe | A Network Trojan was detected | BOTNET [ANY.RUN] Amadey Stealer plugin download request
5104 | Hkbsse.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
5104 | Hkbsse.exe | A Network Trojan was detected | BOTNET [ANY.RUN] Amadey Stealer plugin download request
5104 | Hkbsse.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host DLL Request
5104 | Hkbsse.exe | A Network Trojan was detected | BOTNET [ANY.RUN] Amadey Clipper plugin download request
3 ETPRO signatures available at the full report
No debug info