File name: | 33bdd49c66f302dfd47c1831d7c0bb3a18df8998f397c4c631c12f10502727fd.exe |
Full analysis: | https://app.any.run/tasks/9a10b645-ec02-4756-9b03-c11041438ec2 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much of the competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy FormBook. |
Analysis date: | October 09, 2024, 14:11:26 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
MD5: | 9FF1678929D6AD43DC7963A456A5853F |
SHA1: | E5279E79882E0913397F19E5BE7A6CF711D0AD09 |
SHA256: | 33BDD49C66F302DFD47C1831D7C0BB3A18DF8998F397C4C631C12F10502727FD |
SSDEEP: | 24576:Immj3JXBEXdJO1aSkoKIs4xtKKR2cNm2kkTusEiq1N+eDA+1CCqOBxR7U18HBIrq:Immj3JXBEXdJO1aSkoKINxtKKR2cNm2Q |
Extension | File type | Match (%)
---|---|---
.exe | Generic CIL Executable (.NET, Mono, etc.) | 82.9
.dll | Win32 Dynamic Link Library (generic) | 7.4
.exe | Win32 Executable (generic) | 5.1
.exe | Generic Win/DOS Executable | 2.2
.exe | DOS Executable Generic | 2.2
MachineType: | Intel 386 or later, and compatibles |
TimeStamp: | 2024:10:03 21:40:18+00:00 |
ImageFileCharacteristics: | Executable, 32-bit |
PEType: | PE32 |
LinkerVersion: | 48 |
CodeSize: | 756736 |
InitializedDataSize: | 11776 |
UninitializedDataSize: | - |
EntryPoint: | 0xbaa56 |
OSVersion: | 4 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
FileVersionNumber: | 1.0.0.0 |
ProductVersionNumber: | 1.0.0.0 |
FileFlagsMask: | 0x003f |
FileFlags: | (none) |
FileOS: | Win32 |
ObjectFileType: | Executable application |
FileSubtype: | - |
LanguageCode: | Neutral |
CharacterSet: | Unicode |
Comments: | - |
CompanyName: | - |
FileDescription: | NorthwindPresentacion |
FileVersion: | 1.0.0.0 |
InternalName: | RYdn.exe |
LegalCopyright: | Copyright © 2015 |
LegalTrademarks: | - |
OriginalFileName: | RYdn.exe |
ProductName: | NorthwindPresentacion |
ProductVersion: | 1.0.0.0 |
AssemblyVersion: | 1.0.0.0 |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
612 | "C:\Windows\SysWOW64\grpconv.exe" | C:\Windows\SysWOW64\grpconv.exe | | explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Progman Group Converter Version: 10.0.19041.1 (WinBuild.160101.0800)
Formbook (PID 612, grpconv.exe)
C2: www.yedurrum.xyz
Strings (159): 2Be2tATGCTtzPWIA7pd+qq9l q6S8+dYoWPA= uK5f6dq1HPYtHGWLla4T2Aru1w== f0y2nkRZDDIUqVK2 NFayOMjq9FPCowzlhQ== eeIjXH6ipwycRYk= uh2Imj8M8S96OQo= xZhPiUjPjOrXzh7G1c3nJj+mdEtF VWXSEgDMJf4hMMo= pYyMe+LAzJA= 0YyrTsx7DOhedwUolg== tyY75hB1Hn5Jef9jKMnaCVhyzYp7 sxMjfD1YjRx2AZvEG6cSp5fVlEA8 wQI9w1i5hRM+zYMBXAw4rlNX YGAuy/kn2C6hF/MZG48= oerlHcFPvmCV9w6V+7ZN44N7Klc= /qowLWRTihd1y7ZY0U4EsYgcgXY= oRTp99+WR2IQ1b8zm0hCCPu5pgg= xuMnzTUsGIAqwMM/Wg== HAafzSWOPbPA59Rw3dQ= alnO3qI+XjA+w67Qcn0Xg8h0N0g= UCL/N7hhNtbhcGEn9yYT J2nZRqNJivQyK4Dk46s= hfky8gqIvBQwLyK6FChvag== MaDUs1Z67gImIcm/ze98p/BONN8= YtgWk5AHQ8arjUPyIRA= aDA8zfIndWUP99w= bkhPZcwJU/c3OaJUjTE= o0AFgFGJQEGbDmAj0ro= 3sYlF1awQx+56SQiVQ== B1zDaLGYcMy5AQ== tHOReRZZDAN/2g== fhGnCeSAAVtr7uefClFxGZAV ckzYGFJl5n2jKLWszQ== WEYEL4ZWDOJUvo/8a2Q= 6nTUUtgE6MwxASeY Fj1l4KOmRP9PtZiPLFs42VtOS2mi H6/7I5pqnps0eYkS7Q== l9mrCBmenzE70GjROywXxtH/x80= 0ECjd6/SoTI7zrasA7w= wHB+io0VentCoZI= LB7CYEqbtXT9+wHnyDIJ rDyii/5oR4YQRQc= 5jsR3g/3mGutKRG8zYe2AXyZdoM= cGdlW3BD70UdiadEZw== XdVXUlzH4TDWw03DjpxWLaHS mnKaa1ctlKt/na066xeeEE44iQ== dkjj+0NccJg5cg== EjEAKMlbwPSIFkLEm+4ASA== M5CpuYeQJt7rK4E= +DzWVGihmzV/ZYw= 0sHxgG0iZz417NlwBA== T76+3cThDaNaTQ== xSxh5ThEoBZjQEMAPh+3DL66Rw== mJGgyo+jFf2+oYOo M1/ciCI0adaHlQ== ArxkiI+l5kvtVpAU21g= DUaiPYTa3ckCpYc= 2NH61ZGp2x+SLNlbWmZbcf9H qq9tKLqbxHum UQELqNQ5GM5dcnMQ+fXNcoxYrEQ= j2+Cegmq4BcWkdc= WLrZp0UVD7F0 MgWwaeMkSyrP1FmoT//xx2Dt pu2jiAwmrPifypepdJw5ww== grpconv.exe cscript.exe at.exe ipconfig.exe typeperf.exe ARP.EXE RmClient.exe dvdplay.exe makecab.exe psr.exe msinfo32.exe dialer.exe kernel32.dll advapi32.dll ws2_32.dll USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP COMPUTERNAME ProgramFiles /c copy " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \Mail\ \Foxmail \Storage\ \Accounts\Account.rec0 \Data\AccCfg\Accounts.tdat \Google\Chrome\User Data\Default\Login Data SeShutdownPrivilege \BaseNamedObjects POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: Origin: http:// Content-Type: application/x-www-form-urlencoded Accept: Referer: http:// Accept-Language: Accept-Encoding: Set-ExecutionPolicy RemoteSigned -Scope CurrentUser PowerShell.exe \Opera Software\Opera Stable kernel32.dll user32.dll wininet.dll rg.ini Recovery profiles.ini guid Connection: close pass token email login signin account persistent GET GET PUT POST OPTIONS User-Agent: API- MS-W _301 Moved _302 Found InternetOpenA InternetConnectA HttpOpenRequestA HttpSendRequestA InternetReadFile InternetCloseHandle
3948 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | grpconv.exe
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 123.0
4616 | C:\WINDOWS\Explorer.EXE | C:\Windows\explorer.exe | — | 
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800)
6396 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | — | 33bdd49c66f302dfd47c1831d7c0bb3a18df8998f397c4c631c12f10502727fd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft .NET Services Installation Utility Exit code: 0 Version: 4.8.9037.0 built by: NET481REL1
6572 | "C:\Users\admin\Desktop\33bdd49c66f302dfd47c1831d7c0bb3a18df8998f397c4c631c12f10502727fd.exe" | C:\Users\admin\Desktop\33bdd49c66f302dfd47c1831d7c0bb3a18df8998f397c4c631c12f10502727fd.exe | | explorer.exe
User: admin Integrity Level: MEDIUM Description: NorthwindPresentacion Exit code: 0 Version: 1.0.0.0
7116 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
7160 | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ScvXSCgRf" /XML "C:\Users\admin\AppData\Local\Temp\tmpEAB7.tmp" | C:\Windows\SysWOW64\schtasks.exe | — | 33bdd49c66f302dfd47c1831d7c0bb3a18df8998f397c4c631c12f10502727fd.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800)
PID | Process | Key | Operation | Name | Value
---|---|---|---|---|---
4616 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 | write | CheckSetting | 23004100430042006C006F00620000000000000000000000010000000100000000FE700C
4616 | explorer.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts | write | LastUpdate | 168F066700000000
612 | grpconv.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | 
612 | grpconv.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
612 | grpconv.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
6572 | 33bdd49c66f302dfd47c1831d7c0bb3a18df8998f397c4c631c12f10502727fd.exe | C:\Users\admin\AppData\Roaming\ScvXSCgRf.exe | executable | 9FF1678929D6AD43DC7963A456A5853F | 33BDD49C66F302DFD47C1831D7C0BB3A18DF8998F397C4C631C12F10502727FD
612 | grpconv.exe | C:\Users\admin\AppData\Local\Temp\n20vz2H | binary | A45465CDCDC6CB30C8906F3DA4EC114C | 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
6572 | 33bdd49c66f302dfd47c1831d7c0bb3a18df8998f397c4c631c12f10502727fd.exe | C:\Users\admin\AppData\Local\Temp\tmpEAB7.tmp | xml | CB47DB381FAA2A757EF6866FC249C8B9 | 1B0812BF92205CD10EECFCE1DFF52A0D46A4EFFE23AC3DF99E7A095508540889
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1764 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4616 | explorer.exe | GET | 200 | 3.33.130.190:80 | http://www.onemuslimmentors.xyz/3ay4/?oVevn=ci1_3s&Kk-Byfs=PuBQ/hOdVJANNwUQzzdTEa+zkfApgSPKgEqDhBASYMURWxyMHIenPOgyajIMF/2zFWCzDmFiAIipEGyvhu7lGIZ3uwKKI5hn/osEOZl7WYEWFX1qFNsVx3O0uQfdTiGVfqlqZ/M= | unknown | — | — | malicious |
4616 | explorer.exe | POST | — | 116.213.43.190:80 | http://www.ajpphqc.lol/b508/ | unknown | — | — | malicious |
4616 | explorer.exe | POST | — | 116.213.43.190:80 | http://www.ajpphqc.lol/b508/ | unknown | — | — | malicious |
6944 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4616 | explorer.exe | GET | — | 116.213.43.190:80 | http://www.ajpphqc.lol/b508/?oVevn=ci1_3s&Kk-Byfs=k3DyZSlSg9BeL/nEa2PC/Npg/tlVdZCgjtcRtOLJtCTPq/iI4T5YuVf+nqbwCbbSV5S/ZraN3pPjsluWolTc5JlyABzWgi5+X73Xx70gcto6/HthSNXRGJXgZvFUH0I7MeHWUOI= | unknown | — | — | malicious |
6944 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1764 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4616 | explorer.exe | POST | — | 116.213.43.190:80 | http://www.ajpphqc.lol/b508/ | unknown | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6944 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1764 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5488 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 92.123.104.67:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6944 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1764 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation
---|---|---
settings-win.data.microsoft.com | — | whitelisted
www.bing.com | — | whitelisted
google.com | — | whitelisted
crl.microsoft.com | — | whitelisted
www.microsoft.com | — | whitelisted
www.amkmos.online | — | unknown
www.yedurrum.xyz | — | malicious
self.events.data.microsoft.com | — | whitelisted
www.onemuslimmentors.xyz | — | malicious
www.hawalaz.xyz | — | unknown
PID | Process | Class | Message |
---|---|---|---|
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) M5 |
— | — | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP Header |
— | — | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP Header |
— | — | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP Header |
— | — | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) M5 |