analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PO#051497.pdf.exe

Full analysis: https://app.any.run/tasks/1cc01aeb-cf4a-48a5-b058-08a5824bd14e
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: January 17, 2020, 14:26:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
formbook
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

852E8D71E329E74D669EECE001FCF3B7

SHA1:

D1B13735FCF5C1328B1B5A52F57047836EA3E81C

SHA256:

45B35DE21E69AD137AD6BCF56FD93359B145FBAC7F20FA7484C3EB14133FDB61

SSDEEP:

12288:56+13sf8irOhRxuX+yvWWegrXvfJ5e7HkjYy86iKSakCKEqx:Ty1JvfrIkjA6VMzx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Thermidorian.exe (PID: 792)
    • Application was dropped or rewritten from another process

      • Thermidorian.exe (PID: 792)
      • cmd.exe (PID: 2204)
      • cmd.exe (PID: 2928)
      • cmd.exe (PID: 928)
      • cmd.exe (PID: 2856)
      • igfx8pk.exe (PID: 3972)
      • ehg47bmx.exe (PID: 3388)
    • Runs app for hidden code execution

      • Thermidorian.exe (PID: 792)
      • explorer.exe (PID: 352)
    • FORMBOOK was detected

      • explorer.exe (PID: 352)
      • cmd.exe (PID: 2856)
      • Firefox.exe (PID: 3880)
    • Connects to CnC server

      • explorer.exe (PID: 352)
    • Changes the autorun value in the registry

      • cmd.exe (PID: 2856)
    • Actions looks like stealing of personal data

      • cmd.exe (PID: 2856)
    • Stealing of credential data

      • cmd.exe (PID: 2856)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 2204)
      • Thermidorian.exe (PID: 792)
      • explorer.exe (PID: 352)
      • cmd.exe (PID: 2856)
    • Application launched itself

      • cmd.exe (PID: 2204)
      • cmd.exe (PID: 2856)
    • Executable content was dropped or overwritten

      • PO#051497.pdf.exe (PID: 2496)
      • cmd.exe (PID: 928)
      • explorer.exe (PID: 352)
      • DllHost.exe (PID: 3036)
      • cmd.exe (PID: 2856)
    • Creates files in the user directory

      • cmd.exe (PID: 928)
      • cmd.exe (PID: 2856)
    • Executed via COM

      • DllHost.exe (PID: 3036)
    • Creates files in the program directory

      • DllHost.exe (PID: 3036)
    • Loads DLL from Mozilla Firefox

      • cmd.exe (PID: 2856)
  • INFO

    • Manual execution by user

      • cmd.exe (PID: 2856)
    • Reads the hosts file

      • cmd.exe (PID: 2856)
    • Creates files in the user directory

      • Firefox.exe (PID: 3880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:12:16 01:50:47+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 25600
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x33c4
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Dec-2019 00:50:47
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 16-Dec-2019 00:50:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0000631A
0x00006400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44843
.rdata
0x00008000
0x00001384
0x00001400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.13881
.data
0x0000A000
0x00020318
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.90283
.ndata
0x0002B000
0x0001C000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00047000
0x0005B280
0x0005B400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.22237

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.29665
1059
UNKNOWN
English - United States
RT_MANIFEST
2
3.26157
67624
UNKNOWN
English - United States
RT_ICON
3
3.5647
16936
UNKNOWN
English - United States
RT_ICON
4
3.76345
9640
UNKNOWN
English - United States
RT_ICON
5
4.01618
4264
UNKNOWN
English - United States
RT_ICON
6
4.1728
1128
UNKNOWN
English - United States
RT_ICON
7
0
296
UNKNOWN
English - United States
RT_ICON
103
2.51066
104
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.73893
514
UNKNOWN
English - United States
RT_DIALOG
107
2.52183
160
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
11
Malicious processes
4
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start po#051497.pdf.exe thermidorian.exe no specs cmd.exe no specs cmd.exe #FORMBOOK cmd.exe cmd.exe no specs #FORMBOOK explorer.exe Copy/Move/Rename/Delete/Link Object igfx8pk.exe no specs #FORMBOOK firefox.exe no specs ehg47bmx.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2496"C:\Users\admin\AppData\Local\Temp\PO#051497.pdf.exe" C:\Users\admin\AppData\Local\Temp\PO#051497.pdf.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
792C:\Users\admin\AppData\Local\Temp\Thermidorian.exeC:\Users\admin\AppData\Local\Temp\Thermidorian.exePO#051497.pdf.exe
User:
admin
Company:
Sonic Solutions
Integrity Level:
MEDIUM
Description:
DVDBValidateDlg.dll
Exit code:
0
Version:
12.2.1.92
2204"C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exeThermidorian.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
928C:\Windows\system32\cmd.exe /c "COPY /Y /B "C:\Users\admin\AppData\Local\Temp\PO#051497.pdf.exe" "C:\Users\admin\AppData\Roaming\Microsoft\Crypto\cmdkey.exe""C:\Windows\system32\cmd.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2856"C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2928/c del "C:\Windows\system32\cmd.exe"C:\Windows\System32\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
352C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3036C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}C:\Windows\system32\DllHost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3972"C:\Program Files\Cnvch\igfx8pk.exe"C:\Program Files\Cnvch\igfx8pk.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3880"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.exe
cmd.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Total events
2 606
Read events
2 595
Write events
11
Delete events
0

Modification events

(PID) Process:(2856) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:ZLVHL8LHJJ
Value:
C:\Program Files\Cnvch\igfx8pk.exe
(PID) Process:(352) explorer.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2856) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2856) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Paipu\vtsk8cx.rkr
Value:
000000000000000000000000C0D40100000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF000000000000000000000000
(PID) Process:(352) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
000000003200000037000000DEB31400090000000D000000CC19050033003000380030003400360042003000410046003400410033003900430042000000460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E006500780065000000740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C0051007500690063006B0020004C00610075006E00630068005C0055007300650072002000500069006E006E006500000000000034FF01F832FF01D4E3E1013DA94A7600000000FBFFFF7FF8E3E101987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF000000000000000000000000534275066D42750653427506000000000000000000000000080000002E006C00E72F0A77A48EF37600000000AC032E0000002E00E72F0A77B08EF37603005B019604010000002E005B148D23020000006CE4E101B07F0A7744E5E1010000000058005A0044E5E1010200000010E5E101F2700A7791830A771C8FF37611000000B8453100B045310078192F00F8FD580600E500008F148D23B0E4E10182914A7600E5E101B4E4E10127954A7600000000CC90FF01DCE4E101CD944A76CC90FF0188E5E101408CFF01E1944A7600000000408CFF0188E5E101E4E4E101090000000D000000CC19050033003000380030003400360042003000410046003400410033003900430042000000460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E006500780065000000740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C0051007500690063006B0020004C00610075006E00630068005C0055007300650072002000500069006E006E006500000000000034FF01F832FF01D4E3E1013DA94A7600000000FBFFFF7FF8E3E101987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF000000000000000000000000534275066D42750653427506000000000000000000000000080000002E006C00E72F0A77A48EF37600000000AC032E0000002E00E72F0A77B08EF37603005B019604010000002E005B148D23020000006CE4E101B07F0A7744E5E1010000000058005A0044E5E1010200000010E5E101F2700A7791830A771C8FF37611000000B8453100B045310078192F00F8FD580600E500008F148D23B0E4E10182914A7600E5E101B4E4E10127954A7600000000CC90FF01DCE4E101CD944A76CC90FF0188E5E101408CFF01E1944A7600000000408CFF0188E5E101E4E4E101090000000D000000CC19050033003000380030003400360042003000410046003400410033003900430042000000460032002D0039003300300035002D003600370044004500300042003200380046004300320033007D005C006500780070006C006F007200650072002E006500780065000000740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C0049006E007400650072006E006500740020004500780070006C006F007200650072005C0051007500690063006B0020004C00610075006E00630068005C0055007300650072002000500069006E006E006500000000000034FF01F832FF01D4E3E1013DA94A7600000000FBFFFF7FF8E3E101987880574F8C6244BB6371042380B1090000000001100211FFFFFFFF000000000000000000000000534275066D42750653427506000000000000000000000000080000002E006C00E72F0A77A48EF37600000000AC032E0000002E00E72F0A77B08EF37603005B019604010000002E005B148D23020000006CE4E101B07F0A7744E5E1010000000058005A0044E5E1010200000010E5E101F2700A7791830A771C8FF37611000000B8453100B045310078192F00F8FD580600E500008F148D23B0E4E10182914A7600E5E101B4E4E10127954A7600000000CC90FF01DCE4E101CD944A76CC90FF0188E5E101408CFF01E1944A7600000000408CFF0188E5E101E4E4E101
Executable files
10
Suspicious files
80
Text files
52
Unknown types
2

Dropped files

PID
Process
Filename
Type
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\bb-hist\psql\XMLSDKA.HxKxml
MD5:6223A207067B298A99782A5372E11A63
SHA256:885A217F5E6015478815E1DA1C95A106ECED995207BF0F812FFAB593495B07D1
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\bb-hist\psql\9.opends60.dllbinary
MD5:FB839DA15DBBCFDB7AFE5F082FE605DF
SHA256:8CC0AD9C334DD6AB129C49C07CE7336F8408C7E8E86E933618EC1DDC459AF54F
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\bb-hist\psql\pgmedge.1.gzcompressed
MD5:ECE29F694D140B029A071B45CAF9295B
SHA256:AD2D2C2F73DBFCACE916FFF452F029E9D0225ABC0EAA3F574C0AF79048F0DDB6
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\network\null\R\scriptlet\pear\gnome-software-common.listtext
MD5:71E73FDBFEAAB35B3E93135A5C82F593
SHA256:FF1498D536916E30997F4BE7C0F7429372529F00536B2EDF7DC258A6BBB25294
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\bb-hist\psql\1501.GIFimage
MD5:39B3DE346DC70E051D0BE0AC72C91123
SHA256:3A8B55263FECFBF27BAE6607B3F33CB163EF10C9CF1C11F82E2EF575C3C76A16
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\hitcount\da\phpmyadmin\x-karbon.xmlxml
MD5:F72D77F1AF72237FCD7D28D2A8D8B81C
SHA256:789929CC79D31C724A694A2A9E12982BA4400CE1C26361027C9B61229A9D3397
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\oldie\cr\ADM\DirControlUI.dllexecutable
MD5:8336D745ED766DC246E589BF94552946
SHA256:B35FF83DBE38EEB755C1DED81F308C414DA1CF34B57823B8F2A08400352C1A1B
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\oldie\cr\ADM\VSLauncher.exexml
MD5:3898B8F9B521E8AF2B6C194637004D55
SHA256:A40B94527551FD604F4D548BBB61AA7AB76525209B22F9D27F35701C25E188E4
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\hitcount\da\phpmyadmin\ip-ntable.8.gzcompressed
MD5:8A09FD16F60B3C3F2A818941DD70D409
SHA256:6A602F38C1036320898F8209D76DB83EABFF210D9ABA30FCAC62E8C69AF6AA0B
2496PO#051497.pdf.exeC:\Users\admin\AppData\Local\Temp\oldie\cr\ADM\doculabsws07.gifimage
MD5:2BACC8CA23BB8C553BA0D3B18C08C158
SHA256:FA757FBF829AD3C3D13EFDDA73EEBFFE63944B90555D89C85D206D984FCF5097
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
14
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
352
explorer.exe
GET
198.185.159.144:80
http://www.kaseyandersonmusic.com/sa/?LX10r0H=xwlUphGcljDq4VdtMAIAXu1Aucpda0PK6WggYWQEY7PXIJ0kGq340WR1Xy/xH723DlRDpA==&FrXl=ndvHwjQ8X&sql=1
US
malicious
352
explorer.exe
GET
154.86.131.150:80
http://www.cheapmonclerjacketsoutlets.com/sa/?LX10r0H=GEYap0e+DccOkxrWkQyYWzauM5SzDQgnZAOcYVYblqLnHR/1oKsCb3YKyf4fU9nmHWIBgA==&FrXl=ndvHwjQ8X
US
malicious
352
explorer.exe
GET
301
68.65.122.35:80
http://www.platinumpowerplanet.com/sa/?LX10r0H=FMNZ+0IdmlbWClhIRL1zH4ioMZAu2cNWWZdSVvCo/W0rMf8qfMIhQ09QKucyhlyjNaLzUA==&FrXl=ndvHwjQ8X
US
malicious
352
explorer.exe
GET
63.250.33.103:80
http://www.skylod.com/sa/?LX10r0H=SM5LhZrjIDszq8dWOR01LJjTq42xusFjlyDX+xwSOXHFKXRdwY68gAObCx9XlQsiARbQ5A==&FrXl=ndvHwjQ8X
US
malicious
352
explorer.exe
POST
68.65.122.35:80
http://www.platinumpowerplanet.com/sa/
US
malicious
352
explorer.exe
POST
63.250.33.103:80
http://www.skylod.com/sa/
US
malicious
352
explorer.exe
POST
68.65.122.35:80
http://www.platinumpowerplanet.com/sa/
US
malicious
352
explorer.exe
POST
63.250.33.103:80
http://www.skylod.com/sa/
US
malicious
352
explorer.exe
POST
198.185.159.144:80
http://www.kaseyandersonmusic.com/sa/
US
malicious
352
explorer.exe
POST
404
63.250.33.103:80
http://www.skylod.com/sa/
US
html
290 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
352
explorer.exe
198.185.159.144:80
www.kaseyandersonmusic.com
Squarespace, Inc.
US
malicious
352
explorer.exe
154.86.131.150:80
www.cheapmonclerjacketsoutlets.com
MULTACOM CORPORATION
US
malicious
352
explorer.exe
63.250.33.103:80
www.skylod.com
Frontline Data Services, Inc
US
malicious
352
explorer.exe
68.65.122.35:80
www.platinumpowerplanet.com
Namecheap, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
www.cheapmonclerjacketsoutlets.com
  • 154.86.131.150
malicious
www.artisanstradingcompany.com
unknown
www.phochain.com
unknown
www.rionagray.com
unknown
www.kaseyandersonmusic.com
  • 198.185.159.144
  • 198.185.159.145
  • 198.49.23.144
  • 198.49.23.145
malicious
www.skylod.com
  • 63.250.33.103
malicious
www.kunquanchao.net
unknown
www.imaginease.com
shared
www.hsctsu.com
unknown
www.origamiformal.win
unknown

Threats

PID
Process
Class
Message
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
352
explorer.exe
A Network Trojan was detected
SPYWARE [PTsecurity] FormBook
10 ETPRO signatures available at the full report
No debug info