| File name: | 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe |
| Full analysis: | https://app.any.run/tasks/29c546f2-9d30-4156-8933-96aa808bf7e3 |
| Verdict: | Malicious activity |
| Threats: | FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. |
| Analysis date: | August 15, 2024, 09:20:33 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows |
| MD5: | 15C4948711C3AC6250FF98D0E5272B27 |
| SHA1: | 545A473D3A8FC3810FBB0FF04E2D4D28AB95BEDB |
| SHA256: | 573D8EE9678CEF8163E96937A6A5A4F14A5ADE12F5646AB05550C0038C770E5D |
| SSDEEP: | 49152:4Yi+Vg9c/VhZTxpV8SNNOD/dGhrjHYPynS8yM:ri+Vx/VD14SNG1G1jWynSXM |
MALICIOUS
Adds path to the Windows Defender exclusion list
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Changes the autorun value in the registry
- msdt.exe (PID: 6304)
Actions looks like stealing of personal data
- msdt.exe (PID: 6304)
- cmd.exe (PID: 2064)
FORMBOOK has been detected (YARA)
- msdt.exe (PID: 6304)
- svchost.exe (PID: 7060)
Connects to the CnC server
- explorer.exe (PID: 4552)
FORMBOOK has been detected (SURICATA)
- explorer.exe (PID: 4552)
SUSPICIOUS
Drops the executable file immediately after the start
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Reads security settings of Internet Explorer
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Reads the date of Windows installation
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Script adds exclusion path to Windows Defender
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Starts POWERSHELL.EXE for commands execution
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Executes application which crashes
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Starts CMD.EXE for commands execution
- msdt.exe (PID: 6304)
Contacting a server suspected of hosting an CnC
- explorer.exe (PID: 4552)
INFO
Reads the computer name
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Checks supported languages
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Process checks computer location settings
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Reads the machine GUID from the registry
- 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe (PID: 6460)
Manual execution by a user
- msdt.exe (PID: 6304)
Checks proxy server information
- WerFault.exe (PID: 6384)
Reads the software policy settings
- WerFault.exe (PID: 6384)
Creates files or folders in the user directory
- WerFault.exe (PID: 6384)
- msdt.exe (PID: 6304)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 7016)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 7016)
Reads security settings of Internet Explorer
- msdt.exe (PID: 6304)
Create files in a temporary directory
- cmd.exe (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Formbook
(PID) Process(7060) svchost.exe
C2www.dunia188j.store/gy15/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)yb40w.top
286live.com
poozonlife.com
availableweedsonline.com
22926839.com
petlovepet.fun
halbaexpress.com
newswingbd.com
discountdesh.com
jwoalhbn.xyz
dandevonald.com
incrediblyxb.christmas
ailia.pro
ga3ki3.com
99812.photos
richiecom.net
ummahskills.online
peakleyva.store
a1cbloodtest.com
insurancebygarry.com
onz-cg3.xyz
erektiepil.com
hs-steuerberater.info
20allhen.online
mariaslakedistrict.com
losterrrcossmpm.com
tmb6x.rest
bagelsliders.com
njoku.net
tatoways.com
jmwmanglobalsolutionscom.com
midnightemporium.shop
gunaihotels.com
midsouthhealthcare.com
rtptt80.site
carmen-asa.com
gypsyjudyscott.com
djkleel.com
sophhia.site
tqqft8l5.xyz
00050385.xyz
oiupa.xyz
purenutrixion.com
worldinfopedia.com
8886493.com
1e0bfijiz43k6c8.skin
bunkerlabsgolf.com
twinportslocal.com
ttyijlaw.com
poiulkj.top
yuejiazy888.com
betbox2347.com
gettingcraftywitro.com
mantap303game.icu
skillspartner.net
cbla.info
rs-alohafactorysaleuua.shop
bt365434.com
redrivercompany.store
abc8win5.com
46431.club
vivehogar.net
menloparkshop.com
1776biz.live
(PID) Process(6304) msdt.exe
C2www.dunia188j.store/gy15/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate
dat=
f-start
f-end
Decoy C2 (64)yb40w.top
286live.com
poozonlife.com
availableweedsonline.com
22926839.com
petlovepet.fun
halbaexpress.com
newswingbd.com
discountdesh.com
jwoalhbn.xyz
dandevonald.com
incrediblyxb.christmas
ailia.pro
ga3ki3.com
99812.photos
richiecom.net
ummahskills.online
peakleyva.store
a1cbloodtest.com
insurancebygarry.com
onz-cg3.xyz
erektiepil.com
hs-steuerberater.info
20allhen.online
mariaslakedistrict.com
losterrrcossmpm.com
tmb6x.rest
bagelsliders.com
njoku.net
tatoways.com
jmwmanglobalsolutionscom.com
midnightemporium.shop
gunaihotels.com
midsouthhealthcare.com
rtptt80.site
carmen-asa.com
gypsyjudyscott.com
djkleel.com
sophhia.site
tqqft8l5.xyz
00050385.xyz
oiupa.xyz
purenutrixion.com
worldinfopedia.com
8886493.com
1e0bfijiz43k6c8.skin
bunkerlabsgolf.com
twinportslocal.com
ttyijlaw.com
poiulkj.top
yuejiazy888.com
betbox2347.com
gettingcraftywitro.com
mantap303game.icu
skillspartner.net
cbla.info
rs-alohafactorysaleuua.shop
bt365434.com
redrivercompany.store
abc8win5.com
46431.club
vivehogar.net
menloparkshop.com
1776biz.live
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:08:14 12:26:47+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 48 |
| CodeSize: | 18514 |
| InitializedDataSize: | 1430 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x0000 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 1.0.0.0 |
| ProductVersionNumber: | 1.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | Strong |
| FileVersion: | 1.0.0.0 |
| InternalName: | Strong.exe |
| LegalCopyright: | Copyright © 2024 |
| LegalTrademarks: | - |
| OriginalFileName: | Strong.exe |
| ProductName: | Strong |
| ProductVersion: | 1.0.0.0 |
| AssemblyVersion: | 1.0.0.0 |
Total processes
134
Monitored processes
13
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1292 | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | — | 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.19041.1 (WinBuild.160101.0800) | |||||||||||||||
| 2064 | /c copy "C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\admin\AppData\Local\Temp\DB1" /V | C:\Windows\SysWOW64\cmd.exe | msdt.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4552 | C:\WINDOWS\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 10.0.19041.3758 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5248 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6192 | "C:\Program Files\Mozilla Firefox\Firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | msdt.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 3221225534 Version: 123.0 Modules
| |||||||||||||||
| 6304 | "C:\Windows\SysWOW64\msdt.exe" | C:\Windows\SysWOW64\msdt.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
Formbook(PID) Process(6304) msdt.exe C2www.dunia188j.store/gy15/ Strings (79)USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start f-end Decoy C2 (64)yb40w.top 286live.com poozonlife.com availableweedsonline.com 22926839.com petlovepet.fun halbaexpress.com newswingbd.com discountdesh.com jwoalhbn.xyz dandevonald.com incrediblyxb.christmas ailia.pro ga3ki3.com 99812.photos richiecom.net ummahskills.online peakleyva.store a1cbloodtest.com insurancebygarry.com onz-cg3.xyz erektiepil.com hs-steuerberater.info 20allhen.online mariaslakedistrict.com losterrrcossmpm.com tmb6x.rest bagelsliders.com njoku.net tatoways.com jmwmanglobalsolutionscom.com midnightemporium.shop gunaihotels.com midsouthhealthcare.com rtptt80.site carmen-asa.com gypsyjudyscott.com djkleel.com sophhia.site tqqft8l5.xyz 00050385.xyz oiupa.xyz purenutrixion.com worldinfopedia.com 8886493.com 1e0bfijiz43k6c8.skin bunkerlabsgolf.com twinportslocal.com ttyijlaw.com poiulkj.top yuejiazy888.com betbox2347.com gettingcraftywitro.com mantap303game.icu skillspartner.net cbla.info rs-alohafactorysaleuua.shop bt365434.com redrivercompany.store abc8win5.com 46431.club vivehogar.net menloparkshop.com 1776biz.live | |||||||||||||||
| 6384 | C:\WINDOWS\system32\WerFault.exe -u -p 6460 -s 992 | C:\Windows\System32\WerFault.exe | 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6460 | "C:\Users\admin\Desktop\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe" | C:\Users\admin\Desktop\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Strong Exit code: 3221226356 Version: 1.0.0.0 Modules
| |||||||||||||||
| 6468 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7016 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\Desktop\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe" -Force | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
16 005
Read events
15 985
Write events
19
Delete events
1
Modification events
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop |
| Operation: | write | Name: | IconLayouts |
Value: 00000000000000000000000000000000030001000100010015000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000120000000000000063006900760069006C00660069006C00650073002E007200740066003E00200020000000160000000000000065006D00610069006C0073006F006C007500740069006F006E0073002E007200740066003E0020002000000019000000000000006A0061006E00750061007200790073006300690065006E00740069006600690063002E0070006E0067003E0020002000000017000000000000006D0065006D006200650072007300680069007000680065006100720074002E006A00700067003E002000200000000C000000000000006D00790074006F002E0070006E0067003E0020002000000010000000000000006E0063006D006F00640065006C0073002E007200740066003E002000200000000E000000000000006E006F0068006100760065002E0070006E0067003E002000200000001300000000000000720061006E0064006F006D0066006F007200630065002E0070006E0067003E002000200000001600000000000000730074006100740069006F006E006D0061006300680069006E0065002E007200740066003E0020002000000011000000000000007400790070006500730068006F006D0065002E007200740066003E002000200000001000000000000000770061007300740065007000680070002E0070006E0067003E0020002000000012000000000000007900640065007400650072006D0069006E0065002E0070006E0067003E00200020000000480000000000000035003700330064003800650065003900360037003800630065006600380031003600330065003900360039003300370061003600610035006100340066003100340061003500610064006500310032006600350036003400360061006200300035003500350030006300300030003300380063003700370030006500350064002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001500000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A040110000004040000000001200000040400000803F1300000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F0700000080410000A0401400 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop |
| Operation: | write | Name: | IconNameVersion |
Value: 1 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0044 |
| Operation: | write | Name: | VirtualDesktop |
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop |
| Operation: | write | Name: | IconLayouts |
Value: 00000000000000000000000000000000030001000100010015000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C000000120000000000000063006900760069006C00660069006C00650073002E007200740066003E00200020000000160000000000000065006D00610069006C0073006F006C007500740069006F006E0073002E007200740066003E0020002000000019000000000000006A0061006E00750061007200790073006300690065006E00740069006600690063002E0070006E0067003E0020002000000017000000000000006D0065006D006200650072007300680069007000680065006100720074002E006A00700067003E002000200000000C000000000000006D00790074006F002E0070006E0067003E0020002000000010000000000000006E0063006D006F00640065006C0073002E007200740066003E002000200000000E000000000000006E006F0068006100760065002E0070006E0067003E002000200000001300000000000000720061006E0064006F006D0066006F007200630065002E0070006E0067003E002000200000001600000000000000730074006100740069006F006E006D0061006300680069006E0065002E007200740066003E0020002000000011000000000000007400790070006500730068006F006D0065002E007200740066003E002000200000001000000000000000770061007300740065007000680070002E0070006E0067003E0020002000000012000000000000007900640065007400650072006D0069006E0065002E0070006E0067003E00200020000000480000000000000035003700330064003800650065003900360037003800630065006600380031003600330065003900360039003300370061003600610035006100340066003100340061003500610064006500310032006600350036003400360061006200300035003500350030006300300030003300380063003700370030006500350064002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001500000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A040110000004040000000001200000040400000803F1300000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000000401400 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts |
| Operation: | write | Name: | LastUpdate |
Value: 6AC8BD6600000000 | |||
| (PID) Process: | (4552) explorer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000C0044 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (6460) 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance |
| Operation: | write | Name: | Enabled |
Value: 0 | |||
| (PID) Process: | (6460) 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6460) 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6460) 573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
Executable files
0
Suspicious files
7
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6384 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_573d8ee9678cef81_ee8eea335a984c2dc3f7a1e75712bd456ac99057_f8aaee6d_97f3e017-f078-4d9d-a07f-b6c4c44d1973\Report.wer | — | |
MD5:— | SHA256:— | |||
| 6384 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe.6460.dmp | — | |
MD5:— | SHA256:— | |||
| 4552 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary | |
MD5:E49C56350AEDF784BFE00E444B879672 | SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E | |||
| 6384 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER728D.tmp.WERInternalMetadata.xml | xml | |
MD5:EF68411ED2891F5641D18C9A53C43D70 | SHA256:8ABDA803AEDDE8E2DE64945B12EBC283138027B997A4604003F42F75655B4FCD | |||
| 6384 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER72AD.tmp.xml | xml | |
MD5:C4E7359D53ABAE54D1192CD821C0691D | SHA256:5A5E126E79B16F68576DFB10807625AC0BF6B73751D663D581CB0A87764B3BF7 | |||
| 7016 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_riundrcn.lvu.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 7016 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ilg0gnoa.vag.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6304 | msdt.exe | C:\Users\admin\AppData\Roaming\L534P6U8\L53logri.ini | binary | |
MD5:D63A82E5D81E02E399090AF26DB0B9CB | SHA256:EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE | |||
| 2064 | cmd.exe | C:\Users\admin\AppData\Local\Temp\DB1 | binary | |
MD5:A45465CDCDC6CB30C8906F3DA4EC114C | SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209 | |||
| 6304 | msdt.exe | C:\Users\admin\AppData\Roaming\L534P6U8\L53logrv.ini | binary | |
MD5:BA3B6BC807D4F76794C4B81B09BB9BA5 | SHA256:6EEBF968962745B2E9DE2CA969AF7C424916D4E3FE3CC0BB9B3D414ABFCE9507 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
27
DNS requests
9
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4552 | explorer.exe | POST | — | 157.53.227.1:80 | http://www.carmen-asa.com/gy15/ | unknown | — | — | unknown |
4552 | explorer.exe | GET | 301 | 157.53.227.1:80 | http://www.carmen-asa.com/gy15/?QFNX=ojuzNIgk8lJwbGAfPYIecm58HYsz0PWD/adWnxcLSOv/0CtFh7ct+QMG65BxlQu2JCsq&Ab_xnj=VlblOXdxRnH8ln | unknown | — | — | malicious |
4552 | explorer.exe | GET | — | 132.148.176.133:80 | http://www.insurancebygarry.com/gy15/?QFNX=lEjklkRC71hPsxLcCRRFBTDa7+TgMkM5D1NW0DxYpPUTiFRADCuItg+T97BSTJhLINi1&Ab_xnj=VlblOXdxRnH8ln | unknown | — | — | malicious |
4552 | explorer.exe | GET | — | 23.227.38.32:80 | http://www.midnightemporium.shop/gy15/?QFNX=gg9Rt/YQWr+bn+6HO2u6qpUSvHmKN/Dqef1A/chBCoDoZdMk4oqPsLoddYP7kSSI3it4&Ab_xnj=VlblOXdxRnH8ln | unknown | — | — | malicious |
4552 | explorer.exe | POST | — | 132.148.176.133:80 | http://www.insurancebygarry.com/gy15/ | unknown | — | — | unknown |
4552 | explorer.exe | POST | — | 132.148.176.133:80 | http://www.insurancebygarry.com/gy15/ | unknown | — | — | unknown |
4552 | explorer.exe | GET | — | 170.39.213.118:80 | http://www.petlovepet.fun/gy15/?QFNX=iC43Yolht55VctuQ5x817duDMf4/7Oqr6dUEfXzadHuhm9o1RzNmy9XlgeYCd5I4mTuS&Ab_xnj=VlblOXdxRnH8ln | unknown | — | — | malicious |
4552 | explorer.exe | POST | — | 23.227.38.32:80 | http://www.midnightemporium.shop/gy15/ | unknown | — | — | unknown |
4552 | explorer.exe | POST | — | 23.227.38.32:80 | http://www.midnightemporium.shop/gy15/ | unknown | — | — | unknown |
4552 | explorer.exe | POST | — | 170.39.213.118:80 | http://www.petlovepet.fun/gy15/ | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3044 | RUXIMICS.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5796 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5796 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6384 | WerFault.exe | 20.189.173.21:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
4552 | explorer.exe | 157.53.227.1:80 | www.carmen-asa.com | NetActuate, Inc | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
www.carmen-asa.com |
| malicious |
www.insurancebygarry.com |
| malicious |
www.midnightemporium.shop |
| malicious |
www.twinportslocal.com |
| malicious |
www.22926839.com |
| malicious |
www.petlovepet.fun |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4552 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
4552 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
4552 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
4552 | explorer.exe | Malware Command and Control Activity Detected | ET MALWARE FormBook CnC Checkin (GET) |
8 ETPRO signatures available at the full report