Field | Value
---|---|
URL | http://www.plumbytes.com/download/cuid/?tid=rwid_p00000
Full analysis | https://app.any.run/tasks/f035cc5c-5926-4d50-8ec5-900948826c92
Verdict | Malicious activity
Analysis date | May 24, 2019, 17:22:10
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MD5 | FB272237645C97D5C553376D8DCBDAA4
SHA1 | 48F28A6C7F1F990EDDF86FBCAFC7F270B088BC16
SHA256 | 67F1CC45583ECFB089FF1E8DC279FFCEB7030860BC11212D1AA02F178DCFC96B
SSDEEP | 3:N1KJS4pdWKL2X0d/V:Cc4pdNk0FV

PID | CMD | Path | Indicators | Parent process | User | Integrity level | Exit code | Version | Company | Description
---|---|---|---|---|---|---|---|---|---|---|
2940 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | admin | MEDIUM | 1 | 8.00.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation | Internet Explorer
3228 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | LOW | 0 | 8.00.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation | Internet Explorer
3660 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe | — | iexplore.exe | admin | MEDIUM | 3221226540 | 1.0.5.3 | Plumbytes Software Lp | Plumbytes Anti-Malware
2748 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe | — | iexplore.exe | admin | HIGH | 0 | 1.0.5.3 | Plumbytes Software Lp | Plumbytes Anti-Malware
3572 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wininet.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | cuid[1].exe | admin | LOW | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) | Microsoft Corporation | Windows host process (Rundll32)
3928 | /S | C:\Users\admin\AppData\Local\Temp\pai364C.tmp | — | cuid[1].exe | admin | HIGH | 0 | 1.0.5.3 | Plumbytes Software Lp | Plumbytes Anti-Malware
3120 | "C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe" run | C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe | — | services.exe | SYSTEM | SYSTEM | — | 0.9.0.648 | Plumbytes Software Lp | Anti-Malware Service
2712 | "C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\Plumbytes.exe" | C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\Plumbytes.exe | — | pai364C.tmp | admin | HIGH | — | 1.0.5.3 | Plumbytes Software Lp | Plumbytes Anti-Malware
3404 | "C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe" getenv 1 | C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe | — | AmwService.exe | admin | MEDIUM | 0 | 0.9.0.648 | Plumbytes Software Lp | Anti-Malware Service
2572 | "C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe" getenv 2 | C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe | — | AmwService.exe | admin | MEDIUM | 0 | 0.9.0.648 | Plumbytes Software Lp | Anti-Malware Service

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | —
2940 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFA1D1107E99BBB696.TMP | — | — | —
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{805C922E-7E48-11E9-B3B3-5254004A04AF}.dat | binary | 8AD79C54ADB125E6F186942502376AF2 | 2FF427288CAD4B5CDAB6C6958E196FD3DA417F1ABDC926B7109315B29E140148
3228 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 9B323F9706E1CC496BC6972D2349BA7A | DC701A3C373D1C354AD6913C22E82A49AFB5B35662FFB82ED157453981BC9148
3228 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@plumbytes[1].txt | text | 1CD377DF19008A7F26F3A16AD64E0FD6 | E99CE70CF77E96744E94354C4132FF0E4D77ADD61657D20302F1CF4BFFB110C8
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFF2FDF2E4BAFDC413.TMP | — | — | —
2940 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe | executable | F36109A59AC6AA22CE9DC878778EBC72 | FD5CE06CB117B435237BEE8B689F717CE1F1900402C6E555CFBA66C1E20907C8
3228 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VPOIEHBO\antimalwaresetup[1].exe | executable | F36109A59AC6AA22CE9DC878778EBC72 | FD5CE06CB117B435237BEE8B689F717CE1F1900402C6E555CFBA66C1E20907C8
3228 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | D10F5317143C3571ACCBB97358925673 | B997F883C9C8B9DDB303F4CFD1E9E3C1908909E7E6F1504D39A6379C4946FF44

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2748 | cuid[1].exe | GET | — | 45.55.29.117:80 | http://45.55.29.117/download/nsis/pb_nsissetup.exe | US | — | — | suspicious |
2748 | cuid[1].exe | GET | — | 45.55.29.117:80 | http://45.55.29.117/download/nsis/pb_nsissetup.exe | US | — | — | suspicious |
3228 | iexplore.exe | GET | 301 | 45.55.29.117:80 | http://www.plumbytes.com/download/cuid/?tid=rwid_p00000 | US | html | 260 b | suspicious |
3928 | pai364C.tmp | GET | 301 | 45.55.29.117:80 | http://plumbytes.com/logs.php?cuid=ver_ | US | html | 248 b | suspicious |
2748 | cuid[1].exe | GET | — | 45.55.29.117:80 | http://45.55.29.117/download/nsis/pb_nsissetup.exe | US | — | — | suspicious |
2940 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
2712 | Plumbytes.exe | GET | 301 | 45.55.29.117:80 | http://www.plumbytes.com/settings/amw.xml | US | html | 246 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2940 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3228 | iexplore.exe | 45.55.29.117:443 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious |
3928 | pai364C.tmp | 45.55.29.117:80 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious |
3228 | iexplore.exe | 45.55.29.117:80 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious |
2748 | cuid[1].exe | 45.55.29.117:80 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious |
3928 | pai364C.tmp | 45.55.29.117:443 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious |
2712 | Plumbytes.exe | 45.55.29.117:80 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious |
2712 | Plumbytes.exe | 45.55.29.117:443 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious |
3120 | AmwService.exe | 152.199.19.161:443 | plumbytes.azureedge.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2712 | Plumbytes.exe | 104.40.92.107:443 | license.plumbytes.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation
---|---|---|
www.bing.com | — | whitelisted
www.plumbytes.com | — | suspicious
plumbytes.com | — | suspicious
plumbytes.azureedge.net | — | whitelisted
license.plumbytes.com | — | suspicious

PID | Process | Class | Message |
---|---|---|---|
2748 | cuid[1].exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2748 | cuid[1].exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2748 | cuid[1].exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2748 | cuid[1].exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2748 | cuid[1].exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3928 | pai364C.tmp | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
3928 | pai364C.tmp | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |
2748 | cuid[1].exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2748 | cuid[1].exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |