File name:

Novi upit #876567-AWB.exe

Full analysis: https://app.any.run/tasks/5698e443-29de-4773-bb43-d363cef793a5
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: August 11, 2024, 07:12:45
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
netreactor
formbook
stealer
xloader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

1E07F9E0E115B0D56B8C051C9E38563E

SHA1:

E5A7B7EB96343D506AB16B17868D281CC0D9188B

SHA256:

6F4EF07076EBAD36EEA92EEAEB42B91BDF910D4E93BC0BF6B4FC40E6D191ED83

SSDEEP:

24576:tWoyz8pQKWB+N64khFztxT/0ucViCjJHVh0+JZrLN0fr7KBa9JTI3r1I9:tWoyz8pQKWB+N64khFztxT/0ucICjJHY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • Novi upit #876567-AWB.exe (PID: 6276)

    • Connects to the CnC server

      • explorer.exe (PID: 4552)

    • FORMBOOK has been detected (SURICATA)

      • explorer.exe (PID: 4552)

    • FORMBOOK has been detected (YARA)

      • help.exe (PID: 6428)

  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • Novi upit #876567-AWB.exe (PID: 6276)

    • Reads security settings of Internet Explorer

      • Novi upit #876567-AWB.exe (PID: 6276)

    • Reads the date of Windows installation

      • Novi upit #876567-AWB.exe (PID: 6276)

    • Executable content was dropped or overwritten

      • Novi upit #876567-AWB.exe (PID: 6276)

    • Starts CMD.EXE for commands execution

      • help.exe (PID: 6428)

    • Deletes system .NET executable

      • cmd.exe (PID: 7100)

    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 4552)

  • INFO

    • Checks supported languages

      • Novi upit #876567-AWB.exe (PID: 6276)
      • RegSvcs.exe (PID: 5984)

    • Reads the computer name

      • Novi upit #876567-AWB.exe (PID: 6276)
      • RegSvcs.exe (PID: 5984)

    • Creates files or folders in the user directory

      • Novi upit #876567-AWB.exe (PID: 6276)

    • Process checks computer location settings

      • Novi upit #876567-AWB.exe (PID: 6276)

    • Create files in a temporary directory

      • Novi upit #876567-AWB.exe (PID: 6276)

    • Reads the machine GUID from the registry

      • Novi upit #876567-AWB.exe (PID: 6276)

    • .NET Reactor protector has been detected

      • Novi upit #876567-AWB.exe (PID: 6276)

    • Manual execution by a user

      • help.exe (PID: 6428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(6428) help.exe
C2www.upcyclecharms.com/md02/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)onsen1508.com
partymaxclubmen36.click
texasshelvingwarehouse.com
tiantiying.com
taxcredits-pr.com
33mgbet.com
equipoleiremnacional.com
andrewghita.com
zbbnp.xyz
englandbreaking.com
a1b5v.xyz
vizamag.com
h0lg3.rest
ux-design-courses-17184.bond
of84.top
qqkartel88v1.com
avalynkate.com
cpuk-finance.com
yeslabs.xyz
webuyandsellpa.com
barnesassetrecovery.store
hecxion.xyz
theopencomputeproject.net
breezyvw.christmas
mumazyl.com
woby.xyz
jalaios10.vip
lynxpire.com
sparkbpo.com
333689z.com
rslotrank.win
adscendmfmarketing.com
detroitreels.com
xojiliv1.com
mzhhxxff.xyz
hitcomply.com
piedge-taiko.net
chiri.lat
bookmygaddi.com
hjemfinesse.shop
zruypj169g.top
solarfundis.com
pittsparking.com
teplo-invest.com
j3k7n.xyz
coloradoskinwellness.com
z8ggd.com
coinbureau.xyz
mamasprinkleofjoy.com
xotj7a.xyz
nijssenadventures.com
ysa-cn.com
tigajco69.fun
localhomeservicesadvisor.com
attorney-services-8344642.zone
rnwaifu.xyz
nyverian.com
family-lawyers-7009103.world
117myw.com
kingdom66.lat
tdshomesolution.com
momof2filiricans.com
saeutah.com
rakring.com
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (49.4)
.scr | Windows screen saver (23.4)
.dll | Win32 Dynamic Link Library (generic) (11.7)
.exe | Win32 Executable (generic) (8)
.exe | Generic Win/DOS Executable (3.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:09 03:40:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 628736
InitializedDataSize: 8704
UninitializedDataSize: -
EntryPoint: 0x9b75e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: -
FileVersion: 0.0.0.0
InternalName: uzYq.exe
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: uzYq.exe
ProductName: -
ProductVersion: 0.0.0.0
AssemblyVersion: 0.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
139
Monitored processes
8
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start THREAT novi upit #876567-awb.exe schtasks.exe no specs conhost.exe no specs regsvcs.exe no specs #FORMBOOK help.exe no specs cmd.exe no specs conhost.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
4552C:\WINDOWS\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\smartscreenps.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\aepic.dll
4772"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZtrukSbkRD" /XML "C:\Users\admin\AppData\Local\Temp\tmp8EDE.tmp"C:\Windows\SysWOW64\schtasks.exeNovi upit #876567-AWB.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5064\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5984"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeNovi upit #876567-AWB.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6276"C:\Users\admin\AppData\Local\Temp\Novi upit #876567-AWB.exe" C:\Users\admin\AppData\Local\Temp\Novi upit #876567-AWB.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
0.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\novi upit #876567-awb.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6428"C:\Windows\SysWOW64\help.exe"C:\Windows\SysWOW64\help.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Command Line Help Utility
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\help.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
Formbook
(PID) Process(6428) help.exe
C2www.upcyclecharms.com/md02/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)onsen1508.com
partymaxclubmen36.click
texasshelvingwarehouse.com
tiantiying.com
taxcredits-pr.com
33mgbet.com
equipoleiremnacional.com
andrewghita.com
zbbnp.xyz
englandbreaking.com
a1b5v.xyz
vizamag.com
h0lg3.rest
ux-design-courses-17184.bond
of84.top
qqkartel88v1.com
avalynkate.com
cpuk-finance.com
yeslabs.xyz
webuyandsellpa.com
barnesassetrecovery.store
hecxion.xyz
theopencomputeproject.net
breezyvw.christmas
mumazyl.com
woby.xyz
jalaios10.vip
lynxpire.com
sparkbpo.com
333689z.com
rslotrank.win
adscendmfmarketing.com
detroitreels.com
xojiliv1.com
mzhhxxff.xyz
hitcomply.com
piedge-taiko.net
chiri.lat
bookmygaddi.com
hjemfinesse.shop
zruypj169g.top
solarfundis.com
pittsparking.com
teplo-invest.com
j3k7n.xyz
coloradoskinwellness.com
z8ggd.com
coinbureau.xyz
mamasprinkleofjoy.com
xotj7a.xyz
nijssenadventures.com
ysa-cn.com
tigajco69.fun
localhomeservicesadvisor.com
attorney-services-8344642.zone
rnwaifu.xyz
nyverian.com
family-lawyers-7009103.world
117myw.com
kingdom66.lat
tdshomesolution.com
momof2filiricans.com
saeutah.com
rakring.com
7096\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7100/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\SysWOW64\cmd.exehelp.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
3 179
Read events
3 169
Write events
9
Delete events
1

Modification events

(PID) Process:(6276) Novi upit #876567-AWB.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(6276) Novi upit #876567-AWB.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(6276) Novi upit #876567-AWB.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(6276) Novi upit #876567-AWB.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4552) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000005030C
Operation:writeName:VirtualDesktop
Value:
1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:(4552) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000005030C
Operation:delete keyName:(default)
Value:
Executable files
1
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
4552explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
6276Novi upit #876567-AWB.exeC:\Users\admin\AppData\Roaming\ZtrukSbkRD.exeexecutable
MD5:1E07F9E0E115B0D56B8C051C9E38563E
SHA256:6F4EF07076EBAD36EEA92EEAEB42B91BDF910D4E93BC0BF6B4FC40E6D191ED83
6276Novi upit #876567-AWB.exeC:\Users\admin\AppData\Local\Temp\tmp8EDE.tmpxml
MD5:92DF28005EBAD9F254D28A8A6D6AB8C7
SHA256:6F51A7B520899463B064DE113C98E73D8E5EDDF82016245F0BF9E0EC4657F57E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
43
DNS requests
21
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4592
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4592
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6768
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6800
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4552
explorer.exe
GET
301
172.64.144.227:80
http://www.33mgbet.com/md02/?O6b=ArtXnxghTFsXu&8pglW=t+COfq1k/EMJMtGJy4ffQF6Jo9EOeFI2rokLIpdDcdgn8qfouM+tADvwOSFN9mFOfn1x
unknown
unknown
4552
explorer.exe
GET
301
44.227.65.245:80
http://www.tdshomesolution.com/md02/?8pglW=MJ1SYRKDU9XmoJmyQnKLBLocVjntbnqBrFS3SLZ7opa/ORO3G8lQC5QM4+1uNRG2tsfn&O6b=ArtXnxghTFsXu
unknown
whitelisted
4552
explorer.exe
GET
409
104.18.188.223:80
http://www.family-lawyers-7009103.world/md02/?8pglW=+rGk6srJhsAzJTxWXOqbvfHcFkXzJFDgSVtcy/CEJGBVj5Q96m42xQsdUHgdn1NUwr/L&O6b=ArtXnxghTFsXu
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
5060
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3164
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
5336
SearchApp.exe
104.126.37.128:443
www.bing.com
Akamai International B.V.
DE
unknown
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4592
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4592
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.184.206
whitelisted
www.bing.com
  • 104.126.37.128
  • 104.126.37.137
  • 104.126.37.170
  • 104.126.37.130
  • 104.126.37.186
  • 104.126.37.177
  • 104.126.37.161
  • 104.126.37.163
  • 104.126.37.178
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.74
  • 40.126.32.136
  • 40.126.32.140
  • 40.126.32.134
  • 40.126.32.76
  • 40.126.32.138
  • 20.190.160.14
  • 20.190.160.20
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
th.bing.com
  • 104.126.37.177
  • 104.126.37.154
  • 104.126.37.163
  • 104.126.37.161
  • 104.126.37.130
  • 104.126.37.170
  • 104.126.37.128
  • 104.126.37.186
  • 104.126.37.178
whitelisted
fd.api.iris.microsoft.com
  • 20.223.36.55
whitelisted
arc.msn.com
  • 20.103.156.88
whitelisted
slscr.update.microsoft.com
  • 20.114.59.183
whitelisted

Threats

PID
Process
Class
Message
4552
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET)
4552
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET)
4552
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Novi upit #876567-AWB.exe