Malware analysis PAYMENT ERROR.exe Malicious activity

Add for printing

File name:	PAYMENT ERROR.exe
Full analysis:	https://app.any.run/tasks/353912fd-2e6e-408b-bda0-ccba4c8be84f
Verdict:	Malicious activity
Threats:	FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 07, 2024, 16:34:33
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	formbook xloader stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
MD5:	3D93AD3D9374E100842FC9A5C683D86B
SHA1:	6D84040392C2B071DD1546A85CE7C8F527D7E1B3
SHA256:	8AC8568934D1A0AB9A9923449BF11C0D44D97ABCA0BCABD60B94348642F046AC
SSDEEP:	49152:RD3bZMoA/b7m+9H8UEqWl4HVl4128WivlOd1Hd6P7uMG:R3f0OiH8UEG343kJ4y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - PAYMENT ERROR.exe (PID: 6440)
- FORMBOOK has been detected (YARA)
  - netsh.exe (PID: 6728)
- Connects to the CnC server
  - explorer.exe (PID: 4552)
- FORMBOOK has been detected (SURICATA)
  - explorer.exe (PID: 4552)
SUSPICIOUS
- Executes application which crashes
  - PAYMENT ERROR.exe (PID: 6440)
- Deletes system .NET executable
  - cmd.exe (PID: 6884)
- Suspicious use of NETSH.EXE
  - explorer.exe (PID: 4552)
- Starts CMD.EXE for commands execution
  - netsh.exe (PID: 6728)
- Contacting a server suspected of hosting an CnC
  - explorer.exe (PID: 4552)
INFO
- Checks supported languages
  - PAYMENT ERROR.exe (PID: 6440)
  - ngen.exe (PID: 6540)
- Reads the machine GUID from the registry
  - PAYMENT ERROR.exe (PID: 6440)
- Manual execution by a user
  - netsh.exe (PID: 6728)
- Checks proxy server information
  - WerFault.exe (PID: 6708)
- Reads the software policy settings
  - WerFault.exe (PID: 6708)
- Creates files or folders in the user directory
  - WerFault.exe (PID: 6708)
- Reads the computer name
  - ngen.exe (PID: 6540)
  - PAYMENT ERROR.exe (PID: 6440)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Formbook

(PID) Process(6728) netsh.exe

C2www.selalujadipemenang.com/oi12/

Strings (79)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

systray

audiodg

certmgr

autochk

taskhost

colorcpl

services

IconCache

ThumbCache

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)exobello.bio

boinga.xyz

animasriversurf.com

gamesflashg.com

hayatbagievleri.online

washington-living.com

july7.store

x-pod-technologies.com

farmhouseflaire.com

qb52aa.top

datasynthing.xyz

5v28n.rest

legacycommerceltd.com

mundodelosjuguetes.com

wjblades.com

z9b6g8.com

eskimotech.net

dreziuy.xyz

bestsolarcompanies.services

vertemisconsulting.com

rockinrioviagogo.com

acimed.net

tdrfwb.shop

xd4tp.top

bihungoreng19.click

tcnhbv301y.top

triumphbusinessconsultancy.com

menuconfig.store

seikoubento.com

defiram.com

bespokearomatics.com

yellprint.com

flickeringlc.christmas

aidiagnostics.xyz

ok66g.app

z3o6i8.com

dacoylomarkemilcajes.online

rummymeett.xyz

arazivearsa.xyz

crystalpalaces.store

qtsandbox.com

wkbbb.com

abusedcode.com

puzzle-escape.info

jagoboss.com

seguro-pagamento.life

luxindicator.site

mxtp.coffee

okumafishing.xyz

gaffelshop.shop

optimusgs.com

qtsandbox.com

bt365332.com

kernphoto.art

p0uhx.pro

agsaydinlatma.online

korbidholdings.net

nsservicescorp.com

healthcare-trends-22748.bond

xtraslot.link

travelblitarjuandabmtrans.com

linlinda.com

gnonhcav.xyz

05544.xyz

No Malware configuration.

Add for printing

TRiD

.exe	\|	Generic Win/DOS Executable (50)
.exe	\|	DOS Executable Generic (49.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:08:05 16:16:25+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	48
CodeSize:	21154
InitializedDataSize:	2560
UninitializedDataSize:	-
EntryPoint:	0x0000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows command line
FileVersionNumber:	4.30.497.82
ProductVersionNumber:	4.30.497.82
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	Obiwaququboqoposuq
ProductName:	Osokiwilogi
FileDescription:	Axejagewi Ocudazapunotoy Azezewofe Uvovarudakomac Iwucike.
FileVersion:	4.30.497.82
ProductVersion:	4.30.497.82
OriginalFileName:	Onozupocen
InternalName:	Eqihefejija
LegalCopyright:	© 2027 Obiwaququboqoposuq

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

137

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

4552

C:\WINDOWS\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\smartscreenps.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\aepic.dll

6440

"C:\Users\admin\AppData\Local\Temp\PAYMENT ERROR.exe"

C:\Users\admin\AppData\Local\Temp\PAYMENT ERROR.exe

explorer.exe

User:

admin

Company:

Obiwaququboqoposuq

Integrity Level:

MEDIUM

Description:

Axejagewi Ocudazapunotoy Azezewofe Uvovarudakomac Iwucike.

Exit code:

3762504530

Version:

4.30.497.82

Modules

Images
c:\users\admin\appdata\local\temp\payment error.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

6448

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

PAYMENT ERROR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6540

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe

—

PAYMENT ERROR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Common Language Runtime native compiler

Exit code:

Version:

4.8.9093.0 built by: NET481REL1LAST_C

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\ngen.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6708

C:\WINDOWS\system32\WerFault.exe -u -p 6440 -s 1148

C:\Windows\System32\WerFault.exe

PAYMENT ERROR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll

6728

"C:\Windows\SysWOW64\netsh.exe"

C:\Windows\SysWOW64\netsh.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Network Command Shell

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\netsh.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

Formbook

(PID) Process(6728) netsh.exe

C2www.selalujadipemenang.com/oi12/

Strings (79)USERNAME

LOCALAPPDATA

USERPROFILE

APPDATA

TEMP

ProgramFiles

CommonProgramFiles

ALLUSERSPROFILE

/c copy "

/c del "

\Run

\Policies

\Explorer

\Registry\User

\Registry\Machine

\SOFTWARE\Microsoft\Windows\CurrentVersion

Office\15.0\Outlook\Profiles\Outlook\

NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

\SOFTWARE\Mozilla\Mozilla

\Mozilla

Username:

Password:

formSubmitURL

usernameField

encryptedUsername

encryptedPassword

\logins.json

\signons.sqlite

\Microsoft\Vault\

SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins

\Google\Chrome\User Data\Default\Login Data

SELECT origin_url, username_value, password_value FROM logins

.exe

.com

.scr

.pif

.cmd

.bat

win

gdi

mfc

vga

igfx

user

help

config

update

regsvc

chkdsk

systray

audiodg

certmgr

autochk

taskhost

colorcpl

services

IconCache

ThumbCache

SeDebugPrivilege

SeShutdownPrivilege

\BaseNamedObjects

config.php

POST

HTTP/1.1

Host:

Connection: close

Content-Length:

Cache-Control: no-cache

Origin: http://

User-Agent: Mozilla Firefox/4.0

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: http://

Accept-Language: en-US

Accept-Encoding: gzip, deflate dat=

f-start

f-end

Decoy C2 (64)exobello.bio

boinga.xyz

animasriversurf.com

gamesflashg.com

hayatbagievleri.online

washington-living.com

july7.store

x-pod-technologies.com

farmhouseflaire.com

qb52aa.top

datasynthing.xyz

5v28n.rest

legacycommerceltd.com

mundodelosjuguetes.com

wjblades.com

z9b6g8.com

eskimotech.net

dreziuy.xyz

bestsolarcompanies.services

vertemisconsulting.com

rockinrioviagogo.com

acimed.net

tdrfwb.shop

xd4tp.top

bihungoreng19.click

tcnhbv301y.top

triumphbusinessconsultancy.com

menuconfig.store

seikoubento.com

defiram.com

bespokearomatics.com

yellprint.com

flickeringlc.christmas

aidiagnostics.xyz

ok66g.app

z3o6i8.com

dacoylomarkemilcajes.online

rummymeett.xyz

arazivearsa.xyz

crystalpalaces.store

qtsandbox.com

wkbbb.com

abusedcode.com

puzzle-escape.info

jagoboss.com

seguro-pagamento.life

luxindicator.site

mxtp.coffee

okumafishing.xyz

gaffelshop.shop

optimusgs.com

qtsandbox.com

bt365332.com

kernphoto.art

p0uhx.pro

agsaydinlatma.online

korbidholdings.net

nsservicescorp.com

healthcare-trends-22748.bond

xtraslot.link

travelblitarjuandabmtrans.com

linlinda.com

gnonhcav.xyz

05544.xyz

6884

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"

C:\Windows\SysWOW64\cmd.exe

—

netsh.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

6892

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

6 447

Read events

6 445

Write events

Delete events

Modification events


(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000502F0
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456033BCEE44DE41B4E8AEC331E84F566D2
(PID) Process:	(4552) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000502F0
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6708	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_PAYMENT ERROR.ex_8729092a584363c94d8f2b2641526124fdd4b5_e91a3f7f_4f0b6c47-1446-4b0e-85ed-eeb17e8f4c4a\Report.wer		—
		MD5:—	SHA256:—
6708	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\PAYMENT ERROR.exe.6440.dmp		—
		MD5:—	SHA256:—
6708	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER79A1.tmp.WERInternalMetadata.xml		xml
		MD5:7A67018F6DB6167EEBAA3DA2DF710906	SHA256:5961951B4476C0ABD4C9BA35701807DAC514499632E147A5F4ECBC1D664AE7B0
4552	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		binary
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
6708	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER77DB.tmp.dmp		dmp
		MD5:DE72AC5022B17DD34B000A200EA18BB8	SHA256:8E69DBAF56F2D275FE8A4F9B7F15B4B5A05B772B3FAA473E7BBFB6FFCB1EB476
6708	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER79E1.tmp.xml		xml
		MD5:E7038CCD2BC9E595399A4A1A9D0A3F29	SHA256:148F781096191791C1B790D5AD918D9C3CEC9F15749B7C9CA6CE09908B5C281F
6708	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE		binary
		MD5:FB64A9EBEDF48D3895381D5B7D80743D	SHA256:EA21D495930AD76F267A33A0F593DBF0C7EA75E457FCAE49A29DAAD8BD920F42
6708	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785		binary
		MD5:82C30E45BF5F93A5DB1D5E47F913053B	SHA256:2C6BBFF9207065E8800C4AF0CB2748818ABB3CFFC0D6D518FE17F76A232F8967

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4544	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4544	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7100	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4552	explorer.exe	GET	301	185.63.191.68:80	http://www.gamesflashg.com/oi12/?YvPh6=Plb0srchS&tPRL3=eIuv3wZ2kp79JIs6jXRb5Lgy0+pj2kePTydLRKTXyGZHt1Ci7GFXkH70HW6SDNwiD6RB	unknown	—	—	whitelisted
7084	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4552	explorer.exe	GET	530	206.119.185.133:80	http://www.05544.xyz/oi12/?tPRL3=VEG9pKblbsgSnCWsGKPKP1Hmb05x3B62Vvzf8wp10Gf5CfmNDoWnnzfTrf2vfBElSOBL&YvPh6=Plb0srchS	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1248	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1224	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
1224	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
6708	WerFault.exe	20.42.65.92:443	watson.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5336	SearchApp.exe	104.126.37.170:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.174	whitelisted
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146	whitelisted
watson.events.data.microsoft.com	20.42.65.92	whitelisted
www.bing.com	104.126.37.170 104.126.37.177 104.126.37.171 104.126.37.160 104.126.37.163 104.126.37.169 104.126.37.186 104.126.37.147 104.126.37.161	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
login.live.com	20.190.160.17 40.126.32.136 20.190.160.14 40.126.32.134 20.190.160.22 40.126.32.76 20.190.160.20 40.126.32.72	whitelisted
th.bing.com	104.126.37.186 104.126.37.179 104.126.37.139 104.126.37.123 104.126.37.144 104.126.37.146 104.126.37.130 104.126.37.128 104.126.37.136	whitelisted
fd.api.iris.microsoft.com	20.223.36.55	whitelisted
arc.msn.com	20.103.156.88	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
4552	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE FormBook CnC Checkin (GET)
4552	explorer.exe	Potentially Bad Traffic	ET HUNTING Request to .XYZ Domain with Minimal Headers
4552	explorer.exe	Malware Command and Control Activity Detected	ET MALWARE FormBook CnC Checkin (GET)

Add for printing

No debug info

General Info

PAYMENT ERROR.exe

3D93AD3D9374E100842FC9A5C683D86B

6D84040392C2B071DD1546A85CE7C8F527D7E1B3

8AC8568934D1A0AB9A9923449BF11C0D44D97ABCA0BCABD60B94348642F046AC

49152:RD3bZMoA/b7m+9H8UEqWl4HVl4128WivlOd1Hd6P7uMG:R3f0OiH8UEG343kJ4y

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

FORMBOOK has been detected (YARA)

Connects to the CnC server

FORMBOOK has been detected (SURICATA)

SUSPICIOUS

Executes application which crashes

Deletes system .NET executable

Suspicious use of NETSH.EXE

Starts CMD.EXE for commands execution

Contacting a server suspected of hosting an CnC

INFO

Checks supported languages

Reads the machine GUID from the registry

Manual execution by a user

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Reads the computer name

Malware configuration

Formbook

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

Formbook

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings