File name:

SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781

Full analysis: https://app.any.run/tasks/85c1735c-35e9-4265-9bb3-005430c5a0bf
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: December 06, 2022, 03:36:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
formbook
xloader
trojan
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

2671DB3CBA1E1848EC04B0DFB326FEA8

SHA1:

E78905B037BECF55E0049AA3247F1BCECC379CD3

SHA256:

93887029EDA377FA78729CBF1C96C582C029A828A8F721B731D5ECDDA7555FEC

SSDEEP:

6144:qBnmeG0xkz6C2U/2aqg9JBP/W5/tuzQxgJhyESBNoliLAmtESJwx6rbs8S:OGlaKpW5/tuxJhyfB6iLA8ac/S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • opwovm.exe (PID: 2584)
      • opwovm.exe (PID: 3136)
    • Changes the autorun value in the registry

      • opwovm.exe (PID: 2584)
    • FORMBOOK detected by memory dumps

      • colorcpl.exe (PID: 3212)
    • Formbook is detected

      • colorcpl.exe (PID: 3212)
    • Loads dropped or rewritten executable

      • colorcpl.exe (PID: 3212)
    • FORMBOOK was detected

      • Explorer.EXE (PID: 576)
    • Connects to the CnC server

      • Explorer.EXE (PID: 576)
    • Unusual connection from system programs

      • Explorer.EXE (PID: 576)
  • SUSPICIOUS

    • Loads DLL from Mozilla Firefox

      • colorcpl.exe (PID: 3212)
    • Application launched itself

      • opwovm.exe (PID: 2584)
    • Reads browser cookies

      • colorcpl.exe (PID: 3212)
    • Process drops SQLite DLL files

      • colorcpl.exe (PID: 3212)
  • INFO

    • Checks supported languages

      • opwovm.exe (PID: 3136)
      • SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe (PID: 2656)
      • opwovm.exe (PID: 2584)
    • Checks proxy server information

      • colorcpl.exe (PID: 3212)
    • Reads the computer name

      • SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe (PID: 2656)
      • opwovm.exe (PID: 3136)
    • Process checks computer location settings

      • opwovm.exe (PID: 3136)
    • Creates a file in a temporary directory

      • SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe (PID: 2656)
      • colorcpl.exe (PID: 3212)
    • Manual execution by a user

      • colorcpl.exe (PID: 3212)
    • Executable content was dropped or overwritten

      • colorcpl.exe (PID: 3212)
    • Drops the executable file immediately after the start

      • colorcpl.exe (PID: 3212)
    • Drops a file that was compiled in debug mode

      • colorcpl.exe (PID: 3212)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(3212) colorcpl.exe
Decoy C2 (64)codelifed.com
doctorbodymake.com
amspustaka.com
olanger.email
3821c8.com
cityasset.net
varanasiexpedia.com
lodehewulan.yachts
700544.com
alypw.com
publickit.website
new-thinking.digital
toggabudhabi.xyz
davidemarone.com
isc-chemical.com
newpublictransit.com
kasslot.com
oonrreward.xyz
seismoeng.com
techilmain.com
tommy57.shop
serverdecipher.com
peqevent.com
tobewell.store
lee-perez.com
codacodes.com
zr387.com
ybkos.link
api2022.top
leicesterurology.com
ope-cctv.com
info-akb.com
gallerigate.com
frwqc.com
v32.xyz
92toys.com
yt82ra5c.com
dailyheraldresearch.com
shopcheap.club
zuzutrading.com
shura-asia.org
porggiret.site
deckcork.com
visitleknes.com
eventualstudios.com
rajahparkhotelcebu.com
cscvlehelp.com
gmrsnodes.com
3815ww.com
bengalindex.com
mahalaburn.com
kredity-express.online
festpay.pro
bookmygennie.com
mgalese.com
villaimmaginare.com
vienuongdamos1.click
thebrotherhood.shop
0755lrfk.com
zhukojobs.com
kyototravel.net
shusemarang.com
kmuregister.com
cuttingedgeprime.com
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.spirituallyzen.com/m9ae/
Decoy C2 (64)nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.spirituallyzen.com/m9ae/
Decoy C2 (64)nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.spirituallyzen.com/m9ae/
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2015-Dec-27 05:38:52
Detected languages:
  • English - United States

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 216

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2015-Dec-27 05:38:52
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
4096
23626
24064
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.41076
.rdata
28672
4446
4608
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.14255
.data
36864
110712
1536
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.22522
.ndata
151552
32768
0
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc
184320
202592
202752
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.93641

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.90959
67624
UNKNOWN
English - United States
RT_ICON
2
7.96373
38581
UNKNOWN
English - United States
RT_ICON
3
5.17077
38056
UNKNOWN
English - United States
RT_ICON
4
5.22062
21640
UNKNOWN
English - United States
RT_ICON
5
5.1977
16936
UNKNOWN
English - United States
RT_ICON
6
5.26928
9640
UNKNOWN
English - United States
RT_ICON
7
5.3399
4264
UNKNOWN
English - United States
RT_ICON
8
5.49489
2440
UNKNOWN
English - United States
RT_ICON
9
5.20658
1128
UNKNOWN
English - United States
RT_ICON
103
3.03466
132
UNKNOWN
English - United States
RT_GROUP_ICON

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start securiteinfo.com.gen.variant.nemesis.1957.29333.23781.exe no specs opwovm.exe opwovm.exe no specs #FORMBOOK colorcpl.exe #FORMBOOK explorer.exe firefox.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2656"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe" C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exeExplorer.EXE
User:
admin
Integrity Level:
MEDIUM
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\securiteinfo.com.gen.variant.nemesis.1957.29333.23781.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
2584"C:\Users\admin\AppData\Local\Temp\opwovm.exe" C:\Users\admin\AppData\Local\Temp\jzacvyuruta.yvC:\Users\admin\AppData\Local\Temp\opwovm.exe
SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\opwovm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wsnmp32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
3136"C:\Users\admin\AppData\Local\Temp\opwovm.exe"C:\Users\admin\AppData\Local\Temp\opwovm.exeopwovm.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\opwovm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3212"C:\Windows\System32\colorcpl.exe"C:\Windows\System32\colorcpl.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Color Control Panel
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\colorcpl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\colorui.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Formbook
(PID) Process(3212) colorcpl.exe
Decoy C2 (64)codelifed.com
doctorbodymake.com
amspustaka.com
olanger.email
3821c8.com
cityasset.net
varanasiexpedia.com
lodehewulan.yachts
700544.com
alypw.com
publickit.website
new-thinking.digital
toggabudhabi.xyz
davidemarone.com
isc-chemical.com
newpublictransit.com
kasslot.com
oonrreward.xyz
seismoeng.com
techilmain.com
tommy57.shop
serverdecipher.com
peqevent.com
tobewell.store
lee-perez.com
codacodes.com
zr387.com
ybkos.link
api2022.top
leicesterurology.com
ope-cctv.com
info-akb.com
gallerigate.com
frwqc.com
v32.xyz
92toys.com
yt82ra5c.com
dailyheraldresearch.com
shopcheap.club
zuzutrading.com
shura-asia.org
porggiret.site
deckcork.com
visitleknes.com
eventualstudios.com
rajahparkhotelcebu.com
cscvlehelp.com
gmrsnodes.com
3815ww.com
bengalindex.com
mahalaburn.com
kredity-express.online
festpay.pro
bookmygennie.com
mgalese.com
villaimmaginare.com
vienuongdamos1.click
thebrotherhood.shop
0755lrfk.com
zhukojobs.com
kyototravel.net
shusemarang.com
kmuregister.com
cuttingedgeprime.com
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.spirituallyzen.com/m9ae/
(PID) Process(3212) colorcpl.exe
Decoy C2 (64)nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.spirituallyzen.com/m9ae/
(PID) Process(3212) colorcpl.exe
Decoy C2 (64)nWTQpX6TYm6dfT3Lcw==
7JaBLgMm8EKn2AlTy5Ksj4Jq
yWRJIhE3viQgqEpZS3o=
ES9dFo0bytF8vlvRcg==
aX/aBZn29pD+cg==
lU64sYOZV7ZVpUy1ag==
9BpOCYAPv8L8TyIFAiTp2PSqLg==
uEJ2RyQ1BcBXfFr8kT5Z1KV0
oVM42Ury9pD+cg==
0Zl3VkcuKaY+
OjZeGI8dw67Z6eWtnOoBfoI=
ytwFn9j4i+N8nKYRSgcfh3xn5LU=
xMb1+YkOyxmbxJ53JsP7Pg==
HODQpzTBS1gVoi4X0hStKQ==
fQ417ycwD+ziKt1u0hStKQ==
nsApOqE62sA8uS735uCXVP+YcrQ=
4aobG3oZ3AHqTPs=
P2LEwJatZbQZUTayTW0=
/bopO7NR6clCfT3Lcw==
bBxRRkFY01R+20pZS3o=
enylSY//R0Euo5Hc
s3hoHGn+blzIzLD2XcWsj4Jq
MvZlcWyHEnNHRGHB
qDJgM38Zlp2BriDZBnI=
JlaRDbpPJo43fT3Lcw==
aZgM/YERpLJOfT3Lcw==
dgcdTgcuKaY+
N12TQ5X0uI7/dA==
85d5Cn4gEuXNHOY=
XGyjNRUvzkzpFEb98NiZYf+YcrQ=
nUc1kamtJHlHRGHB
M+1WZ6NvT6VHRGHB
k1iSQqU6E3biHW3Ev1x/
yoeZZ9suKaY+
yiqErKzdOA==
I8FYQ4Mx9pD+cg==
e3sMggibmaRHRGHB
YBxPTjVYD4c2WVRYdfxP9f/w5W+IU0g=
A6GFXmNsA4y3ByPuEXU=
RkSck9R+79lCe5vEv1x/
c4Hf8OWx18LuWN4pPnA=
IK6UOZcpvKTL2/PbBHI=
dpbLY0FV8mxHRGHB
RoTt48Dgi/aZtJ/Ev1x/
4/FRPhpH3TPGD0uYB7Yf2PSqLg==
5A5CBZYyzanG52lgk7V7K8G4gdDu5w==
p8IpCMzdxqyj2UpZS3o=
cToa+3QRpLJOfT3Lcw==
Lat9/Yk19pD+cg==
CrjklYWQN6tXfIjEv1x/
SfQyB+TxpJSt20pZS3o=
eTEdrAOeVYJ4Cx6WSxqnYGgz01Yv7w==
NP7rnOJz7QXxQfk=
hrYdLa1V+exp20UX0hStKQ==
R+gl+MvhTQHqTPs=
CC6YqK+3hWJYpEseExvt2PSqLg==
VmybWD1f6EIreDUVP47Yw5la3rI=
Sgv5moChVKcQSZYjwYWyvbeuMw==
rtxt7QYo5mxHRGHB
cH/l/4Ecn61OfT3Lcw==
T4iddmuQEGhd1NwMviZm
cyH/sQGRb8s6e5vEv1x/
Y3DL3M3XS86ftJ7Ev1x/
U2jGyqnCYcDDJt3mAjZDxf+YcrQ=
Strings (75)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
C2www.spirituallyzen.com/m9ae/
576C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2576"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\Firefox.execolorcpl.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
83.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msasn1.dll
Total events
2 114
Read events
2 090
Write events
24
Delete events
0

Modification events

(PID) Process:(2584) opwovm.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:satytuyqndhqqq
Value:
C:\Users\admin\AppData\Roaming\pugcbmf\wnrbbehkxrwbgu.exe "C:\Users\admin\AppData\Local\Temp\opwovm.exe" C:\Users\admin\AppData\L
(PID) Process:(3212) colorcpl.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3212) colorcpl.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3212) colorcpl.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3212) colorcpl.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3212) colorcpl.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3212) colorcpl.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3212) colorcpl.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3212) colorcpl.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3212) colorcpl.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Executable files
3
Suspicious files
4
Text files
1
Unknown types
2

Dropped files

PID
Process
Filename
Type
2656SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exeC:\Users\admin\AppData\Local\Temp\jzacvyuruta.yvfli
MD5:9A98BCBAEADC635D0612286A89C766A9
SHA256:1E740C732EEB938A59122B1B15E3EC15D56AC5B2A6462F1662C8B98465243181
3212colorcpl.exeC:\Users\admin\AppData\Local\Temp\chwxv.zipcompressed
MD5:C42EC8F35C6A06666E6AD54471A2728B
SHA256:22BB304AAB3EC7A51FC4DC7749F304BBE01C5EC014144FBC8F86012DC3B0708B
3212colorcpl.exeC:\Users\admin\AppData\Local\Temp\sqlite3.dllexecutable
MD5:07FB6D31F37FB1B4164BEF301306C288
SHA256:06DDF0A370AF00D994824605A8E1307BA138F89B2D864539F0D19E8804EDAC02
3212colorcpl.exeC:\Users\admin\AppData\Local\Temp\sqlite3.deftext
MD5:248209B7183B5D5B667DFD77EE847763
SHA256:9FB7168694EBFA19383DE44AC8AA1B5341DEA5FC228DC7CCE8008C643807FDCE
2656SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exeC:\Users\admin\AppData\Local\Temp\sjxwsz.gzbinary
MD5:6D5C5D1FB0C5217DDAF28DB7AE4E5A91
SHA256:3C483F7DFD417A90A73FB0305E3DEDD0E5A91BDB2B17C8209308E4D90C2AB1BA
3212colorcpl.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\sqlite-dll-win32-x86-3210000[1].zipcompressed
MD5:C42EC8F35C6A06666E6AD54471A2728B
SHA256:22BB304AAB3EC7A51FC4DC7749F304BBE01C5EC014144FBC8F86012DC3B0708B
2584opwovm.exeC:\Users\admin\AppData\Roaming\pugcbmf\wnrbbehkxrwbgu.exeexecutable
MD5:6E53EC51F109B4B2F96DF15D9F57B63C
SHA256:6814D2488B5DFE90C8985BF2B482655457CC44B24D58C4094E5D69A42EDC8C0E
2656SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exeC:\Users\admin\AppData\Local\Temp\nsiC997.tmpbinary
MD5:92E55FCD8EB9EEF4BB4987C3E494567B
SHA256:CA32FF43950CE7C3F44226499F056DC2C2913E60955E60739B098CE496F26C21
2656SecuriteInfo.com.Gen.Variant.Nemesis.1957.29333.23781.exeC:\Users\admin\AppData\Local\Temp\opwovm.exeexecutable
MD5:6E53EC51F109B4B2F96DF15D9F57B63C
SHA256:6814D2488B5DFE90C8985BF2B482655457CC44B24D58C4094E5D69A42EDC8C0E
3212colorcpl.exeC:\Users\admin\AppData\Local\Temp\456b6ELMQsqlite
MD5:CC104C4E4E904C3AD7AD5C45FBFA7087
SHA256:321BE844CECC903EF1E7F875B729C96BB3ED0D4986314384CD5944A29A670C9B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
33
DNS requests
9
Threats
49

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
576
Explorer.EXE
POST
404
192.185.90.105:80
http://www.gmrsnodes.com/m9ae/
US
html
4.57 Kb
malicious
576
Explorer.EXE
POST
405
172.67.214.243:80
http://www.dailyheraldresearch.com/m9ae/
US
html
154 b
malicious
3212
colorcpl.exe
GET
200
45.33.6.223:80
http://www.sqlite.org/2017/sqlite-dll-win32-x86-3210000.zip
US
compressed
435 Kb
whitelisted
576
Explorer.EXE
POST
404
192.185.90.105:80
http://www.gmrsnodes.com/m9ae/
US
html
4.57 Kb
malicious
576
Explorer.EXE
GET
302
188.114.96.3:80
http://www.oonrreward.xyz/m9ae/?Ar2=LevhYPqdwsQo7WECDbB459ZspyUUr+LEH/unqFqLIkFUX6m7L7+nz6QxOZtEbUGpwXH1U9LeHXBcQ/Z4BofTkIyqmkMy/StFRpalI38=&_jG4N=hBclaNlx48
US
malicious
576
Explorer.EXE
POST
404
192.185.90.105:80
http://www.gmrsnodes.com/m9ae/
US
html
4.57 Kb
malicious
576
Explorer.EXE
POST
404
192.185.90.105:80
http://www.gmrsnodes.com/m9ae/
US
html
4.57 Kb
malicious
576
Explorer.EXE
POST
404
192.185.90.105:80
http://www.gmrsnodes.com/m9ae/
US
html
4.57 Kb
malicious
576
Explorer.EXE
POST
405
172.67.214.243:80
http://www.dailyheraldresearch.com/m9ae/
US
html
154 b
malicious
576
Explorer.EXE
GET
404
192.185.90.105:80
http://www.gmrsnodes.com/m9ae/?Ar2=mwF44ViOu9spAX9yirmP6xmlB9nqplTR930/p+8373gvxGpTfL4ouZObAVq0rWSH8GeW4++fOqUmcVqtvF+Qx0yHgDRGkE5qxmkgXJI=&_jG4N=hBclaNlx48
US
html
11.5 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
188.114.96.3:80
www.oonrreward.xyz
CLOUDFLARENET
NL
malicious
45.33.6.223:80
www.sqlite.org
Linode, LLC
US
suspicious
576
Explorer.EXE
172.67.214.243:80
www.dailyheraldresearch.com
CLOUDFLARENET
US
malicious
576
Explorer.EXE
192.185.90.105:80
www.gmrsnodes.com
UNIFIEDLAYER-AS-1
US
malicious
576
Explorer.EXE
216.40.34.41:80
www.lee-perez.com
TUCOWS
CA
malicious
576
Explorer.EXE
93.179.126.52:80
www.700544.com
IT7NET
HK
unknown
576
Explorer.EXE
38.40.166.195:80
www.frwqc.com
PEGTECHINC
US
malicious
576
Explorer.EXE
74.208.236.65:80
www.tommy57.shop
IONOS SE
US
malicious

DNS requests

Domain
IP
Reputation
www.oonrreward.xyz
  • 188.114.96.3
  • 188.114.97.3
malicious
www.sqlite.org
  • 45.33.6.223
whitelisted
www.gmrsnodes.com
  • 192.185.90.105
malicious
www.dailyheraldresearch.com
  • 172.67.214.243
  • 104.21.83.59
malicious
www.publickit.website
unknown
www.lee-perez.com
  • 216.40.34.41
malicious
www.frwqc.com
  • 38.40.166.195
malicious
www.tommy57.shop
  • 74.208.236.65
malicious
www.700544.com
  • 93.179.126.52
  • 93.179.125.85
  • 93.179.126.25
malicious

Threats

PID
Process
Class
Message
576
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
576
Explorer.EXE
Potentially Bad Traffic
ET INFO Request to .XYZ Domain with Minimal Headers
576
Explorer.EXE
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
576
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
576
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
576
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
576
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
576
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
576
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (POST) M2
576
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
10 ETPRO signatures available at the full report
No debug info