File name: igcc.exe

Full analysis: https://app.any.run/tasks/d24998d3-4740-4ea6-b11d-1994a8190726
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is distributed as a MaaS (malware-as-a-service). FormBook differs from much of the competing malware by its extreme ease of use, which allows even inexperienced threat actors to use the FormBook virus.

Analysis date: June 11, 2024, 09:57:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
formbook
xloader
stealer
spyware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 13DBE8962D2BBEB39C6BFB0D71690D43
SHA1: 79CCD479791B06A740C2FC3BDA72E8362F508EA8
SHA256: A8A554BDF952647B35451356C13C06B528C705C0A4DF4AAFA14B066595291DC4
SSDEEP: 24576:/oiBVIDRWo0q6vbEks4ssY6+8im9763BVoRggw+tSit7q/a0ae1lmffUGsig86hN:/oiBVIDRWo0q6vbEksbsY6+8t9763BVp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • igcc.exe (PID: 3980)
    • FORMBOOK has been detected (YARA)

      • runonce.exe (PID: 2072)
    • FORMBOOK has been detected (SURICATA)

      • explorer.exe (PID: 1180)
    • Connects to the CnC server

      • explorer.exe (PID: 1180)
    • Steals credentials

      • runonce.exe (PID: 2072)
    • Actions look like stealing of personal data

      • runonce.exe (PID: 2072)
  • SUSPICIOUS

    • Application launched itself

      • igcc.exe (PID: 3980)
    • Reads the Internet Settings

      • runonce.exe (PID: 2072)
    • Loads DLL from Mozilla Firefox

      • runonce.exe (PID: 2072)
    • Contacting a server suspected of hosting a CnC

      • explorer.exe (PID: 1180)
    • Process drops SQLite DLL files

      • runonce.exe (PID: 2072)
    • Executable content was dropped or overwritten

      • runonce.exe (PID: 2072)
  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1180)
      • runonce.exe (PID: 2072)
    • Checks supported languages

      • igcc.exe (PID: 3980)
      • igcc.exe (PID: 4024)
      • wmpnscfg.exe (PID: 1064)
    • Reads the computer name

      • igcc.exe (PID: 3980)
      • wmpnscfg.exe (PID: 1064)
    • Reads the machine GUID from the registry

      • igcc.exe (PID: 3980)
    • Manual execution by a user

      • runonce.exe (PID: 2072)
    • Checks proxy server information

      • runonce.exe (PID: 2072)
    • Creates files or folders in the user directory

      • runonce.exe (PID: 2072)
    • Creates files in a temporary directory

      • runonce.exe (PID: 2072)
    • Drops the executable file immediately after the start

      • runonce.exe (PID: 2072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process: (2072) runonce.exe
C2: www.12315fc.top
Strings (160):
Napz74P5GUwl0aA84L/tY9o4wJru
tlh74G56Jp6+p5/Q
b1omP2A+j8xrV/uypLgADc/P/xc=
4O+3XrDZQAIOvdoQ
xeDmcyXG4PeaNU+WidogaE5ayd+4
Nra/HdfDK4PY/3Q=
A6kfCyhheKLvRA==
PCZH9D6fl/v5X2Xp8w==
H0KzOUzaF9HZV765lFHoPu1+giNRyg==
tRjUjrtp7wq+ge7AAghYtcI=
BrDEUw3ijz7Edtn+pJdYU0qH9N2P
oJeHXAOYtldft0XbtlXPxA==
UuJpEkIgZyOUxKrN
jUrzivnvFd1ac74Ip7TbvA==
++IxErcgST5RTe8=
GAmqV1kwKLEPKwpZfhbTDLQk
OUa1bGR7qUFx
/RyEuPvkxwhm9B7yKgbuPrQ=
2+0Crx4JzvQxs7zytxTNQ4m/u+ui
F6FFaKwBvPUgjor5eWJjJsiAO9q/XQ==
U0eb/uf/S7OGAByJOZ83rfzh
RSKJlD5Sx6Az1asw4QI=
mR+oIQ3TrN+meWovrQ==
BiVb0cWnB4CLtThJBXMt
Duc4RbbRKXL0qFakiLen2yQ=
enA0lxPzJT8w5/cpD57uNjztdQ==
8bcPzXv2vaYQx/E=
Srz+zAg+/7LG0MBhy+QNvnIBRg==
QA61vksPGlCAlLzNZQ==
VlfYfqoot/+IilapkQo=
GTlrsuJoHhpkUSdf
VvG+z9i9YBMidzielA==
wrROpVaYKXlTTpR91a8=
w8M8o9PPeWygQ6gNg4w=
xnHTSiwd91K0WXqrjd4=
S8CkUrH0OYkq
o1urrmVpjLcF
hS+reFGUgWNoh01fUzw=
Y6zY17yTG2Q+B7E5iQ==
LD85S8PRdUz3YvnQ0AfTDw==
HQV1M2cOfNknPuceqKw=
tZaOpZe9c14H7a3xPtOlgMqxucn2MRM=
D4c1TpvVBqcLtHo=
2t2Z5BF27E1GsFiYbteWs7TW
rl0zK/h9nySP3AVBtc7jyw==
0oOR8tr48OGIawEc4n0iD3cR
u5czz8jnQ352Hw==
plfxhLS1v0xZF9LzqjAxeA==
fcvfzgZuZytTrVA=
b4LFPTPdORdTLOEJE4t/9MkJ
Sq7yK5j8TBoi738=
JDxIKITRvexXbBAobg==
McQ5Wlnssks4CsuKvA==
kmy6amXfCglgfwQ=
n78zR6/gvmZszQQHKA==
UH62bz2CzW0QPLFgBcyp4rCtX9Ba
mbs4p4VCgj5MS7knkmoq
mUCpmI8kfO6W3wEeNq3VxFGTl1EQ
7ejRcqel0TWs4a60
TDAiyye7+Gg9FZoz1kPa54rVhpvYUQTEXQ==
8yYOxj8DY3ajUGbtAzai
sp57K3uVI4J8R42juQ==
ITRyQBXDyFkwyxVlm4GLwX74Zw==
E2LwFvTSAmUbUPkCGVinAz+iXA==
XElKAoTcBrNL2tp9dfRz
runonce.exe
RMActivate.exe
mobsync.exe
net.exe
cmdl32.exe
auditpol.exe
shutdown.exe
pcaui.exe
waitfor.exe
rundll32.exe
RMActivate_isv.exe
regini.exe
kernel32.dll
advapi32.dll
ws2_32.dll
USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
COMPUTERNAME
ProgramFiles
/c copy "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\Mail\
\Foxmail
\Storage\
\Accounts\Account.rec0
\Data\AccCfg\Accounts.tdat
\Google\Chrome\User Data\Default\Login Data
SeShutdownPrivilege
\BaseNamedObjects
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control:
Origin: http://
Content-Type: application/x-www-form-urlencoded
Accept:
Referer: http://
Accept-Language:
Accept-Encoding:
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser
-noexit "& ""
PowerShell.exe
\Opera Software\Opera Stable
kernel32.dll
user32.dll
wininet.dll
rg.ini
Recovery
profiles.ini
guid
Connection: close
pass
token
email
login
signin
account
persistent
GET
GET
PUT
POST
OPTIONS
User-Agent:
API-
MS-W
_301 Moved
_302 Found
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpSendRequestA
InternetReadFile
InternetCloseHandle
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (70.7)
.scr | Windows screen saver (12.6)
.dll | Win32 Dynamic Link Library (generic) (6.3)
.exe | Win32 Executable (generic) (4.3)
.exe | Win16/32 Executable Delphi generic (2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:06:10 18:24:33+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 751616
InitializedDataSize: 8192
UninitializedDataSize: -
EntryPoint: 0xb972e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 5.3.0.0
ProductVersionNumber: 5.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: 2 Ways
FileDescription: Database Image Add-2WAYS
FileVersion: 5.3.0.0
InternalName: KqRVW.exe
LegalCopyright: Copyright © 2013
LegalTrademarks: 2 Ways
OriginalFileName: KqRVW.exe
ProductName: Database Image Add-2WAYS
ProductVersion: 5.3.0.0
AssemblyVersion: 5.3.0.0
No data.
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Nodes in the behavior graph (start → child processes):
  • igcc.exe (no specs)
  • igcc.exe (no specs)
  • runonce.exe (#FORMBOOK)
  • explorer.exe (#FORMBOOK)
  • wmpnscfg.exe (no specs)
  • firefox.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1064
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1180
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\temp\igcc.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
PID: 1768
CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: runonce.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
115.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
PID: 2072
CMD: "C:\Windows\System32\runonce.exe"
Path: C:\Windows\System32\runonce.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Run Once Wrapper
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\runonce.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3980
CMD: "C:\Users\admin\AppData\Local\Temp\igcc.exe"
Path: C:\Users\admin\AppData\Local\Temp\igcc.exe
Parent process: explorer.exe
User:
admin
Company:
2 Ways
Integrity Level:
MEDIUM
Description:
Database Image Add-2WAYS
Exit code:
0
Version:
5.3.0.0
Modules
Images
c:\users\admin\appdata\local\temp\igcc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 4024
CMD: "C:\Users\admin\AppData\Local\Temp\igcc.exe"
Path: C:\Users\admin\AppData\Local\Temp\igcc.exe
Parent process: igcc.exe
User:
admin
Company:
2 Ways
Integrity Level:
MEDIUM
Description:
Database Image Add-2WAYS
Exit code:
0
Version:
5.3.0.0
Modules
Images
c:\users\admin\appdata\local\temp\igcc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
3 454
Read events
3 421
Write events
27
Delete events
6

Modification events

(PID) Process: (1180) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000863B6D370E28EF408EE5744C30A2920700000000020000000000106600000001000020000000968318B51BBA3C48F7EC0868F0CE68DA41C2E90323ABF8F142C8CA29CB5C5892000000000E80000000020000200000004DF698FD9D952F69A9E834DB84483ADC4C18F6CE2315D15024467DBA35E007363000000037F878449F021BBA62F51C0DD5F2978100F6A03CC19E9B99B36C7484FD8A1CDE7D1B802E5624CD2835A4BA23E2D3373C400000007B1A976D8816CFE9A97E848E6EDCAF0185E754865F767B6AE24402A2B3B0E9DA13FBABBCC50B97252E03666884E71A2B8F58C0E203AE1C7F7684A61A712F83AA

(PID) Process: (1180) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US

(PID) Process: (2072) runonce.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2072) runonce.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value:
Cookie:

(PID) Process: (2072) runonce.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value:
Visited:

(PID) Process: (2072) runonce.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0

(PID) Process: (2072) runonce.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyServer
Value:

(PID) Process: (2072) runonce.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: ProxyOverride
Value:

(PID) Process: (2072) runonce.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoConfigURL
Value:

(PID) Process: (2072) runonce.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: delete value
Name: AutoDetect
Value:
Executable files
1
Suspicious files
3
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2072
Process: runonce.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\sqlite-dll-win32-x86-3240000[1].zip
Type: compressed
MD5: D71848944418C67F6EB230682F9A969A
SHA256: EFFF0464180FCB34EC33E7835086EA58ADC84BC3F0B08A7323EF1D58B258E59E

PID: 2072
Process: runonce.exe
Filename: C:\Users\admin\AppData\Local\Temp\sqlite3.dll
Type: executable
MD5: 87F9E5A6318AC1EC5EE05AA94A919D7A
SHA256: 7705B87603E0D772E1753441001FCF1AC2643EE41BF14A8177DE2C056628665C

PID: 2072
Process: runonce.exe
Filename: C:\Users\admin\AppData\Local\Temp\3-zmD5K6
Type: binary
MD5: 52E51471E9281235323F633CD0DEA56C
SHA256: 147F3137B387FE4FBE3215B7864568404580A799D031009FE9C718F4C2EF87D0

PID: 2072
Process: runonce.exe
Filename: C:\Users\admin\AppData\Local\Temp\odcd1vvx.zip
Type: compressed
MD5: D71848944418C67F6EB230682F9A969A
SHA256: EFFF0464180FCB34EC33E7835086EA58ADC84BC3F0B08A7323EF1D58B258E59E

PID: 2072
Process: runonce.exe
Filename: C:\Users\admin\AppData\Local\Temp\sqlite3.def
Type: text
MD5: DF728FE35F4E5FE7A1DBFB2BC8C99972
SHA256: 82064FB9C414C8A50F090C6E8F9D17269B3F9B1B35E9EFE78C70ADBCB31929FD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
22
TCP/UDP connections
28
DNS requests
17
Threats
44

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1180
explorer.exe
GET
301
162.241.253.174:80
http://www.ndhockeyprospects.com/nce6/?4dM=Ed8kY/rwObA0p5m52huI+RHFUZJ6SE6iAjj4r6cZewWhLhgYO7hQxr4Ktdnsbj/KbLEakTji3+PsoJpUjdCsj+OsGHmDJ7H1CxScXge5Dq6TW5jR93+6+BbVCztq&vl3Px=ctbhLT8Py
unknown
2072
runonce.exe
GET
200
45.33.6.223:80
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3240000.zip
unknown
1180
explorer.exe
POST
400
202.95.21.152:80
http://www.qmancha.com/3in6/
unknown
1180
explorer.exe
POST
400
202.95.21.152:80
http://www.qmancha.com/3in6/
unknown
1180
explorer.exe
POST
400
202.95.21.152:80
http://www.qmancha.com/3in6/
unknown
1180
explorer.exe
POST
400
202.95.21.152:80
http://www.qmancha.com/3in6/
unknown
1180
explorer.exe
POST
400
202.95.21.152:80
http://www.qmancha.com/3in6/
unknown
1180
explorer.exe
GET
404
202.95.21.152:80
http://www.qmancha.com/3in6/?4dM=Beo4F/wq8RdFDjebenHVn10hxzM6jO0rNdTrW7vwt6cBBJ1fMwEG0WxeA2f1nEETpN0HaKEkhCdRxKBFbeKzW4UWlK7G/hG5zy3ChYjtNBnICHtO/swRubsTKm05&vl3Px=ctbhLT8Py
unknown
1180
explorer.exe
POST
400
202.95.21.152:80
http://www.qmancha.com/3in6/
unknown
1180
explorer.exe
POST
404
66.29.145.248:80
http://www.zonenail.info/kscn/
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
4
System
192.168.100.255:137
unknown
1088
svchost.exe
224.0.0.252:5355
unknown
1180
explorer.exe
162.241.253.174:80
www.ndhockeyprospects.com
UNIFIEDLAYER-AS-1
US
unknown
2072
runonce.exe
45.33.6.223:80
www.sqlite.org
Linode, LLC
US
unknown
1180
explorer.exe
202.95.21.152:80
www.qmancha.com
BGPNET Global ASN
HK
unknown
1180
explorer.exe
66.29.145.248:80
www.zonenail.info
NAMECHEAP-NET
US
unknown
1180
explorer.exe
188.114.97.3:80
www.okbharat.best
CLOUDFLARENET
NL
unknown
1180
explorer.exe
49.13.77.253:80
www.12315fc.top
Hetzner Online GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
www.ndhockeyprospects.com
  • 162.241.253.174
unknown
www.sqlite.org
  • 45.33.6.223
unknown
www.qmancha.com
  • 202.95.21.152
unknown
www.cloud-force.club
unknown
www.zonenail.info
  • 66.29.145.248
unknown
www.okbharat.best
  • 188.114.97.3
  • 188.114.96.3
unknown
www.12315fc.top
  • 49.13.77.253
unknown
dns.msftncsi.com
  • 131.107.255.255
unknown

Threats

PID
Process
Class
Message
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET) M5
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET) M5
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
22 ETPRO signatures available at the full report
No debug info