dba983e27f0b2b80b77c0363781e14f7d35110c1bbef263e1fa018cc4d0bd783

General Info

File name: Order.scr

Full analysis: https://app.any.run/tasks/0062a893-dc21-427c-957e-11817c3b7472

Verdict: Malicious activity

Threats:

Formbook

FormBook is a data stealer that is being distributed as a MaaS. It differs from a lot of competing malware by its extreme ease of use that allows even the nobbiest threat actors to use this virus.

Malware Trends Tracker

More details

Analysis date: 7/18/2019, 09:58:05

OS:: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)

Tags:: trojan

formbook

stealer

Indicators:

MIME:: application/x-dosexec

File info:: PE32 executable (GUI) Intel 80386, for MS Windows

MD5: e14c35e758d0383e7cc34336ae9b4d15

SHA1: 6d5812c23779cad1fda1b22e784d53314e62908a

SHA256: dba983e27f0b2b80b77c0363781e14f7d35110c1bbef263e1fa018cc4d0bd783

SSDEEP: 12288:bnEEEwy86zboSChS/7Ov+q/7Ov+iFS7ZSqvhJOhJsom4vFA3BJcS3XzMIi+dZqaK:AW7+rQkeTW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration: 300 seconds

Additional time used: 240 seconds

Fakenet option: off

Heavy Evaision option: off

MITM proxy: off

Route via Tor: off

Network geolocation: off

Privacy: Public submission

Autoconfirmation of UAC: on

Software preset

Internet Explorer 8.0.7601.17514
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Behavior activities

MALICIOUS	SUSPICIOUS	INFO
Formbook was detected Firefox.exe (PID: 3772) audiodg.exe (PID: 2240) FORMBOOK was detected explorer.exe (PID: 124) Actions looks like stealing of personal data audiodg.exe (PID: 2240) Changes the autorun value in the registry audiodg.exe (PID: 2240) Connects to CnC server explorer.exe (PID: 124) Stealing of credential data audiodg.exe (PID: 2240)	Uses NETSH.EXE for network configuration explorer.exe (PID: 124) Executable content was dropped or overwritten DllHost.exe (PID: 3620) explorer.exe (PID: 124) Application launched itself helpcljhuf.exe (PID: 2156) Order.scr (PID: 3572) Starts CMD.EXE for commands execution audiodg.exe (PID: 2240) Creates files in the user directory audiodg.exe (PID: 2240) Starts application with an unusual extension explorer.exe (PID: 124) Order.scr (PID: 3572) Loads DLL from Mozilla Firefox audiodg.exe (PID: 2240) Executed via COM DllHost.exe (PID: 3620) Creates files in the program directory DllHost.exe (PID: 3620)	Creates files in the user directory Firefox.exe (PID: 3772) Manual execution by user audiodg.exe (PID: 2240)

MALICIOUS

SUSPICIOUS

INFO

Formbook was detected

Firefox.exe (PID: 3772)
audiodg.exe (PID: 2240)

FORMBOOK was detected

explorer.exe (PID: 124)

Actions looks like stealing of personal data

audiodg.exe (PID: 2240)

Changes the autorun value in the registry

audiodg.exe (PID: 2240)

Connects to CnC server

explorer.exe (PID: 124)

Stealing of credential data

audiodg.exe (PID: 2240)

Uses NETSH.EXE for network configuration

explorer.exe (PID: 124)

Executable content was dropped or overwritten

DllHost.exe (PID: 3620)
explorer.exe (PID: 124)

Application launched itself

helpcljhuf.exe (PID: 2156)
Order.scr (PID: 3572)

Starts CMD.EXE for commands execution

audiodg.exe (PID: 2240)

Creates files in the user directory

audiodg.exe (PID: 2240)

Starts application with an unusual extension

explorer.exe (PID: 124)
Order.scr (PID: 3572)

Loads DLL from Mozilla Firefox

audiodg.exe (PID: 2240)

Executed via COM

DllHost.exe (PID: 3620)

Creates files in the program directory

DllHost.exe (PID: 3620)

Creates files in the user directory

Firefox.exe (PID: 3772)

Manual execution by user

audiodg.exe (PID: 2240)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD

.exe

| Win32 Executable Microsoft Visual Basic 6 (84.4%)

.dll

| Win32 Dynamic Link Library (generic) (6.7%)

.exe

| Win32 Executable (generic) (4.6%)

.exe

| Generic Win/DOS Executable (2%)

.exe

| DOS Executable Generic (2%)

EXIF

MachineType:

Intel 386 or later, and compatibles

TimeStamp:

2003:01:09 12:34:05+01:00

PEType:

PE32

LinkerVersion:

CodeSize:

569344

InitializedDataSize:

32768

UninitializedDataSize:

null

EntryPoint:

0x1128

OSVersion:

ImageVersion:

1.6

SubsystemVersion:

Subsystem:

Windows GUI

FileVersionNumber:

1.6.0.6

ProductVersionNumber:

1.6.0.6

FileFlagsMask:

0x0000

FileFlags:

(none)

FileOS:

Win32

ObjectFileType:

Executable application

FileSubtype:

null

LanguageCode:

English (U.S.)

CharacterSet:

Unicode

CompanyName:

bainton

FileDescription:

AFGHANIS10

ProductName:

RUGOSELY7

FileVersion:

1.06.0006

ProductVersion:

1.06.0006

InternalName:

Appraisingly10

OriginalFileName:

Appraisingly10.exe

Summary

Architecture:

IMAGE_FILE_MACHINE_I386

Subsystem:

IMAGE_SUBSYSTEM_WINDOWS_GUI

Compilation Date:

09-Jan-2003 11:34:05

Detected languages

English - United States

CompanyName:

bainton

FileDescription:

AFGHANIS10

ProductName:

RUGOSELY7

FileVersion:

1.06.0006

ProductVersion:

1.06.0006

InternalName:

Appraisingly10

OriginalFilename:

Appraisingly10.exe

DOS Header

Magic number:

Bytes on last page of file:

0x0090

Pages in file:

0x0003

Relocations:

0x0000

Size of header:

0x0004

Min extra paragraphs:

0x0000

Max extra paragraphs:

0xFFFF

Initial SS value:

0x0000

Initial SP value:

0x00B8

Checksum:

0x0000

Initial IP value:

0x0000

Initial CS value:

0x0000

Overlay number:

0x0000

OEM identifier:

0x0000

OEM information:

0x0000

Address of NE header:

0x000000B0

PE Headers

Signature:

Machine:

IMAGE_FILE_MACHINE_I386

Number of sections:

Time date stamp:

09-Jan-2003 11:34:05

Pointer to Symbol Table:

0x00000000

Number of symbols:

Size of Optional Header:

0x00E0

Characteristics

IMAGE_FILE_32BIT_MACHINE

IMAGE_FILE_EXECUTABLE_IMAGE

IMAGE_FILE_LINE_NUMS_STRIPPED

IMAGE_FILE_LOCAL_SYMS_STRIPPED

IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x0008A900	0x0008B000	IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ	6.31451
.data	0x0008C000	0x00001CBC	0x00000000	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE	0
.rsrc	0x0008E000	0x00005EF4	0x00006000	IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ	5.40216

Resources

Imports

MSVBVM60.DLL

Exports

No exports.

Screenshots

Screenshot of dba983e27f0b2b80b77c0363781e14f7d35110c1bbef263e1fa018cc4d0bd783 taken from 18849 ms from task started

Screenshot of dba983e27f0b2b80b77c0363781e14f7d35110c1bbef263e1fa018cc4d0bd783 taken from 57777 ms from task started

Screenshot of dba983e27f0b2b80b77c0363781e14f7d35110c1bbef263e1fa018cc4d0bd783 taken from 70796 ms from task started

Processes

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

–

Specs description

Program did not start

Integrity level elevation

Task сontains an error or was rebooted

Process has crashed

Task contains several apps running

Executable file was dropped

Debug information is available

Process was injected

Network attacks were detected

Application downloaded the executable file

Actions similar to stealing personal data

Behavior similar to exploiting the vulnerability

Inspected object has sucpicious PE structure

File is detected by antivirus software

CPU overrun

RAM overrun

Process starts the services

Process was added to the startup

Behavior similar to spam

Low-level access to the HDD

Probably Tor was used

System was rebooted

Connects to the network

Known threat

Process information

Click at the process to see the details.

PID: 124

CMD: C:\Windows\Explorer.EXE

Path: C:\Windows\explorer.exe

Indicators

Parent process: ––

User: admin

Integrity Level: MEDIUM

Version:

Company: Microsoft Corporation

Description: Windows Explorer

Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Image
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\sndvolsso.dll
c:\windows\system32\hid.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\timedate.cpl
c:\windows\system32\atl.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\actxprxy.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\userenv.dll
c:\windows\system32\shacct.dll
c:\windows\system32\samlib.dll
c:\windows\system32\samcli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\msftedit.dll
c:\windows\system32\msls31.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\authui.dll
c:\windows\system32\cryptui.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\gameux.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\wer.dll
c:\windows\system32\msiltcfg.dll
c:\windows\system32\version.dll
c:\windows\system32\msi.dll
c:\windows\system32\winsta.dll
c:\windows\system32\psapi.dll
c:\windows\system32\networkexplorer.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wdmaud.drv
c:\windows\system32\ksuser.dll
c:\windows\system32\avrt.dll
c:\windows\system32\audioses.dll
c:\windows\system32\msacm32.drv
c:\windows\system32\msacm32.dll
c:\windows\system32\midimap.dll
c:\windows\system32\msutb.dll
c:\windows\system32\stobject.dll
c:\windows\system32\batmeter.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\es.dll
c:\windows\system32\prnfldr.dll
c:\windows\system32\winspool.drv
c:\windows\system32\dxp.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\syncreg.dll
c:\windows\ehome\ehsso.dll
c:\windows\system32\netshell.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\alttab.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\program files\filezilla ftp client\fzshellext.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\taskschd.dll
c:\windows\system32\mssprxy.dll
c:\windows\system32\pnidui.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\npmproxy.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wwanapi.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\qagent.dll
c:\windows\system32\srchadmin.dll
c:\windows\system32\sxs.dll
c:\windows\system32\bthprops.cpl
c:\windows\system32\ieframe.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\synccenter.dll
c:\windows\system32\actioncenter.dll
c:\windows\system32\imapi2.dll
c:\windows\system32\hgcpl.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\netprofm.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\fxsst.dll
c:\windows\system32\fxsapi.dll
c:\windows\system32\fxsresm.dll
c:\program files\internet explorer\ieproxy.dll
c:\windows\system32\mpr.dll
c:\windows\system32\structuredquery.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\wscinterop.dll
c:\windows\system32\wscapi.dll
c:\windows\system32\wscui.cpl
c:\windows\system32\werconcpl.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wercplsupport.dll
c:\windows\system32\msxml6.dll
c:\windows\system32\hcproviders.dll
c:\program files\winrar\rarext.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\syncui.dll
c:\windows\system32\synceng.dll
c:\windows\system32\searchfolder.dll
c:\windows\system32\naturallanguage6.dll
c:\windows\system32\nlsdata0009.dll
c:\windows\system32\nlslexicons0009.dll
c:\windows\system32\thumbcache.dll
c:\windows\system32\tquery.dll
c:\program files\microsoft office\office14\onfilter.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\users\admin\appdata\local\temp\order.scr
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\audiodg.exe
c:\windows\system32\dnsapi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wship6.dll
c:\windows\system32\comsvcs.dll
c:\program files\ftxlptx\helpcljhuf.exe

PID: 3572

CMD: "C:\Users\admin\AppData\Local\Temp\Order.scr" /S

Path: C:\Users\admin\AppData\Local\Temp\Order.scr

Indicators: No indicators

Parent process: explorer.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: bainton

Description: AFGHANIS10

Version: 1.06.0006

Modules

Image
c:\users\admin\appdata\local\temp\order.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\apphelp.dll

PID: 3968

CMD: C:\Users\admin\AppData\Local\Temp\Order.scr" /S

Path: C:\Users\admin\AppData\Local\Temp\Order.scr

Indicators: No indicators

Parent process: Order.scr

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: bainton

Description: AFGHANIS10

Version: 1.06.0006

Modules

Image
c:\users\admin\appdata\local\temp\order.scr
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

PID: 2240

CMD: "C:\Windows\System32\audiodg.exe"

Path: C:\Windows\System32\audiodg.exe

Indicators

Parent process: explorer.exe

User: admin

Integrity Level: MEDIUM

Version:

Company: Microsoft Corporation

Description: Windows Audio Device Graph Isolation

Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Image
c:\windows\system32\audiodg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\mmdevapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\shell32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\mlang.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\vaultcli.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\windowscodecs.dll
c:\program files\mozilla firefox\firefox.exe

PID: 1528

CMD: /c del "C:\Users\admin\AppData\Local\Temp\Order.scr"

Path: C:\Windows\System32\cmd.exe

Indicators: No indicators

Parent process: audiodg.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Microsoft Corporation

Description: Windows Command Processor

Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID: 3620

CMD: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}

Path: C:\Windows\system32\DllHost.exe

Indicators

Parent process: ––

User: admin

Integrity Level: HIGH

Exit code: 0

Version:

Company: Microsoft Corporation

Description: COM Surrogate

Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Image
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\actxprxy.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\mssprxy.dll

PID: 2156

CMD: "C:\Program Files\Ftxlptx\helpcljhuf.exe"

Path: C:\Program Files\Ftxlptx\helpcljhuf.exe

Indicators: No indicators

Parent process: explorer.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: bainton

Description: AFGHANIS10

Version: 1.06.0006

Modules

Image
c:\program files\ftxlptx\helpcljhuf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll

PID: 3772

CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"

Path: C:\Program Files\Mozilla Firefox\Firefox.exe

Indicators

Parent process: audiodg.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Mozilla Corporation

Description: Firefox

Version: 67.0.4

Modules

Image
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\version.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\api-ms-win-crt-runtime-l1-1-0.dll
c:\program files\mozilla firefox\ucrtbase.dll
c:\program files\mozilla firefox\api-ms-win-core-localization-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-processthreads-l1-1-1.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-core-timezone-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-file-l2-1-0.dll
c:\program files\mozilla firefox\api-ms-win-core-synch-l1-2-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-string-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-heap-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-stdio-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-convert-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-locale-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-math-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-time-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-filesystem-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-environment-l1-1-0.dll
c:\program files\mozilla firefox\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\nsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\mozilla firefox\nss3.dll
c:\windows\system32\winmm.dll
c:\windows\system32\wsock32.dll
c:\program files\mozilla firefox\api-ms-win-crt-multibyte-l1-1-0.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\cryptbase.dll

PID: 356

CMD: C:\Program Files\Ftxlptx\helpcljhuf.exe"

Path: C:\Program Files\Ftxlptx\helpcljhuf.exe

Indicators: No indicators

Parent process: helpcljhuf.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: bainton

Description: AFGHANIS10

Version: 1.06.0006

Modules

Image
c:\program files\ftxlptx\helpcljhuf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll

PID: 3828

CMD: "C:\Windows\System32\netsh.exe"

Path: C:\Windows\System32\netsh.exe

Indicators: No indicators

Parent process: explorer.exe

User: admin

Integrity Level: MEDIUM

Exit code: 0

Version:

Company: Microsoft Corporation

Description: Network Command Shell

Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Image
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll

Registry activity

Total events

Read events

Write events

Delete events

Modification events

PID

Process

Operation

Key

Name

Value

2240

audiodg.exe

write

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

E0XHBT2XL8B

C:\Program Files\Ftxlptx\helpcljhuf.exe

Files activity

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID

Process

Filename

Type

124

explorer.exe

C:\Users\admin\AppData\Local\Temp\Ftxlptx\helpcljhuf.exe

executable

MD5: e14c35e758d0383e7cc34336ae9b4d15

SHA256: dba983e27f0b2b80b77c0363781e14f7d35110c1bbef263e1fa018cc4d0bd783

3620

DllHost.exe

C:\Program Files\Ftxlptx\helpcljhuf.exe

executable

MD5: e14c35e758d0383e7cc34336ae9b4d15

SHA256: dba983e27f0b2b80b77c0363781e14f7d35110c1bbef263e1fa018cc4d0bd783

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrv.ini

binary

MD5: ba3b6bc807d4f76794c4b81b09bb9ba5

SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: 2855a82ecdd565b4d957ec2ee05aed26

SHA256: 88e38da5b12dd96afd9dc90c79929ec31d8604b1afdebdd5a02b19249c08c939

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogri.ini

binary

MD5: d63a82e5d81e02e399090af26db0b9cb

SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: 68d3a607f17148cdff0595b26605c0fb

SHA256: 0647675aa83f674026500d0f789d6227f7698d298368093de4c0e9d4b5257243

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: e0a6c1b41af1c05bc35d65b74c576d50

SHA256: a7f8316d837f1c26e5703ab4832889c3008e96ad855cd02ad721092ac871e2a7

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: 54e961a7b1cc98561867c295b20a773a

SHA256: da971755a5966a6e814b575069fb840477b54177f9d58368c3a88f3c760c35de

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: bbe5a214c65a658cb48ea811f5febbb9

SHA256: 1cd2f02ae835ab45d1e01ce9e6b81f975bfa11270021ed2389fe8ee43b76ee36

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: f82c1a614c146ab2df37e61a588154dc

SHA256: 351cb87b17a56ad080d8e937ed3931ed4a999988dfe216ab0e38f0336c65d4ce

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: f39c3df0ebc92bd0947d8a37874bb163

SHA256: 2b8f57a0c12027a7852fffa2d0454b51a30cbda0849439bcb0e4df30c32da0ba

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: b16976e8b37caabff9130df96804eeac

SHA256: fee3f48be280b6d6fc25351035d45d3a1d2b333559a1b56398cdf46b0774f232

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: b20c06ba2c05651d58e4619aa4a61e26

SHA256: 50a6e9a665b6b81cb6762ce37b0800fbbc9700973ac1125a6ebf4a8d3683c394

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: c96fae1320857b982300f4d4389649bc

SHA256: a69f1173ff36e1cb4bc2e96fa78750aff16b4157d331c9d6f2bfbe973fc299b2

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: 834950cde115c0e256cf005e838f97b3

SHA256: df4bbed42842ac68d0ff795fbdca3353cc73075809c50cbe8129d8b29ed0c71c

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: f98680360e637bf2854a070b7d6a6852

SHA256: 9514a8a77ec7f930979ae2cf6f2d05ce844e9a809119620c5b52250c76e45853

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: 7dd5ef3dbbb351acfc3671a6e0f49047

SHA256: bcd6e29ec1d7f26598284623704d15326637f2e083f4addb0a82ff876fdc2b99

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: fe4907cdd4aecf290ffd0c81d57ad6cf

SHA256: 06638eb314e61e81afe0b8cd01c8542999f0c8ceff492983774e8008077ced64

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrc.ini

binary

MD5: 057fe372fb972284ea95bda0ac41e68f

SHA256: 62fc94fee0ec1153fb3e5ca4ab6036f9e53412cfcfa8384f62ba24eaca43f162

3772

Firefox.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogrf.ini

binary

MD5: 53028481b5b5795f1501241ccc7abff6

SHA256: 75b5f3045e20c80f264568707e2d444dc7498db119d9661ae51a91575960fc5a

2240

audiodg.exe

C:\Users\admin\AppData\Roaming\K3R2C6P4\K3Rlogim.jpeg

image

MD5: 2c716ee5d0947d50373e50553d04237a

SHA256: 8afd98de6d49bd2822ccfd0146580886c1e3d75fb0a0053f0c86439bf1d614c0

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
124	explorer.exe	GET	––	198.54.117.210:80	http://www.earnsaverewrite.com/an27/?Ul9=f+o/aoqd8IgEcx1+HV4ymMAyIa1tW/At632OIwa5X/MFtAy1WtN68cROPTOAf+LlGMameA==&5j=tFBXnDRxx08t	US	––	––	malicious
124	explorer.exe	GET	––	35.153.222.37:80	http://www.tudopreto.com/an27/?Ul9=Jw9Bu32DHdXgmwT0+E6V7dpB7F87aMmNgE6sW0blUFvzdlvjcw1P5Uez4REPrg0saLUQ+g==&5j=tFBXnDRxx08t&sql=1	US	––	––	malicious
124	explorer.exe	POST	––	35.153.222.37:80	http://www.tudopreto.com/an27/	US	text ––	313 b ––	malicious
124	explorer.exe	POST	––	35.153.222.37:80	http://www.tudopreto.com/an27/	US	text ––	3.68 Kb ––	malicious
124	explorer.exe	GET	––	198.2.238.71:80	http://www.281clara.com/an27/?Ul9=KjGaWduyFsOqMT7KaapBTxLEISP9NI1vh/QMr+OV4tDgHFiZv1hcbbDT4b6qNNX3CYunSw==&5j=tFBXnDRxx08t&sql=1	CN	––	––	malicious
124	explorer.exe	POST	––	198.2.238.71:80	http://www.281clara.com/an27/	CN	text ––	313 b ––	malicious
124	explorer.exe	POST	––	198.2.238.71:80	http://www.281clara.com/an27/	CN	text ––	3.68 Kb ––	malicious
124	explorer.exe	POST	––	198.2.238.71:80	http://www.281clara.com/an27/	CN	text ––	113 Kb ––	malicious
124	explorer.exe	GET	301	85.13.161.89:80	http://www.neustadt-steuerberatung.com/an27/?Ul9=OURdvKc11GvwcjWg+5/ow1gVfvRIjCwTiJycxr4QzXbUoF62FbKe8E5yxDPbTPuvWxf1fg==&5j=tFBXnDRxx08t&sql=1	DE	html	354 b	malicious
124	explorer.exe	POST	––	85.13.161.89:80	http://www.neustadt-steuerberatung.com/an27/	DE	text ––	313 b ––	malicious
124	explorer.exe	POST	––	85.13.161.89:80	http://www.neustadt-steuerberatung.com/an27/	DE	text ––	3.68 Kb ––	malicious
124	explorer.exe	POST	––	85.13.161.89:80	http://www.neustadt-steuerberatung.com/an27/	DE	text ––	113 Kb ––	malicious
124	explorer.exe	GET	––	207.150.212.3:80	http://www.countertopmercenaries.com/an27/?Ul9=o1iMCKrwfVKywwawnFbpKuma6anurgD+Nptu8GPx3L5rj7sfDMEteI1AWpiHKGa1UIYlMQ==&5j=tFBXnDRxx08t&sql=1	US	––	––	malicious
124	explorer.exe	POST	––	207.150.212.3:80	http://www.countertopmercenaries.com/an27/	US	text ––	313 b ––	malicious
124	explorer.exe	POST	––	207.150.212.3:80	http://www.countertopmercenaries.com/an27/	US	text ––	3.68 Kb ––	malicious
124	explorer.exe	POST	––	207.150.212.3:80	http://www.countertopmercenaries.com/an27/	US	text ––	113 Kb ––	malicious
124	explorer.exe	GET	404	162.213.249.180:80	http://www.mansiobbok.info/an27/?Ul9=h9MyZ+ZpXOV3phF/c4/xkV1VqOaGADn+VJs1v3YILA84QEnyiHIeDawKlC3QZQCGse6bOA==&5j=tFBXnDRxx08t	US	html	328 b	malicious
124	explorer.exe	POST	404	162.213.249.180:80	http://www.mansiobbok.info/an27/	US	text html	313 b 297 b	malicious
124	explorer.exe	POST	404	162.213.249.180:80	http://www.mansiobbok.info/an27/	US	text html	3.68 Kb 297 b	malicious
124	explorer.exe	POST	––	162.213.249.180:80	http://www.mansiobbok.info/an27/	US	text ––	113 Kb ––	malicious
124	explorer.exe	GET	404	149.56.22.104:80	http://www.sandcreteengineeringgroup.com/an27/?Ul9=bD8xSA5BUGx3zR7ICGfxHt/6Ummew1Kxe0Ubekgrl/l9Yd0x0i0DvXeN3dxucWupnpAIfA==&5j=tFBXnDRxx08t	CA	html	1.12 Kb	malicious
124	explorer.exe	POST	––	149.56.22.104:80	http://www.sandcreteengineeringgroup.com/an27/	CA	text ––	313 b ––	malicious
124	explorer.exe	POST	––	149.56.22.104:80	http://www.sandcreteengineeringgroup.com/an27/	CA	text ––	3.68 Kb ––	malicious
124	explorer.exe	GET	––	23.20.239.12:80	http://www.southeastart.com/an27/?Ul9=r6jj9T2pgkysj66jOnX9vzP/W68FNykrVyQLLzuRcl8ibRtwaAgFh9U6KO1d5bua+1fH8g==&5j=tFBXnDRxx08t	US	––	––	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	ASN	CN	Reputation
124	explorer.exe	198.54.117.210:80	Namecheap, Inc.	US	malicious
124	explorer.exe	35.153.222.37:80		US	malicious
124	explorer.exe	198.2.238.71:80	PEG TECH INC	CN	malicious
124	explorer.exe	85.13.161.89:80	Neue Medien Muennich GmbH	DE	malicious
124	explorer.exe	207.150.212.3:80	Hostway Corporation	US	malicious
124	explorer.exe	162.213.249.180:80	Namecheap, Inc.	US	malicious
124	explorer.exe	149.56.22.104:80	OVH SAS	CA	malicious
––	––	23.20.239.12:80	Amazon.com, Inc.	US	shared

DNS requests

Domain	IP	Reputation
www.earnsaverewrite.com	198.54.117.210 198.54.117.217 198.54.117.218 198.54.117.216 198.54.117.215 198.54.117.212 198.54.117.211	malicious
www.tudopreto.com	35.153.222.37 52.72.132.249	malicious
www.281clara.com	198.2.238.71	malicious
www.newquestmuscle.com	No response	unknown
www.neustadt-steuerberatung.com	85.13.161.89	malicious
www.countertopmercenaries.com	207.150.212.3	malicious
www.mansiobbok.info	162.213.249.180	malicious
www.ovio.plus	No response	unknown
www.yinheyule80.com	No response	unknown
www.sandcreteengineeringgroup.com	149.56.22.104	malicious
www.southeastart.com	23.20.239.12	shared

Threats

PID	Process	Class	Message
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (GET)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (GET)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (GET)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (GET)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (GET)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (GET)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (POST)
124	explorer.exe	A Network Trojan was detected	MALWARE [PTsecurity] FormBook CnC Checkin (GET)

19 ETPRO signatures available at the full report

Debug output strings

No debug info.

General Info

Order.scr

trojan

formbook

stealer

Take your security to the next level

e14c35e758d0383e7cc34336ae9b4d15

6d5812c23779cad1fda1b22e784d53314e62908a

dba983e27f0b2b80b77c0363781e14f7d35110c1bbef263e1fa018cc4d0bd783

12288:bnEEEwy86zboSChS/7Ov+q/7Ov+iFS7ZSqvhJOhJsom4vFA3BJcS3XzMIi+dZqaK:AW7+rQkeTW

Launch configuration

Software preset

Hotfixes

Behavior activities

Static information

Screenshots

Processes

Behavior graph

Process information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings

Take your security
to the next level