| Field | Value |
|---|---|
| File name: | 1.exe |
| Full analysis: | https://app.any.run/tasks/5a565a8e-79db-4419-9aaa-f72dff1187fc |
| Verdict: | Malicious activity |
| Threats: | CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It was first observed in the wild in 2019. |
| Analysis date: | September 14, 2024, 15:54:17 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 95BB292A795C5C517E405F698FBD3FED |
| SHA1: | F53472AE5A6EF6C84A22BA968AE52B7B8AF2C059 |
| SHA256: | DBF462D222344D6C78ED9548922560993B9D8BD2A9860B381476310319945D80 |
| SSDEEP: | 49152:88nkHwl23x7UyiWJHd+vDVnuk9OX+lP+k99JXYKHuIH/tbAFGrWzmISJUWlY0Ni0:+PAakT0VKP |

| Extension | Detected type (score) |
|---|---|
| .exe | Win64 Executable (generic) (64.6) |
| .dll | Win32 Dynamic Link Library (generic) (15.3) |
| .exe | Win32 Executable (generic) (10.5) |
| .exe | Generic Win/DOS Executable (4.6) |
| .exe | DOS Executable Generic (4.6) |

| Field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2024:09:12 12:27:41+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 2.35 |
| CodeSize: | 4712960 |
| InitializedDataSize: | 5928960 |
| UninitializedDataSize: | 6743040 |
| EntryPoint: | 0x14b0 |
| OSVersion: | 4 |
| ImageVersion: | 1 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 740 | "C:\Users\admin\AppData\Local\Temp\/service123.exe" | C:\Users\admin\AppData\Local\Temp\service123.exe | — | svchost.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 1076 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | schtasks.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 1164 | "C:\Users\admin\AppData\Local\Temp\/service123.exe" | C:\Users\admin\AppData\Local\Temp\service123.exe | — | svchost.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | | services.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Host Process for Windows Services; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 3672 | "C:\Users\admin\AppData\Local\Temp\service123.exe" | C:\Users\admin\AppData\Local\Temp\service123.exe | | 1.exe | User: admin; Integrity Level: MEDIUM |
| 4404 | "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f | C:\Windows\SysWOW64\schtasks.exe | — | 1.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Task Scheduler Configuration Tool; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7164 | "C:\Users\admin\Desktop\1.exe" | C:\Users\admin\Desktop\1.exe | | explorer.exe | User: admin; Integrity Level: MEDIUM; Exit code: 0 |

CryptBot (PID 7164, process 1.exe): C2 (1): tventyvd20ht.top; Strings (364).

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 7164 | 1.exe | C:\Users\admin\AppData\Local\Temp\service123.exe | — | — | — |
| 7164 | 1.exe | C:\Users\admin\AppData\Local\Temp\cSguAKlGssbLNAQUYhcr.dll | — | — | — |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2120 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 1356 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 6280 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 7164 | 1.exe | POST | 200 | 194.87.248.136:80 | http://tventyvd20ht.top/v1/upload.php | unknown | — | — | unknown |
| 7164 | 1.exe | POST | 200 | 194.87.248.136:80 | http://tventyvd20ht.top/v1/upload.php | unknown | — | — | unknown |
| 7164 | 1.exe | POST | 200 | 194.87.248.136:80 | http://tventyvd20ht.top/v1/upload.php | unknown | — | — | unknown |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1356 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 6280 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 1356 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 6280 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 2120 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| 2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| tventyvd20ht.top | | malicious |

| PID | Process | Class | Message |
|---|---|---|---|
| 2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
| 7164 | 1.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
| 7164 | 1.exe | A Network Trojan was detected | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 |
| 7164 | 1.exe | A Network Trojan was detected | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 |
| 7164 | 1.exe | A Network Trojan was detected | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 |