File name: | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe |
Full analysis: | https://app.any.run/tasks/af159601-8ba7-452d-850b-9e3353040507 |
Verdict: | Malicious activity |
Threats: | FormBook is a data stealer distributed as malware-as-a-service (MaaS). FormBook differs from much of the competing malware in its extreme ease of use, which allows even inexperienced threat actors to operate it. |
Analysis date: | August 12, 2022, 18:39:12 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 44C1E6130AA76C92DFD421D2011DDE75 |
SHA1: | A96F2A85EF4408780DF380451455F11A3BC679E4 |
SHA256: | E5A1E1A656EF91AFFC572F8BA5759039FCB047F43912BA1FA9F7B280CCECA5CD |
SSDEEP: | 12288:z8HA79b9hfYBkePys94ClAFJXCrJ/0KbLtyB4pWRqbudaYz:+Axb3YBkeP944AFJYs0Li/8ikYz |
Extension | File type identification |
---|---|
.exe | InstallShield setup (21.8) |
.exe | Win32 Executable Delphi generic (7.1) |
.scr | Windows screen saver (6.6) |
.exe | Win32 Executable (generic) (2.2) |
Field | Value |
---|---|
Comments: | Factory!,(c) 1997-2005 e-merge GmbH, http://www.emerge.de |
ProductVersion: | 02.69.00.00 |
ProductName: | Wi2ce |
OriginalFileName: | - |
LegalTrademarks: | 1997-2007 ACE Compression Software & e-merge GmbH |
LegalCopyright: | 1997-2007 ACE Compression Software & e-merge GmbH |
InternalName: | - |
FileVersion: | 2.69.0.0 |
FileDescription: | Factory.wi3.com |
CompanyName: | e-m-Factory |
CharacterSet: | Windows, Latin1 |
LanguageCode: | German |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 2.6.4.0 |
FileVersionNumber: | 2.69.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x6b7f0 |
UninitializedDataSize: | - |
InitializedDataSize: | 561152 |
CodeSize: | 433664 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 1992:06:20 00:22:17+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 19-Jun-1992 22:22:17 |
Detected languages: | |
Field | Value |
---|---|
Magic number: | MZ |
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Field | Value |
---|---|
Signature: | PE |
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 9 |
Time date stamp: | 19-Jun-1992 22:22:17 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0006921C | 0x00069400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.55154 |
.itext | 0x0006B000 | 0x00000850 | 0x00000A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.62669 |
.data | 0x0006C000 | 0x00001D3C | 0x00001E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.88964 |
.bss | 0x0006E000 | 0x000037C4 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x00072000 | 0x00002A52 | 0x00002C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.02663 |
.tls | 0x00075000 | 0x00000034 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x00076000 | 0x00000018 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.210826 |
.reloc | 0x00077000 | 0x00007390 | 0x00007400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.67399 |
.rsrc | 0x0007F000 | 0x0007D000 | 0x0007D000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.69621 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.49778 | 1000 | UNKNOWN | German - Germany | RT_VERSION |
2 | 2.80231 | 308 | UNKNOWN | English - United States | RT_CURSOR |
3 | 3.00046 | 308 | UNKNOWN | English - United States | RT_CURSOR |
4 | 2.56318 | 308 | UNKNOWN | English - United States | RT_CURSOR |
5 | 2.6949 | 308 | UNKNOWN | English - United States | RT_CURSOR |
6 | 2.62527 | 308 | UNKNOWN | English - United States | RT_CURSOR |
7 | 2.91604 | 308 | UNKNOWN | English - United States | RT_CURSOR |
69 | 2.46191 | 4264 | UNKNOWN | UNKNOWN | RT_ICON |
72 | 3.08459 | 1128 | UNKNOWN | UNKNOWN | RT_ICON |
4083 | 3.25813 | 1276 | UNKNOWN | UNKNOWN | RT_STRING |
Imported library |
---|
advapi32.dll |
comctl32.dll |
gdi32.dll |
kernel32.dll |
ole32.dll |
oleaut32.dll |
shell32.dll |
user32.dll |
version.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1204 | "C:\Users\admin\AppData\Local\Temp\Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe" | C:\Users\admin\AppData\Local\Temp\Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | | Explorer.EXE |
User: admin Company: e-m-Factory Integrity Level: MEDIUM Description: Factory.wi3.com Exit code: 0 Version: 2.69.0.0
948 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | — | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
3444 | "C:\Windows\System32\wlanext.exe" | C:\Windows\System32\wlanext.exe | | Explorer.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Wireless LAN 802.11 Extensibility Framework Version: 6.1.7600.16385 (win7_rtm.090713-1255)
FormBook configuration extracted from process 3444 (wlanext.exe):
Modules (42): kernel32.dll advapi32.dll ws2_32.dll svchost.exe msiexec.exe wuauclt.exe lsass.exe wlanext.exe msg.exe lsm.exe dwm.exe help.exe chkdsk.exe cmmon32.exe nbtstat.exe spoolsv.exe rdpclip.exe control.exe taskhost.exe rundll32.exe systray.exe audiodg.exe wininit.exe services.exe autochk.exe autoconv.exe autofmt.exe cmstp.exe colorcpl.exe cscript.exe explorer.exe WWAHost.exe ipconfig.exe msdt.exe mstsc.exe NAPSTAT.EXE netsh.exe NETSTAT.EXE raserver.exe wscript.exe wuapp.exe cmd.exe
Decoys and strings (143): USERNAME LOCALAPPDATA USERPROFILE APPDATA TEMP ProgramFiles CommonProgramFiles ALLUSERSPROFILE /c copy " /c del " \Run \Policies \Explorer \Registry\User \Registry\Machine \SOFTWARE\Microsoft\Windows\CurrentVersion Office\15.0\Outlook\Profiles\Outlook\ NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ \SOFTWARE\Mozilla\Mozilla \Mozilla Username: Password: formSubmitURL usernameField encryptedUsername encryptedPassword \logins.json \signons.sqlite \Microsoft\Vault\ SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins \Google\Chrome\User Data\Default\Login Data SELECT origin_url, username_value, password_value FROM logins .exe .com .scr .pif .cmd .bat ms win gdi mfc vga igfx user help config update regsvc chkdsk systray audiodg certmgr autochk taskhost colorcpl services IconCache ThumbCache Cookies SeDebugPrivilege SeShutdownPrivilege \BaseNamedObjects config.php POST HTTP/1.1 Host: Connection: close Content-Length: Cache-Control: no-cache Origin: http:// User-Agent: Mozilla Firefox/4.0 Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http:// Accept-Language: en-US Accept-Encoding: gzip, deflate
dat= f-start stagcasm.com harryherbst.com globalbaike.com profitcryptosignals.space xxxxgalactic.com amazingearth.one inaurahome.co.uk broadscopefp.co.uk wbeauty.co.uk kingsweetener.com plentinainvest.com cruises-64228.com montipiozzsx-abc.one adolphobia.com sarahforrest.com probateconsultant.com boardmoors.com nomornots.com hailanghua88.com blackhatwizardd.com case-ology.com thelyttleknownllc.com kogoro01.com rs-ubytovani.info zabxl.com 475uk.com vy52.online genesisfuneralcremation.com shraddha.school holavacaciones.com chandxt.online dickybisinglasi.com hsuansally.com liliheng.com prosubroofingconstruction.com simplyperfume.net 2wendengrovestkildaeast.com multi-sarana.com cloudmoy.com sreenjoy.com studiotrips.com perkins-hawaii.com fulltiktok.net henryvalentine.com hanstitches.com 537181.com prowrapppf.com celeryumbellifer.com casealmaresardegna.com daneparkfortworth.com validpersona.com dakotaisadick.com insurancebrokersnationwide.com directorialsuit.com escapistory.com truthseeker12.com fairyimage.sbs quangdangprinting.com atlanticpietra.com uniavan.com nikeksa.com 1200fun.com 10bestsidegigs.com qjvgxy.com f-end C2www.mmapalvelut.info/ok27/ | |||||||||||||||
2088 | /c del "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | — | wlanext.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
1176 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | — | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255)
(PID) Process: | (1176) Explorer.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
Operation: | write | Name: | CheckSetting |
Value: (not recovered) | |||
(PID) Process: | (1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
(PID) Process: | (1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | binary | |
MD5:BEF398AFE8C9C23823815C59B9A566EA | SHA256:651702E5DC870475DF695F7984EC2C20C0553D6462AD09B03D54BC900DE6B1C8 | |||
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary | |
MD5:DAEC35E6C512B24456E3670CA3C30635 | SHA256:68D657C4864B7ACD6125FD0215654CC09518D3DE7C664E4B2FAB8EF501D583E3 | |||
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:C3F796CBE5F3023DE356F2AA05A35842 | SHA256:2E1EED87591CF3FA24E422CE7DD00AEB238237128FFAB0533F342D605AF21177 | |||
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\GTOJSI04.txt | text | |
MD5:3494C60049790F9E3EF477965F520998 | SHA256:4063EEA1543DCF4DDB94D5C27900B1ACF058426130BE5B3125775EE69F30BFB7 | |||
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\Public\Libraries\Zcuhyptde.exe | executable | |
MD5:44C1E6130AA76C92DFD421D2011DDE75 | SHA256:E5A1E1A656EF91AFFC572F8BA5759039FCB047F43912BA1FA9F7B280CCECA5CD | |||
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der | |
MD5:191BE156BB8730F8E2AE266A98F5EEEF | SHA256:ECD32D2E73B2FE5FB12139B83293CCCBD0DB54D681F5E53741C02B037A1DD128 | |||
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | der | |
MD5:49104231C9773032E068B11AFAC5DDF4 | SHA256:F53E869D1967A2C4DCE334CD686834554B95496380DCEA880847CDD16236C3ED | |||
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\1WOF7SS9.txt | text | |
MD5:C4C21E43C761BBD49763E8DDAA9E450E | SHA256:9E2AF2A4A89039A12A1894B924DC6F27D29CF6D0FB4BF4FFA95A8C1B55CFF846 | |||
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\Public\Libraries\edtpyhucZ.url | text | |
MD5:DD86148D78B0169262334C9B4149063D | SHA256:8935204368F02083AD4E92AF92F655A2FC271A9E384DEBCDFBBCD17E9D00DE4B | |||
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | |
MD5:F7DCB24540769805E5BB30D193944DCE | SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | US | der | 471 b | whitelisted |
1176 | Explorer.EXE | GET | — | 198.54.117.217:80 | http://www.mmapalvelut.info/ok27/?Aln=oJd0DhCpQZ&GzvH-=2oeiEHdOLrw0fjnW9sctH6Us/p/Vrpv2rMAqRHfg6xTQH43bJJv3LxMB/1/9YYVSR3k8Tw== | US | — | — | malicious |
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | GET | 200 | 178.79.242.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?18fbcffbbdb5ae41 | DE | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | 178.79.242.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | DE | malicious |
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | 13.107.43.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
1176 | Explorer.EXE | 198.54.117.217:80 | www.mmapalvelut.info | Namecheap, Inc. | US | malicious |
1204 | Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe | 13.107.43.12:443 | pvunxa.db.files.1drv.com | Microsoft Corporation | US | suspicious |
Domain | IP | Reputation |
---|---|---|
onedrive.live.com | | shared |
ctldl.windowsupdate.com | | whitelisted |
ocsp.digicert.com | | whitelisted |
pvunxa.db.files.1drv.com | | suspicious |
www.mmapalvelut.info | | malicious |
www.fulltiktok.net | | unknown |
www.profitcryptosignals.space | | unknown |
www.globalbaike.com | | unknown |
PID | Process | Class | Message |
---|---|---|---|
1176 | Explorer.EXE | Generic Protocol Command Decode | SURICATA HTTP Unexpected Request body |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |
1176 | Explorer.EXE | A Network Trojan was detected | ET TROJAN FormBook CnC Checkin (GET) |