analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe

Full analysis: https://app.any.run/tasks/af159601-8ba7-452d-850b-9e3353040507
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Analysis date: August 12, 2022, 18:39:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
formbook
trojan
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

44C1E6130AA76C92DFD421D2011DDE75

SHA1:

A96F2A85EF4408780DF380451455F11A3BC679E4

SHA256:

E5A1E1A656EF91AFFC572F8BA5759039FCB047F43912BA1FA9F7B280CCECA5CD

SSDEEP:

12288:z8HA79b9hfYBkePys94ClAFJXCrJ/0KbLtyB4pWRqbudaYz:+Axb3YBkeP944AFJYs0Li/8ikYz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
    • Changes the autorun value in the registry

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
    • Drops executable file immediately after starts

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
    • FORMBOOK was detected

      • Explorer.EXE (PID: 1176)
    • Connects to CnC server

      • Explorer.EXE (PID: 1176)
    • FORMBOOK detected by memory dumps

      • wlanext.exe (PID: 3444)
  • SUSPICIOUS

    • Checks supported languages

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
      • cmd.exe (PID: 948)
    • Reads the computer name

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
      • cmd.exe (PID: 948)
    • Adds / modifies Windows certificates

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
    • Executable content was dropped or overwritten

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
    • Drops a file with a compile date too recent

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
    • Reads Environment values

      • wlanext.exe (PID: 3444)
  • INFO

    • Reads settings of System Certificates

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
    • Checks Windows Trust Settings

      • Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe (PID: 1204)
    • Manual execution by user

      • wlanext.exe (PID: 3444)
    • Checks supported languages

      • cmd.exe (PID: 2088)
      • wlanext.exe (PID: 3444)
    • Reads the computer name

      • wlanext.exe (PID: 3444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(3444) wlanext.exe
Modules (42)kernel32.dll
advapi32.dll
ws2_32.dll
svchost.exe
msiexec.exe
wuauclt.exe
lsass.exe
wlanext.exe
msg.exe
lsm.exe
dwm.exe
help.exe
chkdsk.exe
cmmon32.exe
nbtstat.exe
spoolsv.exe
rdpclip.exe
control.exe
taskhost.exe
rundll32.exe
systray.exe
audiodg.exe
wininit.exe
services.exe
autochk.exe
autoconv.exe
autofmt.exe
cmstp.exe
colorcpl.exe
cscript.exe
explorer.exe
WWAHost.exe
ipconfig.exe
msdt.exe
mstsc.exe
NAPSTAT.EXE
netsh.exe
NETSTAT.EXE
raserver.exe
wscript.exe
wuapp.exe
cmd.exe
Decoys and strings (143)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
stagcasm.com
harryherbst.com
globalbaike.com
profitcryptosignals.space
xxxxgalactic.com
amazingearth.one
inaurahome.co.uk
broadscopefp.co.uk
wbeauty.co.uk
kingsweetener.com
plentinainvest.com
cruises-64228.com
montipiozzsx-abc.one
adolphobia.com
sarahforrest.com
probateconsultant.com
boardmoors.com
nomornots.com
hailanghua88.com
blackhatwizardd.com
case-ology.com
thelyttleknownllc.com
kogoro01.com
rs-ubytovani.info
zabxl.com
475uk.com
vy52.online
genesisfuneralcremation.com
shraddha.school
holavacaciones.com
chandxt.online
dickybisinglasi.com
hsuansally.com
liliheng.com
prosubroofingconstruction.com
simplyperfume.net
2wendengrovestkildaeast.com
multi-sarana.com
cloudmoy.com
sreenjoy.com
studiotrips.com
perkins-hawaii.com
fulltiktok.net
henryvalentine.com
hanstitches.com
537181.com
prowrapppf.com
celeryumbellifer.com
casealmaresardegna.com
daneparkfortworth.com
validpersona.com
dakotaisadick.com
insurancebrokersnationwide.com
directorialsuit.com
escapistory.com
truthseeker12.com
fairyimage.sbs
quangdangprinting.com
atlanticpietra.com
uniavan.com
nikeksa.com
1200fun.com
10bestsidegigs.com
qjvgxy.com
f-end
C2www.mmapalvelut.info/ok27/
No Malware configuration.

TRiD

.exe | InstallShield setup (21.8)
.exe | Win32 Executable Delphi generic (7.1)
.scr | Windows screen saver (6.6)
.exe | Win32 Executable (generic) (2.2)

EXIF

EXE

Comments: Factory!,(c) 1997-2005 e-merge GmbH, http://www.emerge.de
ProductVersion: 02.69.00.00
ProductName: Wi2ce
OriginalFileName: -
LegalTrademarks: 1997-2007 ACE Compression Software & e-merge GmbH
LegalCopyright: 1997-2007 ACE Compression Software & e-merge GmbH
InternalName: -
FileVersion: 2.69.0.0
FileDescription: Factory.wi3.com
CompanyName: e-m-Factory
CharacterSet: Windows, Latin1
LanguageCode: German
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 2.6.4.0
FileVersionNumber: 2.69.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x6b7f0
UninitializedDataSize: -
InitializedDataSize: 561152
CodeSize: 433664
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 1992:06:20 00:22:17+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 19-Jun-1992 22:22:17
Detected languages:
  • English - United States
  • German - Germany
CompanyName: e-m-Factory
FileDescription: Factory.wi3.com
FileVersion: 2.69.0.0
InternalName: -
LegalCopyright: 1997-2007 ACE Compression Software & e-merge GmbH
LegalTrademarks: 1997-2007 ACE Compression Software & e-merge GmbH
OriginalFilename: -
ProductName: Wi2ce
ProductVersion: 02.69.00.00
Comments: Factory!,(c) 1997-2005 e-merge GmbH, http://www.emerge.de

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 9
Time date stamp: 19-Jun-1992 22:22:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0006921C
0x00069400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.55154
.itext
0x0006B000
0x00000850
0x00000A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.62669
.data
0x0006C000
0x00001D3C
0x00001E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.88964
.bss
0x0006E000
0x000037C4
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x00072000
0x00002A52
0x00002C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.02663
.tls
0x00075000
0x00000034
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x00076000
0x00000018
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.210826
.reloc
0x00077000
0x00007390
0x00007400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.67399
.rsrc
0x0007F000
0x0007D000
0x0007D000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.69621

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.49778
1000
UNKNOWN
German - Germany
RT_VERSION
2
2.80231
308
UNKNOWN
English - United States
RT_CURSOR
3
3.00046
308
UNKNOWN
English - United States
RT_CURSOR
4
2.56318
308
UNKNOWN
English - United States
RT_CURSOR
5
2.6949
308
UNKNOWN
English - United States
RT_CURSOR
6
2.62527
308
UNKNOWN
English - United States
RT_CURSOR
7
2.91604
308
UNKNOWN
English - United States
RT_CURSOR
69
2.46191
4264
UNKNOWN
UNKNOWN
RT_ICON
72
3.08459
1128
UNKNOWN
UNKNOWN
RT_ICON
4083
3.25813
1276
UNKNOWN
UNKNOWN
RT_STRING

Imports

URL
advapi32.dll
comctl32.dll
gdi32.dll
kernel32.dll
ole32.dll
oleaut32.dll
shell32.dll
user32.dll
version.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start zcuhyptdeijgoloimqknekinfmygrrtrzj.exe cmd.exe no specs #FORMBOOK wlanext.exe no specs cmd.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
1204"C:\Users\admin\AppData\Local\Temp\Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe" C:\Users\admin\AppData\Local\Temp\Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe
Explorer.EXE
User:
admin
Company:
e-m-Factory
Integrity Level:
MEDIUM
Description:
Factory.wi3.com
Exit code:
0
Version:
2.69.0.0
Modules
Images
c:\users\admin\appdata\local\temp\zcuhyptdeijgoloimqknekinfmygrrtrzj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
948"C:\Windows\System32\cmd.exe" C:\Windows\System32\cmd.exeZcuhyptdeijgoloimqknekinfmygrrtrzj.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3444"C:\Windows\System32\wlanext.exe"C:\Windows\System32\wlanext.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Wireless LAN 802.11 Extensibility Framework
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wlanext.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
Formbook
(PID) Process(3444) wlanext.exe
Modules (42)kernel32.dll
advapi32.dll
ws2_32.dll
svchost.exe
msiexec.exe
wuauclt.exe
lsass.exe
wlanext.exe
msg.exe
lsm.exe
dwm.exe
help.exe
chkdsk.exe
cmmon32.exe
nbtstat.exe
spoolsv.exe
rdpclip.exe
control.exe
taskhost.exe
rundll32.exe
systray.exe
audiodg.exe
wininit.exe
services.exe
autochk.exe
autoconv.exe
autofmt.exe
cmstp.exe
colorcpl.exe
cscript.exe
explorer.exe
WWAHost.exe
ipconfig.exe
msdt.exe
mstsc.exe
NAPSTAT.EXE
netsh.exe
NETSTAT.EXE
raserver.exe
wscript.exe
wuapp.exe
cmd.exe
Decoys and strings (143)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
stagcasm.com
harryherbst.com
globalbaike.com
profitcryptosignals.space
xxxxgalactic.com
amazingearth.one
inaurahome.co.uk
broadscopefp.co.uk
wbeauty.co.uk
kingsweetener.com
plentinainvest.com
cruises-64228.com
montipiozzsx-abc.one
adolphobia.com
sarahforrest.com
probateconsultant.com
boardmoors.com
nomornots.com
hailanghua88.com
blackhatwizardd.com
case-ology.com
thelyttleknownllc.com
kogoro01.com
rs-ubytovani.info
zabxl.com
475uk.com
vy52.online
genesisfuneralcremation.com
shraddha.school
holavacaciones.com
chandxt.online
dickybisinglasi.com
hsuansally.com
liliheng.com
prosubroofingconstruction.com
simplyperfume.net
2wendengrovestkildaeast.com
multi-sarana.com
cloudmoy.com
sreenjoy.com
studiotrips.com
perkins-hawaii.com
fulltiktok.net
henryvalentine.com
hanstitches.com
537181.com
prowrapppf.com
celeryumbellifer.com
casealmaresardegna.com
daneparkfortworth.com
validpersona.com
dakotaisadick.com
insurancebrokersnationwide.com
directorialsuit.com
escapistory.com
truthseeker12.com
fairyimage.sbs
quangdangprinting.com
atlanticpietra.com
uniavan.com
nikeksa.com
1200fun.com
10bestsidegigs.com
qjvgxy.com
f-end
C2www.mmapalvelut.info/ok27/
2088/c del "C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exewlanext.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1176C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
4 764
Read events
4 722
Write events
40
Delete events
2

Modification events

(PID) Process:(1176) Explorer.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB010000004F702234D272384A8433780897940A9E00000000020000000000106600000001000020000000D98FECCF0FD9EE3C53E08656BD16184990CD688646BF6D97C6554F50FA9D80FF000000000E80000000020000200000005D201AEBFD5858250E9FA48EFCCFB6AE1CF10D2E61F3D5FB69A24337EC7A8EBF3000000041B5C1610DBD8665A7753C6B0DE5F4B31FB64F9FC007F13CA9B18CDCA60B0951BFD03E714BDCF577A5E04B931F68AACD400000005C199FD54F1B6E7CC0FF252B76A555DAB329518D58EBF6C5CAF6BD75B94A7A5DDDEDCBDC1DCDE00DBD9195C22C381785CCC4BDA7A86DEA7C1431A20F3CB6D55E
(PID) Process:(1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1204) Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
4
Text files
3
Unknown types
2

Dropped files

PID
Process
Filename
Type
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868binary
MD5:BEF398AFE8C9C23823815C59B9A566EA
SHA256:651702E5DC870475DF695F7984EC2C20C0553D6462AD09B03D54BC900DE6B1C8
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442binary
MD5:DAEC35E6C512B24456E3670CA3C30635
SHA256:68D657C4864B7ACD6125FD0215654CC09518D3DE7C664E4B2FAB8EF501D583E3
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:C3F796CBE5F3023DE356F2AA05A35842
SHA256:2E1EED87591CF3FA24E422CE7DD00AEB238237128FFAB0533F342D605AF21177
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\GTOJSI04.txttext
MD5:3494C60049790F9E3EF477965F520998
SHA256:4063EEA1543DCF4DDB94D5C27900B1ACF058426130BE5B3125775EE69F30BFB7
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\Public\Libraries\Zcuhyptde.exeexecutable
MD5:44C1E6130AA76C92DFD421D2011DDE75
SHA256:E5A1E1A656EF91AFFC572F8BA5759039FCB047F43912BA1FA9F7B280CCECA5CD
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442der
MD5:191BE156BB8730F8E2AE266A98F5EEEF
SHA256:ECD32D2E73B2FE5FB12139B83293CCCBD0DB54D681F5E53741C02B037A1DD128
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868der
MD5:49104231C9773032E068B11AFAC5DDF4
SHA256:F53E869D1967A2C4DCE334CD686834554B95496380DCEA880847CDD16236C3ED
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\1WOF7SS9.txttext
MD5:C4C21E43C761BBD49763E8DDAA9E450E
SHA256:9E2AF2A4A89039A12A1894B924DC6F27D29CF6D0FB4BF4FFA95A8C1B55CFF846
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\Public\Libraries\edtpyhucZ.urltext
MD5:DD86148D78B0169262334C9B4149063D
SHA256:8935204368F02083AD4E92AF92F655A2FC271A9E384DEBCDFBBCD17E9D00DE4B
1204Zcuhyptdeijgoloimqknekinfmygrrtrzj.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
6
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1204
Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
1204
Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D
US
der
471 b
whitelisted
1176
Explorer.EXE
GET
198.54.117.217:80
http://www.mmapalvelut.info/ok27/?Aln=oJd0DhCpQZ&GzvH-=2oeiEHdOLrw0fjnW9sctH6Us/p/Vrpv2rMAqRHfg6xTQH43bJJv3LxMB/1/9YYVSR3k8Tw==
US
malicious
1204
Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe
GET
200
178.79.242.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?18fbcffbbdb5ae41
DE
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1204
Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1204
Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe
178.79.242.128:80
ctldl.windowsupdate.com
Limelight Networks, Inc.
DE
malicious
1204
Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe
13.107.43.13:443
onedrive.live.com
Microsoft Corporation
US
malicious
1176
Explorer.EXE
198.54.117.217:80
www.mmapalvelut.info
Namecheap, Inc.
US
malicious
1204
Zcuhyptdeijgoloimqknekinfmygrrtrzj.exe
13.107.43.12:443
pvunxa.db.files.1drv.com
Microsoft Corporation
US
suspicious

DNS requests

Domain
IP
Reputation
onedrive.live.com
  • 13.107.43.13
shared
ctldl.windowsupdate.com
  • 178.79.242.128
  • 178.79.242.0
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
pvunxa.db.files.1drv.com
  • 13.107.43.12
suspicious
www.mmapalvelut.info
  • 198.54.117.217
  • 198.54.117.216
  • 198.54.117.212
  • 198.54.117.215
  • 198.54.117.211
  • 198.54.117.218
  • 198.54.117.210
malicious
www.fulltiktok.net
unknown
www.profitcryptosignals.space
unknown
www.globalbaike.com
unknown

Threats

PID
Process
Class
Message
1176
Explorer.EXE
Generic Protocol Command Decode
SURICATA HTTP Unexpected Request body
1176
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1176
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
1176
Explorer.EXE
A Network Trojan was detected
ET TROJAN FormBook CnC Checkin (GET)
No debug info