File name:

ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe

Full analysis: https://app.any.run/tasks/f5dca767-ded5-494d-9d74-8b2d68af39fe
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: July 27, 2024, 17:26:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
formbook
xloader
stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

01FBCC6559C010E59BE1DC7B66C12E4F

SHA1:

657F058D4032447658F71265803F7A6D52A64532

SHA256:

EE7DD9158F6175700AA6D58F346036F949889F8DEEBF8DBEE83C40874BBC1F26

SSDEEP:

24576:W2TRhstm8oKNe/1UJWS1OAX64OchZA4KRPcdMsC8xYfVpO/aZNlBI:XTRhs88oKNe/1UJWS1OAX64OchZA4KRC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)

    • Uses Task Scheduler to run other applications

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)

    • FORMBOOK has been detected (YARA)

      • cscript.exe (PID: 1296)

    • Connects to the CnC server

      • explorer.exe (PID: 5016)

    • FORMBOOK has been detected (SURICATA)

      • explorer.exe (PID: 5016)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)

    • Starts CMD.EXE for commands execution

      • cscript.exe (PID: 1296)

    • Reads security settings of Internet Explorer

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)

    • Reads the date of Windows installation

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)

    • Deletes system .NET executable

      • cmd.exe (PID: 2508)

    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 5016)

  • INFO

    • Reads the machine GUID from the registry

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)

    • Checks supported languages

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)
      • RegSvcs.exe (PID: 7032)

    • Reads the software policy settings

      • slui.exe (PID: 3488)

    • Reads the computer name

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)
      • RegSvcs.exe (PID: 7032)

    • Create files in a temporary directory

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)

    • Checks proxy server information

      • slui.exe (PID: 3488)

    • Process checks computer location settings

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)

    • Manual execution by a user

      • cscript.exe (PID: 1296)

    • Creates files or folders in the user directory

      • ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe (PID: 2132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Formbook

(PID) Process(1296) cscript.exe
C2www.dunia188j.store/gy15/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)yb40w.top
286live.com
poozonlife.com
availableweedsonline.com
22926839.com
petlovepet.fun
halbaexpress.com
newswingbd.com
discountdesh.com
jwoalhbn.xyz
dandevonald.com
incrediblyxb.christmas
ailia.pro
ga3ki3.com
99812.photos
richiecom.net
ummahskills.online
peakleyva.store
a1cbloodtest.com
insurancebygarry.com
onz-cg3.xyz
erektiepil.com
hs-steuerberater.info
20allhen.online
mariaslakedistrict.com
losterrrcossmpm.com
tmb6x.rest
bagelsliders.com
njoku.net
tatoways.com
jmwmanglobalsolutionscom.com
midnightemporium.shop
gunaihotels.com
midsouthhealthcare.com
rtptt80.site
carmen-asa.com
gypsyjudyscott.com
djkleel.com
sophhia.site
tqqft8l5.xyz
00050385.xyz
oiupa.xyz
purenutrixion.com
worldinfopedia.com
8886493.com
1e0bfijiz43k6c8.skin
bunkerlabsgolf.com
twinportslocal.com
ttyijlaw.com
poiulkj.top
yuejiazy888.com
betbox2347.com
gettingcraftywitro.com
mantap303game.icu
skillspartner.net
cbla.info
rs-alohafactorysaleuua.shop
bt365434.com
redrivercompany.store
abc8win5.com
46431.club
vivehogar.net
menloparkshop.com
1776biz.live
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:07:26 07:08:24+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 572416
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x8da46
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.1.0
ProductVersionNumber: 1.0.1.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: -
FileDescription: PopupControl
FileVersion: 1.0.1.0
InternalName: dKJy.exe
LegalCopyright: Copyright © 2014
LegalTrademarks: -
OriginalFileName: dKJy.exe
ProductName: PopupControl
ProductVersion: 1.0.1.0
AssemblyVersion: 1.0.1.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
10
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe slui.exe schtasks.exe no specs conhost.exe no specs regsvcs.exe no specs regsvcs.exe no specs #FORMBOOK cscript.exe no specs cmd.exe no specs conhost.exe no specs #FORMBOOK explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
892\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1296"C:\Windows\SysWOW64\cscript.exe"C:\Windows\SysWOW64\cscript.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Console Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\cscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Formbook
(PID) Process(1296) cscript.exe
C2www.dunia188j.store/gy15/
Strings (79)USERNAME
LOCALAPPDATA
USERPROFILE
APPDATA
TEMP
ProgramFiles
CommonProgramFiles
ALLUSERSPROFILE
/c copy "
/c del "
\Run
\Policies
\Explorer
\Registry\User
\Registry\Machine
\SOFTWARE\Microsoft\Windows\CurrentVersion
Office\15.0\Outlook\Profiles\Outlook\
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
\SOFTWARE\Mozilla\Mozilla
\Mozilla
Username:
Password:
formSubmitURL
usernameField
encryptedUsername
encryptedPassword
\logins.json
\signons.sqlite
\Microsoft\Vault\
SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins
\Google\Chrome\User Data\Default\Login Data
SELECT origin_url, username_value, password_value FROM logins
.exe
.com
.scr
.pif
.cmd
.bat
ms
win
gdi
mfc
vga
igfx
user
help
config
update
regsvc
chkdsk
systray
audiodg
certmgr
autochk
taskhost
colorcpl
services
IconCache
ThumbCache
Cookies
SeDebugPrivilege
SeShutdownPrivilege
\BaseNamedObjects
config.php
POST
HTTP/1.1
Host:
Connection: close
Content-Length:
Cache-Control: no-cache
Origin: http://
User-Agent: Mozilla Firefox/4.0
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://
Accept-Language: en-US
Accept-Encoding: gzip, deflate dat=
f-start
f-end
Decoy C2 (64)yb40w.top
286live.com
poozonlife.com
availableweedsonline.com
22926839.com
petlovepet.fun
halbaexpress.com
newswingbd.com
discountdesh.com
jwoalhbn.xyz
dandevonald.com
incrediblyxb.christmas
ailia.pro
ga3ki3.com
99812.photos
richiecom.net
ummahskills.online
peakleyva.store
a1cbloodtest.com
insurancebygarry.com
onz-cg3.xyz
erektiepil.com
hs-steuerberater.info
20allhen.online
mariaslakedistrict.com
losterrrcossmpm.com
tmb6x.rest
bagelsliders.com
njoku.net
tatoways.com
jmwmanglobalsolutionscom.com
midnightemporium.shop
gunaihotels.com
midsouthhealthcare.com
rtptt80.site
carmen-asa.com
gypsyjudyscott.com
djkleel.com
sophhia.site
tqqft8l5.xyz
00050385.xyz
oiupa.xyz
purenutrixion.com
worldinfopedia.com
8886493.com
1e0bfijiz43k6c8.skin
bunkerlabsgolf.com
twinportslocal.com
ttyijlaw.com
poiulkj.top
yuejiazy888.com
betbox2347.com
gettingcraftywitro.com
mantap303game.icu
skillspartner.net
cbla.info
rs-alohafactorysaleuua.shop
bt365434.com
redrivercompany.store
abc8win5.com
46431.club
vivehogar.net
menloparkshop.com
1776biz.live
1912\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2132"C:\Users\admin\Desktop\ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe" C:\Users\admin\Desktop\ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
PopupControl
Exit code:
0
Version:
1.0.1.0
Modules
Images
c:\users\admin\desktop\ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
2508/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\SysWOW64\cmd.execscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
3488C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
4544"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\admin\AppData\Local\Temp\tmp4ADB.tmp"C:\Windows\SysWOW64\schtasks.exeee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
5016C:\WINDOWS\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
7032"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7076"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
4294967295
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
Total events
5 705
Read events
5 697
Write events
8
Delete events
0

Modification events

(PID) Process:(2132) ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2132) ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2132) ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2132) ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
2132ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exeC:\Users\admin\AppData\Roaming\KfYvtUBOq.exeexecutable
MD5:01FBCC6559C010E59BE1DC7B66C12E4F
SHA256:EE7DD9158F6175700AA6D58F346036F949889F8DEEBF8DBEE83C40874BBC1F26
2132ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exeC:\Users\admin\AppData\Local\Temp\tmp4ADB.tmpxml
MD5:45FE1378EE9A78389A72E13633D5F407
SHA256:971AD7B926A4CB1FDA675D6BF34FE1443864E22D58071EF0950D6B6FA4D3B510
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
23
DNS requests
12
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5016
explorer.exe
GET
198.49.23.144:80
http://www.richiecom.net/gy15/?7nNL=YbR846mhflpTm&XVKdQ=TTZR2wlr/MxrhzX+SnaLsdUlltp/1vbiq4YxRT2RTMceCDutU9TRczaT3ju4hBXy0WhA
unknown
whitelisted
5016
explorer.exe
GET
206.188.193.146:80
http://www.cbla.info/gy15/?7nNL=YbR846mhflpTm&XVKdQ=N/r7kI863h9bLFUDwfuMD4dYv13loHpQbf0O8wCFz2ETvEDvy8EkwFUOlO9FqHyhy+lj
unknown
unknown
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
POST
200
51.104.15.253:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
6572
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
131.253.33.254:443
a-ring-fallback.msedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown
92.123.104.34:443
www.bing.com
Akamai International B.V.
DE
unknown
6012
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3992
slui.exe
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5860
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40.91.76.224:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3952
svchost.exe
239.255.255.250:1900
whitelisted
6012
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown

DNS requests

Domain
IP
Reputation
t-ring-fdv2.msedge.net
  • 13.107.237.254
unknown
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
a-ring-fallback.msedge.net
  • 131.253.33.254
unknown
www.bing.com
  • 92.123.104.34
  • 92.123.104.35
  • 92.123.104.32
  • 92.123.104.27
  • 92.123.104.30
  • 92.123.104.26
  • 92.123.104.33
  • 92.123.104.24
  • 92.123.104.29
whitelisted
google.com
  • 142.250.181.238
whitelisted
self.events.data.microsoft.com
  • 51.104.15.253
whitelisted
www.tqqft8l5.xyz
unknown
www.dunia188j.store
unknown
www.richiecom.net
  • 198.49.23.144
  • 198.185.159.145
  • 198.185.159.144
  • 198.49.23.145
unknown
www.twinportslocal.com
unknown

Threats

PID
Process
Class
Message
5016
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET)
5016
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26.exe