formbook | c3825d126fba5b9662997439e5f20da9fede82e4902172c86632299f7e512d74

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 11:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order #PO11774.exe
Size

640KB
MD5

e0d5a1d3be5203913a112da74dde9326
SHA1

9a0c4da5adc288a9921d0ef9103ed27da1e0464d
SHA256

a15006eb6ff449cff64e2df7ed41e85051eb25c0e179b14c9e04f7464ff69bb2
SHA512

44ee9fa209cfc9478bf79c97ea0cd1eaaa6e2301c7ee0228850c1136db3da247fa1902559241e0e726ef4e47d05387aee99c4319e1673b8ada500a4c0b8f1593
SSDEEP

12288:0eQiKaxzulQ0BXdLVymkQwF1712Me7g69MQyCjrED:1Qi5uxBXtVlkQw1jv699JoD

Score

10^/10

formbook a03d discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a03d

Decoy

nfluencer-marketing-13524.bond

cebepu.info

lphatechblog.xyz

haoyun.website

itiz.xyz

orld-visa-center.online

si.art

alata.xyz

mmarketing.xyz

elnqdjc.shop

ensentoto.cloud

voyagu.info

onvert.today

1fuli9902.shop

otelhafnia.info

rumpchiefofstaff.store

urvivalflashlights.shop

0090.pizza

ings-hu-13.today

oliticalpatriot.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4584-43-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4584-87-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3528-90-0x0000000001030000-0x000000000105F000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4656	powershell.exe
4784	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	Purchase Order #PO11774.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 4584	1920	Purchase Order #PO11774.exe	101
PID 4584 set thread context of 3424	4584	MSBuild.exe	56
PID 4584 set thread context of 3424	4584	MSBuild.exe	56
PID 3528 set thread context of 3424	3528	cmd.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase Order #PO11774.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1920	Purchase Order #PO11774.exe
4656	powershell.exe
4784	powershell.exe
4656	powershell.exe
1920	Purchase Order #PO11774.exe
4584	MSBuild.exe
4584	MSBuild.exe
4584	MSBuild.exe
4584	MSBuild.exe
4784	powershell.exe
4584	MSBuild.exe
4584	MSBuild.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe
3528	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3424	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4584	MSBuild.exe
4584	MSBuild.exe
4584	MSBuild.exe
4584	MSBuild.exe
3528	cmd.exe
3528	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1920	Purchase Order #PO11774.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4584	MSBuild.exe
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeDebugPrivilege	3528	cmd.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3424	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 4656	1920	Purchase Order #PO11774.exe	95
PID 1920 wrote to memory of 4656	1920	Purchase Order #PO11774.exe	95
PID 1920 wrote to memory of 4656	1920	Purchase Order #PO11774.exe	95
PID 1920 wrote to memory of 4784	1920	Purchase Order #PO11774.exe	97
PID 1920 wrote to memory of 4784	1920	Purchase Order #PO11774.exe	97
PID 1920 wrote to memory of 4784	1920	Purchase Order #PO11774.exe	97
PID 1920 wrote to memory of 1936	1920	Purchase Order #PO11774.exe	99
PID 1920 wrote to memory of 1936	1920	Purchase Order #PO11774.exe	99
PID 1920 wrote to memory of 1936	1920	Purchase Order #PO11774.exe	99
PID 1920 wrote to memory of 4584	1920	Purchase Order #PO11774.exe	101
PID 1920 wrote to memory of 4584	1920	Purchase Order #PO11774.exe	101
PID 1920 wrote to memory of 4584	1920	Purchase Order #PO11774.exe	101
PID 1920 wrote to memory of 4584	1920	Purchase Order #PO11774.exe	101
PID 1920 wrote to memory of 4584	1920	Purchase Order #PO11774.exe	101
PID 1920 wrote to memory of 4584	1920	Purchase Order #PO11774.exe	101
PID 3424 wrote to memory of 3528	3424	Explorer.EXE	102
PID 3424 wrote to memory of 3528	3424	Explorer.EXE	102
PID 3424 wrote to memory of 3528	3424	Explorer.EXE	102
PID 3528 wrote to memory of 6100	3528	cmd.exe	103
PID 3528 wrote to memory of 6100	3528	cmd.exe	103
PID 3528 wrote to memory of 6100	3528	cmd.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Users\Admin\AppData\Local\Temp\Purchase Order #PO11774.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order #PO11774.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase Order #PO11774.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QsKldZxyVDfk.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QsKldZxyVDfk" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF77.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\SysWOW64\cmd.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3528
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6100

Network

DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360288102_1UBFDLT4HJHZEPK84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360288102_1UBFDLT4HJHZEPK84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 537551
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AAE6B1D4B5FD47748F8038E0E9165BAA Ref B: LON04EDGE1013 Ref C: 2025-03-28T11:18:46Z
date: Fri, 28 Mar 2025 11:18:45 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388054_102MSIJZMD11N1LFS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388054_102MSIJZMD11N1LFS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 743602
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E6FEC5E242A3409BBBB8D659825E2ECB Ref B: LON04EDGE1013 Ref C: 2025-03-28T11:18:46Z
date: Fri, 28 Mar 2025 11:18:45 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388055_1XESFY6X2CFT4STX4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388055_1XESFY6X2CFT4STX4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 634521
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: A6C969D932224330B5F997248AD741ED Ref B: LON04EDGE1013 Ref C: 2025-03-28T11:18:46Z
date: Fri, 28 Mar 2025 11:18:45 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239360289361_1Y3IOPY47MV63L7US&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239360289361_1Y3IOPY47MV63L7US&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 665884
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 19371F3A6ED94B8EBAB74F2B19787BD8 Ref B: LON04EDGE1013 Ref C: 2025-03-28T11:18:46Z
date: Fri, 28 Mar 2025 11:18:45 GMT
DNS

www.xurobo.info

Remote address:

8.8.8.8:53

Request

www.xurobo.info

IN A

Response
DNS

www.arimatch-in.legal

Remote address:

8.8.8.8:53

Request

www.arimatch-in.legal

IN A

Response
DNS

c.pki.goog

Remote address:

8.8.8.8:53

Request

c.pki.goog

IN A

Response

c.pki.goog

IN CNAME

pki-goog.l.google.com

pki-goog.l.google.com

IN A

142.250.179.227
GET

http://c.pki.goog/r/r1.crl

Remote address:

142.250.179.227:80

Request

GET /r/r1.crl HTTP/1.1
Cache-Control: max-age = 3000
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
User-Agent: Microsoft-CryptoAPI/10.0
Host: c.pki.goog

Response

HTTP/1.1 304 Not Modified

Date: Fri, 28 Mar 2025 11:01:17 GMT
Expires: Fri, 28 Mar 2025 11:51:17 GMT
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Cache-Control: public, max-age=3000
Vary: Accept-Encoding
Age: 1104
DNS

www.argloscaremedia.info

Remote address:

8.8.8.8:53

Request

www.argloscaremedia.info

IN A

Response
DNS

www.aportsystems.store

Remote address:

8.8.8.8:53

Request

www.aportsystems.store

IN A

Response
DNS

www.avid-hildebrand.info

Remote address:

8.8.8.8:53

Request

www.avid-hildebrand.info

IN A

Response

150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239360289361_1Y3IOPY47MV63L7US&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

92.2kB
2.7MB
1938
1934

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360288102_1UBFDLT4HJHZEPK84&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388054_102MSIJZMD11N1LFS&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388055_1XESFY6X2CFT4STX4&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239360289361_1Y3IOPY47MV63L7US&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200
142.250.179.227:80

http://c.pki.goog/r/r1.crl

http

384 B
355 B
4
3

HTTP Request

GET http://c.pki.goog/r/r1.crl

HTTP Response

304

8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

www.xurobo.info

dns

61 B
140 B
1
1

DNS Request

www.xurobo.info
8.8.8.8:53

www.arimatch-in.legal

dns

67 B
135 B
1
1

DNS Request

www.arimatch-in.legal
8.8.8.8:53

c.pki.goog

dns

56 B
107 B
1
1

DNS Request

c.pki.goog

DNS Response

142.250.179.227
8.8.8.8:53

www.argloscaremedia.info

dns

70 B
149 B
1
1

DNS Request

www.argloscaremedia.info
8.8.8.8:53

www.aportsystems.store

dns

68 B
133 B
1
1

DNS Request

www.aportsystems.store
8.8.8.8:53

www.avid-hildebrand.info

dns

70 B
149 B
1
1

DNS Request

www.avid-hildebrand.info

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f12da4a9d23aaaa3e96e2b3492bffe16

SHA1
62ae12d31192684754021d9a5d80a0ecba164148

SHA256
b7b432a14b8aed5fad983bc1bd38e03141513f3fd74e40756cf09797ca907300

SHA512
469ce44d98bffd7eb748d151880709ce5b76229f211a0d85d2be8facbaaeb0fc6c4b1b8040b8f980cf6af39a6ab1e9b8d9b589101e8b7d11bed83d5a0adda5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4zyn31yu.gbk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBF77.tmp

Filesize
1KB

MD5
983df35f57dbbdbb5969cb49dd996480

SHA1
32aa93064e0b16667eaaa155ac299aa3ad7bbfa8

SHA256
2ad27ebd1eef62aede1ed2ecd38ff0222f927ecb978ba4e13d80991835882f23

SHA512
c814d29e2d9d2739fec3a9dd5220c4e985b45dc67f0048f59a02b3f9e263ab70f76c582759e374304d3e95ad4a4f42b5e2d498b76e16c95ff2b3aad734f988e6

Download Submit
memory/1920-10-0x0000000006A30000-0x0000000006AA8000-memory.dmp

Filesize
480KB

Download
memory/1920-4-0x0000000005590000-0x000000000559A000-memory.dmp

Filesize
40KB

Download
memory/1920-5-0x00000000058F0000-0x000000000598C000-memory.dmp

Filesize
624KB

Download
memory/1920-7-0x0000000005880000-0x0000000005898000-memory.dmp

Filesize
96KB

Download
memory/1920-8-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/1920-9-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-46-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1920-1-0x0000000000B40000-0x0000000000BE4000-memory.dmp

Filesize
656KB

Download
memory/1920-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/1920-2-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/1920-3-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/1920-6-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3424-92-0x0000000002CE0000-0x0000000002DB2000-memory.dmp

Filesize
840KB

Download
memory/3528-88-0x00000000008D0000-0x000000000092A000-memory.dmp

Filesize
360KB

Download
memory/3528-89-0x00000000008D0000-0x000000000092A000-memory.dmp

Filesize
360KB

Download
memory/3528-90-0x0000000001030000-0x000000000105F000-memory.dmp

Filesize
188KB

Download
memory/4584-87-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4584-43-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4656-16-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4656-74-0x0000000007120000-0x000000000712A000-memory.dmp

Filesize
40KB

Download
memory/4656-30-0x00000000057B0000-0x0000000005B04000-memory.dmp

Filesize
3.3MB

Download
memory/4656-48-0x0000000006160000-0x00000000061AC000-memory.dmp

Filesize
304KB

Download
memory/4656-49-0x0000000006350000-0x0000000006382000-memory.dmp

Filesize
200KB

Download
memory/4656-50-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/4656-60-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/4656-45-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/4656-61-0x0000000006D70000-0x0000000006E13000-memory.dmp

Filesize
652KB

Download
memory/4656-72-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/4656-73-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/4656-17-0x0000000004F30000-0x0000000005558000-memory.dmp

Filesize
6.2MB

Download
memory/4656-15-0x00000000047C0000-0x00000000047F6000-memory.dmp

Filesize
216KB

Download
memory/4656-18-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4656-77-0x00000000072D0000-0x00000000072DE000-memory.dmp

Filesize
56KB

Download
memory/4656-78-0x00000000072E0000-0x00000000072F4000-memory.dmp

Filesize
80KB

Download
memory/4656-79-0x00000000073E0000-0x00000000073FA000-memory.dmp

Filesize
104KB

Download
memory/4656-80-0x00000000073C0000-0x00000000073C8000-memory.dmp

Filesize
32KB

Download
memory/4656-22-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4656-21-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/4656-86-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/4656-19-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/4656-20-0x00000000055D0000-0x0000000005636000-memory.dmp

Filesize
408KB

Download
memory/4784-62-0x000000006F920000-0x000000006F96C000-memory.dmp

Filesize
304KB

Download
memory/4784-76-0x00000000076E0000-0x00000000076F1000-memory.dmp

Filesize
68KB

Download
memory/4784-75-0x0000000007760000-0x00000000077F6000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.