File name:

26032026_1229_26032026_RFQ-Q886445-Q896446.Pdf.tar

Full analysis: https://app.any.run/tasks/0d7336b3-3df0-4c60-8e35-f2b23615c4f3
Verdict: Malicious activity
Threats:

FormBook is a data stealer that is being distributed as a MaaS. FormBook differs from a lot of competing malware by its extreme ease of use that allows even the unexperienced threat actors to use FormBook virus.

Malware Trends Tracker     >>>
Analysis date: March 26, 2026, 12:36:07
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
formbook
stealer
xloader
Indicators:
MIME: application/x-tar
File info: POSIX tar archive (GNU)
MD5:

EC36C3CF030BBB9724AB9AC7D3F9FEB3

SHA1:

34C3E18E5B97E9E7C45A9B205F8CDBA7F89A9C96

SHA256:

1173C042DD3B9B8277A82D65776DA4AA5B1CCF8E02C8457FE3CE58453566DF38

SSDEEP:

49152:R256pUA7/n/eEbEGRzdgcy0lq/ktw10eIG3X5otrZ5hoQd9pcLY/9HodJovVkb3B:RA6pUS/WcRzePlM21/IHtt5d9pF/9Hop

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • FORMBOOK has been detected (YARA)

      • AtBroker.exe (PID: 6796)

    • Actions looks like stealing of personal data

      • AtBroker.exe (PID: 6796)

    • FORMBOOK has been detected (SURICATA)

      • WinRAR.exe (PID: 4316)

  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • WinRAR.exe (PID: 4316)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 5704)

    • Contacting a server suspected of hosting an CnC

      • WinRAR.exe (PID: 4316)

  • INFO

    • Generic archive extractor

      • WinRAR.exe (PID: 4316)

    • Reads the computer name

      • RFQ-Q886445-Q896446.Pdf.scr (PID: 6064)
      • MpCmdRun.exe (PID: 7544)

    • Checks supported languages

      • RFQ-Q886445-Q896446.Pdf.scr (PID: 6064)
      • RegSvcs.exe (PID: 7336)
      • MpCmdRun.exe (PID: 7544)

    • Reads the machine GUID from the registry

      • RFQ-Q886445-Q896446.Pdf.scr (PID: 6064)

    • Manual execution by a user

      • RFQ-Q886445-Q896446.Pdf.scr (PID: 6064)

    • Create files in a temporary directory

      • AtBroker.exe (PID: 6796)
      • MpCmdRun.exe (PID: 7544)

    • Reads security settings of Internet Explorer

      • AtBroker.exe (PID: 6796)
      • WinRAR.exe (PID: 4316)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.tar | TAR - Tape ARchive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
142
Monitored processes
10
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #FORMBOOK winrar.exe slui.exe rfq-q886445-q896446.pdf.scr no specs regsvcs.exe no specs #FORMBOOK atbroker.exe firefox.exe no specs cmd.exe no specs conhost.exe no specs mpcmdrun.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2232C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2940\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4316"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\26032026_1229_26032026_RFQ-Q886445-Q896446.Pdf.tarC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
5704C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\Rar$VR4316.27111\Rar$Scan56916.bat" "C:\Windows\System32\cmd.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll
c:\windows\system32\advapi32.dll
5716"C:\Program Files\Mozilla Firefox\Firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exeAtBroker.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140.dll
6064"C:\Users\admin\Desktop\RFQ-Q886445-Q896446.Pdf.scr" /SC:\Users\admin\Desktop\RFQ-Q886445-Q896446.Pdf.screxplorer.exe
User:
admin
Company:
beoefheo
Integrity Level:
MEDIUM
Description:
hskblfbeg
Exit code:
0
Version:
13.12.11.10
Modules
Images
c:\users\admin\desktop\rfq-q886445-q896446.pdf.scr
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6796"C:\Windows\SysWOW64\AtBroker.exe"C:\Windows\SysWOW64\AtBroker.exe
WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Assistive Technology Manager
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\atbroker.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
7336"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRFQ-Q886445-Q896446.Pdf.scr
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft .NET Services Installation Utility
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
7544"C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR4316.27111"C:\Program Files\Windows Defender\MpCmdRun.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Malware Protection Command Line Utility
Exit code:
2
Version:
4.18.1909.6 (WinBuild.160101.0800)
Modules
Images
c:\program files\windows defender\mpcmdrun.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
8156C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
5 748
Read events
5 734
Write events
14
Delete events
0

Modification events

(PID) Process:(4316) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(4316) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(4316) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Downloads\chromium_build 1.zip
(PID) Process:(4316) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\26032026_1229_26032026_RFQ-Q886445-Q896446.Pdf.tar
(PID) Process:(4316) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(4316) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(4316) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(4316) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(8156) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
(PID) Process:(4316) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@shell32,-10162
Value:
Screen saver
Executable files
1
Suspicious files
1
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
7544MpCmdRun.exeC:\Users\admin\AppData\Local\Temp\MpCmdRun.logtext
MD5:C1CDEB07F6EF7A4B1038105C23DF6095
SHA256:C2C9EEA81A4147A0C052FAA04FCC5D9BDC5E647498F7DD554AFADDA73251666A
6796AtBroker.exeC:\Users\admin\AppData\Local\Temp\2890h6-sbinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
4316WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4316.27111\26032026_1229_26032026_RFQ-Q886445-Q896446.Pdf.tar\RFQ-Q886445-Q896446.Pdf.screxecutable
MD5:AF2FE384AFCEE3BF153C3F7025195C4A
SHA256:4E0F98D5F8E2809E6A7D59BBE16FFD61B98A645F2D858225C75CB98E3288B61C
4316WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$VR4316.27111\Rar$Scan56916.battext
MD5:FF9931EA24DD3871E5394CF04ACDFE9A
SHA256:CC67FDF4B79B0B3E3B6E922F6AA26E0F5468DC5963737B9135AB5C4999753BE4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
81
TCP/UDP connections
70
DNS requests
25
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2156
SIHClient.exe
GET
304
135.232.92.137:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
4212
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5276
MoUsoCoreWorker.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
8156
slui.exe
POST
500
48.192.1.64:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
512 b
whitelisted
5316
svchost.exe
POST
200
20.190.159.4:443
https://login.live.com/RST2.srf
US
1.24 Kb
whitelisted
POST
400
20.190.177.149:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
5316
svchost.exe
POST
400
20.190.159.4:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
203 b
whitelisted
POST
400
20.190.177.149:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
203 b
whitelisted
2156
SIHClient.exe
GET
200
74.178.240.51:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
US
whitelisted
5316
svchost.exe
POST
400
20.190.159.4:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
8028
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
184.86.251.9:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
4212
svchost.exe
2.16.241.12:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
4212
svchost.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
4212
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5276
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 184.86.251.9
  • 184.86.251.25
  • 184.86.251.7
  • 184.86.251.28
  • 184.86.251.30
  • 184.86.251.29
  • 184.86.251.31
  • 184.86.251.26
  • 184.86.251.8
whitelisted
google.com
  • 192.178.183.138
  • 192.178.183.113
  • 192.178.183.102
  • 192.178.183.101
  • 192.178.183.100
  • 192.178.183.139
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted
client.wns.windows.com
  • 172.187.86.74
whitelisted
login.live.com
  • 20.190.159.4
  • 20.190.159.73
  • 20.190.159.131
  • 40.126.31.0
  • 20.190.159.23
  • 40.126.31.1
  • 20.190.159.2
  • 20.190.159.71
whitelisted
slscr.update.microsoft.com
  • 135.232.92.137
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 74.178.240.51
whitelisted

Threats

PID
Process
Class
Message
4316
WinRAR.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET) M5
4316
WinRAR.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
4316
WinRAR.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
4316
WinRAR.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET) M5
4316
WinRAR.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
4316
WinRAR.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET) M5
4316
WinRAR.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
4316
WinRAR.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
4316
WinRAR.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET) M5
4316
WinRAR.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
26032026_1229_26032026_RFQ-Q886445-Q896446.Pdf.tar