URL:

http://efaxbusiness.xyz/w.php?download=efax-07210774714-7882-56980

Full analysis: https://app.any.run/tasks/ea61b5c0-b93f-451c-beaf-4de6cec2bb5f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: September 18, 2019, 16:00:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
evasion
trojan
ransomware
buran
Indicators:
MD5:

77B06C9C42BEA7E16311CA633923BD38

SHA1:

7F6549C33EA65F64A833C1538E8AFF336887EFB6

SHA256:

456F44E53F1EC299495244BE110C363024FF787A85BA82CFC007D5DA9C0FD52B

SSDEEP:

3:N1Kby+WLKh60FAD0IVS+uSALXn:C+pLK23S+uSqn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2872)

    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2872)

    • Application was dropped or rewritten from another process

      • fsffsggf.bbv (PID: 3316)
      • fsffsggf.bbv (PID: 2600)
      • fsffsggf.bbv (PID: 2792)
      • fsffsggf.bbv (PID: 2656)

    • Downloads executable files from IP

      • WINWORD.EXE (PID: 2872)

    • Requests a remote executable file from MS Office

      • WINWORD.EXE (PID: 2872)

    • Changes settings of System certificates

      • fsffsggf.bbv (PID: 3316)

    • BURAN was detected

      • fsffsggf.bbv (PID: 3316)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2824)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • firefox.exe (PID: 2420)
      • WINWORD.EXE (PID: 2872)

    • Application launched itself

      • WINWORD.EXE (PID: 2872)
      • fsffsggf.bbv (PID: 3316)

    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 2872)

    • Starts application with an unusual extension

      • WINWORD.EXE (PID: 2872)
      • fsffsggf.bbv (PID: 3316)

    • Creates files in the Windows directory

      • WINWORD.EXE (PID: 2872)

    • Starts CMD.EXE for commands execution

      • fsffsggf.bbv (PID: 3316)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2996)

    • Creates files in the user directory

      • fsffsggf.bbv (PID: 3316)

    • Adds / modifies Windows certificates

      • fsffsggf.bbv (PID: 3316)

    • Executed via COM

      • DllHost.exe (PID: 3492)

    • Creates files in the program directory

      • fsffsggf.bbv (PID: 2656)

  • INFO

    • Application launched itself

      • firefox.exe (PID: 2420)
      • firefox.exe (PID: 3544)

    • Reads CPU info

      • firefox.exe (PID: 2420)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3132)
      • WINWORD.EXE (PID: 2872)

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2872)
      • firefox.exe (PID: 2420)

    • Manual execution by user

      • rundll32.exe (PID: 1264)
      • explorer.exe (PID: 2996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
59
Monitored processes
17
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start firefox.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe winword.exe winword.exe no specs #BURAN fsffsggf.bbv cmd.exe no specs reg.exe fsffsggf.bbv no specs fsffsggf.bbv no specs fsffsggf.bbv no specs explorer.exe no specs Shell Security Editor no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1264"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\Temp\fsffsggf.bbvC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
2176"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.20.1865393533\2032595120" -childID 3 -isForBrowser -prefsHandle 3804 -prefMapHandle 3836 -prefsLen 6718 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 3848 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2384"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.3.1631032610\700455295" -childID 1 -isForBrowser -prefsHandle 1704 -prefMapHandle 1700 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 1724 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2420"C:\Program Files\Mozilla Firefox\firefox.exe" http://efaxbusiness.xyz/w.php?download=efax-07210774714-7882-56980C:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2600"C:\Windows\Temp\fsffsggf.bbv" -agent 0C:\Windows\Temp\fsffsggf.bbvfsffsggf.bbv
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\temp\fsffsggf.bbv
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2656"C:\Windows\Temp\fsffsggf.bbv" -agent 1C:\Windows\Temp\fsffsggf.bbvfsffsggf.bbv
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\temp\fsffsggf.bbv
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2792"C:\Windows\Temp\fsffsggf.bbv" -agent 2C:\Windows\Temp\fsffsggf.bbvfsffsggf.bbv
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\temp\fsffsggf.bbv
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
2808"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.13.976912827\1298184220" -childID 2 -isForBrowser -prefsHandle 2872 -prefMapHandle 2876 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 2888 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Exit code:
0
Version:
68.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2824reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "Local Security Authority Subsystem Service" /t REG_SZ /F /D "\"C:\Users\admin\AppData\Roaming\Microsoft\Windows\lsass.exe\" -start"C:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2872"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\efax-07210774714-7882-56980.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
firefox.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
Total events
2 962
Read events
2 491
Write events
461
Delete events
10

Modification events

(PID) Process:(3544) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Launcher
Value:
48BA783601000000
(PID) Process:(2420) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
47947C3601000000
(PID) Process:(2420) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry
Value:
1
(PID) Process:(2420) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2420) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2420) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2420) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2420) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.doc\OpenWithProgids
Operation:writeName:Word.Document.8
Value:
(PID) Process:(2420) firefox.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109D30000000000000000F01FEC\Usage
Operation:writeName:WORDFiles
Value:
1328676894
(PID) Process:(2872) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation:writeName:-s$
Value:
2D732400380B0000010000000000000000000000
Executable files
2
Suspicious files
83
Text files
389
Unknown types
43

Dropped files

PID
Process
Filename
Type
2420firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
2420firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
2420firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
2420firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
MD5:
SHA256:
2420firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4jsonlz4
MD5:
SHA256:
2420firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:
SHA256:
2420firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.sbstorebinary
MD5:D886A47C89D9C49C795DA345BC236990
SHA256:A03C5E2656D2F292BF5794C8EEB8D223CD6BA4F4BFB2ED1F325460E879D0BCF7
2420firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\allow-flashallow-digest256.psetcdxl
MD5:076933FF9904D1110D896E2C525E39E5
SHA256:4CBBD8CA5215B8D161AEC181A74B694F4E24B001D5B081DC0030ED797A8973E0
2420firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:
SHA256:
2420firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstorebinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
31
DNS requests
74
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2420
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2872
WINWORD.EXE
GET
200
108.174.199.10:80
http://108.174.199.10/wordupd3.tmp
US
executable
425 Kb
suspicious
2420
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2420
firefox.exe
POST
200
172.217.16.131:80
http://ocsp.pki.goog/gts1o1
US
der
471 b
whitelisted
2420
firefox.exe
GET
200
108.174.200.186:80
http://efaxbusiness.xyz/w.php?download=efax-07210774714-7882-56980
US
document
146 Kb
suspicious
3316
fsffsggf.bbv
GET
301
158.69.67.193:80
http://geoiptool.com/
CA
html
184 b
whitelisted
3316
fsffsggf.bbv
GET
301
88.99.66.31:80
http://iplogger.ru/1Oh8E.jpeg
DE
html
178 b
malicious
2420
firefox.exe
POST
200
72.21.91.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2420
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
2420
firefox.exe
108.174.200.186:80
efaxbusiness.xyz
Hostwinds LLC.
US
suspicious
2420
firefox.exe
52.36.193.139:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
2420
firefox.exe
72.21.91.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2420
firefox.exe
54.69.118.22:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
2420
firefox.exe
216.58.206.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2420
firefox.exe
172.217.16.131:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2420
firefox.exe
52.222.167.27:443
firefox.settings.services.mozilla.com
Amazon.com, Inc.
US
whitelisted
2420
firefox.exe
216.58.206.14:443
sb-ssl.google.com
Google Inc.
US
whitelisted
2420
firefox.exe
35.164.3.68:443
shavar.services.mozilla.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
efaxbusiness.xyz
  • 108.174.200.186
suspicious
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
  • 2.18.212.66
  • 2.18.212.72
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
  • 2.18.212.72
  • 2.18.212.66
whitelisted
search.services.mozilla.com
  • 52.36.193.139
  • 52.26.8.178
  • 34.210.145.79
whitelisted
search.r53-2.services.mozilla.com
  • 34.210.145.79
  • 52.26.8.178
  • 52.36.193.139
whitelisted
push.services.mozilla.com
  • 54.149.205.191
whitelisted
autopush.prod.mozaws.net
  • 54.149.205.191
whitelisted
snippets.cdn.mozilla.net
  • 13.33.241.237
whitelisted
d228z91au11ukj.cloudfront.net
  • 13.33.241.237
whitelisted
tiles.services.mozilla.com
  • 54.69.118.22
  • 34.210.204.38
  • 35.166.89.106
  • 54.68.132.173
  • 54.149.29.182
  • 54.186.225.209
  • 35.162.117.80
  • 54.69.207.70
whitelisted

Threats

PID
Process
Class
Message
2420
firefox.exe
Potentially Bad Traffic
AV INFO HTTP Request to a *.xyz domain
2420
firefox.exe
Potentially Bad Traffic
ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project
1060
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
1060
svchost.exe
Potentially Bad Traffic
ET INFO Observed DNS Query to .cloud TLD
2872
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
2872
WINWORD.EXE
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2872
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
2872
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2872
WINWORD.EXE
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
2872
WINWORD.EXE
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
5 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://efaxbusiness.xyz/w.php?download=efax-07210774714-7882-56980