File name:

trdockfw3166.exe

Full analysis: https://app.any.run/tasks/6602ef32-f33c-4d5d-bdf1-e97171d76a40
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 16, 2020, 08:21:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
loader
ransomware
wannacry
wannacryptor
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

40127280ADDBF78B41D451AE7A956780

SHA1:

B39245F88E24918DA1120721D03653639BC6BBE0

SHA256:

7E870FAB2631EEE1959AA0796FC1E8C4B9BEB1F132CA67E8C602E5B684BAC7F0

SSDEEP:

98304:TmHP+0SEGiG5tmtqrkUohm2J04mShZjklKF8OOriKtEV8/0QBl11VNrdA553UH2v:0+vOYtcqrD4bFR8OOepVSJRLNrdM5CwV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • TRDock_FwUpdate.exe (PID: 4092)
      • trdockfw3166.tmp (PID: 1008)
      • wannacry.exe (PID: 968)
      • taskdl.exe (PID: 744)
      • taskhsvc.exe (PID: 2356)
      • @WanaDecryptor@.exe (PID: 3636)
      • @WanaDecryptor@.exe (PID: 2808)
      • taskdl.exe (PID: 1464)
      • @WanaDecryptor@.exe (PID: 3192)
      • taskdl.exe (PID: 1248)
      • @WanaDecryptor@.exe (PID: 2672)
      • @WanaDecryptor@.exe (PID: 740)
      • taskdl.exe (PID: 2376)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2564)

    • Writes file to Word startup folder

      • wannacry.exe (PID: 968)

    • Modifies files in Chrome extension folder

      • wannacry.exe (PID: 968)

    • Loads dropped or rewritten executable

      • taskhsvc.exe (PID: 2356)

    • WannaCry Ransomware was detected

      • wannacry.exe (PID: 968)
      • cmd.exe (PID: 272)

    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 2096)

    • Actions looks like stealing of personal data

      • wannacry.exe (PID: 968)
      • @WanaDecryptor@.exe (PID: 3192)

    • Deletes shadow copies

      • cmd.exe (PID: 2096)

    • Loads the Task Scheduler COM API

      • wbengine.exe (PID: 2528)

    • Changes the autorun value in the registry

      • reg.exe (PID: 2060)

  • SUSPICIOUS

    • Creates files in the Windows directory

      • trdockfw3166.exe (PID: 2068)
      • TRDock_FwUpdate.exe (PID: 4092)
      • wbadmin.exe (PID: 2360)

    • Reads the Windows organization settings

      • trdockfw3166.tmp (PID: 1008)

    • Starts application with an unusual extension

      • trdockfw3166.exe (PID: 2068)

    • Executable content was dropped or overwritten

      • trdockfw3166.exe (PID: 2616)
      • trdockfw3166.exe (PID: 2068)
      • trdockfw3166.tmp (PID: 1008)
      • iexplore.exe (PID: 3168)
      • wannacry.exe (PID: 968)
      • iexplore.exe (PID: 2564)
      • @WanaDecryptor@.exe (PID: 3636)

    • Reads Windows owner or organization settings

      • trdockfw3166.tmp (PID: 1008)

    • Removes files from Windows directory

      • trdockfw3166.exe (PID: 2068)
      • trdockfw3166.tmp (PID: 1008)

    • Uses ATTRIB.EXE to modify file attributes

      • wannacry.exe (PID: 968)

    • Executes scripts

      • cmd.exe (PID: 3112)

    • Creates files like Ransomware instruction

      • wannacry.exe (PID: 968)

    • Uses ICACLS.EXE to modify access control list

      • wannacry.exe (PID: 968)

    • Starts CMD.EXE for commands execution

      • wannacry.exe (PID: 968)
      • @WanaDecryptor@.exe (PID: 2808)

    • Creates files in the program directory

      • wannacry.exe (PID: 968)

    • Creates files in the user directory

      • taskhsvc.exe (PID: 2356)
      • wannacry.exe (PID: 968)
      • @WanaDecryptor@.exe (PID: 3192)

    • Low-level read access rights to disk partition

      • wbengine.exe (PID: 2528)
      • vds.exe (PID: 2652)

    • Executed as Windows Service

      • vds.exe (PID: 2652)
      • wbengine.exe (PID: 2528)

    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3732)

    • Executed via COM

      • vdsldr.exe (PID: 1452)

  • INFO

    • Application was dropped or rewritten from another process

      • trdockfw3166.tmp (PID: 3020)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2564)

    • Manual execution by user

      • iexplore.exe (PID: 3168)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3168)
      • iexplore.exe (PID: 2564)

    • Application launched itself

      • iexplore.exe (PID: 3168)

    • Changes internet zones settings

      • iexplore.exe (PID: 3168)

    • Creates files in the user directory

      • iexplore.exe (PID: 2564)
      • iexplore.exe (PID: 3168)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2564)
      • wannacry.exe (PID: 968)
      • taskhsvc.exe (PID: 2356)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3168)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2564)
      • iexplore.exe (PID: 3168)

    • Dropped object may contain URL to Tor Browser

      • wannacry.exe (PID: 968)

    • Dropped object may contain TOR URL's

      • wannacry.exe (PID: 968)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3168)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3168)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (42.2)
.exe | Win32 EXE PECompact compressed (generic) (40.8)
.dll | Win32 Dynamic Link Library (generic) (6.4)
.exe | Win32 Executable (generic) (4.4)
.exe | Win16/32 Executable Delphi generic (2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:01:06 07:31:46+01:00
PEType: PE32
LinkerVersion: 2.25
CodeSize: 151552
InitializedDataSize: 27648
UninitializedDataSize: -
EntryPoint: 0x25be0
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 3.1.66.0
ProductVersionNumber: 3.1.66.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Lenovo Group Limited
FileDescription: For Lenovo Updates Catalog
FileVersion: 3.1.66
LegalCopyright: Copyright © Lenovo 2005 - 2017.
ProductName: ThinkPad TBT3 TR Dock FW update Tool
ProductVersion: 3.1.66

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 06-Jan-2020 06:31:46
Detected languages:
  • Dutch - Netherlands
  • English - United States
Comments: This installation was built with Inno Setup.
CompanyName: Lenovo Group Limited
FileDescription: For Lenovo Updates Catalog
FileVersion: 3.1.66
LegalCopyright: Copyright © Lenovo 2005 - 2017.
ProductName: ThinkPad TBT3 TR Dock FW update Tool
ProductVersion: 3.1.66

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0050
Pages in file: 0x0002
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x000F
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x001A
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 10
Time date stamp: 06-Jan-2020 06:31:46
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00023AA0
0x00023C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.32291
.itext
0x00025000
0x00001368
0x00001400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.91348
.data
0x00027000
0x00001628
0x00001800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.32921
.bss
0x00029000
0x00006158
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x00030000
0x00000648
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.08948
.didata
0x00031000
0x00000E3E
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.2563
.edata
0x00032000
0x00000071
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.3265
.tls
0x00033000
0x00000014
0x00000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x00034000
0x0000005D
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
1.37999
.rsrc
0x00035000
0x00003800
0x00003800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.78881

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.18481
2676
UNKNOWN
English - United States
RT_MANIFEST
2
3.47151
1384
UNKNOWN
Dutch - Netherlands
RT_ICON
3
3.91708
744
UNKNOWN
Dutch - Netherlands
RT_ICON
4
3.91366
2216
UNKNOWN
Dutch - Netherlands
RT_ICON
4090
3.19198
480
UNKNOWN
UNKNOWN
RT_STRING
4091
3.49576
404
UNKNOWN
UNKNOWN
RT_STRING
4092
3.34698
204
UNKNOWN
UNKNOWN
RT_STRING
4093
3.3307
468
UNKNOWN
UNKNOWN
RT_STRING
4094
3.29214
736
UNKNOWN
UNKNOWN
RT_STRING
4095
3.31877
852
UNKNOWN
UNKNOWN
RT_STRING

Imports

advapi32.dll
comctl32.dll
kernel32.dll
kernel32.dll (delay-loaded)
oleaut32.dll
user32.dll

Exports

Title
Ordinal
Address
dbkFCallWrapperAddr
1
0x0002C58C
__dbk_fcall_wrapper
2
0x0000B294
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
94
Monitored processes
34
Malicious processes
11
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start trdockfw3166.exe trdockfw3166.tmp no specs trdockfw3166.exe trdockfw3166.tmp trdock_fwupdate.exe iexplore.exe iexplore.exe #WANNACRY wannacry.exe attrib.exe no specs icacls.exe no specs taskdl.exe no specs cmd.exe no specs cscript.exe no specs @wanadecryptor@.exe #WANNACRY cmd.exe no specs @wanadecryptor@.exe no specs taskhsvc.exe cmd.exe vssadmin.exe no specs wmic.exe no specs bcdedit.exe no specs bcdedit.exe no specs wbadmin.exe no specs wbengine.exe no specs vdsldr.exe no specs vds.exe no specs taskdl.exe no specs @wanadecryptor@.exe cmd.exe no specs reg.exe taskdl.exe no specs @wanadecryptor@.exe no specs taskdl.exe no specs @wanadecryptor@.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
272cmd.exe /c start /b @WanaDecryptor@.exe vsC:\Windows\system32\cmd.exe
wannacry.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
740@WanaDecryptor@.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\@WanaDecryptor@.exewannacry.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Load PerfMon Counters
Exit code:
3221225794
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\@wanadecryptor@.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
744taskdl.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\taskdl.exewannacry.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\taskdl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\msvcrt.dll
968"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\wannacry.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\wannacry.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
DiskPart
Exit code:
1073807364
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\wannacry.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
1008"C:\Windows\TempInst\is-3M508.tmp\trdockfw3166.tmp" /SL5="$10013A,5690958,180224,C:\Users\admin\AppData\Local\Temp\trdockfw3166.exe" /SPAWNWND=$801C0 /NOTIFYWND=$D01A0 C:\Windows\TempInst\is-3M508.tmp\trdockfw3166.tmp
trdockfw3166.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
20
Version:
51.1052.0.0
Modules
Images
c:\windows\tempinst\is-3m508.tmp\trdockfw3166.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winspool.drv
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1248bcdedit /set {default} bootstatuspolicy ignoreallfailures C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\bcdedit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1248taskdl.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\taskdl.exewannacry.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\bcdedit.exe
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\taskdl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp60.dll
1452C:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\System32\vdsldr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Virtual Disk Service Loader
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vdsldr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\atl.dll
1464taskdl.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\taskdl.exewannacry.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
SQL Client Configuration Utility EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\78rfyb7z\taskdl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp60.dll
c:\windows\system32\msvcrt.dll
2060reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "yyibsxxiapw107" /t REG_SZ /d "\"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\tasksche.exe\"" /fC:\Windows\system32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
9 589
Read events
2 733
Write events
4 606
Delete events
2 250

Modification events

(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
F00300000AAC841B5B2BD601
(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
A5825AACCEEC34ACF0D1848F45904A07256BB69181DB23CF67A198FA68C943B8
(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Users\admin\AppData\Local\Temp\TRDockfw\TRDock_FwUpdate.exe
(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
67785965F3B887A2F44882C7153BFB43DCAF823FFFFDB00F05C24139F95FFF34
(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFilesHash
Value:
67785965F3B887A2F44882C7153BFB43DCAF823FFFFDB00F05C24139F95FFF34
(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:RegFiles0000
Value:
C:\Users\admin\AppData\Local\Temp\TRDockfw\TRDock_FwUpdate.exe
(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Sequence
Value:
1
(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:SessionHash
Value:
A5825AACCEEC34ACF0D1848F45904A07256BB69181DB23CF67A198FA68C943B8
(PID) Process:(1008) trdockfw3166.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:delete valueName:Owner
Value:
F00300000AAC841B5B2BD601
Executable files
84
Suspicious files
650
Text files
645
Unknown types
58

Dropped files

PID
Process
Filename
Type
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\is-B2HQ6.tmp
MD5:
SHA256:
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\is-UBT0U.tmp
MD5:
SHA256:
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\Audio\is-TL92T.tmp
MD5:
SHA256:
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\Audio\DeviceFirmwareUpgrade.log
MD5:
SHA256:
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\Audio\is-CHHDV.tmp
MD5:
SHA256:
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\DP_HUB\is-KAVBH.tmp
MD5:
SHA256:
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\DP_HUB\is-SL1UH.tmp
MD5:
SHA256:
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\DP_HUB\is-T57PS.tmp
MD5:
SHA256:
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\DP_HUB\is-BF9FS.tmp
MD5:
SHA256:
1008trdockfw3166.tmpC:\Users\admin\AppData\Local\Temp\TRDockfw\DP_HUB\is-JKG03.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
174
TCP/UDP connections
108
DNS requests
38
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2564
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=about%3Ablan&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
2564
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=d&maxwidth=398&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
2564
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=downlo&maxwidth=398&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
2564
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=download+wan&maxwidth=398&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
2564
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=download+wa&maxwidth=398&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
2564
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=download+wann&maxwidth=398&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
2564
iexplore.exe
GET
200
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=do&maxwidth=398&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
xml
236 b
whitelisted
2564
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=dow&maxwidth=398&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
2564
iexplore.exe
GET
200
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=about%3Ab&maxwidth=32765&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
xml
252 b
whitelisted
2564
iexplore.exe
GET
13.107.5.80:80
http://api.bing.com/qsml.aspx?query=download+wannac&maxwidth=398&rowheight=20&sectionHeight=160&FORM=IE11SS&market=en-US
US
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3168
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2564
iexplore.exe
13.107.5.80:80
Microsoft Corporation
US
whitelisted
2564
iexplore.exe
40.126.1.130:443
api.bing.com
Microsoft Corporation
US
malicious
2564
iexplore.exe
40.90.23.153:443
login.live.com
Microsoft Corporation
US
unknown
2564
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2564
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2564
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2564
iexplore.exe
204.79.197.222:80
4a8b00d64c9ef7b179275857353c7b0e.clo.footprintdns.com
Microsoft Corporation
US
whitelisted
2564
iexplore.exe
20.36.40.51:80
70db8e566c6869ca0dfc9de71fef2672.clo.footprintdns.com
US
unknown
2564
iexplore.exe
176.9.61.4:80
originaldll.com
Hetzner Online GmbH
DE
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
api.bing.com
  • 40.126.1.130
  • 20.190.129.2
  • 40.126.1.166
  • 20.190.129.160
  • 20.190.129.133
  • 20.190.129.130
  • 20.190.129.17
  • 20.190.129.19
whitelisted
login.microsoftonline.com
whitelisted
login.live.com
  • 40.90.23.153
  • 40.90.23.206
  • 40.90.137.120
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
70db8e566c6869ca0dfc9de71fef2672.clo.footprintdns.com
  • 20.36.40.51
unknown
www2.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
4a8b00d64c9ef7b179275857353c7b0e.clo.footprintdns.com
  • 204.79.197.222
suspicious
4c5588a5d3518c07f6bd31ede6c7bc99.clo.footprintdns.com
  • 13.107.42.10
unknown
fp.msedge.net
  • 204.79.197.222
whitelisted

Threats

PID
Process
Class
Message
2564
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2564
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2356
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 622
2356
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
2356
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
2356
taskhsvc.exe
Potential Corporate Privacy Violation
POLICY [PTsecurity] TOR SSL connection
2356
taskhsvc.exe
Misc activity
ET POLICY TLS possible TOR SSL traffic
2356
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 695
2356
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 615
2356
taskhsvc.exe
Misc Attack
ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 155
Process
Message
TRDock_FwUpdate.exe
{308}
TRDock_FwUpdate.exe
{486}
TRDock_FwUpdate.exe
Dumping objects ->
TRDock_FwUpdate.exe
normal block at 0x001D40F8, 34 bytes long.
TRDock_FwUpdate.exe
c:\work\thunder bolt\firmware\fw update tool\combined\trdock_fwupdate3166_0110_via5113baseon0107\trdock_fwupdate\trdock_fwupdate\ui_mainwnd.cpp(322) :
TRDock_FwUpdate.exe
c:\work\thunder bolt\firmware\fw update tool\combined\trdock_fwupdate3166_0110_via5113baseon0107\trdock_fwupdate\trdock_fwupdate\ui_mainwnd.cpp(303) :
TRDock_FwUpdate.exe
client block at 0x001DC930, subtype c0, 8 bytes long.
TRDock_FwUpdate.exe
{304}
TRDock_FwUpdate.exe
{306}
TRDock_FwUpdate.exe
Detected memory leaks!
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
trdockfw3166.exe