File name:

INQ_001825ABCPrj.docx

Full analysis: https://app.any.run/tasks/f1bdf50e-970d-4067-be3f-cca1e2d6df36
Verdict: Malicious activity
Threats:

FormBook is a data stealer distributed as malware-as-a-service (MaaS). It differs from much competing malware in its extreme ease of use, which allows even inexperienced threat actors to deploy it.

Analysis date: February 18, 2025, 15:53:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
arch-doc
exploit
cve-2017-11882
formbook
xloader
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

4D87B432D9C56C5677102264C6AEE91F

SHA1:

586C960C19829C54A92276655CF9048A31E596F3

SHA256:

95E45D55E2FC6DD48ACDDAEED3DA271D42F1422FA49F13FEEB42016A1A69816E

SSDEEP:

12288:K9cEPZ2Lxg/LdkoR40+tPOYAMQVaGjrcMh4hIYV66daE:EJ8gjdkB0OhAdVaioMh4hIW66daE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Equation Editor starts application (likely CVE-2017-11882)

      • EQNEDT32.EXE (PID: 2472)
      • EQNEDT32.EXE (PID: 3768)
      • EQNEDT32.EXE (PID: 3144)
    • Executable content was dropped or overwritten

      • WINWORD.EXE (PID: 2936)
      • WINWORD.EXE (PID: 2880)
    • Executing a file with an untrusted certificate

      • RtkAudUService64.exe (PID: 300)
      • RtkAudUService64.exe (PID: 3772)
      • RtkAudUService64.exe (PID: 1460)
    • Changes the autorun value in the registry

      • RtkAudUService64.exe (PID: 300)
      • PATHPING.EXE (PID: 340)
      • RtkAudUService64.exe (PID: 3772)
      • RtkAudUService64.exe (PID: 1460)
    • FORMBOOK has been detected (YARA)

      • PATHPING.EXE (PID: 340)
    • FORMBOOK has been detected (SURICATA)

      • explorer.exe (PID: 1916)
    • Connects to the CnC server

      • explorer.exe (PID: 1916)
    • Actions looks like stealing of personal data

      • PATHPING.EXE (PID: 340)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • WINWORD.EXE (PID: 2936)
      • cmd.exe (PID: 1556)
      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 1120)
    • Starts CMD.EXE for commands execution

      • EQNEDT32.EXE (PID: 2472)
      • RtkAudUService64.exe (PID: 300)
      • EQNEDT32.EXE (PID: 3768)
      • RtkAudUService64.exe (PID: 3772)
      • EQNEDT32.EXE (PID: 3144)
      • RtkAudUService64.exe (PID: 1460)
    • The executable file from the user directory is run by the CMD process

      • RtkAudUService64.exe (PID: 300)
      • RtkAudUService64.exe (PID: 3772)
      • RtkAudUService64.exe (PID: 1460)
    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 1916)
    • Likely accesses (executes) a file from the Public directory

      • cmd.exe (PID: 2196)
      • cmd.exe (PID: 3580)
      • cmd.exe (PID: 3564)
      • cmd.exe (PID: 888)
      • cmd.exe (PID: 3800)
      • cmd.exe (PID: 3784)
      • cmd.exe (PID: 3416)
      • cmd.exe (PID: 3856)
      • cmd.exe (PID: 1932)
      • cmd.exe (PID: 1268)
      • cmd.exe (PID: 3332)
      • cmd.exe (PID: 1788)
    • Executable content was dropped or overwritten

      • cmd.exe (PID: 1556)
      • cmd.exe (PID: 960)
      • PATHPING.EXE (PID: 340)
    • Reads the Internet Settings

      • RtkAudUService64.exe (PID: 300)
      • RtkAudUService64.exe (PID: 3772)
      • RtkAudUService64.exe (PID: 1460)
      • PATHPING.EXE (PID: 340)
    • Reads settings of System Certificates

      • RtkAudUService64.exe (PID: 300)
      • RtkAudUService64.exe (PID: 3772)
      • RtkAudUService64.exe (PID: 1460)
    • Process drops SQLite DLL files

      • PATHPING.EXE (PID: 340)
    • Contacting a server suspected of hosting an CnC

      • explorer.exe (PID: 1916)
  • INFO

    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 1916)
    • Manual execution by a user

      • WINWORD.EXE (PID: 2516)
      • rundll32.exe (PID: 3512)
      • MSOXMLED.EXE (PID: 124)
      • WINWORD.EXE (PID: 2880)
    • Reads the machine GUID from the registry

      • EQNEDT32.EXE (PID: 2472)
      • EQNEDT32.EXE (PID: 3768)
      • RtkAudUService64.exe (PID: 3772)
      • RtkAudUService64.exe (PID: 300)
      • EQNEDT32.EXE (PID: 3144)
      • RtkAudUService64.exe (PID: 1460)
    • Checks supported languages

      • EQNEDT32.EXE (PID: 2472)
      • RtkAudUService64.exe (PID: 300)
      • EQNEDT32.EXE (PID: 3768)
      • RtkAudUService64.exe (PID: 3772)
      • ImagingDevices.exe (PID: 3904)
      • ImagingDevices.exe (PID: 2728)
      • EQNEDT32.EXE (PID: 3144)
      • RtkAudUService64.exe (PID: 1460)
    • Reads the computer name

      • EQNEDT32.EXE (PID: 2472)
      • EQNEDT32.EXE (PID: 3768)
      • RtkAudUService64.exe (PID: 300)
      • RtkAudUService64.exe (PID: 3772)
      • RtkAudUService64.exe (PID: 1460)
      • EQNEDT32.EXE (PID: 3144)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1916)
      • PATHPING.EXE (PID: 340)
    • Reads the Internet Settings

      • explorer.exe (PID: 1916)
    • Checks proxy server information

      • PATHPING.EXE (PID: 340)
    • Creates files or folders in the user directory

      • PATHPING.EXE (PID: 340)
    • The sample compiled with english language support

      • PATHPING.EXE (PID: 340)
    • Create files in a temporary directory

      • PATHPING.EXE (PID: 340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.docx | Word Microsoft Office Open XML Format document (52.2)
.zip | Open Packaging Conventions container (38.8)
.zip | ZIP compressed archive (8.8)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:02:13 16:20:38
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: _rels/
No data.
All screenshots are available in the full report
Total processes
103
Monitored processes
47
Malicious processes
14
Suspicious processes
0

Behavior graph

Processes in the graph: winword.exe, eqnedt32.exe, cmd.exe, rtkauduservice64.exe, rundll32.exe, msoxmled.exe, iexplore.exe, imagingdevices.exe, pathping.exe (#FORMBOOK), explorer.exe (#FORMBOOK), firefox.exe, svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 124
CMD: "C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open C:\Users\admin\Desktop\document.xml.rels
Path: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
XML Editor
Exit code:
0
Version:
14.0.4750.1000
Modules
Images
c:\program files\common files\microsoft shared\office14\msoxmled.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 280
CMD: "C:\Windows\SysWOW64\PATHPING.EXE"
Path: C:\Windows\SysWOW64\PATHPING.EXE
Parent process: rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP PathPing Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\pathping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 300
CMD: C:\Users\admin\AppData\Local\Temp\RtkAudUService64.exe A C
Path: C:\Users\admin\AppData\Local\Temp\RtkAudUService64.exe
Parent process: cmd.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rtkauduservice64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\temp\nethost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 340
CMD: "C:\Windows\SysWOW64\PATHPING.EXE"
Path: C:\Windows\SysWOW64\PATHPING.EXE
Parent process: rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP PathPing Command
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\pathping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 404
CMD: C:\Windows\system32\svchost.exe -k NetworkService
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 592
CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3744 CREDAT:78849 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
PID: 888
CMD: C:\Windows\System32\cmd.exe /c copy C:\Users\Public\Downloads\RtkAudUService64.exe C:\Users\%username%\AppData\Roaming\Templates
Path: C:\Windows\System32\cmd.exe
Parent process: RtkAudUService64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 960
CMD: C:\Windows\System32\cmd.exe /c copy C:\Users\%username%\AppData\Local\Temp\RtkAudUService64.exe C:\Users\%username%\AppData\Roaming\Templates
Path: C:\Windows\System32\cmd.exe
Parent process: RtkAudUService64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1120
CMD: C:\Windows\System32\cmd.exe /c copy C:\Users\%username%\AppData\Local\Temp\nethost.dll C:\Users\%username%\AppData\Roaming\Templates
Path: C:\Windows\System32\cmd.exe
Parent process: RtkAudUService64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1268
CMD: C:\Windows\System32\cmd.exe /c copy C:\Users\Public\Downloads\RtkAudUService64.exe C:\Users\%username%\AppData\Roaming\Templates
Path: C:\Windows\System32\cmd.exe
Parent process: RtkAudUService64.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
34 878
Read events
33 307
Write events
734
Delete events
837

Modification events

(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Operation: write
Name: n/8
Value:
6E2F3800780B0000010000000000000000000000
(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1033
Value:
Off
(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1041
Value:
Off
(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1042
Value:
Off
(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1046
Value:
Off
(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1036
Value:
Off
(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1031
Value:
Off
(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1040
Value:
Off
(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 1049
Value:
Off
(PID) Process: (2936) WINWORD.EXE
Key: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation: write
Name: 3082
Value:
Off
Executable files
9
Suspicious files
34
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 2936
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVREBAF.tmp.cvr
MD5:
SHA256:
PID: 2516
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\CVRF767.tmp.cvr
MD5:
SHA256:
PID: 2936
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\RtkAudUService64.exe:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
PID: 2936
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\~$Q_001825ABCPrj.docx
Type: binary
MD5: 7E46B23508AC4528D0B04CB97926E0EA
SHA256: E96CFC2B06BDB0D7D30F1EB6F3201876A29E704CC03AE5CCD02878ADC7D5D77E
PID: 300
Process: RtkAudUService64.exe
Filename: C:\Users\admin\AppData\Local\Temp\wc137B.tmp
MD5:
SHA256:
PID: 3772
Process: RtkAudUService64.exe
Filename: C:\Users\admin\AppData\Local\Temp\wc1B3B.tmp
MD5:
SHA256:
PID: 2936
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\RtkAudUService64 (2).exe
Type: executable
MD5: 720F2634FE2E508EFE789B333E0043E8
SHA256: 38502A7852B56C500CABA4CD92E15A67B745BB778FD452214BBC5599FF738C99
PID: 2936
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\nethost (2).dll
Type: executable
MD5: 7326F6FA581C06AF70D264D4407EB584
SHA256: 108A118D2554B11FF7A369B26E65320EFA8783DB51A35386FAAB1A0259ADC2BA
PID: 2936
Process: WINWORD.EXE
Filename: C:\Users\admin\AppData\Local\Temp\nethost (2).dll:Zone.Identifier
Type: text
MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
PID: 1916
Process: explorer.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Bolivia.rtf.lnk
Type: binary
MD5: 9069BC44FFEF513AB034CEF6A4C70512
SHA256: A3D04B85C0A7B975772AE531FBD59727F051EF1EA4B646BD666CDE36C55BB082
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
35
TCP/UDP connections
38
DNS requests
16
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1916
explorer.exe
POST
405
13.248.169.48:80
http://www.garfo.xyz/35rt/
unknown
malicious
2880
WINWORD.EXE
POST
302
92.123.18.10:80
http://go.microsoft.com/fwlink/?LinkID=120750
unknown
whitelisted
2880
WINWORD.EXE
POST
302
92.123.18.10:80
http://go.microsoft.com/fwlink/?LinkID=120751
unknown
whitelisted
2880
WINWORD.EXE
POST
302
92.123.18.10:80
http://go.microsoft.com/fwlink/?LinkID=120752
unknown
whitelisted
1916
explorer.exe
GET
404
104.21.112.1:80
http://www.tumbetgirislinki.fit/i8hk/?R9WjC=t-qzCTw8NlS50Md&bAzBpF=K+pOOopymkknXfkwRMOODRnImAE84SOFWu/9K2ORM5db05+i9FCCCEOBxkitCmszUvDEDc3uFMal6ws8EFgKUfLm96GiPiVA6tmaiLUWN0tILc0KGSLI7+KDSxTz
unknown
malicious
340
PATHPING.EXE
GET
200
45.33.6.223:80
http://www.sqlite.org/2018/sqlite-dll-win32-x86-3220000.zip
unknown
whitelisted
1916
explorer.exe
POST
405
13.248.169.48:80
http://www.garfo.xyz/35rt/
unknown
malicious
1916
explorer.exe
POST
405
13.248.169.48:80
http://www.garfo.xyz/35rt/
unknown
malicious
1916
explorer.exe
GET
200
13.248.169.48:80
http://www.garfo.xyz/35rt/?bAzBpF=bXJGOrFa4jMYz/J1RPPonv+vRvtdlVQruKbZMpq3JR37y95WDNt8nzvZ2V5ofaBeOYeERyvLhcpbbu6Cmq0iYxcHOJ+3oXbx5JLLj2xMQFKu1/X376vyLErhN2WQ&R9WjC=t-qzCTw8NlS50Md
unknown
malicious
1916
explorer.exe
POST
403
156.224.244.124:80
http://www.grcgrg.net/jxyu/
unknown
unknown

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
300
RtkAudUService64.exe
104.21.96.1:443
www2.0zz0.com
CLOUDFLARENET
whitelisted
3772
RtkAudUService64.exe
104.21.96.1:443
www2.0zz0.com
CLOUDFLARENET
whitelisted
3744
iexplore.exe
152.199.21.175:443
iecvlist.microsoft.com
EDGECAST
DE
whitelisted
1460
RtkAudUService64.exe
104.21.96.1:443
www2.0zz0.com
CLOUDFLARENET
malicious
2880
WINWORD.EXE
92.123.18.10:80
go.microsoft.com
AKAMAI-AS
AT
whitelisted
2880
WINWORD.EXE
20.83.72.98:443
activation.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1916
explorer.exe
104.21.112.1:80
www2.0zz0.com
CLOUDFLARENET
malicious
340
PATHPING.EXE
45.33.6.223:80
www.sqlite.org
Linode, LLC
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
www2.0zz0.com
  • 104.21.96.1
  • 104.21.16.1
  • 104.21.32.1
  • 104.21.80.1
  • 104.21.64.1
  • 104.21.112.1
  • 104.21.48.1
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 92.123.104.4
  • 92.123.104.53
  • 92.123.104.63
  • 92.123.104.58
  • 92.123.104.59
  • 92.123.104.66
  • 92.123.104.62
  • 92.123.104.61
  • 92.123.104.65
whitelisted
iecvlist.microsoft.com
  • 152.199.21.175
whitelisted
r20swj13mr.microsoft.com
  • 152.199.21.175
whitelisted
go.microsoft.com
  • 92.123.18.10
whitelisted
activation.sls.microsoft.com
  • 20.83.72.98
whitelisted
www.tumbetgirislinki.fit
  • 104.21.112.1
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.64.1
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.48.1
malicious
www.sqlite.org
  • 45.33.6.223
whitelisted

Threats

PID
Process
Class
Message
1916
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET) M5
1916
explorer.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
1916
explorer.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
1916
explorer.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
1916
explorer.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
1916
explorer.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
1916
explorer.exe
Malware Command and Control Activity Detected
ET MALWARE FormBook CnC Checkin (GET) M5
1916
explorer.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
1916
explorer.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
1916
explorer.exe
A Network Trojan was detected
STEALER [ANY.RUN] Formbook HTTP Header
No debug info