File name:

RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe

Full analysis: https://app.any.run/tasks/1d54fb96-c744-4c8b-a702-f61bff024139
Verdict: Malicious activity
Threats:

A backdoor is malware, or a deliberately planted access path, that lets an attacker covertly re-enter a compromised system and carry out further actions such as stealing data or modifying files. Backdoors can be hard to detect because they often operate through legitimate system applications and blend in with normal activity. Threat actors frequently use dedicated malware families, PlugX being one example, to establish backdoors on target devices.

Analysis date: November 29, 2023, 16:41:14
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
backdoor
jinxv2
formbook
xloader
stealer
spyware
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:

46CE034FF575452D1D26C2002788F403

SHA1:

17219562838EE0D7FDF7A4883ED130757DB556BB

SHA256:

B7C66440C975BED86EFE68C47C95BD1460AB8CF21BCCACFC1E80C145E7BE0F8B

SSDEEP:

1536:DD9/G1vk+GcdsgDwjPootV0qksOM58JLBA/dM9NV:uv+VgBkVn5QLe/dMzV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
    • FORMBOOK has been detected (YARA)

      • colorcpl.exe (PID: 6980)
    • JINXV2 has been detected (SURICATA)

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 5392)
    • Connects to the CnC server

      • explorer.exe (PID: 4428)
    • FORMBOOK has been detected (SURICATA)

      • explorer.exe (PID: 4428)
    • Actions look like stealing of personal data

      • colorcpl.exe (PID: 6980)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
    • Application launched itself

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
      • cx5ylLPZa0WXFvQ.exe (PID: 3724)
    • Connects to the server without a host name

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 5392)
    • Checks for external IP

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 5392)
  • INFO

    • Checks proxy server information

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
      • colorcpl.exe (PID: 6980)
    • Reads the machine GUID from the registry

      • cx5ylLPZa0WXFvQ.exe (PID: 3724)
      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 5392)
    • Create files in a temporary directory

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
      • colorcpl.exe (PID: 6980)
    • Reads Environment values

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
    • Checks supported languages

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
      • cx5ylLPZa0WXFvQ.exe (PID: 3724)
      • cx5ylLPZa0WXFvQ.exe (PID: 4464)
      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 5392)
    • Reads the computer name

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
      • cx5ylLPZa0WXFvQ.exe (PID: 3724)
      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 5392)
    • Reads the software policy settings

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 5392)
    • Process checks computer location settings

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
    • Creates files or folders in the user directory

      • RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID: 6372)
      • cx5ylLPZa0WXFvQ.exe (PID: 3724)
    • Manual execution by a user

      • colorcpl.exe (PID: 6980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
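The indicators above describe a chain a detection engineer can encode: the downloaded RFQ executable drops a second .NET binary into %Temp% and relaunches itself (PIDs 6372, 3724, 5392), the relaunched copy looks up the host's external IP, and Formbook-tagged activity then appears in explorer.exe (PID 4428) and in a 32-bit colorcpl.exe it spawns (PID 6980). Note that the report labels the colorcpl.exe launch "Manual execution by a user" only because its parent is explorer.exe, the same explorer.exe the Suricata rules tie to the C2 traffic. The Python below is an added example, not ANY.RUN's code or anything from the sample: it replays constructed Sysmon-style events carrying the report's PIDs, paths, hashes and the www.wgs.com.pk / 168.119.136.101 connection through rules derived from those indicators. The event layout, the ipinfo.io and .top destination addresses (TEST-NET placeholders), the placeholder .top host name and the browser allow-list are assumptions of ours; the report itself names no .top domain.

```python
import hashlib
import ntpath
from collections import defaultdict

# Indicators copied from the report (hashes lower-cased for comparison).
SAMPLE_HASHES = {
    "md5": "46ce034ff575452d1d26c2002788f403",
    "sha1": "17219562838ee0d7fdf7a4883ed130757db556bb",
    "sha256": "b7c66440c975bed86efe68c47c95bd1460ab8cf21bccacfc1e80c145e7be0f8b",
}
DROPPED_SHA256 = "edf824f5152829ef7be198c97a42e4ecd5ae9be37ef57051deda0435cc302063"
NETWORK_IOCS = {"www.wgs.com.pk", "168.119.136.101"}
EXTERNAL_IP_SERVICES = {"ipinfo.io"}        # from the ET POLICY alert in the report
BROWSERS = {"firefox.exe", "msedge.exe"}    # assumption: processes allowed to look up their own IP

RFQ = r"C:\Users\admin\Downloads\RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe"
DROP = r"C:\Users\admin\AppData\Local\Temp\cx5ylLPZa0WXFvQ.exe"
EXPLORER = r"C:\Windows\explorer.exe"
COLORCPL = r"C:\Windows\SysWOW64\colorcpl.exe"

# Constructed Sysmon-style events replaying the report's chain. PIDs, paths and hashes are
# the report's; the event layout, the 203.0.113.10 / 198.51.100.7 addresses (TEST-NET) and
# the placeholder-c2.top name are ours (the report does not name the .top domain).
EVENTS = [
    {"type": "process", "pid": 6372, "image": RFQ, "parent_image": EXPLORER, "cmd": f'"{RFQ}" '},
    {"type": "file_create", "pid": 6372, "image": RFQ, "target": DROP, "sha256": DROPPED_SHA256},
    {"type": "process", "pid": 3724, "image": DROP, "parent_image": RFQ, "cmd": f'"{DROP}" '},
    {"type": "process", "pid": 5392, "image": RFQ, "parent_image": RFQ, "cmd": f'"{RFQ}"'},
    {"type": "network", "pid": 6372, "image": RFQ, "dst_ip": "168.119.136.101", "dst_host": "www.wgs.com.pk"},
    {"type": "network", "pid": 5392, "image": RFQ, "dst_ip": "203.0.113.10", "dst_host": "ipinfo.io"},
    {"type": "process", "pid": 6980, "image": COLORCPL, "parent_image": EXPLORER, "cmd": f'"{COLORCPL}"'},
    {"type": "file_create", "pid": 6980, "image": COLORCPL,
     "target": r"C:\Users\admin\AppData\Local\Temp\72-a1FI3Q",
     "sha256": "baca43d995d5591730efa286ec9cdb537ab3c12a9a58c93461dd470d128aaed0"},
    {"type": "network", "pid": 4428, "image": EXPLORER, "dst_ip": "198.51.100.7", "dst_host": "placeholder-c2.top"},
    {"type": "process", "pid": 2116, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": COLORCPL, "cmd": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, lower-case hex, keyed like SAMPLE_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_sample(digests: dict) -> bool:
    """True when any supplied digest equals the report's hash of the RFQ executable."""
    return any(digests.get(k, "").lower() == v for k, v in SAMPLE_HASHES.items())


def under_temp(path: str) -> bool:
    return "\\appdata\\local\\temp\\" in path.lower()


def has_args(cmd: str, image: str) -> bool:
    """True if the command line carries anything beyond the (possibly quoted) image path."""
    rest = cmd.strip()
    for form in (f'"{image}"', image):
        if rest.lower().startswith(form.lower()):
            return bool(rest[len(form):].strip())
    return True


def evaluate(events: list) -> list:
    """Return (rule, pid) pairs for every event matching a rule derived from the report."""
    temp_writes = defaultdict(list)  # pid -> paths it created under %Temp%
    for e in events:
        if e["type"] == "file_create" and under_temp(e["target"]):
            temp_writes[e["pid"]].append(e["target"])

    findings = []
    for e in events:
        kind, pid, img = e["type"], e["pid"], ntpath.basename(e["image"]).lower()
        if kind == "process":
            # "Application launched itself": same image as the parent (PID 5392 in the report).
            if e["parent_image"].lower() == e["image"].lower():
                findings.append(("self_launch", pid))
            # explorer.exe starting a 32-bit colorcpl.exe with no arguments also happens when a
            # user opens Color Management, so require corroboration: the same PID writes into
            # %Temp% (PID 6980 drops 72-a1FI3Q there in the report).
            if (ntpath.basename(e["parent_image"]).lower() == "explorer.exe"
                    and img == "colorcpl.exe" and "\\syswow64\\" in e["image"].lower()
                    and not has_args(e["cmd"], e["image"]) and temp_writes.get(pid)):
                findings.append(("explorer_colorcpl_injection_chain", pid))
        elif kind == "file_create":
            # "Drops the executable file immediately after the start" (PID 6372).
            if under_temp(e["target"]) and e["target"].lower().endswith(".exe"):
                findings.append(("exe_dropped_to_temp", pid))
            if e.get("sha256", "").lower() == DROPPED_SHA256:
                findings.append(("dropped_file_hash_ioc", pid))
        elif kind == "network":
            if e["dst_ip"] in NETWORK_IOCS or e.get("dst_host") in NETWORK_IOCS:
                findings.append(("network_ioc", pid))
            # "Checks for external IP" from something that is not a browser (PID 5392).
            if e.get("dst_host") in EXTERNAL_IP_SERVICES and img not in BROWSERS:
                findings.append(("external_ip_lookup", pid))
            # explorer.exe itself talking to a *.top host (the ET INFO alert for PID 4428).
            if img == "explorer.exe" and e.get("dst_host", "").endswith(".top"):
                findings.append(("explorer_to_top_tld", pid))
    return findings


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:36} pid={pid}")
```

Run as a script it lists seven matches, one per indicator class above. The colorcpl.exe rule deliberately needs the %Temp% write by the same PID, so a user opening Color Management from the Start menu does not trip it on its own; replace EVENTS with a Sysmon or EDR export in the same shape to hunt for the chain on real hosts.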
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:11:28 12:37:40+01:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 8
CodeSize: 36352
InitializedDataSize: 31232
UninitializedDataSize: -
EntryPoint: 0x0000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 12.0.0.236
ProductVersionNumber: 12.0.0.236
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Adobe Fireworks CS6
CompanyName: Adobe Systems Incorporated
FileDescription: Adobe Fireworks CS6
FileVersion: 12.0.0.236
InternalName: RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe
LegalCopyright: Copyright © 1998-2012 Adobe Systems Incorporated. All rights reserved.
LegalTrademarks: -
OriginalFileName: RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe
ProductName: Fireworks
ProductVersion: 12.0.0.236
AssemblyVersion: 12.0.0.236
No data.
All screenshots are available in the full report
Total processes
330
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Process tree, reconstructed from the parent-process fields in the process information below ("no specs" marks processes that triggered no signature):

start
  RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID 6372), parent explorer.exe
    cx5ylLPZa0WXFvQ.exe (PID 3724) no specs
      cx5ylLPZa0WXFvQ.exe (PID 4464) no specs
    RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID 5392) #JINXV2
explorer.exe (PID 4428) #FORMBOOK
  colorcpl.exe (PID 6980) #FORMBOOK
    firefox.exe (PID 2116) no specs
svchost.exe
  FileCoAuth.exe (PID 4924) no specs
  FileCoAuth.exe (PID 5564) no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2116
CMD: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: colorcpl.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
111.0.1
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\program files\mozilla firefox\vcruntime140.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
PID: 3724
CMD: "C:\Users\admin\AppData\Local\Temp\cx5ylLPZa0WXFvQ.exe"
Path: C:\Users\admin\AppData\Local\Temp\cx5ylLPZa0WXFvQ.exe
Parent process: RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Performance Relogging
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cx5yllpza0wxfvq.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 4428
CMD: C:\WINDOWS\Explorer.EXE
Path: C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.1023 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\smartscreenps.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 4464
CMD: "C:\Users\admin\AppData\Local\Temp\cx5ylLPZa0WXFvQ.exe"
Path: C:\Users\admin\AppData\Local\Temp\cx5ylLPZa0WXFvQ.exe
Parent process: cx5ylLPZa0WXFvQ.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Performance Relogging
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\cx5yllpza0wxfvq.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 4924
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 5392
CMD: "C:\Users\admin\Downloads\RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe"
Path: C:\Users\admin\Downloads\RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe
Parent process: RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Fireworks CS6
Exit code:
0
Version:
12.0.0.236
Modules
Images
c:\users\admin\downloads\rfq for hri hor rfx204847394304893545 offshore project.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
PID: 5564
CMD: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding
Path: C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft OneDriveFile Co-Authoring Executable
Exit code:
0
Version:
19.043.0304.0013
Modules
Images
c:\users\admin\appdata\local\microsoft\onedrive\19.043.0304.0013\filecoauth.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 6372
CMD: "C:\Users\admin\Downloads\RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe"
Path: C:\Users\admin\Downloads\RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe
Parent process: explorer.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Fireworks CS6
Exit code:
0
Version:
12.0.0.236
Modules
Images
c:\users\admin\downloads\rfq for hri hor rfx204847394304893545 offshore project.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 6980
CMD: "C:\Windows\SysWOW64\colorcpl.exe"
Path: C:\Windows\SysWOW64\colorcpl.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Color Control Panel
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\colorcpl.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\colorui.dll
Total events
6 276
Read events
6 254
Write events
22
Delete events
0

Modification events

Process: explorer.exe (PID 4428)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F006200000000000000000000000100000089D39A5B70006300

Process: explorer.exe (PID 4428)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}.check.800
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F00620000000000000001000000800000000000000089E6124728C7D901000000007B00440045003700420032003400450041002D0037003300430038002D0034004100300039002D0039003800350044002D003500420044004100440043004600410039003000310037007D002E006E006F00740069006600690063006100740069006F006E002E003200000000F46DD3BC4F73B5050000

Process: RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID 6372)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Process: RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID 6372)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Process: RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID 6372)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Process: RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe (PID 6372)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Process: colorcpl.exe (PID 6980)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: colorcpl.exe (PID 6980)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: explorer.exe (PID 4428)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}.check.800
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000

Process: explorer.exe (PID 4428)
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{DE7B24EA-73C8-4A09-985D-5BDADCFA9017}.check.800
Operation: write
Name: CheckSetting
Value: 23004100430042006C006F0062000000000000000100000080000000000000005E6A2719E422DA01000000007B00440045003700420032003400450041002D0037003300430038002D0034004100300039002D0039003800350044002D003500420044004100440043004600410039003000310037007D002E006E006F00740069006600690063006100740069006F006E002E00320000000000000000000000000000
Executable files
1
Suspicious files
5
Text files
2
Unknown types
0

Dropped files

PID: 3724 (cx5ylLPZa0WXFvQ.exe)
File: C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cx5ylLPZa0WXFvQ.exe.log
Type: text
MD5: 11ECC3D8871AD444170ECFF4967C57A3
SHA256: 557E596A893A5FFF90A270851E50FF3F94021A87B493E7D5BD975FCED7699B01

PID: 5564 (FileCoAuth.exe)
File: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-29.1654.5564.1.aodl
Type: binary
MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65

PID: 4924 (FileCoAuth.exe)
File: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-29.1644.4924.1.aodl
Type: binary
MD5: 923BF0E545D9C37CA8874C8D6C4A30E6
SHA256: AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65

PID: 6372 (RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe)
File: C:\Users\admin\AppData\Local\Temp\cx5ylLPZa0WXFvQ.exe
Type: executable
MD5: 7043814725252C8CACF78B12D2002B80
SHA256: EDF824F5152829EF7BE198C97A42E4ECD5AE9BE37EF57051DEDA0435CC302063

PID: 6980 (colorcpl.exe)
File: C:\Users\admin\AppData\Local\Temp\72-a1FI3Q
Type: binary
MD5: DEF0831A3EBF657C17EAD677A282B855
SHA256: BACA43D995D5591730EFA286EC9CDB537AB3C12A9A58C93461DD470D128AAED0

PID: 5564 (FileCoAuth.exe)
File: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-29.1654.5564.1.odl
Type: binary
MD5: 31E29D4B15A5139C60075B6214128388
SHA256: D7975FB5096E0331C727248ED6C1B5B64FA8C1A9D6E8FE11453A5FBD94EB3569

PID: 6372 (RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe)
File: C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe.log
Type: text
MD5: 9D9B483564F1F785A4239BD80CBF82D1
SHA256: BF67584BEB20D6AF773C14A84BBDBEC8246AB2425E6345183B4A8CD748FD004B

PID: 4924 (FileCoAuth.exe)
File: C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-29.1644.4924.1.odl
Type: binary
MD5: 66DC6EC3F924F5EE93E01CCA56136281
SHA256: 463F9122C8583EBD076E53267230732038631C1D462DEF1B47377463232BB189
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
127
TCP/UDP connections
134
DNS requests
45
Threats
50

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2344 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | binary | 824 b | unknown
3920 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | binary | 1.11 Kb | unknown
3920 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | binary | 814 b | unknown
2344 | svchost.exe | GET | 200 | 23.56.202.135:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown
2540 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | unknown
7156 | SIHClient.exe | GET | - | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | unknown
7156 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown
6940 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | unknown | binary | 471 b | unknown
- | - | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | binary | 1.05 Kb | unknown
2152 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D | unknown | binary | 471 b | unknown

("-" marks a field the report leaves empty.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6372 | RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe | 168.119.136.101:443 | www.wgs.com.pk | Hetzner Online GmbH | DE | unknown
3764 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
1572 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3920 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown
3920 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
2344 | svchost.exe | 23.56.202.135:80 | x1.c.lencr.org | AKAMAI-AS | GB | unknown
3920 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
488 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2540 | svchost.exe | 40.126.31.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

("-" marks a field the report leaves empty.)

DNS requests

Domain
IP
Reputation
www.wgs.com.pk
  • 168.119.136.101
unknown
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
  • 2.16.164.9
  • 2.16.164.43
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 88.221.125.143
whitelisted
x1.c.lencr.org
  • 23.56.202.135
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
login.live.com
  • 40.126.31.71
  • 20.190.159.4
  • 40.126.31.67
  • 20.190.159.23
  • 20.190.159.68
  • 20.190.159.71
  • 40.126.31.73
  • 20.190.159.2
  • 40.126.31.69
  • 20.190.159.75
  • 20.190.159.73
  • 20.190.159.0
  • 40.126.32.134
  • 40.126.32.76
  • 40.126.32.140
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.72
  • 40.126.32.138
  • 40.126.32.133
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
arc.msn.com
  • 20.199.58.43
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.166.126.56
whitelisted

Threats

PID | Process | Class | Message
5392 | RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)
5392 | RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] JinxV2DEV
5392 | RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] JinxV2DEV
5392 | RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] JinxV2DEV
5392 | RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] JinxV2DEV
2092 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
4428 | explorer.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
4428 | explorer.exe | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP header
5392 | RFQ for HRI HOR RFX204847394304893545 Offshore Project.exe | A Network Trojan was detected | BACKDOOR [ANY.RUN] JinxV2DEV
4428 | explorer.exe | A Network Trojan was detected | STEALER [ANY.RUN] Formbook HTTP header
31 ETPRO signatures available at the full report
No debug info