File name: my_attach.vbs
Full analysis: https://app.any.run/tasks/6266179b-73cf-456e-a426-bb63a60604f2
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on the family, their capabilities range from full remote control of the victim's machine to stealing data and files and dropping other malware, so the core functionality varies considerably from one family to another. The most common trojan infection chain starts with a phishing email, which is consistent with the file name of this sample (my_attach.vbs) and with the "Manual execution by user" signature below.

Analysis date: December 06, 2019, 20:07:05
OS: Windows 10 Professional (build: 16299, 64 bit)
Tags:
trojan
gozi
ursnif
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines, with no line terminators
MD5: B2FA349DB7D42A0AA2FAD4FAF5E9B758
SHA1: 4B91CD990F5FE83C68C3859D2C9675EAEA71A845
SHA256: 3E37181D622725EA89A449F574D7AA680913B7D03CF1F3881C14AFF7DBCE0DA5
SSDEEP: 6144:bXuCOyk/8kohMCXvsqzpUiKMuwT1r4igOiTpSzcCOIVcyTYujPzYWGlbi6x3GGLm:bXuCX

A script file that consists of a single very long line with no line terminator is itself a triage signal: legitimate scripts are line-oriented, while obfuscated droppers routinely pack their code and embedded payload into one line.

ANY.RUN is an interactive service which provides full access to the guest system. Because an analyst can act inside the VM, the information in this report may have been influenced by user actions and is provided as is, for the reader's awareness. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Connects to CnC server

      • IEXPLORE.EXE (PID: 268)
      • IEXPLORE.EXE (PID: 4528)
      • IEXPLORE.EXE (PID: 2980)
      • IEXPLORE.EXE (PID: 2312)
      • IEXPLORE.EXE (PID: 3124)
      • IEXPLORE.EXE (PID: 4412)
      • IEXPLORE.EXE (PID: 4212)
      • IEXPLORE.EXE (PID: 3872)
      • IEXPLORE.EXE (PID: 2116)
      • IEXPLORE.EXE (PID: 3496)
      • IEXPLORE.EXE (PID: 4504)
      • IEXPLORE.EXE (PID: 696)
      • IEXPLORE.EXE (PID: 4040)
      • IEXPLORE.EXE (PID: 1704)
      • IEXPLORE.EXE (PID: 4008)
      • IEXPLORE.EXE (PID: 3336)
      • IEXPLORE.EXE (PID: 2388)
      • IEXPLORE.EXE (PID: 1248)
      • IEXPLORE.EXE (PID: 756)
      • IEXPLORE.EXE (PID: 1492)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 1744)
    • URSNIF was detected

      • IEXPLORE.EXE (PID: 268)
      • IEXPLORE.EXE (PID: 4528)
      • IEXPLORE.EXE (PID: 2980)
      • IEXPLORE.EXE (PID: 2312)
      • IEXPLORE.EXE (PID: 3124)
      • IEXPLORE.EXE (PID: 4412)
      • IEXPLORE.EXE (PID: 4212)
      • IEXPLORE.EXE (PID: 3872)
      • IEXPLORE.EXE (PID: 2116)
      • IEXPLORE.EXE (PID: 3496)
      • IEXPLORE.EXE (PID: 4504)
      • IEXPLORE.EXE (PID: 4040)
      • IEXPLORE.EXE (PID: 696)
      • IEXPLORE.EXE (PID: 1704)
      • IEXPLORE.EXE (PID: 3336)
      • IEXPLORE.EXE (PID: 4008)
      • IEXPLORE.EXE (PID: 2388)
      • IEXPLORE.EXE (PID: 1248)
      • IEXPLORE.EXE (PID: 756)
      • IEXPLORE.EXE (PID: 1492)
  • SUSPICIOUS

    • Executed via COM

      • OpenWith.exe (PID: 4908)
      • rundll32.exe (PID: 2216)
      • ielowutil.exe (PID: 3696)
      • IEXPLORE.EXE (PID: 968)
      • IEXPLORE.EXE (PID: 1960)
      • IEXPLORE.EXE (PID: 440)
      • IEXPLORE.EXE (PID: 1288)
      • IEXPLORE.EXE (PID: 2216)
      • IEXPLORE.EXE (PID: 3108)
      • IEXPLORE.EXE (PID: 2804)
      • IEXPLORE.EXE (PID: 2636)
      • IEXPLORE.EXE (PID: 3880)
      • IEXPLORE.EXE (PID: 4732)
      • IEXPLORE.EXE (PID: 4036)
      • IEXPLORE.EXE (PID: 2184)
      • IEXPLORE.EXE (PID: 1432)
      • ielowutil.exe (PID: 4956)
      • IEXPLORE.EXE (PID: 2856)
      • IEXPLORE.EXE (PID: 2400)
      • IEXPLORE.EXE (PID: 1096)
      • IEXPLORE.EXE (PID: 824)
      • IEXPLORE.EXE (PID: 4896)
      • IEXPLORE.EXE (PID: 720)
      • IEXPLORE.EXE (PID: 2740)
    • Executable content was dropped or overwritten

      • WScript.exe (PID: 444)
    • Uses RUNDLL32.EXE to load library

      • rundll32.exe (PID: 1020)
      • WScript.exe (PID: 444)
    • Reads the machine GUID from the registry

      • WScript.exe (PID: 444)
  • INFO

    • Manual execution by user

      • WScript.exe (PID: 444)
    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 268)
      • IEXPLORE.EXE (PID: 4528)
      • IEXPLORE.EXE (PID: 2980)
      • IEXPLORE.EXE (PID: 2312)
      • IEXPLORE.EXE (PID: 3124)
      • IEXPLORE.EXE (PID: 4412)
      • IEXPLORE.EXE (PID: 2116)
      • IEXPLORE.EXE (PID: 4212)
      • IEXPLORE.EXE (PID: 3872)
      • IEXPLORE.EXE (PID: 3496)
      • IEXPLORE.EXE (PID: 4504)
      • IEXPLORE.EXE (PID: 4040)
      • IEXPLORE.EXE (PID: 696)
      • IEXPLORE.EXE (PID: 1704)
      • IEXPLORE.EXE (PID: 4008)
      • IEXPLORE.EXE (PID: 3336)
      • IEXPLORE.EXE (PID: 2388)
      • IEXPLORE.EXE (PID: 1248)
      • IEXPLORE.EXE (PID: 756)
      • IEXPLORE.EXE (PID: 1492)
    • Changes internet zones settings

      • IEXPLORE.EXE (PID: 1960)
      • IEXPLORE.EXE (PID: 968)
      • IEXPLORE.EXE (PID: 440)
      • IEXPLORE.EXE (PID: 1288)
      • IEXPLORE.EXE (PID: 2804)
      • IEXPLORE.EXE (PID: 2216)
      • IEXPLORE.EXE (PID: 3108)
      • IEXPLORE.EXE (PID: 2636)
      • IEXPLORE.EXE (PID: 3880)
      • IEXPLORE.EXE (PID: 4036)
      • IEXPLORE.EXE (PID: 4732)
      • IEXPLORE.EXE (PID: 1432)
      • IEXPLORE.EXE (PID: 2856)
      • IEXPLORE.EXE (PID: 1096)
      • IEXPLORE.EXE (PID: 2400)
      • IEXPLORE.EXE (PID: 824)
      • IEXPLORE.EXE (PID: 4896)
      • IEXPLORE.EXE (PID: 720)
      • IEXPLORE.EXE (PID: 2740)
      • IEXPLORE.EXE (PID: 2184)
    • Reads the machine GUID from the registry

      • IEXPLORE.EXE (PID: 1960)
      • IEXPLORE.EXE (PID: 268)
      • IEXPLORE.EXE (PID: 440)
      • IEXPLORE.EXE (PID: 4528)
      • IEXPLORE.EXE (PID: 968)
      • IEXPLORE.EXE (PID: 2980)
      • IEXPLORE.EXE (PID: 2312)
      • IEXPLORE.EXE (PID: 1288)
      • IEXPLORE.EXE (PID: 2804)
      • IEXPLORE.EXE (PID: 3124)
      • IEXPLORE.EXE (PID: 2216)
      • IEXPLORE.EXE (PID: 4412)
      • IEXPLORE.EXE (PID: 3108)
      • IEXPLORE.EXE (PID: 2116)
      • IEXPLORE.EXE (PID: 2636)
      • IEXPLORE.EXE (PID: 4212)
      • IEXPLORE.EXE (PID: 3880)
      • IEXPLORE.EXE (PID: 3872)
      • IEXPLORE.EXE (PID: 4732)
      • IEXPLORE.EXE (PID: 3496)
      • IEXPLORE.EXE (PID: 4036)
      • IEXPLORE.EXE (PID: 4504)
      • IEXPLORE.EXE (PID: 2184)
      • IEXPLORE.EXE (PID: 1432)
      • IEXPLORE.EXE (PID: 4040)
      • IEXPLORE.EXE (PID: 2856)
      • IEXPLORE.EXE (PID: 696)
      • IEXPLORE.EXE (PID: 1704)
      • IEXPLORE.EXE (PID: 4008)
      • IEXPLORE.EXE (PID: 1096)
      • IEXPLORE.EXE (PID: 2400)
      • IEXPLORE.EXE (PID: 3336)
      • IEXPLORE.EXE (PID: 824)
      • IEXPLORE.EXE (PID: 756)
      • IEXPLORE.EXE (PID: 4896)
      • IEXPLORE.EXE (PID: 2388)
      • IEXPLORE.EXE (PID: 720)
      • IEXPLORE.EXE (PID: 2740)
      • IEXPLORE.EXE (PID: 1492)
      • IEXPLORE.EXE (PID: 1248)
    • Reads the hosts file

      • rundll32.exe (PID: 1744)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Malware configuration: none extracted.

TRiD

.flm | Adobe FilmStrip (100)

TRiD's result is a false identification: the figure in parentheses is relative to whichever signatures TRiD happened to match, and the file is plain ASCII text (a VBScript, per the file info above), not an Adobe FilmStrip image. Rely on the MIME/file-type line and on the recorded behaviour, not on this guess.
No data.
All screenshots are available in the full report
Total processes: 144
Monitored processes: 48
Malicious processes: 41
Suspicious processes: 2

Behavior graph

(Rendered as an interactive process graph in the full report. The nodes it lists, in order: start, rundll32.exe (no specs), openwith.exe (no specs), rundll32.exe (no specs), wscript.exe, rundll32.exe (no specs), rundll32.exe, ielowutil.exe (no specs), then iexplore.exe processes each paired with an iexplore.exe process flagged #URSNIF, with a second ielowutil.exe (no specs) between the twelfth and thirteenth pair. Twenty iexplore.exe instances carry the #URSNIF flag, matching the "URSNIF was detected" list above.)

Process information

Each entry gives the PID, the recorded command line, the image path and the parent process; the Indicators column of the original table (icons only) is not reproduced. For Internet Explorer content processes, SCODEF:<pid> in the command line is the PID of the frame process that created them.

PID 268: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:968 CREDAT:9474 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Parent process: IEXPLORE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID 440: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 444: "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Desktop\my_attach.vbs"
Path: C:\WINDOWS\System32\WScript.exe
Parent process: explorer.exe
Note: this is the initial execution. The script was started from the Desktop by explorer.exe (the "Manual execution by user" signature), i.e. the user opened the attachment; the same process later drops 4923.dll and starts rundll32.exe (PID 1020).
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID 696: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:9474 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Parent process: IEXPLORE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID 720: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 756: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:9474 /prefetch:2
Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
Parent process: IEXPLORE.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files (x86)\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernelbase.dll
PID 824: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 968: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID 1020: "C:\Windows\System32\rundll32.exe" "C:\Users\admin\Music\\4923.dll",DllRegisterServer
Path: C:\Windows\System32\rundll32.exe
Parent process: WScript.exe
Note: this is the payload stage. The DLL is the executable that WScript.exe (PID 444) wrote into the user's Music folder (see Dropped files), run through rundll32's DllRegisterServer export so that no custom loader is needed. The doubled backslash is preserved from the recorded command line; Win32 path parsing collapses repeated separators, so the path is still valid and must not be matched literally in detection rules.
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\shcore.dll
PID 1096: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -Embedding
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.16299.15 (WinBuild.160101.0800)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 11 810
Read events: 10 897
Write events: 893
Delete events: 20

Modification events

PID 2428 rundll32.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
  Operation: write
  Name: {E44E9428-BDBC-4987-A099-40DC8FD255E7} {6A283FE2-ECFA-4599-91C4-E80957137B26} 0xFFFF
  Value: 01000000000000001DEE1DC570ACD501

PID 4908 OpenWith.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\192\52C64B7E
  Operation: write
  Name: LanguageList
  Value: en-US

PID 444 WScript.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write
  ProxyBypass = 1
  IntranetName = 1
  UNCAsIntranet = 1
  AutoDetect = 0
  (These four values are typically written when a process initialises the WinINet/urlmon zone map, which happens when a script uses an IE-based COM object for network access. They show the script touched that stack; on their own they do not prove a download took place, and this report records HTTP requests only from IEXPLORE.EXE.)

PID 968 IEXPLORE.EXE
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock
  Operation: write
  L1WatermarkLowPart = 0
  L1WatermarkHighPart = 0
  NextCheckForUpdateLowDateTime = 0
  NextCheckForUpdateHighDateTime = 0
Executable files: 1
Suspicious files: 3
Text files: 162
Unknown types: 0

Dropped files

(MD5/SHA256 values are not listed in this extract; the Type column is shown only where the report gives one.)

PID 968 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\~DFA7639C1A30814CEB.TMP
PID 968 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URLD50E.tmp
PID 968 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_637112583037787270.bin
PID 968 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\~DF271A169B26DEBA6F.TMP
PID 968 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{5D19D9CC-1864-11EA-B466-5254004AAD11}.dat
PID 444 WScript.exe: C:\Users\admin\Music\4923.dll (type: executable)
PID 968 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{5D19D9CE-1864-11EA-B466-5254004AAD11}.dat (type: binary)
PID 1960 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\~DF639DB861A0DB019C.TMP
PID 1960 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{781E5975-1864-11EA-B466-5254004AAD11}.dat
PID 1960 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\~DF690088EF41AD7066.TMP

The only artefact that matters here is 4923.dll, the single executable counted above, written by WScript.exe into a user-writable folder and then loaded by rundll32.exe (PID 1020). The remaining entries are Internet Explorer's own temp, UrlBlock and session-recovery files, which appear whenever IE runs.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20 (10 listed below)
TCP/UDP connections: 64 (10 listed below)
DNS requests: 26 (5 listed below)
Threats: 39

HTTP requests

All ten requests listed are GET from IEXPLORE.EXE to 8.208.24.139:80 (CN: US), each answered 404 with a 106 b html body; reputation: malicious. The uniform 404 with an identical small body is itself part of the pattern; the bodies are only available in the PCAP in the full report.

PID 2980: http://w8.wensa.at/api1/7mW7lABdXR0x2N/kG9Ef_2FI9vWZr8X_2FY5/pdSuQjJden1x_2FS/zWs2TfBxs7V6sj6/uGktlXworI0Bkt34SH/e00jvZua8/Fhxesm_2F3ho2XY8QLDY/hNx3mjJlZrSe2i_2Fau/UOgUjQoRdrZPzSFNm0Zjnh/7I5vo1oy8k5az/9VEFQWph/GxbUJe8ioBGgcwI9pdEFneF/6sFQ1pT9cT/s11oYszK15l_2FboK/dDffq8wW91qO/4V56BaRffqd/3WZ2xiaybvwbuD/4a_0A_0DhYv99hKEs_2Fx/aNR7JGzmw2JU37/J
PID 2312: http://w8.wensa.at/api1/WAe5FAUpxu/_2F82FJXpNM1FiPMf/vCuxlVkNdNVx/Ni_2BB_2BlR/Siq2DAA8cbfKqG/OiUbJC5HwLkfYQLbhtquc/K_2BD2HXhG9Ec8za/Hm8MaHXyst6_2Fb/9KH3HE2hVnZD_2Fp9o/aWJUJJ74M/GJsjdPsmxTDYu3BlkeWG/zm_2Fk_2FHFF5uYYUyT/IM_2BYTpe1BwGkKvrRwFrO/_2B02VSPdXfAg/vpWKHDKO/EzhWVhLii19pAoTVKRHGLJD/WZU_2BNLDK/H7xUKYaHerwi9kMg_/0A_0DXB5lZRd/6tFIed8x1/BAa7shRY/mB
PID 268: http://w8.wensa.at/api1/tE_2FhkF/aKhZ_2F51Hk8ZVuFx736FXf/FtB7VkVBG7/sS7Txfk3p5OnmbJw3/KEadMv8lvvNS/osiUoIcG_2B/eLkrr80fphwQNq/vMkQqeVty_2BpZbBbcYZX/ocnMSKpdwtE71_2F/Q7xvPX3boVOGvLp/DdVS_2FPh42RYYCVDP/rn9PYgFWD/tZmzWanYffXz8pJWqQTt/TImG5KgQciFHSlGpO7l/kmxMa_2F_2B9tGapEVPKay/a5ZHKj15kygm2/C2oIiNLv/C71woosNF95G_0A_0D0Ygv2/wySExF1Ni6wGs_/2B5btD8c/9
PID 3124: http://w8.wensa.at/api1/0dQaqdXBauovnKTHMYt8/KSDGEYNUyqVclERiImQ/PVFaKFcS6fw5Wq78x4CvZc/qKOx_2BsFwU9S/yYfxkYBs/6V3iZQQX6IRaWcUbYaAqQNQ/yvasJlhN9T/_2BYzp2RH80XEJf_2/FC84Lmf_2Bjg/j_2BUeQEvVe/oWPYF0_2Bq1BRX/PXpqPiKLmI_2FrhgRfMho/vx8G_2FkWoSpH4ir/xCOxAvYCYW9PeCd/owrMQHEq3eo0LjBT0t/SReOwa_2B/lLFYcT05uz_2BwI95gBT/_2Fa_2BC_0A_0DebqBp/gO33ayiZIbFVk39O/SJoCi
PID 4212: http://w8.wensa.at/api1/z4Qu9nTrXP/H9_2BZEbdpvYJL8D2/clpp3wRMB61c/ioHhc3MZFhT/vsPWkDbIHmocOH/wia7WNyVIGKK5K3Fwk6xI/X440w0QocJckQDKq/Y3suDC3g4BVRUhG/txGezJkYoYxTiaIOiY/FqgCvWhqi/GAw8ZjWwB_2BNyYC2WQM/tEEZc1mMjpK26MtCcga/u9USV_2BKxPZRLHsKvyJFV/p9IB8V4bCnlu0/5ZPHPT6a/RD8Le0AjJSWvas2C4shD_2F/HGgX_2FCDv/DFy4_0A_0DOROEvyo/KzdwJ7Enbal2u/h4g7uo
PID 3336: http://w8.wensa.at/api1/Gs5rd76x_2FAtai/G4RCaeiMOqId7NO3mO/dhQAqClsk/c7OKawUKhdkwFsJAb3Rv/s2eCzrZwYRLxCo6JViQ/ByZB57zkZSuIDK25wCKzO_/2FW2zDItjKbqj/Bb5dPLHt/WRcN0l33rRefg4A_2FWFCpz/P8Lz_2BnTj/Z7R63THD4r9qfeZj3/OwEMciiZc5ry/2jRxV_2F7vY/b4g6i9BA9QN3Rq/47UgxXG2AwRZ9s5ZrQLDV/k_2BgafcXVreDfMs/C4wWoJQ_2Bkydnu/d_2BZ_0A_0DYD7sQ4t/toSKk1a70q5VHs/Ia1FY
PID 756: http://w8.wensa.at/api1/9QVKYz7ly/4OVd8InPlrWOwCvv7Mc9/dRl_2FWBdigeFoVZRed/AMuxctXwVL1GSyEMN0tYOF/dlEh1qmd8g_2F/QuI1Q0d5/biUyLtuz5tBnyS5rI8eduvh/Qe6OvQq_2B/PxumSUb8viGTGuw_2/B_2FC2Q1Xprj/2rHI_2FliDb/XAirb5_2FojzTz/D8SZv5MTDjtO6KA33M5xQ/_2B7OH87ZPLfups4/RvwqT_2F2D6wusp/GxOPbo4DMwOuFqEbgK/93qdTPAU3/8LUBy05xYSdZy_0A_0D1/5CxvVse0vHfA8kmvdFF/a3AfHn
PID 4528: http://w8.wensa.at/api1/48ag1MDSs_2FXUGb6/DbwTownfBWzb/rlv7Y79TcY7/ZDaSBziNEgsyKO/F88iktodqkL_2BXeeDY4m/IVpuYli7qZJJyqQy/xpjZG5yFthgtOoB/xmI1_2FQt6ztijOKWy/Y_2BgSZxO/C_2BcU_2B3AQKCEissr3/iiI2iA50tNDSzqKRkWc/8XQAIUKRqLXG_2B6euYmWf/WunrjZM4UG3bN/Wf5jyoTA/8Vi_2BD9ITpRae1DM2CWYxc/095yxgh3nd/iN5pGTSss1TN3z_2F/k1Ikh_0A_0DX/U86PL05MiNn/uTZquYO2SB/2C7R
PID 1492: http://w8.wensa.at/api1/0yOvEM3CS9es4KY/pPm7xUaZ20ZzocTa4a/7pxwt_2BT/84z_2BKd3URIYdFhhVfj/LPh5hvZnUiu5_2BVwoc/hte6zAAIc014wKOOyw_2Fs/ySg5ONEzGmSGO/vKuhXJvx/pHruXfKcfYGdzBAC6tuSNSR/S_2BNWVl8c/L3WSh97c9dx48gDaK/X4uwRtYZcvNw/t0sZ00I1bYG/nqss_2FrFa6bKW/BwXxJ1ftqqrdZYXdjtcFa/Wglsaxt_2FW64ct_/2BpX_2FbKNbMp1_/2F5ZEU1pn_0A_0DlQx/ZqgvONAB_/2F3uG9ieILGM/lDYs
PID 4008: http://w8.wensa.at/api1/sBzYaKwN5nV/LtFVQrJdwunI44/45S19vJKb9HPn9pczE_2F/PrvD69mFZzpuLTNE/r_2FBRMwFYR70FQ/kWK2g4_2F2Xo9owTTG/uZrl2RMTj/73QjOEGZ8mEau2j92EuU/rvOqXM6cgOOzdMyFhKs/wwKukyQWPGDwM1N5mfMbhX/9c1L5Ah3dV_2F/W_2FkC3A/VR2xdDGkUpY7Yypq1Frb73P/fYgu0Fa1ix/eu6T9AcElOaGBsxrY/_2BLvMvUT7cZ/SRHm0Y33PKI/_2BMqpH_0A_0Dt/qFTCcNhL7mLwf45akDSEP/xggv
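All ten URLs share one shape: a fixed /api1/ prefix, then a long run of pseudo-random path segments containing the tokens _2F, _2B and _0A_0D, with the separators sometimes falling inside a token (kMg_/0A_0D in the second URL). The block below is an added example, not ANY.RUN's code and not derived from the malware, that turns that observed shape into a proxy-log check. Reading _XX as an underscore-escaped hex byte (so _2F is '/', _2B is '+', _0A_0D is LF CR) is this example's assumption, as is the proxy-log line format; of the three log lines, the first carries the first URL from the table above and the other two are constructed benign look-alikes. Nothing here decrypts the payload, since the report contains no key material; the example only reverses the visible transform and checks that what remains is base64-shaped.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# "_XX" tokens appear in every C2 URL of the report. Treating them as hex escapes
# is this example's assumption about the encoding, not something the report states.
ESCAPE_RE = re.compile(r"_([0-9A-Fa-f]{2})")
SEGMENT_RE = re.compile(r"^[A-Za-z0-9_]+$")
# Standard base64 alphabet plus LF/CR, which is what _0A_0D decodes to under the assumption above.
BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\n\r")


def is_c2_style_path(path: str, prefix: str = "/api1/", min_len: int = 100) -> bool:
    """Heuristic match for the URL shape seen above: fixed prefix, long, many
    alphanumeric/underscore segments, and at least two '_XX' escape tokens."""
    if not path.startswith(prefix) or len(path) < min_len:
        return False
    segments = [s for s in path[len(prefix):].split("/") if s]
    if len(segments) < 4 or not all(SEGMENT_RE.match(s) for s in segments):
        return False
    # Count escapes on the slash-free text: a separator can sit inside a token.
    return len(ESCAPE_RE.findall(path.replace("/", ""))) >= 2


def unescape_payload(path: str, prefix: str = "/api1/") -> str:
    """Reverse the visible transform: drop the '/' separators, then map each '_XX'
    back to the byte it encodes. The result is the encoded (still encrypted) blob."""
    joined = path[len(prefix):].replace("/", "")
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), joined)


def looks_like_base64(blob: str) -> bool:
    """True if every character of the unescaped blob is in the base64 alphabet (CR/LF allowed)."""
    return bool(blob) and set(blob) <= BASE64_ALPHABET


# Constructed proxy log: "<time> <client> <method> <status> <url>". Timestamps and
# client addresses are invented; the first URL is copied from the report.
SAMPLE_LOG = """\
2019-12-06T20:08:11Z 10.0.0.5 GET 404 http://w8.wensa.at/api1/7mW7lABdXR0x2N/kG9Ef_2FI9vWZr8X_2FY5/pdSuQjJden1x_2FS/zWs2TfBxs7V6sj6/uGktlXworI0Bkt34SH/e00jvZua8/Fhxesm_2F3ho2XY8QLDY/hNx3mjJlZrSe2i_2Fau/UOgUjQoRdrZPzSFNm0Zjnh/7I5vo1oy8k5az/9VEFQWph/GxbUJe8ioBGgcwI9pdEFneF/6sFQ1pT9cT/s11oYszK15l_2FboK/dDffq8wW91qO/4V56BaRffqd/3WZ2xiaybvwbuD/4a_0A_0DhYv99hKEs_2Fx/aNR7JGzmw2JU37/J
2019-12-06T20:08:12Z 10.0.0.5 GET 200 https://iecvlist.microsoft.com/
2019-12-06T20:08:13Z 10.0.0.7 GET 200 http://intranet.example/api1/v2/users/42/profile
"""


def scan_proxy_log(log: str, prefix: str = "/api1/") -> List[Dict[str, str]]:
    """Return one record per log line whose URL path matches the C2 shape."""
    hits: List[Dict[str, str]] = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line: skip it rather than abort the whole scan
        ts, client, _method, status, url = parts
        u = urlsplit(url)
        if is_c2_style_path(u.path, prefix):
            blob = unescape_payload(u.path, prefix)
            hits.append({
                "time": ts,
                "client": client,
                "host": u.hostname or "",
                "status": status,
                "escape_tokens": str(len(ESCAPE_RE.findall(u.path.replace("/", "")))),
                "base64_shaped": str(looks_like_base64(blob)),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The prefix is a parameter because /api1/ is what this sample used; a different build may use another prefix while keeping the same escaping and segment structure, so the length and token checks carry most of the weight. Run over the constructed log this yields exactly one hit, for w8.wensa.at with status 404.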

Connections

(10 of 64 connections listed.)

PID   Process       Remote endpoint     Domain                  ASN                                                       CN  Reputation
1744  rundll32.exe  193.183.98.66:53    (none)                  Prometeus di Daniela Agro                                 IT  malicious
268   IEXPLORE.EXE  8.208.24.139:80     w8.wensa.at             Level 3 Communications, Inc.                              US  malicious
968   IEXPLORE.EXE  152.199.19.161:443  iecvlist.microsoft.com  MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
968   IEXPLORE.EXE  137.117.243.30:443  c.urs.microsoft.com     Microsoft Corporation                                     NL  unknown
4528  IEXPLORE.EXE  8.208.24.139:80     w8.wensa.at             Level 3 Communications, Inc.                              US  malicious
2980  IEXPLORE.EXE  8.208.24.139:80     w8.wensa.at             Level 3 Communications, Inc.                              US  malicious
3124  IEXPLORE.EXE  8.208.24.139:80     w8.wensa.at             Level 3 Communications, Inc.                              US  malicious
4412  IEXPLORE.EXE  8.208.24.139:80     w8.wensa.at             Level 3 Communications, Inc.                              US  malicious
2312  IEXPLORE.EXE  8.208.24.139:80     w8.wensa.at             Level 3 Communications, Inc.                              US  malicious
4212  IEXPLORE.EXE  8.208.24.139:80     w8.wensa.at             Level 3 Communications, Inc.                              US  malicious

The first row is the one to watch for detection: rundll32.exe (PID 1744, the process the signatures show loading the dropped executable and reading the hosts file) connects to an external host on port 53, consistent with name resolution sent straight to an outside DNS server instead of the local resolver. Port-53 traffic from any process other than the configured resolver is cheap to alert on at the firewall. The IEXPLORE.EXE rows are the C2 polling to w8.wensa.at already visible in the HTTP table; the two Microsoft endpoints are ordinary IE background traffic.

DNS requests

(5 of 26 DNS requests listed.)

Domain                          IP              Reputation
self.events.data.microsoft.com  52.114.132.73   whitelisted
nexusrules.officeapps.live.com  52.109.8.21     whitelisted
w8.wensa.at                     8.208.24.139    unknown
iecvlist.microsoft.com          152.199.19.161  whitelisted
c.urs.microsoft.com             137.117.243.30  whitelisted

Threats

Found threats are available for paid subscriptions; 39 ETPRO signatures are available in the full report.
No debug info