File name:

2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe

Full analysis: https://app.any.run/tasks/cdaa7ea3-d381-439e-9dbe-d0fae38b4a41
Verdict: Malicious activity
Threats:

TrickBot is an advanced banking trojan that attackers can use to steal payment credentials from the victims. It can redirect the victim to a fake banking cabinet and retrieve credentials typed in on the webpage.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 07:03:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
trickbot
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

80A228C94846B57D85C59D4EE87053F6

SHA1:

CC9D94AA4D482B62F2543E1654F7C9E6B7A91EAF

SHA256:

430A46259E925A073CA2AB724677F1CDCFC76514F2BEBFEE92397576807C42A0

SSDEEP:

24576:ziLsKpdgLtsZhxDcH7nG++rb6wx07eo6itF+tkFCvDpikvToNcn5F/NYG5T0pO/I:ziLsKpdgLtsZhxDcH7Z+rb6A07eo6itz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • TRICKBOT mutex has been found

      • svchost.exe (PID: 3956)
      • svchost.exe (PID: 5400)

    • Known privilege escalation attack

      • dllhost.exe (PID: 6272)

    • TRICKBOT has been detected (YARA)

      • svchost.exe (PID: 5400)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • svchost.exe (PID: 3956)

    • The process executes via Task Scheduler

      • 2019-09-07-Vticmbqt-gtag-neq12-tetteived-by-Wtupif-ipfected-hqut.exe (PID: 6512)

    • Connects to unusual port

      • svchost.exe (PID: 5400)

  • INFO

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 6272)

    • The sample compiled with english language support

      • 2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe (PID: 4424)
      • svchost.exe (PID: 3956)

    • Checks supported languages

      • 2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe (PID: 4424)
      • 2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe (PID: 5892)
      • 2019-09-07-Vticmbqt-gtag-neq12-tetteived-by-Wtupif-ipfected-hqut.exe (PID: 6512)

    • Reads the computer name

      • 2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe (PID: 4424)

    • Reads the software policy settings

      • slui.exe (PID: 5304)
      • slui.exe (PID: 2392)

    • Reads the machine GUID from the registry

      • 2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe (PID: 4424)

    • Checks proxy server information

      • slui.exe (PID: 2392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

TrickBot

(PID) Process(5400) svchost.exe
C2
srv (47)107.174.254.216:443
198.8.91.44:443
185.235.130.84:443
212.80.217.69:443
195.123.237.37:443
37.228.117.217:443
185.142.99.59:443
45.141.103.31:443
5.101.51.112:443
185.125.46.53:443
46.30.42.239:443
194.5.250.113:443
93.189.43.168:443
148.251.27.76:443
31.202.132.179:443
190.154.203.218:449
189.80.134.122:449
200.119.45.140:449
191.37.181.152:449
187.58.56.26:449
146.196.122.167:449
177.103.240.149:449
131.196.184.141:449
186.47.40.234:449
103.84.238.3:449
190.152.4.210:449
186.156.52.78:449
36.89.85.103:449
181.176.160.145:449
200.119.45.140:449
190.13.190.178:449
186.46.63.58:449
181.112.159.70:449
181.129.93.226:449
186.42.226.46:449
190.13.160.19:449
181.112.159.70:449
202.9.120.79:449
190.109.189.119:449
103.207.1.44:449
190.151.213.140:449
168.227.229.112:449
186.42.186.202:449
190.144.89.82:449
190.144.89.82:449
181.129.49.98:449
186.47.82.6:449
version1000467
Botnetleo12
KeyRUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg=
Autorun
module
@namesysteminfo
@ctlGetSystemInfo
@nameinjectDll
@namepwgrab
other (202)checkip.amazonaws.com
ipecho.net
ipinfo.io
api.ipify.org
icanhazip.com
myexternalip.com
wtfismyip.com
ip.anysrc.net
api.ipify.org
api.ip.sb
ident.me
www.myexternalip.com
/plain
/ip
/raw
/text
/?format=text
zen.spamhaus.org
cbl.abuseat.org
b.barracudacentral.org
dnsbl-1.uceprotect.net
spam.dnsbl.sorbs.net
\MsCloud
data\
%s%s
CI failed, 0x%x
pIT NULL
POST
%s.%s.%s.%s
info
data
%s/%s/64/%s/%s/%s/
/%s/%s/25/%s/
Data\
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3731.0 Safari/537.36
/%s/%s/23/%d/
/%s/%s/5/%s/
<moduleconfig>*</moduleconfig>
/%s/%s/1/%s/
--%s--
--%s Content-Disposition: form-data; name="%S"
Content-Type: multipart/form-data; boundary=%s Content-Length: %d
------Boundary%08X
D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
tmp
Register u failed, 0x%x
Create xml2 failed
Register s failed, 0x%x
user
Ms Cloud Disk
Create xml failed
pIT GetFolder failed, 0x%x
pIT connect failed, 0x%x
SYSTEM
GET
SignatureLength
ECCPUBLICBLOB
ECDSA_P384
path
winsta0\default
SeTcbPrivilege
1068
not listed
listed
DNSBL
client is behind NAT
failed
NAT status
client is not behind NAT
%s%s_configs\
/%s/%s/0/%s/%s/%s/%s/%s/
%d%d%d.
ver.txt
%s %s
.tmp
fifty
cmd.exe
SINJ
S-1-5-18
Module already unloaded
working
Start failed
Process has been finished
Process was unloaded
Unable to load module from server
GetParentInfo error
Win32 error
release
start
Decode from BASE64 error
Invalid params count
No params
Microsoft Software Key Storage Provider
/%s/%s/10/%s/%s/%d/
WTSQueryUserToken
WTSGetActiveConsoleSessionId
WTSFreeMemory
WTSEnumerateSessionsA
wtsapi32
exc
E: 0x%x A: 0x%p
Control failed
spk
%s.%s
UrlEscapeW
shlwapi
svchost.exe
%s sTart
%u %u %u %u
settings.ini
Release
FreeBuffer
Control
Start
0.0.0.0
</Command> </Exec> </Actions> </Task>
</Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</Sta...
</UserId>
<UserId>
</StartBoundary> <Enabled>true</Enabled> </TimeTrigger> </Triggers> <Principals> <Principal id="Author">
%04d-%02d-%02dT%02d:%02d:%02d
<TimeTrigger> <Repetition> <Interval>PT11M</Interval> <Duration>P414DT11H23M</Duration> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>
</LogonTrigger>
<LogonTrigger> <Enabled>true</Enabled>
</BootTrigger>
<BootTrigger> <Enabled>true</Enabled>
<?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Version>1.0.0</Version> <Author>AuthorName</Author> <Description>Ms Cloud Disk</Description> </RegistrationInfo> <Triggers>
<LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel>
<RunLevel>HighestAvailable</RunLevel> <GroupId>NT AUTHORITY\SYSTEM</GroupId> <LogonType>InteractiveToken</LogonType>
%02X
autorun
Windows Server 2008 R2
Windows Server 2008
Windows Server 2012 R2
Windows Server 2012
%s %s SP%d
x86
x64
Unknown
Windows 7
Windows 8.1
Windows 8
Windows XP
Windows 2000
Windows 10 Server
Windows Vista
Windows Server 2003
Windows 10
explorer.exe
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
ExitProcess
ResetEvent
CloseHandle
WaitForSingleObject
SignalObjectAndWait
kernel32.dll
LoadLibraryW
noname
%s/%s/63/%s/%s/%s/%s/
GetProcAddress
Run D failed
Create ZP failed
Load to P failed
Find P failed
Module has already been loaded
Launch USER failed
Load to M failed
Module is not valid
VERS
WantRelease
ModuleQuery
/%s/%s/14/%s/%s/0/
Global\%08lX%04lX%lu
Global\First
WS2_32.dll
IPHLPAPI.DLL
ADVAPI32.dll
WINHTTP.dll
USER32.dll
SHLWAPI.dll
USERENV.dll
ntdll.dll
ncrypt.dll
SHELL32.dll
bcrypt.dll
CRYPT32.dll
ole32.dll
OLEAUT32.dll
=
a
=
=
!
R#
Pr
B
=
@F
F
=
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:09:05 13:12:28+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 295936
InitializedDataSize: 599552
UninitializedDataSize: -
EntryPoint: 0x8f53
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 15.4.36.87
ProductVersionNumber: 15.4.36.87
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Rubfat Kitware
FileDescription: RiverLittle
FileVersion: 15.4.36.87
InternalName: RiverLittle
LegalCopyright: Copyright © 2008-2018 Rubfat Kitware
LegalTrademarks: RiverLittle
ProductVersion: 15.4.36.87
ProductName: RiverLittle
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
140
Monitored processes
9
Malicious processes
4
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 2019-09-05-trickbot-gtag-leo12-retreived-by-ursnif-infected-host.exe no specs sppextcomobj.exe no specs slui.exe CMSTPLUA 2019-09-05-trickbot-gtag-leo12-retreived-by-ursnif-infected-host.exe no specs slui.exe #TRICKBOT svchost.exe 2019-09-07-vticmbqt-gtag-neq12-tetteived-by-wtupif-ipfected-hqut.exe no specs #TRICKBOT svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2392C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
3956C:\WINDOWS\system32\svchost.exeC:\Windows\System32\svchost.exe
2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Host Process for Windows Services
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
4424"C:\Users\admin\AppData\Local\Temp\2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe" C:\Users\admin\AppData\Local\Temp\2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exeexplorer.exe
User:
admin
Company:
Rubfat Kitware
Integrity Level:
MEDIUM
Description:
RiverLittle
Exit code:
0
Version:
15.4.36.87
Modules
Images
c:\users\admin\appdata\local\temp\2019-09-05-trickbot-gtag-leo12-retreived-by-ursnif-infected-host.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
5304"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
5400C:\WINDOWS\system32\svchost.exeC:\Windows\System32\svchost.exe
2019-09-07-Vticmbqt-gtag-neq12-tetteived-by-Wtupif-ipfected-hqut.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
TrickBot
(PID) Process(5400) svchost.exe
C2
srv (47)107.174.254.216:443
198.8.91.44:443
185.235.130.84:443
212.80.217.69:443
195.123.237.37:443
37.228.117.217:443
185.142.99.59:443
45.141.103.31:443
5.101.51.112:443
185.125.46.53:443
46.30.42.239:443
194.5.250.113:443
93.189.43.168:443
148.251.27.76:443
31.202.132.179:443
190.154.203.218:449
189.80.134.122:449
200.119.45.140:449
191.37.181.152:449
187.58.56.26:449
146.196.122.167:449
177.103.240.149:449
131.196.184.141:449
186.47.40.234:449
103.84.238.3:449
190.152.4.210:449
186.156.52.78:449
36.89.85.103:449
181.176.160.145:449
200.119.45.140:449
190.13.190.178:449
186.46.63.58:449
181.112.159.70:449
181.129.93.226:449
186.42.226.46:449
190.13.160.19:449
181.112.159.70:449
202.9.120.79:449
190.109.189.119:449
103.207.1.44:449
190.151.213.140:449
168.227.229.112:449
186.42.186.202:449
190.144.89.82:449
190.144.89.82:449
181.129.49.98:449
186.47.82.6:449
version1000467
Botnetleo12
KeyRUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg=
Autorun
module
@namesysteminfo
@ctlGetSystemInfo
@nameinjectDll
@namepwgrab
other (202)checkip.amazonaws.com
ipecho.net
ipinfo.io
api.ipify.org
icanhazip.com
myexternalip.com
wtfismyip.com
ip.anysrc.net
api.ipify.org
api.ip.sb
ident.me
www.myexternalip.com
/plain
/ip
/raw
/text
/?format=text
zen.spamhaus.org
cbl.abuseat.org
b.barracudacentral.org
dnsbl-1.uceprotect.net
spam.dnsbl.sorbs.net
\MsCloud
data\
%s%s
CI failed, 0x%x
pIT NULL
POST
%s.%s.%s.%s
info
data
%s/%s/64/%s/%s/%s/
/%s/%s/25/%s/
Data\
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3731.0 Safari/537.36
/%s/%s/23/%d/
/%s/%s/5/%s/
<moduleconfig>*</moduleconfig>
/%s/%s/1/%s/
--%s--
--%s Content-Disposition: form-data; name="%S"
Content-Type: multipart/form-data; boundary=%s Content-Length: %d
------Boundary%08X
D:(A;;GA;;;WD)(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;RC)
tmp
Register u failed, 0x%x
Create xml2 failed
Register s failed, 0x%x
user
Ms Cloud Disk
Create xml failed
pIT GetFolder failed, 0x%x
pIT connect failed, 0x%x
SYSTEM
GET
SignatureLength
ECCPUBLICBLOB
ECDSA_P384
path
winsta0\default
SeTcbPrivilege
1068
not listed
listed
DNSBL
client is behind NAT
failed
NAT status
client is not behind NAT
%s%s_configs\
/%s/%s/0/%s/%s/%s/%s/%s/
%d%d%d.
ver.txt
%s %s
.tmp
fifty
cmd.exe
SINJ
S-1-5-18
Module already unloaded
working
Start failed
Process has been finished
Process was unloaded
Unable to load module from server
GetParentInfo error
Win32 error
release
start
Decode from BASE64 error
Invalid params count
No params
Microsoft Software Key Storage Provider
/%s/%s/10/%s/%s/%d/
WTSQueryUserToken
WTSGetActiveConsoleSessionId
WTSFreeMemory
WTSEnumerateSessionsA
wtsapi32
exc
E: 0x%x A: 0x%p
Control failed
spk
%s.%s
UrlEscapeW
shlwapi
svchost.exe
%s sTart
%u %u %u %u
settings.ini
Release
FreeBuffer
Control
Start
0.0.0.0
</Command> </Exec> </Actions> </Task>
</Principal> </Principals> <Settings> <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</Sta...
</UserId>
<UserId>
</StartBoundary> <Enabled>true</Enabled> </TimeTrigger> </Triggers> <Principals> <Principal id="Author">
%04d-%02d-%02dT%02d:%02d:%02d
<TimeTrigger> <Repetition> <Interval>PT11M</Interval> <Duration>P414DT11H23M</Duration> <StopAtDurationEnd>false</StopAtDurationEnd> </Repetition> <StartBoundary>
</LogonTrigger>
<LogonTrigger> <Enabled>true</Enabled>
</BootTrigger>
<BootTrigger> <Enabled>true</Enabled>
<?xml version="1.0" encoding="UTF-16"?> <Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Version>1.0.0</Version> <Author>AuthorName</Author> <Description>Ms Cloud Disk</Description> </RegistrationInfo> <Triggers>
<LogonType>InteractiveToken</LogonType> <RunLevel>LeastPrivilege</RunLevel>
<RunLevel>HighestAvailable</RunLevel> <GroupId>NT AUTHORITY\SYSTEM</GroupId> <LogonType>InteractiveToken</LogonType>
%02X
autorun
Windows Server 2008 R2
Windows Server 2008
Windows Server 2012 R2
Windows Server 2012
%s %s SP%d
x86
x64
Unknown
Windows 7
Windows 8.1
Windows 8
Windows XP
Windows 2000
Windows 10 Server
Windows Vista
Windows Server 2003
Windows 10
explorer.exe
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
ExitProcess
ResetEvent
CloseHandle
WaitForSingleObject
SignalObjectAndWait
kernel32.dll
LoadLibraryW
noname
%s/%s/63/%s/%s/%s/%s/
GetProcAddress
Run D failed
Create ZP failed
Load to P failed
Find P failed
Module has already been loaded
Launch USER failed
Load to M failed
Module is not valid
VERS
WantRelease
ModuleQuery
/%s/%s/14/%s/%s/0/
Global\%08lX%04lX%lu
Global\First
WS2_32.dll
IPHLPAPI.DLL
ADVAPI32.dll
WINHTTP.dll
USER32.dll
SHLWAPI.dll
USERENV.dll
ntdll.dll
ncrypt.dll
SHELL32.dll
bcrypt.dll
CRYPT32.dll
ole32.dll
OLEAUT32.dll
=
a
=
=
!
R#
Pr
B
=
@F
F
=
5528C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
5892"C:\Users\admin\AppData\Local\Temp\2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe" C:\Users\admin\AppData\Local\Temp\2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exedllhost.exe
User:
admin
Company:
Rubfat Kitware
Integrity Level:
HIGH
Description:
RiverLittle
Exit code:
0
Version:
15.4.36.87
Modules
Images
c:\users\admin\appdata\local\temp\2019-09-05-trickbot-gtag-leo12-retreived-by-ursnif-infected-host.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
6272C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}C:\Windows\SysWOW64\dllhost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
6512"C:\Users\admin\AppData\Roaming\MsCloud\2019-09-07-Vticmbqt-gtag-neq12-tetteived-by-Wtupif-ipfected-hqut.exe"C:\Users\admin\AppData\Roaming\MsCloud\2019-09-07-Vticmbqt-gtag-neq12-tetteived-by-Wtupif-ipfected-hqut.exesvchost.exe
User:
SYSTEM
Company:
Rubfat Kitware
Integrity Level:
SYSTEM
Description:
RiverLittle
Exit code:
0
Version:
15.4.36.87
Modules
Images
c:\users\admin\appdata\roaming\mscloud\2019-09-07-vticmbqt-gtag-neq12-tetteived-by-wtupif-ipfected-hqut.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
14 181
Read events
14 180
Write events
1
Delete events
0

Modification events

(PID) Process:(6272) dllhost.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:SlowContextMenuEntries
Value:
6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
Executable files
2
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
3956svchost.exeC:\Users\admin\AppData\Roaming\MsCloud\2019-09-07-Vticmbqt-gtag-neq12-tetteived-by-Wtupif-ipfected-hqut.exeexecutable
MD5:80A228C94846B57D85C59D4EE87053F6
SHA256:430A46259E925A073CA2AB724677F1CDCFC76514F2BEBFEE92397576807C42A0
5400svchost.exeC:\Users\admin\AppData\Roaming\MsCloud\settings.initext
MD5:F9FA89496FCD5E4B6FE978E0EACCBF75
SHA256:C08B715F9D34C46C9D1B930EFAF792714E8566404C60CB3C5CAD561B342DA943
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
37
DNS requests
14
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
5304
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
2392
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5400
svchost.exe
212.80.217.69:443
Serverius Holding B.V.
NL
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.46
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted
self.events.data.microsoft.com
  • 20.189.173.5
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
  • 2603:1030:c02:2::284
whitelisted
171.39.242.20.in-addr.arpa
unknown
4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2019-09-05-Trickbot-gtag-leo12-retreived-by-Ursnif-infected-host.exe