General Info

File name

SN_5376824984.vbs

Full analysis
https://app.any.run/tasks/ecea8cbb-0605-4058-8e36-522a9b313164
Verdict
Malicious activity
Analysis date
5/15/2019, 00:56:36
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

danabot

trojan

stealer

Indicators:

MIME:
text/plain
File info:
ASCII text, with very long lines, with no line terminators
MD5

5ab578eacf046d349268b03f952e17a3

SHA1

14ecc9a830e801745161d477fe61b6b76c3809f0

SHA256

4e67419a3613cf102886d2a3abcb93094fe4c64f630ee2d7eaf891bee5d87893

SSDEEP

24576:EdORUu7AsIBI5oyVQ1RVjbSq/hUuAzOVo:v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Loads dropped or rewritten executable
  • WerFault.exe (PID: 3996)
  • RUNDLL32.EXE (PID: 3816)
  • WerFault.exe (PID: 1008)
  • rundll32.exe (PID: 936)
  • rundll32.exe (PID: 1396)
  • regsvr32.exe (PID: 2164)
DanaBot detected
  • WerFault.exe (PID: 3996)
  • WerFault.exe (PID: 1008)
  • RUNDLL32.EXE (PID: 3816)
  • rundll32.exe (PID: 936)
Stealing of credential data
  • RUNDLL32.EXE (PID: 3816)
Actions looks like stealing of personal data
  • RUNDLL32.EXE (PID: 3816)
Connects to CnC server
  • rundll32.exe (PID: 1396)
DANABOT was detected
  • rundll32.exe (PID: 1396)
Registers / Runs the DLL via REGSVR32.EXE
  • WScript.exe (PID: 3284)
Changes settings of System certificates
  • WScript.exe (PID: 3284)
Loads DLL from Mozilla Firefox
  • RUNDLL32.EXE (PID: 3816)
Reads Internet Cache Settings
  • RUNDLL32.EXE (PID: 3816)
Searches for installed software
  • RUNDLL32.EXE (PID: 3816)
Application launched itself
  • rundll32.exe (PID: 936)
  • rundll32.exe (PID: 1396)
Uses RUNDLL32.EXE to load library
  • rundll32.exe (PID: 1396)
  • rundll32.exe (PID: 936)
  • regsvr32.exe (PID: 2164)
Creates files in the program directory
  • rundll32.exe (PID: 1396)
  • rundll32.exe (PID: 936)
Executable content was dropped or overwritten
  • rundll32.exe (PID: 1396)
  • WScript.exe (PID: 3284)
Adds / modifies Windows certificates
  • WScript.exe (PID: 3284)
Application was crashed
  • RUNDLL32.EXE (PID: 3816)
  • rundll32.exe (PID: 936)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

Screenshots

Processes

Total processes
44
Monitored processes
9
Malicious processes
7
Suspicious processes
0

Behavior graph

+
start wscript.exe regsvr32.exe no specs #DANABOT rundll32.exe #DANABOT rundll32.exe #DANABOT rundll32.exe wusa.exe no specs wusa.exe #DANABOT werfault.exe no specs #DANABOT werfault.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
3284
CMD
"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\SN_5376824984.vbs"
Path
C:\Windows\System32\WScript.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Microsoft ® Windows Based Script Host
Version
5.8.7600.16385
Modules
Image
c:\windows\system32\wscript.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\sxs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\msisip.dll
c:\windows\system32\wshext.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\scrobj.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\wshom.ocx
c:\windows\system32\mpr.dll
c:\windows\system32\scrrun.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\mlang.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\regsvr32.exe

PID
2164
CMD
"C:\Windows\System32\regsvr32.exe" -s C:\Users\admin\AppData\Local\Temp\gmxo.LmnM
Path
C:\Windows\System32\regsvr32.exe
Indicators
No indicators
Parent process
WScript.exe
User
admin
Integrity Level
MEDIUM
Exit code
4
Version:
Company
Microsoft Corporation
Description
Microsoft(C) Register Server
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\winmm.dll
c:\windows\system32\samcli.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\gmxo.lmnm
c:\windows\system32\opengl32.dll
c:\windows\system32\glu32.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rundll32.exe

PID
1396
CMD
C:\Windows\system32\\rundll32.exe C:\Users\admin\AppData\Local\Temp\gmxo.LmnM,f0
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
regsvr32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\gmxo.lmnm
c:\windows\system32\opengl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\glu32.dll
c:\windows\system32\ddraw.dll
c:\windows\system32\dciman32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\version.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll

PID
936
CMD
C:\Windows\system32\\rundll32.exe C:\PROGRA~2\CD7092AF\F78E05D4.dll,f1 C:\Users\admin\AppData\Local\Temp\[email protected]
Path
C:\Windows\system32\rundll32.exe
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\winsta.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wusa.exe
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll

PID
3816
CMD
C:\Windows\system32\RUNDLL32.EXE C:\ProgramData\CD7092AF\F78E05D4.dll,f2 4B505FDA7C8060A24D406F8A34C5FCCB
Path
C:\Windows\system32\RUNDLL32.EXE
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\version.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\avifil32.dll
c:\windows\system32\msacm32.dll
c:\windows\system32\msvfw32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\pstorec.dll
c:\windows\system32\atl.dll
c:\windows\system32\rtutils.dll
c:\program files\mozilla firefox\nss3.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\api-ms-win-crt-runtime-l1-1-0.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\api-ms-win-core-timezone-l1-1-0.dll
c:\windows\system32\api-ms-win-core-file-l2-1-0.dll
c:\windows\system32\api-ms-win-core-localization-l1-2-0.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-core-processthreads-l1-1-1.dll
c:\windows\system32\api-ms-win-core-file-l1-2-0.dll
c:\windows\system32\api-ms-win-crt-string-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-heap-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-stdio-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-convert-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-locale-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-math-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-time-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-filesystem-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-environment-l1-1-0.dll
c:\windows\system32\api-ms-win-crt-utility-l1-1-0.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\api-ms-win-crt-multibyte-l1-1-0.dll
c:\program files\mozilla firefox\softokn3.dll
c:\program files\mozilla firefox\freebl3.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\psapi.dll
c:\windows\system32\oleacc.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\mlang.dll
c:\windows\system32\msxml6.dll

PID
3192
CMD
"C:\Windows\System32\wusa.exe" /quiet
Path
C:\Windows\System32\wusa.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Microsoft Corporation
Description
Windows Update Standalone Installer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll

PID
2836
CMD
"C:\Windows\System32\wusa.exe" /quiet
Path
C:\Windows\System32\wusa.exe
Indicators
Parent process
rundll32.exe
User
admin
Integrity Level
HIGH
Exit code
87
Version:
Company
Microsoft Corporation
Description
Windows Update Standalone Installer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wusa.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dpx.dll
c:\windows\system32\wtsapi32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll

PID
1008
CMD
C:\Windows\system32\WerFault.exe -u -p 936 -s 488
Path
C:\Windows\system32\WerFault.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Problem Reporting
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wer.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\faultrep.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\shell32.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\dbgeng.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\werui.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dui70.dll
c:\windows\system32\duser.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll

PID
3996
CMD
C:\Windows\system32\WerFault.exe -u -p 3816 -s 932
Path
C:\Windows\system32\WerFault.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Problem Reporting
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\werfault.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\wer.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\faultrep.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\rundll32.exe
c:\windows\system32\shell32.dll
c:\progra~2\cd7092af\f78e05d4.dll
c:\windows\system32\dbgeng.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\werui.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\dui70.dll
c:\windows\system32\duser.dll
c:\windows\system32\riched20.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\xmllite.dll

Registry activity

Total events
348
Read events
318
Write events
28
Delete events
2

Modification events

PID
Process
Operation
Key
Name
Value
3284
WScript.exe
delete key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
3284
WScript.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\62\52C64B7E
LanguageList
en-US
3284
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
0F000000010000001400000085FEF11B4F47FE3952F98301C9F98976FEFEE0CE09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
3284
WScript.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81
Blob
190000000100000010000000DC73F9B71E16D51D26527D32B11A6A3D09000000010000002A000000302806082B0601050507030106082B0601050507030206082B0601050507030406082B0601050507030353000000010000002500000030233021060B6086480186F8450107300130123010060A2B0601040182373C0101030200C01400000001000000140000007B5B45CFAFCECB7AFD31921A6AB6F346EB5748501D00000001000000100000005B3B67000EEB80022E42605B6B3B72400B000000010000000E000000740068006100770074006500000003000000010000001400000091C6D6EE3E8AC86384E548C299295C756C817B812000000001000000240400003082042030820308A0030201020210344ED55720D5EDEC49F42FCE37DB2B6D300D06092A864886F70D01010505003081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F74204341301E170D3036313131373030303030305A170D3336303731363233353935395A3081A9310B300906035504061302555331153013060355040A130C7468617774652C20496E632E31283026060355040B131F43657274696669636174696F6E205365727669636573204469766973696F6E31383036060355040B132F2863292032303036207468617774652C20496E632E202D20466F7220617574686F72697A656420757365206F6E6C79311F301D06035504031316746861777465205072696D61727920526F6F7420434130820122300D06092A864886F70D01010105000382010F003082010A0282010100ACA0F0FB8059D49CC7A4CF9DA159730910450C0D2C6E68F16C5B4868495937FC0B3319C2777FCC102D95341CE6EB4D09A71CD2B8C9973602B789D4245F06C0CC4494948D02626FEB5ADD118D289A5C8490107A0DBD74662F6A38A0E2D55444EB1D079F07BA6FEEE9FD4E0B29F53E84A001F19CABF81C7E89A4E8A1D871650DA3517BEEBCD222600DB95B9DDFBAFC515B0BAF98B2E92EE904E86287DE2BC8D74EC14C641EDDCF8758BA4A4FCA68071D1C9D4AC6D52F91CC7C71721CC5C067EB32FDC9925C94DA85C09BBF537D2B09F48C9D911F976A52CBDE0936A477D87B875044D53E6E2969FB3949261E09A5807B402DEBE82785C9FE61FD7EE67C971DD59D0203010001A3423040300F0603551D130101FF040530030101FF300E0603551D0F0101FF040403020106301D0603551D0E041604147B5B45CFAFCECB7AFD31921A6AB6F346EB574850300D06092A864886F70D010105050003820101007911C04BB391B6FCF0E967D40D6E45BE55E893D2CE033FEDDA25B01D57CB1E3A76A04CEC5076E864720CA4A9F1B88BD6D68784BB32E54111C077D9B3609DEB1BD5D16E4444A9A601EC55621D77B85C8E48497C9C3B5711ACAD73378E2F785C906847D96060E6FC073D222017C4F716E9C4D872F9C8737CDF162F15A93EFD6A27B6A1EB5ABA981FD5E34D640A9D13C861BAF5391C87BAB8BD7B227FF6FEAC4079E5AC106F3D8F1B79768BC437B3211884E53600EB632099B9E9FE3304BB41C8C102F94463209E81CE42D3D63F2C76D3639C59DD8FA6E10EA02E41F72E9547CFBCFD33F3F60B617E7E912B8147C22730EEA7105D378F5C392BE404F07B8D568C68
3284
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
3284
WScript.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
936
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
936
rundll32.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3816
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
EnableFileTracing
0
3816
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
EnableConsoleTracing
0
3816
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
FileTracingMask
4294901760
3816
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
ConsoleTracingMask
4294901760
3816
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
MaxFileSize
1048576
3816
RUNDLL32.EXE
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RUNDLL32_RASAPI32
FileDirectory
%windir%\tracing

Files activity

Executable files
2
Suspicious files
1
Text files
2
Unknown types
4

Dropped files

PID
Process
Filename
Type
1396
rundll32.exe
C:\ProgramData\CD7092AF\F78E05D4.dll
executable
MD5: 86b54dde3b255db7c4913bacabab0c87
SHA256: 32dce57e8567611e5ed89a1b408b7342f172b9123b2e62b6502dce2fd80fd7b2
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\gmxo.LmnM
executable
MD5: 0abcc495c58957c4b7703328caa96cb7
SHA256: afa80482413d7e1fef587cdeb3c6f70089aa5acbb7af61118cebfdd1231d877e
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\mfZM.qsis
text
MD5: b9adf6e081408787c73e9af77ba38f60
SHA256: 075fa2ff786b007d7e4204530e3a8ada006af311198dea9f3afce11a51f93c79
3816
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1224890.tmp
sqlite
MD5: 60b51ba20224ac3783e213ea9f55f125
SHA256: 0e305ba02985f26b29b234cd79d2c2af0a51085da2db2bed98d20f8c61b76254
936
rundll32.exe
C:\ProgramData\CD7092AF\3E73D36A
text
MD5: f25431b21dbfc65a04ae6dc3df686b67
SHA256: b184eb03c077b683ffae16b0326cebc25139899e0d2398d51928a24311d6b11b
936
rundll32.exe
C:\ProgramData\CD7092AF\6627FE4D\404F5328B4C43FE6E44DC7BA8550E1BB
binary
MD5: 5aad703c7e8213d5735cc7f4e7c39612
SHA256: db8b309e50db617570c83eb04fa028ae890130e30449413e354a2d5a95c05e25
3816
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1230328.tmp
sqlite
MD5: c394a5f8dd1c20d9e22fa71c8c15cd6f
SHA256: 806949f008f012cf228bbe536809db014c0cde3c1f2a6df1558bfac19b088f22
1396
rundll32.exe
C:\ProgramData\CD7092AF\88C0025B
––
MD5:  ––
SHA256:  ––
3816
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1225156.tmp
sqlite
MD5: 60b51ba20224ac3783e213ea9f55f125
SHA256: 0e305ba02985f26b29b234cd79d2c2af0a51085da2db2bed98d20f8c61b76254
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\CabF049.tmp
––
MD5:  ––
SHA256:  ––
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\Tar2B45.tmp
––
MD5:  ––
SHA256:  ––
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\Cab2B44.tmp
––
MD5:  ––
SHA256:  ––
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\Tar2B24.tmp
––
MD5:  ––
SHA256:  ––
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\Cab2B23.tmp
––
MD5:  ––
SHA256:  ––
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\TarF06B.tmp
––
MD5:  ––
SHA256:  ––
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\CabF06A.tmp
––
MD5:  ––
SHA256:  ––
3284
WScript.exe
C:\Users\admin\AppData\Local\Temp\TarF04A.tmp
––
MD5:  ––
SHA256:  ––
3816
RUNDLL32.EXE
C:\Users\admin\AppData\Local\Temp\1230343.tmp
sqlite
MD5: 7ed7e7ffe1dc4eaaee2edafdd4815a47
SHA256: bd7d82bab01903699a91783f35d7e1ebf2ba8aedc1023f09c0e6934b1b0651c3

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
1
Threats
15

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
3284 WScript.exe GET –– 93.184.221.240:80 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab US
––
––
whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID Process IP ASN CN Reputation
3284 WScript.exe 93.184.221.240:80 MCI Communications Services, Inc. d/b/a Verizon Business US whitelisted
1396 rundll32.exe 95.179.186.57:443 Cosmoline Telecommunication Services S.A. GR malicious

DNS requests

Domain IP Reputation
www.download.windowsupdate.com 93.184.221.240
whitelisted

Threats

PID Process Class Message
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I
1396 rundll32.exe A Network Trojan was detected MALWARE [PTsecurity] Win32/Spy.Danabot.I

1 ETPRO signatures available at the full report

Debug output strings

No debug info.