File name:

2019-12-19-Valak-retrieved-by-Ursnif-infected-host.exe

Full analysis: https://app.any.run/tasks/2020d9b4-f60c-408a-9033-af8077838437
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 19, 2025, 08:25:29
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
valak
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

5E520C97741F4ED6098974BF4EE6C713

SHA1:

7667047D1E7E40D1674D8DDA97A1A828DDF92111

SHA256:

5C8CCAE6678A8DE39F03796E2B260CEC1AB8650B15F886FED08BC85830762498

SSDEEP:

3072:mTWXtqBBBl/Ax6BmhGu2yZBIeRQiLuOwhLyYlSJRA00Qw12zZJByQgaUQmi/Y+yu:BtIjyse+iLOgRA0BJZzpgaFv2fRg1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Gets username (SCRIPT)

      • wscript.exe (PID: 7960)

    • Accesses environment variables (SCRIPT)

      • wscript.exe (PID: 7960)

    • VALAK has been detected (SURICATA)

      • wscript.exe (PID: 7960)

    • Uses base64 encoding (SCRIPT)

      • wscript.exe (PID: 7960)

    • Opens an HTTP connection (SCRIPT)

      • wscript.exe (PID: 7960)

    • Creates internet connection object (SCRIPT)

      • wscript.exe (PID: 7960)

    • Sends HTTP request (SCRIPT)

      • wscript.exe (PID: 7960)

    • Connects to the CnC server

      • wscript.exe (PID: 7960)

    • Uses sleep, probably for evasion detection (SCRIPT)

      • wscript.exe (PID: 7960)

  • SUSPICIOUS

    • The process executes JS scripts

      • 2019-12-19-Valak-retrieved-by-Ursnif-infected-host.exe (PID: 7344)

    • There is functionality for taking screenshot (YARA)

      • 2019-12-19-Valak-retrieved-by-Ursnif-infected-host.exe (PID: 7344)

    • Gets computer name (SCRIPT)

      • wscript.exe (PID: 7960)

    • Accesses computer name via WMI (SCRIPT)

      • wscript.exe (PID: 7960)

    • Accesses current user name via WMI (SCRIPT)

      • wscript.exe (PID: 7960)

    • Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)

      • wscript.exe (PID: 7960)

    • Changes charset (SCRIPT)

      • wscript.exe (PID: 7960)

    • Contacting a server suspected of hosting an CnC

      • wscript.exe (PID: 7960)

    • Writes binary data to a Stream object (SCRIPT)

      • wscript.exe (PID: 7960)

    • Creates XML DOM element (SCRIPT)

      • wscript.exe (PID: 7960)

    • Sets XML DOM element text (SCRIPT)

      • wscript.exe (PID: 7960)

    • Reads data from a binary Stream object (SCRIPT)

      • wscript.exe (PID: 7960)

    • Script creates XML DOM node (SCRIPT)

      • wscript.exe (PID: 7960)

  • INFO

    • Checks supported languages

      • 2019-12-19-Valak-retrieved-by-Ursnif-infected-host.exe (PID: 7344)

    • Create files in a temporary directory

      • 2019-12-19-Valak-retrieved-by-Ursnif-infected-host.exe (PID: 7344)

    • Checks proxy server information

      • wscript.exe (PID: 7960)
      • slui.exe (PID: 8036)

    • Reads the software policy settings

      • slui.exe (PID: 7460)
      • slui.exe (PID: 8036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2007:12:12 08:54:41+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 233472
InitializedDataSize: 61440
UninitializedDataSize: -
EntryPoint: 0xc2b2
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 0.6.12.52
ProductVersionNumber: 0.6.12.52
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: Areagreat in darkthem hole
CompanyName: www.goCahistory.com
FileDescription: Treedid Evenin
FileVersion: 0.6.12.52
InternalName: Si.exe
LegalCopyright: Copyright © 2009-2013 Ownover Loudbranch
LegalTrademarks: Treedid Evenin
OriginalFileName: Si.exe
ProductName: Treedid Evenin
ProductVersion: 0.6.12.52
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
147
Monitored processes
9
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2019-12-19-valak-retrieved-by-ursnif-infected-host.exe no specs sppextcomobj.exe no specs slui.exe #VALAK wscript.exe slui.exe ucpdmgr.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
920"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
4608\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
5072"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
6388\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeUCPDMgr.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
7344"C:\Users\admin\AppData\Local\Temp\2019-12-19-Valak-retrieved-by-Ursnif-infected-host.exe" C:\Users\admin\AppData\Local\Temp\2019-12-19-Valak-retrieved-by-Ursnif-infected-host.exeexplorer.exe
User:
admin
Company:
www.goCahistory.com
Integrity Level:
MEDIUM
Description:
Treedid Evenin
Version:
0.6.12.52
Modules
Images
c:\users\admin\appdata\local\temp\2019-12-19-valak-retrieved-by-ursnif-infected-host.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\gdi32.dll
7416C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
7460"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEventC:\Windows\System32\slui.exe
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7960wscript C:\Users\admin\AppData\Local\Temp\12012.jsC:\Windows\SysWOW64\wscript.exe
2019-12-19-Valak-retrieved-by-Ursnif-infected-host.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Version:
5.812.10240.16384
Modules
Images
c:\windows\syswow64\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
8036C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
10 372
Read events
10 369
Write events
3
Delete events
0

Modification events

(PID) Process:(7960) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7960) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7960) wscript.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
0
Suspicious files
0
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
73442019-12-19-Valak-retrieved-by-Ursnif-infected-host.exeC:\Users\admin\AppData\Local\Temp\12012.jstext
MD5:962850042E50D9F93A1F92FD67BC95F3
SHA256:BA45022CC3D3FAB92639BF49DF8B2488454ACC20D7DA9DA07B93FA49DA787AC8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
83
DNS requests
21
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7960
wscript.exe
GET
404
49.13.77.253:80
http://shiriez48.com/telemetry/77u_bm9uY2U9ZDFjMzhhMDlhY2MzNDg0NWM2/YmUzYTEyN2E1YWFjYWYmdmVyc2lvbj02Jmdp/ZD1nb2RhZDMmc29mdD1WYWxhayZ1c2VybmFt/ZT1hZG1pbiZwY25hbWU9REVTS1RPUC1KR0xM/SkxEJmRvbWFpbj1ERVNLVE9QLUpHTExKTEQm/Y29ycD1mYWxzZSZpZD1BRUQzNDZERTIxNkY5/QUM1QTRFRUNBQzNGMjM0QjI3MyZzaWc9ODI1/OGE4MTY3ZjIwYzhkZWQ0NmI4YmIxMWIzMDNi/MDY_3DF.html
unknown
malicious
7960
wscript.exe
GET
404
49.13.77.253:80
http://shiriez48.com/telemetry/77u_bm9uY2U9NzZkYzYxMWQ2ZWJhYWZjNjZjYzA4/NzljNzFiNWRiNWMmdmVyc2lvbj02JmdpZD1nb2Rh/ZDMmc29mdD1WYWxhayZ1c2VybmFtZT1hZG1pbiZw/Y25hbWU9REVTS1RPUC1KR0xMSkxEJmRvbWFpbj1E/RVNLVE9QLUpHTExKTEQmY29ycD1mYWxzZSZpZD1B/RUQzNDZERTIxNkY5QUM1QTRFRUNBQzNGMjM0QjI3/MyZzaWc9NDM0MDAzYWJkY2JlZDgwMTQ0NWQ3MWQ2/YWZhMTIxZTY_3DF.html
unknown
malicious
7960
wscript.exe
GET
404
49.13.77.253:80
http://shiriez48.com/telemetry/77u_bm9uY2U9MGNiOTI5ZWFlN2E0OT/llNTAyNDhhM2E3OGY3YWNmYzcmdmVy/c2lvbj02JmdpZD1nb2RhZDMmc29mdD/1WYWxhayZ1c2VybmFtZT1hZG1pbiZw/Y25hbWU9REVTS1RPUC1KR0xMSkxEJm/RvbWFpbj1ERVNLVE9QLUpHTExKTEQm/Y29ycD1mYWxzZSZpZD1BRUQzNDZERT/IxNkY5QUM1QTRFRUNBQzNGMjM0QjI3/MyZzaWc9MGEwOTIyYmQzMjc0MjYwNT/NlOWVlYTM0NDhlZTBhZDY_3DF.html
unknown
malicious
7960
wscript.exe
GET
404
49.13.77.253:80
http://shiriez48.com/telemetry/77u_bm9uY2U9ZTRiYjRjNTE3M2MyY2UxN2ZkOGZjZDQ/wMDQxYzA2OGYmdmVyc2lvbj02JmdpZD1nb2RhZDMmc2/9mdD1WYWxhayZ1c2VybmFtZT1hZG1pbiZwY25hbWU9R/EVTS1RPUC1KR0xMSkxEJmRvbWFpbj1ERVNLVE9QLUpH/TExKTEQmY29ycD1mYWxzZSZpZD1BRUQzNDZERTIxNkY/5QUM1QTRFRUNBQzNGMjM0QjI3MyZzaWc9MDc1ZTc4ZT/EwNmM0YzBjMmI2YWZjMjllYzVlYzdjNWQ_3DF.html
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.69:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7836
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.142
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.69
  • 20.190.159.71
  • 40.126.31.129
  • 20.190.159.73
  • 20.190.159.0
  • 20.190.159.75
  • 40.126.31.0
  • 40.126.31.128
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
  • 2603:1030:7::106
whitelisted
206.23.85.13.in-addr.arpa
unknown
6.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa
unknown
shiriez48.com
  • 49.13.77.253
malicious
gmail.com
  • 142.250.185.101
whitelisted

Threats

PID
Process
Class
Message
7960
wscript.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Valak <v9 Checkin
7960
wscript.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Valak <v9 Checkin
7960
wscript.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Valak <v9 Checkin
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2019-12-19-Valak-retrieved-by-Ursnif-infected-host.exe