URL:

http://img.mailinblue.com/1571019/attachments/4367890.zip?v=1562867268773

Full analysis: https://app.any.run/tasks/3d12845f-cf03-4d57-9394-b6fa1ab852a5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 11, 2019, 19:24:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trickbot
Indicators:
MD5:

17A9E938A3537B9FD50EEA7A5A8A7039

SHA1:

9C8F11EAE1DEE00E581E1AD92ECBC41F589A8F96

SHA256:

895FA799E7E8A4CD604EF44D58C6F60A170AF84145791BC507C3D5F748665631

SSDEEP:

3:N1KX/L5NHVJSU2EH/E4rX0XrW:CvLLHeOEAXurW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ouwrj.exe (PID: 2780)
      • JFHRсав.exe (PID: 3864)
      • ouwrj.exe (PID: 4012)
      • LFHTсав.exe (PID: 3596)
      • ouwrj.exe (PID: 2596)
      • JFHRсав.exe (PID: 308)

    • Stops/Deletes Windows Defender service via SC.exe

      • cmd.exe (PID: 3624)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 3432)
      • cmd.exe (PID: 3612)
      • cmd.exe (PID: 3580)
      • cmd.exe (PID: 3320)

    • Executes PowerShell scripts

      • cmd.exe (PID: 1816)
      • cmd.exe (PID: 3696)
      • cmd.exe (PID: 2308)
      • cmd.exe (PID: 3600)
      • cmd.exe (PID: 2768)
      • cmd.exe (PID: 3468)
      • cmd.exe (PID: 2672)
      • cmd.exe (PID: 3236)
      • cmd.exe (PID: 3980)
      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 3144)
      • cmd.exe (PID: 2416)
      • cmd.exe (PID: 940)
      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 3280)
      • cmd.exe (PID: 2772)
      • cmd.exe (PID: 3984)
      • cmd.exe (PID: 476)
      • cmd.exe (PID: 2716)
      • cmd.exe (PID: 2936)
      • cmd.exe (PID: 316)
      • cmd.exe (PID: 1628)
      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1952)
      • cmd.exe (PID: 840)
      • cmd.exe (PID: 2684)
      • cmd.exe (PID: 1640)
      • cmd.exe (PID: 3616)
      • cmd.exe (PID: 3796)
      • cmd.exe (PID: 3168)

    • Loads the Task Scheduler COM API

      • JFHRсав.exe (PID: 308)
      • LFHTсав.exe (PID: 3596)

    • Disables Windows Defender

      • LFHTсав.exe (PID: 3596)
      • ouwrj.exe (PID: 2596)
      • JFHRсав.exe (PID: 308)

    • Known privilege escalation attack

      • DllHost.exe (PID: 2608)
      • DllHost.exe (PID: 3412)

    • Downloads executable files from the Internet

      • WScript.exe (PID: 3680)
      • WScript.exe (PID: 2816)

    • Trickbot detected

      • ouwrj.exe (PID: 2596)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • JFHRсав.exe (PID: 308)
      • LFHTсав.exe (PID: 3596)
      • ouwrj.exe (PID: 2596)

    • Executable content was dropped or overwritten

      • WScript.exe (PID: 2816)
      • ouwrj.exe (PID: 2780)
      • JFHRсав.exe (PID: 308)
      • WScript.exe (PID: 3680)
      • ouwrj.exe (PID: 2596)

    • Creates files in the program directory

      • ouwrj.exe (PID: 2780)
      • LFHTсав.exe (PID: 3596)

    • Executes scripts

      • WinRAR.exe (PID: 2648)

    • Starts itself from another location

      • ouwrj.exe (PID: 2780)

    • Creates files in the user directory

      • powershell.exe (PID: 2760)
      • powershell.exe (PID: 3560)
      • powershell.exe (PID: 2412)
      • powershell.exe (PID: 3768)
      • powershell.exe (PID: 4004)
      • powershell.exe (PID: 3112)
      • powershell.exe (PID: 3152)
      • powershell.exe (PID: 3928)
      • powershell.exe (PID: 3624)
      • JFHRсав.exe (PID: 308)
      • powershell.exe (PID: 3652)
      • LFHTсав.exe (PID: 3596)
      • powershell.exe (PID: 3572)
      • powershell.exe (PID: 908)
      • powershell.exe (PID: 1412)
      • powershell.exe (PID: 4044)
      • powershell.exe (PID: 3424)
      • powershell.exe (PID: 3648)
      • powershell.exe (PID: 1996)
      • powershell.exe (PID: 2084)
      • powershell.exe (PID: 3448)
      • powershell.exe (PID: 2928)
      • ouwrj.exe (PID: 2596)

    • Executed via Task Scheduler

      • LFHTсав.exe (PID: 3596)

    • Executed via COM

      • DllHost.exe (PID: 2608)
      • DllHost.exe (PID: 3412)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3136)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3136)
      • iexplore.exe (PID: 3640)

    • Changes internet zones settings

      • iexplore.exe (PID: 3136)

    • Creates files in the user directory

      • iexplore.exe (PID: 3640)

    • Manual execution by user

      • WinRAR.exe (PID: 2648)
      • WinRAR.exe (PID: 2652)
      • WScript.exe (PID: 3680)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
163
Monitored processes
86
Malicious processes
36
Suspicious processes
9

Behavior graph

Click at the process to see the details
start drop and start drop and start iexplore.exe iexplore.exe winrar.exe no specs wscript.exe ouwrj.exe jfhrсав.exe no specs CMSTPLUA no specs jfhrсав.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs winrar.exe no specs wscript.exe ouwrj.exe no specs lfhtсав.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs CMSTPLUA no specs #TRICKBOT ouwrj.exe cmd.exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs sc.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
308"C:\ProgramData\JFHRсав.exe" C:\ProgramData\JFHRсав.exe
DllHost.exe
User:
admin
Company:
Nozza Software Studios
Integrity Level:
HIGH
Description:
NS2K1
Exit code:
0
Version:
1, 0, 0, 1
Modules
Images
c:\programdata\jfhrсав.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
316"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\cmd.exeouwrj.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
476"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6C:\Windows\System32\cmd.exeLFHTсав.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
840"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $trueC:\Windows\System32\cmd.exeouwrj.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
908powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
940"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $trueC:\Windows\System32\cmd.exeLFHTсав.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1412powershell Set-MpPreference -DisableBehaviorMonitoring $trueC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1628"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $trueC:\Windows\System32\cmd.exeouwrj.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1640"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6C:\Windows\System32\cmd.exeouwrj.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1696powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
7 006
Read events
5 744
Write events
1 258
Delete events
4

Modification events

(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{7EED181F-A411-11E9-B506-5254004A04AF}
Value:
0
(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(3136) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E307070004000B00130018001B008402
Executable files
5
Suspicious files
34
Text files
14
Unknown types
4

Dropped files

PID
Process
Filename
Type
3136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF0E9D5A01EAAB5DE5.TMP
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5D7B07423717F112.TMP
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7EED181F-A411-11E9-B506-5254004A04AF}.dat
MD5:
SHA256:
3640iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{7EED1820-A411-11E9-B506-5254004A04AF}.datbinary
MD5:
SHA256:
3640iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@mailinblue[1].txttext
MD5:
SHA256:
3640iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JOHYEJFE\4367890[1].zipcompressed
MD5:
SHA256:
2760powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PLZJ689PI76LNE4TJHIB.temp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
6
DNS requests
4
Threats
11

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3640
iexplore.exe
GET
200
104.27.145.180:80
http://img.mailinblue.com/1571019/attachments/4367890.zip?v=1562867268773
US
compressed
3.41 Kb
malicious
2816
WScript.exe
GET
200
67.23.226.159:80
http://bizcraftindia.com/taxReminder.php
US
executable
402 Kb
malicious
3680
WScript.exe
GET
200
67.23.226.159:80
http://altarishelect.com/product_list.php
US
executable
396 Kb
malicious
3136
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3640
iexplore.exe
104.27.145.180:80
img.mailinblue.com
Cloudflare Inc
US
shared
3136
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2816
WScript.exe
67.23.226.159:80
bizcraftindia.com
HostDime.com, Inc.
US
suspicious
3596
LFHTсав.exe
37.44.215.169:443
JSC Mediasoft ekspert
RU
unknown
3680
WScript.exe
67.23.226.159:80
bizcraftindia.com
HostDime.com, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
img.mailinblue.com
  • 104.27.145.180
  • 104.27.144.180
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
bizcraftindia.com
  • 67.23.226.159
malicious
altarishelect.com
  • 67.23.226.159
malicious

Threats

PID
Process
Class
Message
2816
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2816
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS WinHttpRequest Downloading EXE
2816
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2816
WScript.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3640
iexplore.exe
Potentially Bad Traffic
ET WEB_CLIENT Suspicious Possible Zip DL containing single VBS script
3680
WScript.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3680
WScript.exe
A Network Trojan was detected
ET CURRENT_EVENTS WinHttpRequest Downloading EXE
3680
WScript.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3680
WScript.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://img.mailinblue.com/1571019/attachments/4367890.zip?v=1562867268773