File name:

ursnif.bin

Full analysis: https://app.any.run/tasks/de02616f-d912-451b-8cc2-62896e272b8a
Verdict: Malicious activity
Analysis date: October 14, 2019, 07:55:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

7E72C94B81B431BEA7521322EEF4CB66

SHA1:

63DA160195231A188A0DFCC88B61D817D986CFED

SHA256:

9A20E75A6952945D97F6113AF62303B15A81D86D4FC88126AD37D859D7DAB965

SSDEEP:

3072:HnTHXRIusP5vuNUdJC2aICXOcCxqQ+jrdT:HDXGusPluNUdJC2a/XOczDVT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • ursnif.bin.exe (PID: 2368)

  • SUSPICIOUS

    • Executes PowerShell scripts

      • cmd.exe (PID: 2120)

    • Reads the machine GUID from the registry

      • powershell.exe (PID: 2756)
      • explorer.exe (PID: 1936)
      • csc.exe (PID: 1836)
      • csc.exe (PID: 2700)

    • Creates files in the user directory

      • powershell.exe (PID: 2756)
      • explorer.exe (PID: 1936)

    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 1936)
      • forfiles.exe (PID: 944)

    • Starts CMD.EXE for self-deleting

      • explorer.exe (PID: 1936)

    • Executed via COM

      • iexplore.exe (PID: 2864)

  • INFO

    • Reads settings of System Certificates

      • IEXPLORE.EXE (PID: 2728)
      • iexplore.exe (PID: 2864)
      • explorer.exe (PID: 1936)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2728)

    • Reads the machine GUID from the registry

      • iexplore.exe (PID: 2864)

    • Changes internet zones settings

      • iexplore.exe (PID: 2864)

    • Manual execution by user

      • forfiles.exe (PID: 944)
      • cmd.exe (PID: 1048)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:05:04 22:37:35+02:00
PEType: PE32
LinkerVersion: 14
CodeSize: 28672
InitializedDataSize: 106496
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.0.4.2
ProductVersionNumber: 6.0.4.2
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
CompanyName: The Document Foundation
ProductName: LibreOffice
ProductVersion: 6.0.4.2
FileVersion: 6.0.4.2
OriginalFileName: javaloaderlo.dll
InternalName: javaloaderlo
LegalCopyright: Copyright © 2000-2018 by LibreOffice contributors. All rights reserved.

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 04-May-2018 20:37:35
Detected languages:
  • English - United States
CompanyName: The Document Foundation
ProductName: LibreOffice
ProductVersion: 6.0.4.2
FileVersion: 6.0.4.2
OriginalFilename: javaloaderlo.dll
InternalName: javaloaderlo
LegalCopyright: Copyright © 2000-2018 by LibreOffice contributors. All rights reserved.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000140

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 04-May-2018 20:37:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000068F0
0x00007000
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.83254
.rdata
0x00008000
0x00000594
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.36109
.data
0x00009000
0x00002500
0x00002000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.78464
.CRT
0x0000C000
0x0001402F
0x00015000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.87402
.rsrc
0x00021000
0x00000660
0x00001000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.30595

Resources

Title
Entropy
Size
Codepage
Language
Type
1
3.44424
772
UNKNOWN
English - United States
RT_VERSION
2
5.25203
691
UNKNOWN
English - United States
RT_MANIFEST

Imports

GDI32.dll
KERNEL32.dll
USER32.dll
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
373
Monitored processes
13
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ursnif.bin.exe iexplore.exe iexplore.exe forfiles.exe no specs cmd.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs cmd.exe no specs timeout.exe no specs explorer.exe

Process information

PID
CMD
Path
Indicators
Parent process
840C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE2BD.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE2BC.tmp"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
916timeout /t 5 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\timeout.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
944"C:\Windows\System32\forfiles.exe" /p C:\Windows\system32 /s /c "cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANQAxADEAQwBBAEEAQwAwAC0AQQAxADgANQAtADAANgBFADAALQA2ADUANgBBAC0ARQBFADIAQQBEADAAQgA1AEYARABFADUAfQAnACkALgBXAA==" /m p*ll.*eC:\Windows\System32\forfiles.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ForFiles - Executes a command on selected files
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\forfiles.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
956C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE127.tmp" "c:\Users\admin\AppData\Local\Temp\CSCE126.tmp"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.execsc.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Resource File To COFF Object Conversion Utility
Exit code:
0
Version:
8.00.50727.5003 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\cvtres.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptsp.dll
1048"C:\Windows\System32\cmd.exe" /C timeout /t 5 && del "C:\Users\admin\Desktop\URSNIF.BIN.EXE"C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1836"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\h7qyxfbm.cmdline"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1936C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
2120/c "powershell.exe" -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwASQBkAGUAbgB0AGkAdABpAGUAcwBcAHsANQAxADEAQwBBAEEAQwAwAC0AQQAxADgANQAtADAANgBFADAALQA2ADUANgBBAC0ARQBFADIAQQBEADAAQgA1AEYARABFADUAfQAnACkALgBXAA==C:\Windows\System32\cmd.exeforfiles.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2368"C:\Users\admin\Desktop\ursnif.bin.exe" C:\Users\admin\Desktop\ursnif.bin.exe
explorer.exe
User:
admin
Company:
The Document Foundation
Integrity Level:
MEDIUM
Exit code:
0
Version:
6.0.4.2
Modules
Images
c:\users\admin\desktop\ursnif.bin.exe
c:\systemroot\system32\ntdll.dll
c:\systemroot\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
2700"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\f44qny8l.cmdline"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
8.0.50727.5483 (Win7SP1GDR.050727-5400)
Modules
Images
c:\windows\microsoft.net\framework64\v2.0.50727\csc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcr80.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\ole32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
3 051
Read events
2 871
Write events
178
Delete events
2

Modification events

(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
3
(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
3612901856
(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30769764
(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
3913066856
(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30769764
(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2864) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
Executable files
0
Suspicious files
9
Text files
7
Unknown types
4

Dropped files

PID
Process
Filename
Type
2864iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF40471363DCFC71F.TMP
MD5:
SHA256:
2864iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\favicon[1].ico
MD5:
SHA256:
2864iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2756powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ONZ873ZDJBCU8IP3W4EA.temp
MD5:
SHA256:
2700csc.exeC:\Users\admin\AppData\Local\Temp\CSCE126.tmp
MD5:
SHA256:
2700csc.exeC:\Users\admin\AppData\Local\Temp\f44qny8l.pdb
MD5:
SHA256:
956cvtres.exeC:\Users\admin\AppData\Local\Temp\RESE127.tmp
MD5:
SHA256:
2700csc.exeC:\Users\admin\AppData\Local\Temp\f44qny8l.dll
MD5:
SHA256:
2700csc.exeC:\Users\admin\AppData\Local\Temp\f44qny8l.out
MD5:
SHA256:
2756powershell.exeC:\Users\admin\AppData\Local\Temp\h7qyxfbm.0.cs
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
18
DNS requests
20
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2864
iexplore.exe
GET
304
152.199.19.161:443
https://iecvlist.microsoft.com/ie11blocklist/1401746408/versionlistWin7.xml
US
whitelisted
2864
iexplore.exe
GET
200
152.199.19.161:443
https://r20swj13mr.microsoft.com/ieblocklist/v1/urlblocklist.bin
US
whitelisted
2368
ursnif.bin.exe
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
binary
27.0 Kb
unknown
2728
IEXPLORE.EXE
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
text
44.4 Kb
unknown
2368
ursnif.bin.exe
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
binary
37.7 Kb
unknown
2368
ursnif.bin.exe
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
binary
29.4 Kb
unknown
2368
ursnif.bin.exe
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
binary
465 b
unknown
2368
ursnif.bin.exe
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
binary
19.8 Kb
unknown
2864
iexplore.exe
GET
200
152.199.19.161:443
https://iecvlist.microsoft.com/IE11/1479242656000/iecompatviewlist.xml
US
xml
351 Kb
whitelisted
2368
ursnif.bin.exe
POST
200
46.29.166.6:443
https://adultprizes.xyz/index.htm
RU
binary
31.1 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2728
IEXPLORE.EXE
46.29.166.6:443
adultprizes.xyz
LLC Baxet
RU
unknown
2864
iexplore.exe
46.29.166.6:443
adultprizes.xyz
LLC Baxet
RU
unknown
2864
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2368
ursnif.bin.exe
46.29.166.6:443
adultprizes.xyz
LLC Baxet
RU
unknown
2864
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1936
explorer.exe
194.147.32.248:443
carringtonit.xyz
unknown
1936
explorer.exe
77.68.17.108:80
curlmyip.net
1&1 Internet SE
GB
unknown
592
mscorsvw.exe
67.27.157.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
2596
mscorsvw.exe
2.16.186.74:80
crl.microsoft.com
Akamai International B.V.
whitelisted
77.68.17.108:80
curlmyip.net
1&1 Internet SE
GB
unknown

DNS requests

Domain
IP
Reputation
adultprizes.xyz
  • 46.29.166.6
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
carringtonit.xyz
  • 194.147.32.248
unknown
curlmyip.net
  • 77.68.17.108
shared
ctldl.windowsupdate.com
  • 67.27.157.254
  • 67.26.75.254
  • 67.27.157.126
  • 67.27.158.126
  • 8.248.117.254
whitelisted
crl.microsoft.com
  • 2.16.186.74
  • 2.16.186.120
whitelisted

Threats

PID
Process
Class
Message
332
svchost.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)
Potential Corporate Privacy Violation
ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\amd64fre\base\isolation\com\enumidentityattribute.cpp, line 144
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ursnif.bin