{
	"id": "46b8cf50-fb13-4d84-b512-3eee1e9d6424",
	"created_at": "2026-04-06T00:07:11.832351Z",
	"updated_at": "2026-04-10T13:11:49.887728Z",
	"deleted_at": null,
	"sha1_hash": "328113e38d996e2dd1daf37194485422676d0fb1",
	"title": "PE_URSNIF.A2 - Threat Encyclopedia | Trend Micro (US)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 213983,
	"plain_text": "PE_URSNIF.A2 - Threat Encyclopedia | Trend Micro (US)\r\nArchived: 2026-04-05 18:16:54 UTC\r\nThis is the detection for the infected .EXE and .PDF files related to the URSNIF variant that steals information.\r\nThe said information-stealing infector (detected as PE_URSNIF.A-O) has affected countries such as US and UK.\r\nTo get a one-glance comprehensive view of the behavior of this Spyware, refer to the Threat Diagram shown\r\nbelow.\r\nArrival Details\r\nThis malware arrives via the following means:\r\nMSI files infected by PE_URSNIF.A-O\r\nhttps://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279\r\nPage 1 of 7\n\nInstallation\r\nThis spyware adds the following folder:\r\n%All Users Profile%\\Application Data\\SoftwareProtectionPlatform\r\n(Note: %All Users Profile% is the All Users folder, where it usually is C:\\Documents and Settings\\All Users on\r\nWindows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\\ProgramData on Windows Vista\r\n(32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit),\r\nWindows Server 2008, and Windows Server 2012.)\r\nIt drops the following files:\r\n%System%\\wsauth.exe - mother file detected as PE_URSNIF.A-O\r\n%Application Data%\\SoftwareProtectionPlatform\\sppc.exe - mother file detected as PE_URSNIF.A-O\r\n(Note: %System% is the Windows system folder, where it usually is C:\\Windows\\System32 on all Windows\r\noperating system versions. 
%Application Data% is the Application Data folder, where it usually is C:\\Documents\r\nand Settings\\{user name}\\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and\r\n64-bit); C:\\Users\\{user name}\\AppData\\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit),\r\nWindows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)\r\nIts DLL component is injected into the following process(es):\r\nexplorer.exe\r\niexplore.exe\r\nfirefox.exe\r\nchrome.exe\r\nservices.exe\r\nAutostart Technique\r\nThis spyware registers itself as a system service to ensure its automatic execution at every system startup by\r\nadding the following registry entries:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\\r\nServices\\wsauth\r\nImagePath = \"%System%\\wsauth.exe -s\"\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\\r\nServices\\wsauth\r\nDisplayName = \"Windows Software Protection\"\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\\r\nServices\\wsauth\r\nDescription = \"This windows service enables the download, installation and enforcement of digital licenses for\r\nWindows and Windows applications. If the service is disabled, the operating system and licensed applications may\r\nrun in a notification mode. 
It is strongly recommended that you not disable the Software Protection Service.\"\r\nIt adds the following registry entries to enable its automatic execution at every system startup:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\\r\nWindows\\CurrentVersion\\Run\r\ndumpnsta = \"%Application Data%\\SoftwareProtectionPlatform\\sppc.exe\"\r\nIt registers as a system service to ensure its automatic execution at every system startup by adding the following\r\nregistry keys:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\\r\nServices\\wsauth\r\nFile Infection\r\nThis spyware infects the following files:\r\n*.pdf - detected as PE_URSNIF.A1\r\n*.msi - detected as PE_URSNIF.A2\r\nsetup.exe\r\nIt infects these files found in all removable and network drives.\r\nThis is the Trend Micro detection for files infected by:\r\nPE_URSNIF.A-O\r\nPropagation\r\nThis spyware drops copies of itself in the following drives:\r\nremovable drives\r\nnetwork drives\r\nIt drops copies of itself in network drives such as the following:\r\n{drive letter}:\\Temp.exe\r\nIt drops the following copy(ies) of itself in all removable drives:\r\n{drive letter}:\\Temp.exe\r\nInformation Theft\r\nThis spyware gathers the following data:\r\nSystem Information (Please see notes for more details)\r\nRunning processes and services\r\nInstalled device drivers\r\nPrograms installed\r\nScreenshots\r\nStolen Information\r\nThis spyware sends the gathered information via HTTP POST to the following URLs:\r\nhttp://{random letters}.{domain}/pki/mscorp/crl/msiwww2.crl\r\nhttp://{random letters}.{domain}/pki/mscorp/crl/MSIT%20Machine%20Auth%20CA%202(1).crl\r\nwhere {domain} can be any of the following:\r\ncom\r\nnet\r\norg\r\ninfo\r\nOther Details\r\nThis spyware does the following:\r\nIt hooks the following WININET.DLL exported functions when the DLL component is 
loaded in\r\nIEXPLORE.EXE to monitor network traffic:\r\nHttpOpenRequestA\r\nHttpOpenRequestW\r\nHttpSendRequestA\r\nHttpSendRequestW\r\nHttpQueryInfoA\r\nHttpQueryInfoW\r\nInternetReadFile\r\nInternetReadFileExA\r\nInternetReadFileExW\r\nInternetQueryDataAvailable\r\nIt hooks the following NSS3.DLL or NSPR4.DLL exported functions when the DLL component is loaded\r\nin FIREFOX.EXE to monitor network traffic:\r\nPR_Read\r\nPR_Write\r\nPR_Close\r\nPR_Poll\r\nPR_Available\r\nIt hooks unnamed functions exported by CHROME.DLL when the DLL component is loaded in\r\nCHROME.EXE to monitor network traffic.\r\nIf CHROME.DLL is not found, it will hook the following APIs exported by KERNEL32.DLL:\r\nLoadLibraryA\r\nLoadLibraryW\r\nLoadLibraryExA\r\nLoadLibraryExW\r\nIt will drop and execute a temporary file, %User Temp%\\~{random}.tmp, which is responsible for injecting\r\nits embedded DLL component into the processes listed above. The temporary file will terminate and\r\ndelete itself afterwards. 
This dropped component is detected as TSPY_URSNIF.SM3.\r\n(Note: %User Temp% is the user's temporary folder, where it usually is C:\\Documents and Settings\\{user\r\nname}\\Local Settings\\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit);\r\nC:\\Users\\{user name}\\AppData\\Local\\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit),\r\nWindows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)\r\nNOTES:\r\nIt issues the following commands in Command Prompt (cmd) to gather its stolen information:\r\nsysteminfo\r\ntasklist /SVC (enumerate processes and services)\r\ndriverquery (gather information on installed drivers)\r\nreg.exe query \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" /s (gather installed\r\nprograms)\r\nSysteminfo will return the following system information:\r\nHost Name\r\nOS Name, Version, Manufacturer, Configuration and Build Type\r\nRegistered Owner and Organization\r\nProduct ID\r\nOriginal Install Date\r\nSystem Up Time\r\nSystem Manufacturer, Model and type\r\nProcessor(s)\r\nBIOS version\r\nWindows and System directory\r\nBoot Device\r\nSystem and Input Locale\r\nTime Zone\r\nTotal and Available Memory\r\nVirtual Memory information (Max, Available, In Use)\r\nPage file locations\r\nDomain\r\nLogon server\r\nHotfix(s)\r\nNetwork card(s)\r\nThe information gathered will be saved to temporary file %User Temp%\\~{random}.tmp, which serves as its\r\nstolen information dump/log file. After the file is sent to its C\u0026C server, the malware deletes it.\r\nStep 2\r\nNote that not all files, folders, and registry keys and entries are installed on your computer during this\r\nmalware's/spyware's/grayware's execution. 
This may be due to incomplete installation or other operating system\r\nconditions. If you do not find the same files/folders/registry information, please proceed to the next step.\r\nStep 3\r\nRemove malware/grayware files dropped/downloaded by PE_URSNIF.A2. (Note: Please skip this step if the\r\nthreats listed below have already been removed.)\r\nPE_URSNIF.A1\r\nTSPY_URSNIF.SM3\r\nPE_URSNIF.A-O\r\nStep 4\r\nRestart in Safe Mode\r\nStep 5\r\nDelete this registry key\r\nImportant: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this\r\nonly if you know how to or you can seek your system administrator’s help. You may also check out this Microsoft\r\narticle first before modifying your computer's registry.\r\nIn HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\r\nwsauth\r\nStep 6\r\nDelete this registry value\r\nImportant: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this\r\nstep only if you know how or you can ask your system administrator for assistance. Otherwise, check this Microsoft\r\narticle first before modifying your computer's registry.\r\nIn HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\ndumpnsta = \"%Application Data%\\SoftwareProtectionPlatform\\sppc.exe\"\r\nStep 7\r\nSearch and delete this folder\r\nPlease make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option\r\nto include all hidden folders in the search result.\r\n%Application Data%\\SoftwareProtectionPlatform\r\nStep 8\r\nSearch and delete these files\r\nThere may be some files that are hidden. 
Please make sure you check the Search Hidden Files and Folders\r\ncheckbox in the \"More advanced options\" option to include all hidden files and folders in the search result.\r\n%User Temp%\\~{random}.tmp\r\nStep 9\r\nRestart in normal mode and scan your computer with your Trend Micro product for files detected as\r\nPE_URSNIF.A2. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro\r\nproduct, no further step is required. You may opt to simply delete the quarantined files. Please check this\r\nKnowledge Base page for more information.\r\nSource: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279"
	],
	"report_names": [
		"PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279"
	],
	"threat_actors": [],
	"ts_created_at": 1775434031,
	"ts_updated_at": 1775826709,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/328113e38d996e2dd1daf37194485422676d0fb1.pdf",
		"text": "https://archive.orkl.eu/328113e38d996e2dd1daf37194485422676d0fb1.txt",
		"img": "https://archive.orkl.eu/328113e38d996e2dd1daf37194485422676d0fb1.jpg"
	}
}