
Analysis Report 19Update-KB5625-x86.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 109777
Start date: 11.02.2019
Start time: 18:05:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 19Update-KB5625-x86.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal72.evad.winEXE@6/6@238/6
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 97.2%)
  • Quality average: 84.2%
  • Quality standard deviation: 22.9%
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 24
  • Number of non-executed functions: 121
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy   Score  Range    Whitelisted  Detection
Threshold  72     0 - 100  false        malicious

Confidence

Strategy   Score  Range  Further Analysis Required?
Threshold  5      0 - 5  false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column. Bracketed figures are the count badges attached to matched techniques, as extracted.

  • Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
  • Execution: Execution through Module Load [1]; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
  • Persistence: Registry Run Keys / Start Folder [1]; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
  • Privilege Escalation: Process Injection [11]; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
  • Defense Evasion: Software Packing [1]; Disabling Security Tools [1]; Process Injection [11]; Obfuscated Files or Information [2]; Masquerading
  • Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
  • Discovery: Process Discovery [1]; Security Software Discovery [2]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [23]
  • Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
  • Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
  • Command and Control: Standard Cryptographic Protocol [1]; Standard Non-Application Layer Protocol [1]; Standard Application Layer Protocol [11]; Multiband Communication; Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus detection for dropped file
  • Source: C:\Windows\tserv.exe | Avira: Label: WORM/Stration.C
Antivirus detection for submitted file
  • Source: 19Update-KB5625-x86.exe | Avira: Label: WORM/Stration.C
Antivirus detection for unpacked file
  • Source: 1.2.19Update-KB5625-x86.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 1.0.19Update-KB5625-x86.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 1.1.19Update-KB5625-x86.exe.400000.0.unpack | Avira: Label: WORM/Stration.C

Spreading:

Enumerates the file system
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose

Networking:

IP address seen in connection with other malware
  • Source: Joe Sandbox View | IP Address: 74.6.137.63
  • Source: Joe Sandbox View | IP Address: 104.47.33.33
Uses SMTP (mail sending)
  • Source: global traffic | TCP traffic: 192.168.2.5:49797 -> 98.137.159.27:25
  • Source: global traffic | TCP traffic: 192.168.2.5:49798 -> 67.195.229.59:25
  • Source: global traffic | TCP traffic: 192.168.2.5:49799 -> 98.136.101.117:25
  • Source: global traffic | TCP traffic: 192.168.2.5:49805 -> 104.47.33.33:25
  • Source: global traffic | TCP traffic: 192.168.2.5:49806 -> 74.6.137.63:25
  • Source: global traffic | TCP traffic: 192.168.2.5:49807 -> 74.6.137.64:25
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: yahoo.com

System Summary:

Contains functionality to communicate with device drivers
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00423D83 QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError
Creates files inside the system directory
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | File created: C:\Windows\tserv.exe
Detected potential crypto function
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code functions (1_2_ prefix): 00411800, 004108D0, 0040C8E0, 0040F0E9, 00410907, 00404110, 00409119, 0040F1C7, 0040C1D0, 00404990, 004091A7, 0040E246, 00428A08, 00425214, 00410220, 00405310, 00408BC0, 00415BD0, 0041B3D0, 0040DBF0, 00409436, 00409CF7, 0041BD00, 0040EDE0, 0040DE56, 0041C660, 00410670, 0040E676, 00409F47, 0040EF78, 00405F30
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code functions (1_1_ prefix): 00411800, 004108D0, 0040C8E0, 0040F0E9, 00410907, 00404110, 00409119, 0040F1C7, 0040C1D0, 00404990, 004091A7, 0040E246, 00428A08, 00425214, 00410220, 00405310, 00408BC0, 00415BD0, 0041B3D0, 0040DBF0, 00409436, 00409CF7, 0041BD00, 0040EDE0, 0040DE56, 0041C660, 00410670, 0040E676, 00409F47, 0040EF78, 00405F30
Found potential string decryption / allocating functions
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: String function: 0042664C appears 90 times
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: String function: 004274D6 appears 40 times
Reads the hosts file
  • Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts (14 identical entries in the report)
Sample reads its own file content
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | File read: C:\Users\user\Desktop\19Update-KB5625-x86.exe
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Section loaded: wow64log.dll
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Section loaded: cmut449c14b7.dll
  • Source: C:\Windows\tserv.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
  • Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
  • Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\tserv.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
  • Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Classification label
  • Source: classification engine | Classification label: mal72.evad.winEXE@6/6@238/6
Contains functionality to adjust token privileges (e.g. debug / backup)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Contains functionality to enum processes or threads
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Contains functionality to load and extract PE file embedded resources
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle
Creates files inside the user directory
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | File created: C:\Users\user\Desktop\8F42.tmp
PE file has an executable .text section and no other executable section
  • Source: 19Update-KB5625-x86.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
  • Source: unknown | Process created: C:\Users\user\Desktop\19Update-KB5625-x86.exe 'C:\Users\user\Desktop\19Update-KB5625-x86.exe'
  • Source: unknown | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
  • Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\8F42.tmp
  • Source: unknown | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\8F42.tmp
Uses an in-process (OLE) Automation server
  • Source: C:\Windows\SysWOW64\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0041E447 push ds; retf 1_2_0041E44D
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0042647C push eax; ret 1_2_0042649A
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_004254B0 push eax; ret 1_2_004254C4
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_004254B0 push eax; ret 1_2_004254EC
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0041E624 push ds; retf 1_2_0041E62A
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00426687 push ecx; ret 1_2_00426697
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_0041E447 push ds; retf 1_1_0041E44D
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_0042647C push eax; ret 1_1_0042649A
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_004254B0 push eax; ret 1_1_004254C4
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_004254B0 push eax; ret 1_1_004254EC
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_0041E624 push ds; retf 1_1_0041E62A
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_00426687 push ecx; ret 1_1_00426697

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Executable created and started: C:\Windows\tserv.exe
Drops PE files
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | File created: C:\Windows\tserv.exe
Drops PE files to the windows directory (C:\Windows)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | File created: C:\Windows\tserv.exe

Boot Survival:

Creates an undocumented autostart registry key
  • Source: C:\Windows\tserv.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0040C1D0 rdtsc
Contains long sleeps (>= 3 min)
  • Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
  • Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Enumerates the file system
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Found evasive API chain (may stop execution after checking a module file name)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_1-12737)
Found evasive API chain checking for process token information
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_1-12672)
Found large amount of non-executed APIs
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | API coverage: 9.8 %
May sleep (evasive loops) to hinder dynamic analysis
  • Source: C:\Windows\tserv.exe TID: 4748 | Thread sleep time: -8100000s >= -30000s
  • Source: C:\Windows\tserv.exe TID: 4216 | Thread sleep time: -8100000s >= -30000s
  • Source: C:\Windows\tserv.exe TID: 4356 | Thread sleep time: -660000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
  • Source: C:\Windows\tserv.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Contains functionality to query system information
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
Program exit points
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | API call chain: ExitProcess graph end node (graph_1-12738)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Source: C:\Windows\tserv.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0040C1D0 rdtsc
Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_004210D0 GetProcessHeap,GetProcessHeap,HeapAlloc,RegOpenKeyExA,GetLastError,GetProcessHeap,HeapFree,RegCloseKey
Contains functionality to register its own exception handler
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0042731A SetUnhandledExceptionFilter
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0042732E SetUnhandledExceptionFilter
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_0042731A SetUnhandledExceptionFilter
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_0042732E SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Injects files into Windows application
  • Source: C:\Windows\SysWOW64\notepad.exe | Injected file: C:\Users\user\Desktop\8F42.tmp was created by C:\Users\user\Desktop\19Update-KB5625-x86.exe
Creates a process in suspended mode (likely to inject code)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\8F42.tmp
Contains functionality to create a new security descriptor
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,HeapAlloc,HeapFree,RtlAllocateHeap,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,RtlAllocateHeap,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor
May try to detect the Windows Explorer process (often used for injection)
  • Source: notepad.exe, 00000005.00000002.5488402777.0000000002DE0000.00000002.sdmp | Binary or memory string: Program Manager
  • Source: notepad.exe, 00000005.00000002.5488402777.0000000002DE0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
  • Source: notepad.exe, 00000005.00000002.5488402777.0000000002DE0000.00000002.sdmp | Binary or memory string: Progman
  • Source: notepad.exe, 00000005.00000002.5488402777.0000000002DE0000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_1_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
Contains functionality to query locale information (e.g. system language)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: GetLocaleInfoA (1_2_0042C8B2)
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: GetLocaleInfoA (1_1_0042C8B2)
Queries the volume information (name, serial number etc) of a device
  • Source: C:\Windows\SysWOW64\notepad.exe | Queries volume information: C:\Users\user\Desktop\8F42.tmp VolumeInformation
Contains functionality to query local / system time
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle
Contains functionality to query time zone information
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_0040BE00 GetLocalTime,GetTimeZoneInformation
Contains functionality to query windows version
  • Source: C:\Users\user\Desktop\19Update-KB5625-x86.exe | Code function: 1_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA

Behavior Graph

Legend (icons of the original graph image): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious.

Behavior Graph ID: 109777 | Sample: 19Update-KB5625-x86.exe | Startdate: 11/02/2019 | Architecture: WINDOWS | Score: 72

Graph nodes as extracted (node numbers and bracketed count badges are the graph's own):

Root (node 2)
  • DNS/IP: www3.cedesunjerinkas.com; www2.cedesunjerinkas.com
  • Signatures: Antivirus detection for submitted file; Antivirus detection for unpacked file
  • Started: 19Update-KB5625-x86.exe [3] (node 7); tserv.exe [12] (node 11)
19Update-KB5625-x86.exe (node 7)
  • Dropped: C:\Windows\tserv.exe (PE32); C:\Windows\tserv.exe:Zone.Identifier (ASCII); C:\Users\user\Desktop\8F42.tmp (Non-ISO)
  • Signatures: Contains functionality to inject threads in other processes; Drops executables to the windows directory (C:\Windows) and starts them
  • Started: tserv.exe [1 13] (node 14); notepad.exe (node 18)
tserv.exe (node 11)
  • DNS/IP: 74.6.137.63, port 25, source port 49806, YAHOO-3-YahooUS, United States; 74.6.137.64, port 25, source port 49807, YAHOO-3-YahooUS, United States; 10 other IPs or domains
tserv.exe (node 14)
  • DNS/IP: mta7.am0.yahoodns.net 98.137.159.27, port 25, source port 49797, YAHOO-NE1-YahooUS, United States; mta5.am0.yahoodns.net 67.195.229.59, port 25, source port 49798, YAHOO-GQ1-YahooUS, United States; 8 other IPs or domains
  • Signatures: Antivirus detection for dropped file; Creates an undocumented autostart registry key
notepad.exe (node 18)
  • Signatures: Injects files into Windows application

Simulations

Behavior and APIs

Time      Type             Description
18:06:55  API Interceptor  212x Sleep call for process: tserv.exe modified
18:06:58  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run tserv C:\Windows\tserv.exe s

Antivirus Detection

Initial Sample

Source                   Detection  Scanner  Label
19Update-KB5625-x86.exe  100%       Avira    WORM/Stration.C

Dropped Files

Source                Detection  Scanner  Label
C:\Windows\tserv.exe  100%       Avira    WORM/Stration.C

Unpacked PE Files

Source                                       Detection  Scanner  Label
1.2.19Update-KB5625-x86.exe.400000.0.unpack  100%       Avira    WORM/Stration.C
1.0.19Update-KB5625-x86.exe.400000.0.unpack  100%       Avira    WORM/Stration.C
1.1.19Update-KB5625-x86.exe.400000.0.unpack  100%       Avira    WORM/Stration.C

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match: 74.6.137.63
Associated Sample Name / URL | Detection
21doc.el.exe | malicious
35Update-KB5111-x86.exe | malicious
7Update-KB8734-x86.exe | malicious
15test.tx.exe | malicious
22file.txt.exe | malicious
17Update-KB2218-x86.exe | malicious
15Update-KB7250-x86.exe | malicious
27data.elm.exe | malicious
23Update-KB4750-x86.exe | malicious
1Update-KB2640-x86.exe | malicious
3document.log.exe | malicious
19docs.el.exe | malicious
25Update-KB6546-x86.exe | malicious
17doc.da.exe | malicious
5docs.msg.exe | malicious
27docs.el.exe | malicious
13Update-KB8500-x86.exe | malicious
23Update-KB2843-x86.exe | malicious
5Update-KB3968-x86.exe | malicious
1text.elm.exe | malicious

Match: 104.47.33.33
Associated Sample Name / URL | Detection
17Update-KB2218-x86.exe | malicious
3document.log.exe | malicious
7body.lo.exe | malicious
5test.tx.exe | malicious
13message.lo.exe | malicious
25file.dat.exe | malicious
5Update-KB5937-x86.exe | malicious
21Update-KB3468-x86.exe | malicious
27Update-KB7000-x86.exe | malicious
5Update-KB7796-x86.exe | malicious
61Update-KB8921-x86.exe | malicious
13Update-KB156-x86.exe | malicious
7Update-KB5140-x86.exe | malicious
18readme.tx.exe | malicious
7document.da.exe | malicious
22data.el.exe | malicious
16docs.txt.exe | malicious
23Update-KB1890-x86.exe | malicious
11Update-KB453-x86.exe | malicious
5readme.da.exe | malicious

Domains

Match: mta7.am0.yahoodns.net
Associated Sample Name / URL | Detection | Context (resolved IP)
21doc.el.exe | malicious | 74.6.137.63
.exe | malicious | 98.136.102.54
29Update-KB1750-x86.exe | malicious | 98.136.102.54
51Update-KB8281-x86.exe | malicious | 98.136.102.54
78doc.msg.exe | malicious | 98.137.159.28
23Update-KB3830-x86.exe | malicious | 98.137.159.28
35Update-KB5111-x86.exe | malicious | 98.137.159.27
23Update-KB3956-x86.exe | malicious | 98.136.102.55
20Update-KB7452-x86.exe | malicious | 98.137.159.25
19docs.tx.exe | malicious | 98.136.102.55
55.x.exe | malicious | 74.6.137.65
3Update-KB2248-x86.exe | malicious | 98.137.159.24
30Update-KB5046-x86.exe | malicious | 74.6.137.65
56file.txt.exe | malicious | 67.195.229.58
63test.log.exe | malicious | 98.137.159.25
5body.ms.exe | malicious | 98.137.159.28
4test.log.exe | malicious | 98.137.159.26
1Update-KB8062-x86.exe | malicious | 66.218.85.52
17Update-KB2684-x86.exe | malicious | 98.137.159.25
7Update-KB8734-x86.exe | malicious | 74.6.137.63

Match: mta6.am0.yahoodns.net
Associated Sample Name / URL | Detection | Context (resolved IP)
21doc.el.exe | malicious | 98.137.159.26
29Update-KB1750-x86.exe | malicious | 67.195.229.58
51Update-KB8281-x86.exe | malicious | 98.136.102.55
78doc.msg.exe | malicious | 74.6.137.64
23Update-KB3830-x86.exe | malicious | 98.136.102.54
35Update-KB5111-x86.exe | malicious | 67.195.229.59
23Update-KB3956-x86.exe | malicious | 98.136.101.117
20Update-KB7452-x86.exe | malicious | 67.195.229.58
19docs.tx.exe | malicious | 98.136.102.54
55.x.exe | malicious | 98.137.159.28
3Update-KB2248-x86.exe | malicious | 98.137.159.24
30Update-KB5046-x86.exe | malicious | 98.136.102.54
56file.txt.exe | malicious | 98.136.102.54
63test.log.exe | malicious | 74.6.137.64
5body.ms.exe | malicious | 67.195.228.141
4test.log.exe | malicious | 98.136.101.117
1Update-KB8062-x86.exe | malicious | 98.137.159.26
70creditcar.exe | malicious | 98.137.159.24
17Update-KB2684-x86.exe | malicious | 67.195.228.141
7Update-KB8734-x86.exe | malicious | 74.6.137.64

ASN

Match: MICROSOFT-CORP-MSN-AS-BLOCK MicrosoftCorporationUS
Associated Sample Name / URL | Detection | Context (contacted IP)
53Cheque10741.pdf.z.exe | malicious | 40.97.128.226
8b9eaeff00382210a583a0b5611c1d3f_976b00382cbb63c03e8fcd6677e4f973_Kovter.exe | malicious | 20.183.103.250
https://www.radioz.es/wp-includes/Text/ble/index.php?userid=billy.bubba@bubba.com | malicious | 104.210.48.9
https://portalclient.echo-cloud.com/98059portal/echoapps/resetpassword.aspx?TOKEN=9A41646238CF73E33CAD1901574A1D6E6B846397B865375351414660CEB4725887E40D94F8324B21D450AC456109B9B1 | malicious | 52.184.196.2
http://imprismail.com/affiliate/referral.asp?site=rea&url=pop/en/ukc/1&aff_id=5843_27027_19234_535127_1_357_ | malicious | 104.41.152.17
https://buildingservices.lk/commonlogin/office/ | malicious | 104.40.240.49
http://newsletter.promostelefoniica.com/t/j-l-ohddhhl-yhdkkudtit-r/ | malicious | 40.101.49.98
Fax message.js | malicious | 13.107.6.151
VOvcoUgiuE.exe | malicious | 204.95.99.26
https://lojassantoantonio.com.br/reuin.htm | malicious | 40.101.52.146
https://hpe-my.sharepoint.com/personal/gregory_park_hpe_com/_layouts/15/acceptinvite.aspx?invitation=%7B28F341CB%2DC685%2D4C81%2DA431%2D3DCFD62ACA39%7D&listId=f6f66c8c%2Decde%2D4889%2D9db0%2Dc07836c6c461&itemId=5d52ebe1%2Dbf49%2D49d3%2D8d0c%2Dd5ae9a222baf | malicious | 207.46.194.14
http://swoba.org/den/lion/office/ | malicious | 104.40.240.50
https://gihi.mx/secure/index.htm | malicious | 13.107.18.11
https://myfrenchclub.in/includes/hospital/office/index.html | malicious | 104.45.0.18
http://360cdlsolutions.com/olopa/drama/day/office/index.html | malicious | 104.42.72.16
DSC07654.pdf | malicious | 204.79.197.213
4b6FzLDmnD.exe | malicious | 52.175.226.120
Dear Account Owner.pdf | malicious | 65.54.226.141
MLmYmJFbrS.exe | malicious | 52.175.226.120
http://dn.bytefence.com/rtop_setup.exe | malicious | 191.237.32.214

Match: YAHOO-3-YahooUS
Associated Sample Name / URL | Detection | Context (contacted IP)
19Fk42jFQUOd.exe | malicious | 98.139.135.128
https://bitly.com/2ADBPis | malicious | 66.6.32.34
37Gmhqgmhb5K.exe | malicious | 63.250.200.63
41tex.exe | malicious | 63.250.200.63
13VJqrYOV9R1.exe | malicious | 63.250.200.63
78ag5NU9TYw.exe | malicious | 63.250.200.63
63Tex.exe | malicious | 63.250.200.63
68documen.exe | malicious | 63.250.200.63
24noemai.exe | malicious | 66.218.84.137
.exe | malicious | 66.218.84.137
39p6DsbcFX97.exe | malicious | 66.218.84.137
53iiBKykijsJ.exe | malicious | 74.6.141.40
63document.exe | malicious | 66.218.87.12
3messag.exe | malicious | 66.218.87.12
21doc.el.exe | malicious | 66.218.85.139
25messag.exe | malicious | 66.218.87.12
kir.exe | malicious | 98.139.175.225
1cwy@cmmai.exe | malicious | 66.218.85.151
.exe | malicious | 66.218.85.139
78doc.msg.exe | malicious | 74.6.137.64

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.