
Analysis Report 31doc.msg.scr

Overview

General Information

Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 163025
Start date: 14.08.2019
Start time: 05:34:25
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 54s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 31doc.msg.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.evad.winEXE@4/5@171/8
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 97%)
  • Quality average: 84.2%
  • Quality standard deviation: 23%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 74.125.133.26, 74.125.204.26, 74.125.28.26, 172.217.194.26, 108.177.14.26, 74.125.133.27, 93.184.221.240, 8.253.208.121, 67.24.27.254, 8.248.3.254, 67.27.153.126, 8.247.210.254, 205.185.216.10, 205.185.216.42, 67.26.111.254, 8.247.211.254, 67.27.154.254
  • Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, alt3.gmail-smtp-in.l.google.com, wu.ec.azureedge.net, s-0001.s-msedge.net, ctldl.windowsupdate.com, e-0009.e-msedge.net, cds.d2s7q6s2.hwcdn.net, alt2.gmail-smtp-in.l.google.com, wu.azureedge.net, alt4.gmail-smtp-in.l.google.com, gmail-smtp-in.l.google.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, au.download.windowsupdate.com.hwcdn.net, hlb.apr-52dd2-0.edgecastdns.net, alt1.gmail-smtp-in.l.google.com, auto.au.download.windowsupdate.com.c.footprint.net, wu.wpc.apr-52dd2.edgecastdns.net, config.edge.skype.com
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 64
Range: 0 - 100
Whitelisted: false
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Execution through API (1) | Registry Run Keys / Startup Folder (1) | Access Token Manipulation (1) | Masquerading (2) | Input Capture (1) | System Time Discovery (2) | Application Deployment Software | Input Capture (1) | Data Encrypted (1) | Standard Cryptographic Protocol (1)
Replication Through Removable Media | Service Execution | Port Monitors | Process Injection (1) | Software Packing (1) | Network Sniffing | Process Discovery (2) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol (1)
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Access Token Manipulation (1) | Input Capture | Security Software Discovery (3) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol (11)
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection (1) | Credentials in Files | Remote System Discovery (1) | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Deobfuscate/Decode Files or Information (1) | Account Manipulation | File and Directory Discovery (11) | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information (2) | Brute Force | System Information Discovery (13) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | DLL Side-Loading (1) | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for dropped file
Source: C:\Windows\tserv.exe | Avira: Label: WORM/Stration.C
Source: C:\Windows\tserv.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
Source: 31doc.msg.exe | Avira: Label: WORM/Stration.C
Source: 31doc.msg.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.31doc.msg.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 0.0.31doc.msg.exe.400000.0.unpack | Avira: Label: WORM/Stration.C

Spreading:

Enumerates the file system
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose,

Networking:

Domain name seen in connection with other malware
Source: Joe Sandbox View | Domain Name: mta6.am0.yahoodns.net
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 66.218.85.52
Uses SMTP (mail sending)
Source: global traffic | TCP traffic: 192.168.2.5:49715 -> 98.137.159.28:25
Source: global traffic | TCP traffic: 192.168.2.5:49716 -> 67.195.204.77:25
Source: global traffic | TCP traffic: 192.168.2.5:49717 -> 67.195.228.111:25
Source: global traffic | TCP traffic: 192.168.2.5:49723 -> 104.47.1.33:25
Source: global traffic | TCP traffic: 192.168.2.5:49724 -> 66.218.85.52:25
Source: global traffic | TCP traffic: 192.168.2.5:49725 -> 74.6.137.63:25
Source: global traffic | TCP traffic: 192.168.2.5:49726 -> 67.195.228.109:25
Source: global traffic | TCP traffic: 192.168.2.5:49732 -> 104.47.40.33:25
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: yahoo.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 31doc.msg.exe, 00000000.00000002.20193176771.0000000000840000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00423D83: QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError,
Creates files inside the system directory
Source: C:\Users\user\Desktop\31doc.msg.exe | File created: C:\Windows\tserv.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\31doc.msg.exe | Code functions: 0_2_00411800, 0_2_004108D0, 0_2_0040C8E0, 0_2_0040F0E9, 0_2_00410907, 0_2_00404110, 0_2_00409119, 0_2_0040F1C7, 0_2_0040C1D0, 0_2_00404990, 0_2_004091A7, 0_2_0040E246, 0_2_00428A08, 0_2_00425214, 0_2_00410220, 0_2_00405310, 0_2_00408BC0, 0_2_00415BD0, 0_2_0041B3D0, 0_2_0040DBF0, 0_2_00409436, 0_2_00409CF7, 0_2_0041BD00, 0_2_0040EDE0, 0_2_0040DE56, 0_2_0041C660, 0_2_00410670, 0_2_0040E676, 0_2_00409F47, 0_2_0040EF78, 0_2_00405F30
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: String function: 0042664C appears 45 times
Reads the hosts file
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample reads its own file content
Source: C:\Users\user\Desktop\31doc.msg.exe | File read: C:\Users\user\Desktop\31doc.msg.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\31doc.msg.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\31doc.msg.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: wow64log.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Classification label
Source: classification engine | Classification label: mal64.evad.winEXE@4/5@171/8
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle,
Creates files inside the user directory
Source: C:\Users\user\Desktop\31doc.msg.exe | File created: C:\Users\user\Desktop\902E.tmp
PE file has an executable .text section and no other executable section
Source: 31doc.msg.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
Source: C:\Users\user\Desktop\31doc.msg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\31doc.msg.exe 'C:\Users\user\Desktop\31doc.msg.exe'
Source: unknown | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: unknown | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
Source: C:\Users\user\Desktop\31doc.msg.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA,
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0041E447 push ds; retf
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0042647C push eax; ret
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_004254B0 push eax; ret
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0041E624 push ds; retf
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00426687 push ecx; ret

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\31doc.msg.exe | Executable created and started: C:\Windows\tserv.exe
Drops PE files
Source: C:\Users\user\Desktop\31doc.msg.exe | File created: C:\Windows\tserv.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\31doc.msg.exe | File created: C:\Windows\tserv.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\tserv.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0040C1D0 rdtsc
Contains long sleeps (>= 3 min)
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Enumerates the file system
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\31doc.msg.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\31doc.msg.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\31doc.msg.exe | API coverage: 9.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\tserv.exe TID: 3408 | Thread sleep time: -5100000s >= -30000s
Source: C:\Windows\tserv.exe TID: 4208 | Thread sleep time: -4200000s >= -30000s
Source: C:\Windows\tserv.exe TID: 3320 | Thread sleep time: -180000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose,
Contains functionality to query system information
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
Program exit points
Source: C:\Users\user\Desktop\31doc.msg.exe | API call chain: ExitProcess graph end node

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\tserv.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0040C1D0 rdtsc
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA,
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_004210D0 GetProcessHeap,GetProcessHeap,HeapAlloc,RegOpenKeyExA,GetLastError,GetProcessHeap,HeapFree,RegCloseKey,
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0042731A SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0042732E SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,HeapAlloc,HeapFree,RtlAllocateHeap,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,RtlAllocateHeap,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor,
May try to detect the Windows Explorer process (often used for injection)
Source: 31doc.msg.exe, 00000000.00000002.20193226308.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 31doc.msg.exe, 00000000.00000002.20193226308.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 31doc.msg.exe, 00000000.00000002.20193226308.0000000000CD0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread,
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: GetLocaleInfoA,
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle,
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_0040BE00 GetLocalTime,GetTimeZoneInformation,
Contains functionality to query windows version
Source: C:\Users\user\Desktop\31doc.msg.exe | Code function: 0_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA,

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 163025 | Sample: 31doc.msg.scr | Start date: 14/08/2019 | Architecture: WINDOWS | Score: 64

  • Sample: 31doc.msg.scr
    • DNS/IP Info: www2.cedesunjerinkas.com
    • Signature: Antivirus or Machine Learning detection for sample
    • Process started: 31doc.msg.exe
      • Created File (dropped): C:\Windows\tserv.exe, PE32
      • Created File (dropped): C:\Windows\tserv.exe:Zone.Identifier, ASCII
      • Signature: Contains functionality to inject threads in other processes
      • Signature: Drops executables to the windows directory (C:\Windows) and starts them
      • Signature: Tries to detect virtualization through RDTSC time measurements
      • Process started: tserv.exe
        • DNS/IP Info: hotmail-com.olc.protection.outlook.com 104.47.1.33, 25, 49723 (unknown, United States)
        • DNS/IP Info: mta5.am0.yahoodns.net 67.195.204.77, 25, 49716 (unknown, United States)
        • DNS/IP Info: 7 other IPs or domains
        • Signature: Antivirus or Machine Learning detection for dropped file
        • Signature: Creates an undocumented autostart registry key
    • Process started: tserv.exe
      • DNS/IP Info: 104.47.40.33, 25, 49732 (unknown, United States)
      • DNS/IP Info: 66.218.85.52, 25, 49724 (unknown, United States)
      • DNS/IP Info: 12 other IPs or domains

Simulations

Behavior and APIs

Time | Type | Description
05:35:38 | API Interceptor | 3x Sleep call for process: 31doc.msg.exe modified
05:35:48 | API Interceptor | 152x Sleep call for process: tserv.exe modified
05:35:49 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run tserv C:\Windows\tserv.exe s

Antivirus and Machine Learning Detection

Initial Sample

Source | Detection | Scanner | Label
31doc.msg.exe | 100% | Avira | WORM/Stration.C
31doc.msg.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\tserv.exe | 100% | Avira | WORM/Stration.C
C:\Windows\tserv.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.31doc.msg.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
0.0.31doc.msg.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C

Domains

Source | Detection | Scanner | Label
mta6.am0.yahoodns.net | 0% | virustotal |
mta7.am0.yahoodns.net | 0% | virustotal |
mta5.am0.yahoodns.net | 0% | virustotal |
www3.cedesunjerinkas.com | 0% | virustotal |
www4.cedesunjerinkas.com | 0% | virustotal |
www2.cedesunjerinkas.com | 0% | virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
66.218.85.52 | 55.x.exe | malicious
66.218.85.52 | 1Update-KB8062-x86.exe | malicious
66.218.85.52 | 7Update-KB6468-x86.exe | malicious
66.218.85.52 | 20test.lo.exe | malicious
66.218.85.52 | 15data.tx.exe | malicious
66.218.85.52 | 22file.txt.exe | malicious
66.218.85.52 | 16Update-KB1390-x86.exe | malicious
66.218.85.52 | 21Update-KB3546-x86.exe | malicious
66.218.85.52 | 15message.da.exe | malicious
66.218.85.52 | 15Update-KB7250-x86.exe | malicious
66.218.85.52 | 13body.ms.exe | malicious
66.218.85.52 | 6Update-KB1546-x86.exe | malicious
66.218.85.52 | 5docs.el.exe | malicious
66.218.85.52 | 19docs.el.exe | malicious
66.218.85.52 | 27docs.el.exe | malicious
66.218.85.52 | 22text.ms.exe | malicious
66.218.85.52 | 3Update-KB3718-x86.exe | malicious
66.218.85.52 | 5Update-KB3968-x86.exe | malicious
66.218.85.52 | 45data.tx.exe | malicious
66.218.85.52 | 27Update-KB3921-x86.exe | malicious

Domains

Match | Associated Sample Name / URL | Detection | Context
mta6.am0.yahoodns.net | 21doc.el.exe | malicious | 98.137.159.26
mta6.am0.yahoodns.net | 29Update-KB1750-x86.exe | malicious | 67.195.229.58
mta6.am0.yahoodns.net | 51Update-KB8281-x86.exe | malicious | 98.136.102.55
mta6.am0.yahoodns.net | 78doc.msg.exe | malicious | 74.6.137.64
mta6.am0.yahoodns.net | 23Update-KB3830-x86.exe | malicious | 98.136.102.54
mta6.am0.yahoodns.net | 35Update-KB5111-x86.exe | malicious | 67.195.229.59
mta6.am0.yahoodns.net | 23Update-KB3956-x86.exe | malicious | 98.136.101.117
mta6.am0.yahoodns.net | 20Update-KB7452-x86.exe | malicious | 67.195.229.58
mta6.am0.yahoodns.net | 19docs.tx.exe | malicious | 98.136.102.54
mta6.am0.yahoodns.net | 55.x.exe | malicious | 98.137.159.28
mta6.am0.yahoodns.net | 3Update-KB2248-x86.exe | malicious | 98.137.159.24
mta6.am0.yahoodns.net | 30Update-KB5046-x86.exe | malicious | 98.136.102.54
mta6.am0.yahoodns.net | 56file.txt.exe | malicious | 98.136.102.54
mta6.am0.yahoodns.net | 63test.log.exe | malicious | 74.6.137.64
mta6.am0.yahoodns.net | 5body.ms.exe | malicious | 67.195.228.141
mta6.am0.yahoodns.net | 4test.log.exe | malicious | 98.136.101.117
mta6.am0.yahoodns.net | 1Update-KB8062-x86.exe | malicious | 98.137.159.26
mta6.am0.yahoodns.net | 70creditcar.exe | malicious | 98.137.159.24
mta6.am0.yahoodns.net | 17Update-KB2684-x86.exe | malicious | 67.195.228.141
mta6.am0.yahoodns.net | 7Update-KB8734-x86.exe | malicious | 74.6.137.64

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | request.doc | malicious | 192.168.0.44
unknown | FERK444259.doc | malicious | 192.168.0.44
unknown | b392e93a5753601db564e6f2dc6a945aac3861bc31e2c1e5e7f3cd4e5bb150a4.js | malicious | 192.168.0.40
unknown | Setup.exe | malicious | 192.168.0.40
unknown | base64.pdf | malicious | 192.168.0.40
unknown | file.pdf | malicious | 192.168.0.40
unknown | Spread sheet 2.pdf | malicious | 192.168.0.40
unknown | request_08.30.doc | malicious | 192.168.0.44
unknown | P_2038402.xlsx | malicious | 192.168.0.44
unknown | 48b1cf747a678641566cd1778777ca72.apk | malicious | 192.168.0.22
unknown | seu nome na lista de favorecidos.exe | malicious | 192.168.0.40
unknown | Adm_Boleto.via2.com | malicious | 192.168.0.40
unknown | QuitacaoVotorantim345309.exe | malicious | 192.168.0.40
unknown | pptxb.pdf | malicious | 192.168.0.40

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.