
Analysis Report 9Update-KB3734-x86.exe

Overview

General Information

Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 96285
Start date: 06.12.2018
Start time: 22:42:57
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 32s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 9Update-KB3734-x86.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.evad.winEXE@12/8@384/6
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 97.1%)
  • Quality average: 84.2%
  • Quality standard deviation: 23%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 93
  • Number of non-executed functions: 123
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Execution Graph export aborted for target tserv.exe, PID 4604 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 88
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

The report's matrix has one column per tactic and five technique rows; it is listed here per tactic. A trailing number in parentheses (kept exactly as extracted, e.g. "Process Injection (211)") is the superscript signature-hit count the matrix attaches to a matched technique; techniques without one are the matrix's default, unmatched entries.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Execution through Module Load (1); Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Registry Run Keys / Start Folder (1); Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection (211); Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Software Packing (1); Disabling Security Tools (1); Process Injection (211); Obfuscated Files or Information (2); Masquerading
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Process Discovery (1); Security Software Discovery (41); Remote System Discovery (1); File and Directory Discovery (1); System Information Discovery (23)
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1); Multiband Communication; Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Windows\tserv.exe; Avira: Label: WORM/Stration.C
Antivirus detection for submitted file
Source: 9Update-KB3734-x86.exe; Avira: Label: WORM/Stration.C
Antivirus detection for unpacked file
Source: 0.1.9Update-KB3734-x86.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 5.0.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 15.0.tserv.exe.400000.1.unpack; Avira: Label: WORM/Stration.C
Source: 15.2.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 0.0.9Update-KB3734-x86.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 15.1.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 5.2.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 2.0.tserv.exe.400000.1.unpack; Avira: Label: WORM/Stration.C
Source: 2.0.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 2.0.tserv.exe.400000.3.unpack; Avira: Label: WORM/Stration.C
Source: 10.0.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 10.2.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 0.2.9Update-KB3734-x86.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 15.0.tserv.exe.400000.2.unpack; Avira: Label: WORM/Stration.C
Source: 2.1.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 5.1.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 15.0.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C
Source: 2.0.tserv.exe.400000.2.unpack; Avira: Label: WORM/Stration.C
Source: 15.0.tserv.exe.400000.3.unpack; Avira: Label: WORM/Stration.C
Source: 2.2.tserv.exe.400000.0.unpack; Avira: Label: WORM/Stration.C

Spreading:

Enumerates the file system
Source: C:\Windows\tserv.exe; File opened: c:\Program Files (x86)\Adobe\
Source: C:\Windows\tserv.exe; File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
Source: C:\Windows\tserv.exe; File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
Source: C:\Windows\tserv.exe; File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Source: C:\Windows\tserv.exe; File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
Source: C:\Windows\tserv.exe; File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: C:\Windows\tserv.exe; Code function: 2_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 104.47.9.33
Source: Joe Sandbox View; IP Address: 104.47.0.33
Contains functionality to download additional files from the internet
Source: C:\Windows\tserv.exe; Code function: 2_2_00401960 GetProcessHeap,RtlAllocateHeap,CloseHandle,Sleep,Sleep,InternetGetConnectedState,Sleep,InternetGetConnectedState,InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetTempPathA,GetTempFileNameA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,DeleteFileA,InternetCloseHandle,InternetCloseHandle,GetProcessHeap,RtlFreeHeap
Found strings which match to known social media urls
Source: svchost.exe, 0000000D.00000000.3698734752.000001A8EC200000.00000004.sdmp; String found in binary or memory: .hotmail.com1&0 equals www.hotmail.com (Hotmail)
Source: svchost.exe, 0000000D.00000000.3698734752.000001A8EC200000.00000004.sdmp; String found in binary or memory: hotmail.co.uk1 equals www.hotmail.com (Hotmail)
Source: svchost.exe, 0000000D.00000000.3698734752.000001A8EC200000.00000004.sdmp; String found in binary or memory: hotmail.com1 equals www.hotmail.com (Hotmail)
Source: tserv.exe, 00000002.00000002.3594768696.0000000000830000.00000004.sdmp; String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: yahoo.com
Urls found in memory or binary data
Source: consent.exe, 0000000B.00000002.3739310970.000001BB99E7B000.00000004.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000D.00000002.3976751856.000001A8EB849000.00000004.sdmp; String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 0000000D.00000002.3976751856.000001A8EB849000.00000004.sdmp; String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_base_acd8007dbe3781fd
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_base_patch1_9318b0429
Source: svchost.exe, 0000000D.00000000.3725587666.000001A8F16B4000.00000008.sdmp; String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_delta_1b45d79b6f282b2
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_delta_24b68721eaa8685
Source: svchost.exe, 0000000D.00000000.3725587666.000001A8F16B4000.00000008.sdmp; String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_delta_2600c1a3b00c4fd
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_engine_53e243622a8b00
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_engine_patch_1.1.1490
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/mpsigstub_f803292685aff7
Source: svchost.exe, 0000000D.00000000.3698583755.000001A8EC1DE000.00000004.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delch.2100.0_7839d1c5
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_2ab5d141b47cf9e
Source: svchost.exe, 0000000D.00000000.3725587666.000001A8F16B4000.00000008.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_76e885a60e46f95
Source: svchost.exe, 0000000D.00000000.3725587666.000001A8F16B4000.00000008.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_7d8c7a293002823
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.103
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.104
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.105
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.106
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.107
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.108
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.109
Source: svchost.exe, 0000000D.00000000.3725524585.000001A8F16B0000.00000002.sdmp; String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.110
Source: svchost.exe, 0000000D.00000002.3976751856.000001A8EB849000.00000004.sdmp; String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 0000000D.00000000.3683047379.000001A8EB7D0000.00000004.sdmp; String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: svchost.exe, 0000000D.00000002.3994870842.000001A8EC242000.00000004.sdmp; String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: http://passport.net/tb
Source: tserv.exe, 00000002.00000002.3594768696.0000000000830000.00000004.sdmp; String found in binary or memory: http://www4.cedesunjerinkas.com/chr/wtb/lt.exe
Source: svchost.exe, 0000000D.00000000.3709565938.000001A8EDF43000.00000004.sdmp; String found in binary or memory: https:///WAB-23B4D62B-952A-47E7-969C-B95DBF145D3D.local
Source: svchost.exe, 0000000D.00000000.3691273882.000001A8EBC6B000.00000004.sdmp; String found in binary or memory: https:///live.com
Source: svchost.exe, 0000000D.00000000.3691273882.000001A8EBC6B000.00000004.sdmp; String found in binary or memory: https:///windows.net
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502ssuer
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600ng
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601ssuerP
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000D.00000002.3983021879.000001A8EBC00000.00000004.sdmp; String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000000D.00000000.3691273882.000001A8EBC6B000.00000004.sdmp; String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000000D.00000000.3691273882.000001A8EBC6B000.00000004.sdmp; String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 0000000D.00000002.3983021879.000001A8EBC00000.00000004.sdmp; String found in binary or memory: https://login.live.com/ListSessions.srfw
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 0000000D.00000000.3676788153.000001A8EA956000.00000004.sdmp, svchost.exe, 0000000D.00000002.3976751856.000001A8EB849000.00000004.sdmp, svchost.exe, 0000000D.00000000.3683047379.000001A8EB7D0000.00000004.sdmp; String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000000D.00000002.3987705212.000001A8EBDC9000.00000004.sdmp; String found in binary or memory: https://login.live.com/RST2.srfll
Source: svchost.exe, 0000000D.00000000.3676788153.000001A8EA956000.00000004.sdmp, svchost.exe, 0000000D.00000002.3983021879.000001A8EBC00000.00000004.sdmp; String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000000D.00000002.3983021879.000001A8EBC00000.00000004.sdmp; String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000000D.00000002.3983021879.000001A8EBC00000.00000004.sdmp; String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000000D.00000000.3676788153.000001A8EA956000.00000004.sdmp, svchost.exe, 0000000D.00000002.3983021879.000001A8EBC00000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf%
Source: svchost.exe, 0000000D.00000000.3676788153.000001A8EA956000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfuer
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfnfig.xmle
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srfssuer
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000000D.00000002.3991702735.000001A8EC14B000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srfD05
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf05R_
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf622
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601an
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000D.00000000.3683047379.000001A8EB7D0000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cplStores
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000D.00000000.3676788153.000001A8EA956000.00000004.sdmp, svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000D.00000000.3676788153.000001A8EA956000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 0000000D.00000002.3974900962.000001A8EB785000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfer
Source: svchost.exe, 0000000D.00000000.3676788153.000001A8EA956000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srfsuer
Source: svchost.exe, 0000000D.00000000.3676788153.000001A8EA956000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp; String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfsuer
Source: svchost.exe, 0000000D.00000000.3676788153.000001A8EA956000.00000004.sdmp, svchost.exe, 0000000D.00000002.3983021879.000001A8EBC00000.00000004.sdmp; String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000D.00000002.3983021879.000001A8EBC00000.00000004.sdmp; String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000D.00000002.4001769591.000001A8EDF58000.00000004.sdmp; String found in binary or memory: https://login.windows.net
Source: svchost.exe, 0000000D.00000000.3691351740.000001A8EBC7C000.00000004.sdmp, svchost.exe, 0000000D.00000002.4001769591.000001A8EDF58000.00000004.sdmp; String found in binary or memory: https://login.windows.net/
Source: svchost.exe, 0000000D.00000002.4001769591.000001A8EDF58000.00000004.sdmp; String found in binary or memory: https://login.windows.net/6EDF
Source: svchost.exe, 0000000D.00000002.4001769591.000001A8EDF58000.00000004.sdmp; String found in binary or memory: https://login.windows.net/839
Source: svchost.exe, 0000000D.00000002.4001769591.000001A8EDF58000.00000004.sdmp; String found in binary or memory: https://login.windows.netB6EDF
Source: svchost.exe, 0000000D.00000002.3983021879.000001A8EBC00000.00000004.sdmp; String found in binary or memory: https://signup.live.com/signup.aspx
Source: svchost.exe, 0000000D.00000002.3976751856.000001A8EB849000.00000004.sdmp; String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000000D.00000002.4001769591.000001A8EDF58000.00000004.sdmp; String found in binary or memory: https://xsts.auth.xboxlive.com
Source: svchost.exe, 0000000D.00000002.4001769591.000001A8EDF58000.00000004.sdmp; String found in binary or memory: https://xsts.auth.xboxlive.com/
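
The Networking signatures above are the ones worth turning into indicators, and the call list of 2_2_00401960 is a textbook download-and-execute routine: InternetOpenUrlA and InternetReadFile fetch a body, GetTempPathA/GetTempFileNameA/CreateFileA/WriteFile store it, CreateProcessA runs it and DeleteFileA removes it. The Python below is an added example, not part of the Joe Sandbox report or of the sandbox's own tooling: it parses signature lines in the form this report renders them, pulls out the AV labels, created and deleted files, contacted IPs, DNS queries and URLs, and flags any code function whose call list contains that ordered API chain. The input lines are copied from this report and embedded as a constructed sample; SAMPLE_PROCESSES, DOWNLOAD_EXEC_CHAIN and the regular expressions are the example's own assumptions about the report format. One caveat it encodes: strings found in svchost.exe or consent.exe memory (the login.live.com, download.windowsupdate.com and OCSP/CRL URLs listed above) are Windows' own and are not indicators of this sample; only the tserv.exe string http://www4.cedesunjerinkas.com/chr/wtb/lt.exe is sample-sourced, which is consistent with what the download routine would fetch.

```python
import re

# Processes that belong to the sample: the submitted file and the copy it
# dropped. Strings found in other processes (svchost.exe, consent.exe) are
# Windows' own and are not indicators of this sample. (Example assumption.)
SAMPLE_PROCESSES = {"9Update-KB3734-x86.exe", "tserv.exe"}

# Ordered API subsequence behind the "download additional files" signature:
# fetch a URL, write the body to a temp file, run it, delete it.
DOWNLOAD_EXEC_CHAIN = ("InternetOpenUrlA", "InternetReadFile", "WriteFile",
                       "CreateProcessA", "DeleteFileA")

# Constructed input: signature lines copied from this report. The sandbox's
# HTML export fuses source and detail ("tserv.exeAvira: Label:"); the
# patterns below accept that form and a "source; detail" form alike.
REPORT_LINES = r"""
Source: C:\Windows\tserv.exeAvira: Label: WORM/Stration.C
Source: 9Update-KB3734-x86.exe; Avira: Label: WORM/Stration.C
Source: Joe Sandbox ViewIP Address: 104.47.9.33 104.47.9.33
Source: C:\Windows\tserv.exeCode function: 2_2_00401960 GetProcessHeap,RtlAllocateHeap,CloseHandle,Sleep,Sleep,InternetGetConnectedState,Sleep,InternetGetConnectedState,InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetTempPathA,GetTempFileNameA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,DeleteFileA,InternetCloseHandle,InternetCloseHandle,GetProcessHeap,RtlFreeHeap,2_2_00401960
Source: unknownDNS traffic detected: queries for: yahoo.com
Source: tserv.exe, 00000002.00000002.3594768696.0000000000830000.00000004.sdmpString found in binary or memory: http://www4.cedesunjerinkas.com/chr/wtb/lt.exe
Source: svchost.exe, 0000000D.00000002.3976751856.000001A8EB849000.00000004.sdmpString found in binary or memory: http://ocsp.digicert.com0:
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exeFile created: C:\Windows\tserv.exeJump to behavior
Source: C:\Windows\tserv.exe; File deleted: C:\Windows\tserv.wax
""".strip().splitlines()

_AV = re.compile(r"^Source: (?P<file>.+?);?\s*Avira: Label: (?P<label>\S+)$")
_IP = re.compile(r"Joe Sandbox View;?\s*IP Address: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
_DNS = re.compile(r"DNS traffic detected: queries for: (?P<name>\S+)$")
_URL = re.compile(r"^Source: (?P<proc>[^,]+), .+\.sdmp;?\s*String found in binary or memory: (?P<url>\S+)$")
_FILE = re.compile(r"^Source: (?P<proc>.+?);?\s*File (?P<op>created|deleted): (?P<path>.+?)(?:Jump to behavior)?$")
_FUNC = re.compile(r"Code function: (?P<fid>\d+_\d+_[0-9A-Fa-f]{8}) (?P<calls>[A-Za-z0-9_,]+?),?(?:(?P=fid))?$")


def has_ordered_subsequence(calls, chain):
    """True if every API in chain occurs in calls, in that relative order."""
    it = iter(calls)  # shared iterator: each search resumes after the previous hit
    return all(any(call == api for call in it) for api in chain)


def triage(lines):
    """Extract indicators from report signature lines, keyed by type."""
    iocs = {"av": [], "ips": [], "dns": [], "urls": [], "files": [], "download_exec": []}
    for line in lines:
        if m := _AV.match(line):
            iocs["av"].append((m["file"], m["label"]))
        elif m := _IP.search(line):
            iocs["ips"].append(m["ip"])  # the sandbox prints the IP twice; keep one
        elif m := _DNS.search(line):
            iocs["dns"].append(m["name"])
        elif m := _URL.match(line):
            if m["proc"] in SAMPLE_PROCESSES:  # drop Windows' own strings from system processes
                iocs["urls"].append(m["url"])
        elif m := _FILE.match(line):
            iocs["files"].append((m["op"], m["path"]))
        elif m := _FUNC.search(line):
            if has_ordered_subsequence(m["calls"].split(","), DOWNLOAD_EXEC_CHAIN):
                iocs["download_exec"].append(m["fid"])
    return iocs


if __name__ == "__main__":
    for kind, items in triage(REPORT_LINES).items():
        print(f"{kind}: {items}")
```

Two things to keep in mind when using the output. The warnings at the top of the report say it exceeded its maximum size and may be missing behaviour, so an indicator absent here is not evidence that the sample lacks it. And the two 104.47.x.x hits come from Joe Sandbox View's cross-sample correlation ("seen in connection with other malware"), which is weak evidence on its own for an address that many unrelated samples may contact; treat them as a lead, not as a block-list entry.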

System Summary:

Abnormal high CPU Usage
Source: C:\Windows\tserv.exe; Process Stats: CPU usage > 98%
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00423D83: QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError
Creates files inside the system directory
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; File created: C:\Windows\tserv.exe
Deletes files inside the Windows folder
Source: C:\Windows\tserv.exe; File deleted: C:\Windows\tserv.wax
Detected potential crypto function
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00411800
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_004108D0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040C8E0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040F0E9
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00410907
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00404110
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00409119
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040F1C7
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040C1D0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00404990
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_004091A7
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040E246
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00428A08
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00425214
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00405310
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00408BC0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00415BD0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0041B3D0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040DBF0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0041E3A0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00409436
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00409CF7
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0041BD00
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040EDE0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040DE56
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0041C660
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00410670
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040E676
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00409F47
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040EF78
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_0040FF30
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_2_00405F30
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00411800
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_004108D0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040C8E0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040F0E9
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00410907
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00404110
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00409119
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040F1C7
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040C1D0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00404990
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_004091A7
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040E246
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00428A08
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00425214
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00405310
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00408BC0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00415BD0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0041B3D0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040DBF0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0041E3A0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00409436
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00409CF7
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0041BD00
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040EDE0
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040DE56
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0041C660
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00410670
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040E676
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00409F47
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040EF78
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_0040FF30
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe; Code function: 0_1_00405F30
Source: C:\Windows\tserv.exe; Code function: 2_2_00404110
Source: C:\Windows\tserv.exe; Code function: 2_2_00415BD0
Source: C:\Windows\tserv.exe; Code function: 2_2_0041BD00
Source: C:\Windows\tserv.exe; Code function: 2_2_0041C660
Source: C:\Windows\tserv.exe; Code function: 2_2_00405F30
Source: C:\Windows\tserv.exe; Code function: 2_2_00411800
Source: C:\Windows\tserv.exe; Code function: 2_2_004108D0
Source: C:\Windows\tserv.exe; Code function: 2_2_0040C8E0
Source: C:\Windows\tserv.exe; Code function: 2_2_0040F0E9
Source: C:\Windows\tserv.exe; Code function: 2_2_00410907
Source: C:\Windows\tserv.exe; Code function: 2_2_00409119
Source: C:\Windows\tserv.exe; Code function: 2_2_0040F1C7
Source: C:\Windows\tserv.exeCode function: 2_2_0040C1D02_2_0040C1D0
Source: C:\Windows\tserv.exeCode function: 2_2_004049902_2_00404990
Source: C:\Windows\tserv.exeCode function: 2_2_004091A72_2_004091A7
Source: C:\Windows\tserv.exeCode function: 2_2_0040E2462_2_0040E246
Source: C:\Windows\tserv.exeCode function: 2_2_00428A082_2_00428A08
Source: C:\Windows\tserv.exeCode function: 2_2_004252142_2_00425214
Source: C:\Windows\tserv.exeCode function: 2_2_004053102_2_00405310
Source: C:\Windows\tserv.exeCode function: 2_2_00408BC02_2_00408BC0
Source: C:\Windows\tserv.exeCode function: 2_2_0041B3D02_2_0041B3D0
Source: C:\Windows\tserv.exeCode function: 2_2_0040DBF02_2_0040DBF0
Source: C:\Windows\tserv.exeCode function: 2_2_004094362_2_00409436
Source: C:\Windows\tserv.exeCode function: 2_2_00409CF72_2_00409CF7
Source: C:\Windows\tserv.exeCode function: 2_2_0040EDE02_2_0040EDE0
Source: C:\Windows\tserv.exeCode function: 2_2_0040DE562_2_0040DE56
Source: C:\Windows\tserv.exeCode function: 2_2_004106702_2_00410670
Source: C:\Windows\tserv.exeCode function: 2_2_0040E6762_2_0040E676
Source: C:\Windows\tserv.exeCode function: 2_2_00409F472_2_00409F47
Source: C:\Windows\tserv.exeCode function: 2_2_0040EF782_2_0040EF78
Source: C:\Windows\tserv.exeCode function: 2_2_0040FF302_2_0040FF30
Source: C:\Windows\tserv.exeCode function: 5_3_006E4E385_3_006E4E38
Source: C:\Windows\tserv.exeCode function: 5_3_006ECB0F5_3_006ECB0F
Source: C:\Windows\tserv.exeCode function: 5_3_006ECB0F5_3_006ECB0F
Source: C:\Windows\tserv.exeCode function: 5_3_006E4BAC5_3_006E4BAC
Source: C:\Windows\tserv.exeCode function: 5_3_006E4BAC5_3_006E4BAC
Source: C:\Windows\tserv.exeCode function: 5_3_006ECB0F5_3_006ECB0F
Source: C:\Windows\tserv.exeCode function: 5_3_006ECB0F5_3_006ECB0F
Source: C:\Windows\tserv.exeCode function: 5_3_006E4BAC5_3_006E4BAC
Source: C:\Windows\tserv.exeCode function: 5_3_006E4BAC5_3_006E4BAC
Found potential string decryption / allocating functions
Source: C:\Windows\tserv.exe | Code function: String function: 0042664C appears 45 times
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: String function: 0042664C appears 90 times
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: String function: 004274D6 appears 40 times
Reads the hosts file
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample reads its own file content
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | File read: C:\Users\user\Desktop\9Update-KB3734-x86.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: wow64log.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wow64log.dll
Classification label
Source: classification engine | Classification label: mal88.evad.winEXE@12/8@384/6
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\tserv.exe | Code function: 2_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle
Creates files inside the user directory
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | File created: C:\Users\user\Desktop\1EB0.tmp
PE file has an executable .text section and no other executable section
Source: 9Update-KB3734-x86.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Windows\System32\pcalua.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\9Update-KB3734-x86.exe 'C:\Users\user\Desktop\9Update-KB3734-x86.exe'
Source: unknown | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\1EB0.tmp
Source: unknown | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
Source: unknown | Process created: C:\Windows\System32\pcalua.exe C:\Windows\system32\pcalua.exe -a C:\Windows\tserv.exe -d C:\Windows -c s
Source: unknown | Process created: C:\Windows\tserv.exe unknown
Source: unknown | Process created: C:\Windows\System32\consent.exe consent.exe 1016 248 000001A8EC14EA40
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\1EB0.tmp
Source: C:\Windows\System32\pcalua.exe | Process created: C:\Windows\tserv.exe unknown
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0042647C push eax; ret 0_2_0042649A
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_004254B0 push eax; ret 0_2_004254C4
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_004254B0 push eax; ret 0_2_004254EC
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_00426687 push ecx; ret 0_2_00426697
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_0042647C push eax; ret 0_1_0042649A
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_004254B0 push eax; ret 0_1_004254C4
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_004254B0 push eax; ret 0_1_004254EC
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_00426687 push ecx; ret 0_1_00426697
Source: C:\Windows\tserv.exe | Code function: 2_2_0041E447 push ds; retf 2_2_0041E44D
Source: C:\Windows\tserv.exe | Code function: 2_2_0042647C push eax; ret 2_2_0042649A
Source: C:\Windows\tserv.exe | Code function: 2_2_004254B0 push eax; ret 2_2_004254C4
Source: C:\Windows\tserv.exe | Code function: 2_2_004254B0 push eax; ret 2_2_004254EC
Source: C:\Windows\tserv.exe | Code function: 2_2_0041E624 push ds; retf 2_2_0041E62A
Source: C:\Windows\tserv.exe | Code function: 2_2_00426687 push ecx; ret 2_2_00426697
Source: C:\Windows\tserv.exe | Code function: 5_3_006DA849 pushad ; iretd 5_3_006DA84A
Source: C:\Windows\tserv.exe | Code function: 5_3_006DD950 push ecx; iretd 5_3_006DD982

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\svchost.exe | Executable created and started: C:\Windows\tserv.exe
Drops PE files
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | File created: C:\Windows\tserv.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | File created: C:\Windows\tserv.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\tserv.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\consent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0040C1D0 rdtsc
Contains long sleeps (>= 3 min)
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Enumerates the file system
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-12752)
Source: C:\Windows\tserv.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_2-15630)
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-12686)
Source: C:\Windows\tserv.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_2-13334)
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | API coverage: 9.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\tserv.exe TID: 3988 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\tserv.exe TID: 3456 | Thread sleep count: 32 > 30
Source: C:\Windows\tserv.exe TID: 3456 | Thread sleep time: -960000s >= -30000s
Source: C:\Windows\tserv.exe TID: 4968 | Thread sleep time: -3600000s >= -30000s
Source: C:\Windows\tserv.exe TID: 2968 | Thread sleep count: 45 > 30
Source: C:\Windows\tserv.exe TID: 2968 | Thread sleep time: -1350000s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: C:\Windows\tserv.exe | Code function: 2_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Contains functionality to query system information
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: tserv.exe, 00000005.00000003.3280440470.00000000006E4000.00000004.sdmp | Binary or memory string: \??\c:\Windows\System32\WindowsPowerShell\v1.0\Modules\Hyper-V\2.0.0.0\*.*
Source: svchost.exe, 0000000D.00000000.3676100972.000001A8EA8B9000.00000004.sdmp | Binary or memory string: Hyper-V RAW`"
Source: svchost.exe, 0000000D.00000000.3684946295.000001A8EB8BA000.00000004.sdmp | Binary or memory string: "@Hyper-V RAW
Source: svchost.exe, 0000000D.00000000.3694918883.000001A8EBF50000.00000002.sdmp | Binary or memory string: Windows isn't running on a supported Microsoft Hyper-V virtualization platform.
Source: svchost.exe, 0000000D.00000000.3713030343.000001A8EE600000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 0000000D.00000002.3985984932.000001A8EBD43000.00000004.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000D.00000000.3713030343.000001A8EE600000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 0000000D.00000000.3713030343.000001A8EE600000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: tserv.exe, 00000002.00000002.3594768696.0000000000830000.00000004.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000000D.00000000.3713030343.000001A8EE600000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | API call chain: ExitProcess graph end node (graph_0-12753)

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Windows\WinSxS\FileMaps\$$.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\tserv.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0040C1D0 rdtsc
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_004210D0 GetProcessHeap,GetProcessHeap,HeapAlloc,RegOpenKeyExA,GetLastError,GetProcessHeap,HeapFree,RegCloseKey
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0042731A SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0042732E SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_0042731A SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_0042732E SetUnhandledExceptionFilter
Source: C:\Windows\tserv.exe | Code function: 2_2_0042731A SetUnhandledExceptionFilter
Source: C:\Windows\tserv.exe | Code function: 2_2_0042732E SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Process created / APC Queued / Resumed: C:\Windows\tserv.exe
Source: C:\Windows\System32\svchost.exe | Process created / APC Queued / Resumed: C:\Windows\tserv.exe
Allocates memory in foreign processes
Source: C:\Windows\System32\svchost.exe | Memory allocated: C:\Windows\tserv.exe base: 1B0000 protect: page read and write
Injects files into Windows application
Source: C:\Windows\SysWOW64\notepad.exe | Injected file: C:\Users\user\Desktop\1EB0.tmp was created by C:\Users\user\Desktop\9Update-KB3734-x86.exe
Writes to foreign memory regions
Source: C:\Windows\System32\consent.exe | Memory written: C:\Windows\System32\svchost.exe base: 61CF07ED38
Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\tserv.exe base: 1B0000
Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\tserv.exe base: 2682D8
Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\tserv.exe base: 2691E8
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\1EB0.tmp
Source: C:\Windows\System32\pcalua.exe | Process created: C:\Windows\tserv.exe unknown
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,HeapAlloc,HeapFree,RtlAllocateHeap,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,RtlAllocateHeap,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor
May try to detect the Windows Explorer process (often used for injection)
Source: notepad.exe, 00000003.00000002.3881821650.0000000003A50000.00000002.sdmp | Binary or memory string: Program Manager
Source: notepad.exe, 00000003.00000002.3881821650.0000000003A50000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 00000003.00000002.3881821650.0000000003A50000.00000002.sdmp | Binary or memory string: Progman
Source: notepad.exe, 00000003.00000002.3881821650.0000000003A50000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
Source: C:\Windows\tserv.exe | Code function: 2_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0042C8B2 GetLocaleInfoA
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_1_0042C8B2 GetLocaleInfoA
Source: C:\Windows\tserv.exe | Code function: 2_2_0042C8B2 GetLocaleInfoA
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\tserv.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\notepad.exe | Queries volume information: C:\Users\user\Desktop\1EB0.tmp VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_0040BE00 lstrlenA,GetLocalTime,GetTimeZoneInformation,lstrlenA
Contains functionality to query windows version
Source: C:\Users\user\Desktop\9Update-KB3734-x86.exe | Code function: 0_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA
Queries the cryptographic machine GUID
Source: C:\Windows\System32\consent.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: tserv.exe | Binary or memory string: MSASCui.exe
Source: tserv.exe | Binary or memory string: MsMpEng.exe

Behavior Graph

Behavior Graph ID: 96285 | Sample: 9Update-KB3734-x86.exe | Start date: 06/12/2018 | Architecture: WINDOWS | Score: 88

Signatures on the submitted sample:
  • Antivirus detection for submitted file
  • Antivirus detection for unpacked file

Processes started at the top level: 9Update-KB3734-x86.exe, consent.exe, tserv.exe, pcalua.exe

9Update-KB3734-x86.exe:
  • Dropped files: C:\Windows\tserv.exe (PE32), C:\Windows\tserv.exe:Zone.Identifier (ASCII), C:\Users\user\Desktop\1EB0.tmp (data)
  • Signatures: Contains functionality to inject threads in other processes; Early bird code injection technique detected
  • Started: tserv.exe, notepad.exe

consent.exe:
  • Signatures: Writes to foreign memory regions
  • Injected into: svchost.exe

tserv.exe (top level):
  • DNS/IP: 74.6.137.65, 25, 49803 (YAHOO-3-YahooUS, United States); 104.47.9.33, 25, 49810 (MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS, United States); 10 other IPs or domains

pcalua.exe:
  • Started: tserv.exe (two instances)

tserv.exe (started by 9Update-KB3734-x86.exe):
  • DNS/IP: mta6.am0.yahoodns.net 67.195.229.59, 25, 49793 (YAHOO-GQ1-YahooUS, United States); mta7.am0.yahoodns.net 66.218.85.139, 25, 49795, 49804 (YAHOO-3-YahooUS, United States); 8 other IPs or domains
  • Signatures: Contains functionality to inject threads in other processes; Antivirus detection for dropped file; Creates an undocumented autostart registry key

notepad.exe:
  • Signatures: Injects files into Windows application

svchost.exe (injected by consent.exe):
  • Signatures: Early bird code injection technique detected; Drops executables to the windows directory (C:\Windows) and starts them; Writes to foreign memory regions; Allocates memory in foreign processes

Simulations

Behavior and APIs

Time | Type | Description
22:43:44 | API Interceptor | 1250x Sleep call for process: 9Update-KB3734-x86.exe modified
22:43:50 | API Interceptor | 365x Sleep call for process: tserv.exe modified
22:44:04 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run tserv C:\Windows\tserv.exe s

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
9Update-KB3734-x86.exe | 100% | Avira | WORM/Stration.C

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\tserv.exe | 100% | Avira | WORM/Stration.C

Unpacked PE Files

Source | Detection | Scanner | Label
0.1.9Update-KB3734-x86.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
5.0.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
15.0.tserv.exe.400000.1.unpack | 100% | Avira | WORM/Stration.C
15.2.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
0.0.9Update-KB3734-x86.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
15.1.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
5.2.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
2.0.tserv.exe.400000.1.unpack | 100% | Avira | WORM/Stration.C
2.0.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
2.0.tserv.exe.400000.3.unpack | 100% | Avira | WORM/Stration.C
10.0.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
10.2.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
0.2.9Update-KB3734-x86.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
15.0.tserv.exe.400000.2.unpack | 100% | Avira | WORM/Stration.C
2.1.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
5.1.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
15.0.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
2.0.tserv.exe.400000.2.unpack | 100% | Avira | WORM/Stration.C
15.0.tserv.exe.400000.3.unpack | 100% | Avira | WORM/Stration.C
2.2.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection
104.47.0.33 | 25messag.exe | cdcdeab0cbd6e4b0a58a972d9847ba4b773777a69b4a96e07ca2a7504030a653 | malicious
 | 63test.log.exe | b228e316c1f41106e9101372474563afb2e17a4c95b567cc5d25e88127593191 | malicious
 | 13body.ms.exe | 64768055ecc1ff32ee0c48cfc2acd15e7c6f1b11ebf8e8ec1349e48d6f480b19 | malicious
 | 6Update-KB1546-x86.exe | 8cfca488b7e970275cd1418041be6663f05fbad0690f268ab71a9068a751d08c | malicious
 | 1Update-KB2640-x86.exe | 18b6cbce630200a40e4a7453a4bd0cae10a40dc79f391c5e402a9fc2cc8821d5 | malicious
 | 5docs.el.exe | 52e7bc4a8fe360d2b84d6b9c1d2d91b954b14e83c207682381765fb30ee50ee9 | malicious
 | 1Update-KB6609-x86.exe | feefe615e6e1d2af2b09d918c4c5d78a47ee9e4a41547ef69a97056da9238350 | malicious
 | 5Update-KB1734-x86.exe | 8cec251527332c9a233c622a49a3b238d23c70e136e659cf7557fce9a0820e10 | malicious
 | 1readme.da.exe | b6e25ff1d8cb1adf7f346204ecacb2e4a6a36807f40aa4a4fdd11e240bc37dd9 | malicious
 | 7text.elm.exe | 97f13db4d0e487357942d44fde87e0fbae72dd56cf0a1ecc687068f16b2c7085 | malicious
 | 15Update-KB7234-x86.exe | ecf1e8f51cf07a0583ce166df8a1e54b88ef65eddd05866db6582aea2af310f7 | malicious
 | 13Update-KB6000-x86.exe | aeae7f1ad1ebf1164858b0e5df62f5fa96898cc4d8b031b16359a96331d3abde | malicious
 | 18body.da.exe | 767e21b41cc5fbfb011b9d73ff64989460898863b302f98e3c99a42693ed70e1 | malicious
 | 20Update-KB5598-x86.exe | e13e7299c21ed9ed34894a993464f6b911fef2b53242e498841a6eace81d628f | malicious
 | 16Update-KB7062-x86.exe | 158583c7bb95641864ef5df56403e36c577bf095daf6d83f6413a9421ca465f8 | malicious
 | 11Update-KB1140-x86.exe | 89628a43d9b3d9fd2876cc1fca0a218d25567da0b8bca26e5533e592d53f7c1d | malicious
 | 68Update-KB6312-x86.exe | 49db4af0a837ac8b60868977275189d3f492dc30c805e7ab87d485ade438e6fb | malicious
 | 33Update-KB4031-x86.exe | e7964fd360bd2d34fd4e28375bc1d74dd4f082fcd84480d3a478dd888634a896 | malicious
 | .exe | d798bec236c012cf69aea2b4b0219aa8101c7938932da3cd14bb451d0f495417 | malicious
 | 20mai.exe | 052fb67a4256373dcffdf029ae5c8e2c9ab091db0d695a74f4d4012ffd303c72 | malicious
104.47.9.33 | 35Update-KB5111-x86.exe | 28239e44b20ebafd365c5ca95896ffee9d9443fb237f015af01aa411096e741f | malicious
 | 55.x.exe | d7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116b | malicious
 | 4test.log.exe | 4fe82253159922959725fffc4d3660a50697c9b29a8f778c18d305d24209cdfa | malicious
 | 17Update-KB5906-x86.exe | 49924968f0cea26e7692425e08b08aa5dd163f1914b372cfddaaef97813e2589 | malicious
 | 19docs.el.exe | 1f3ad42d2f051ae8a7130c123f59fe087462e2a5f4f834239e12b638b580de44 | malicious
 | 25Update-KB6546-x86.exe | 1ba6174b5780bad0e7284db6acc6e0f7c43c8cc8d4662d44a68ca1f1e51857c4 | malicious
 | 1readme.txt.exe | b4520d904b09acc77e64a712d78075f5b7b8e67cba123ecea4e6a0ecf9edef9f | malicious
 | 6Update-KB906-x86.exe | 0cbeb9dfc765dd944fed9c216de952a7e07621cba4f1f6e5968753ca58ad6457 | malicious
 | 16Update-KB7062-x86.exe | 158583c7bb95641864ef5df56403e36c577bf095daf6d83f6413a9421ca465f8 | malicious
 | 35body.lo.exe | ebb78749338f2983a16079314af54ff18e9ea14ecdc55ad6e89bcc3675b13a0f | malicious
 | 11Update-KB4828-x86.exe | 86772befebf2604ff48893d0adad0af8e7ac9566403dbab49a2c2bddac2e119b | malicious
 | 19Update-KB5812-x86.exe | 01478ef4169657e0d74f399209cbebf57a2e65f68ff13d5f937d9c1f3cae5700 | malicious
 | 31test.el.exe | 689bcd5cbb83e596440557168dd8df9e010684038153e533884fbf36f0290985 | malicious
 | 21Update-KB4265-x86.exe | b6b073a677d02cddf90992159ec3dcc6bd084e2179aae3d1d14dcc1c4461e026 | malicious
 | 11Update-KB9046-x86.exe | 0e307da55a3cfadb0b51bbe7760e591dcc2042e93d011a08f365fc9e41aaa346 | malicious
 | 7Update-KB3312-x86.exe | 6034f7908a7f9ef081ac2490b79a9667dff0133b32c21d67931c3804373969de | malicious
 | 9Update-KB9296-x86.exe | 1ec3b70f4a83211ebac402f4730b1824da62ed74974bd4dd4f089c7a4519a862 | malicious
 | 7Update-KB7796-x86.exe | 59e2f509a10f58c688d3d8ff2c4860a317b2481a04f6f8428d20c6e209592c67 | malicious
 | 9docs.lo.exe | c92897ba2134f3dffc0056ab77b38640a9e151f6b22cb7f661bc0691413d34e7 | malicious
 | 11Update-KB9281-x86.exe | 6f104dafcb6962b6b626d83c7489e8d853c521441b09be17ffa6abed111cb80a | malicious

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
mta7.am0.yahoodns.net | 21doc.el.exe | 7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976 | malicious | 74.6.137.63
 | .exe | db6369568b7de81e617bbe390490dc88ccd862e9e5bfcf117a522daeb0ccb156 | malicious | 98.136.102.54
 | 29Update-KB1750-x86.exe | 655ea4f24da22ac5572edec7f64bf74e0b48f24ba102cc3edb2f6db675251d1b | malicious | 98.136.102.54
 | 51Update-KB8281-x86.exe | f491c4a1e4ac2cb4dbc22e07af95b5630ab837263f4dc3ee1414fd7503a6404c | malicious | 98.136.102.54
 | 78doc.msg.exe | c577b6b3fadc5bed74eba616f7d7a55aa1308cd94709f7529046383d53784128 | malicious | 98.137.159.28
 | 23Update-KB3830-x86.exe | 8e96230adbb28f480a8478962b2ffebac366fa5d08aa3c2cf90e70103cd91392 | malicious | 98.137.159.28
 | 35Update-KB5111-x86.exe | 28239e44b20ebafd365c5ca95896ffee9d9443fb237f015af01aa411096e741f | malicious | 98.137.159.27
 | 23Update-KB3956-x86.exe | 2fba3d6f375b7b0c31f3329d158dde2bceb69f6da6af19d0fe01c4cf8a48ef9f | malicious | 98.136.102.55
 | 20Update-KB7452-x86.exe | fd74a860dca67bbc2b1f4490ae42e6b5764241cfb3ec619399706ae158461789 | malicious | 98.137.159.25
 | 19docs.tx.exe | 60682db3158fe13f7eacd23a088fc71ab479d726769837fd39e8ed3bb5389ab0 | malicious | 98.136.102.55
 | 55.x.exe | d7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116b | malicious | 74.6.137.65
 | 3Update-KB2248-x86.exe | e8deb13dba3ad1149414c2278b5552c42ae85b0c87bbe05f6065c1b279ecf5f2 | malicious | 98.137.159.24
 | 30Update-KB5046-x86.exe | f092fcfabfaa449ce7086c7aa2ae877594bc63bac2d41013aadeeb51386335d7 | malicious | 74.6.137.65
 | 56file.txt.exe | 0364075aa6ef1cb7b43634ff3a54386687fe3e3d11d5b9a38b764c1d3895b71e | malicious | 67.195.229.58
 | 63test.log.exe | b228e316c1f41106e9101372474563afb2e17a4c95b567cc5d25e88127593191 | malicious | 98.137.159.25
 | 5body.ms.exe | d490923e6b4b7ad9d5cffd25daf6c9fb0fcddc0eb1809747c0126471901475c3 | malicious | 98.137.159.28
 | 4test.log.exe | 4fe82253159922959725fffc4d3660a50697c9b29a8f778c18d305d24209cdfa | malicious | 98.137.159.26
 | 1Update-KB8062-x86.exe | c719e8677693ee14c834ade4be2c48cff932ccb1a6301b33c80746e2d98d4314 | malicious | 66.218.85.52
 | 17Update-KB2684-x86.exe | 4fe94d2df46f088396c4467c905d5eb1c86443eb1b1e5b43462477ad075b0103 | malicious | 98.137.159.25
 | 7Update-KB8734-x86.exe | ed7fa49063d2462bb1939f5d7ba3260ae481bfe7227113f2706be12aced4e5b1 | malicious | 74.6.137.63
mta6.am0.yahoodns.net | 21doc.el.exe | 7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976 | malicious | 98.137.159.26
 | 29Update-KB1750-x86.exe | 655ea4f24da22ac5572edec7f64bf74e0b48f24ba102cc3edb2f6db675251d1b | malicious | 67.195.229.58
 | 51Update-KB8281-x86.exe | f491c4a1e4ac2cb4dbc22e07af95b5630ab837263f4dc3ee1414fd7503a6404c | malicious | 98.136.102.55
 | 78doc.msg.exe | c577b6b3fadc5bed74eba616f7d7a55aa1308cd94709f7529046383d53784128 | malicious | 74.6.137.64
 | 23Update-KB3830-x86.exe | 8e96230adbb28f480a8478962b2ffebac366fa5d08aa3c2cf90e70103cd91392 | malicious | 98.136.102.54
 | 35Update-KB5111-x86.exe | 28239e44b20ebafd365c5ca95896ffee9d9443fb237f015af01aa411096e741f | malicious | 67.195.229.59
 | 23Update-KB3956-x86.exe | 2fba3d6f375b7b0c31f3329d158dde2bceb69f6da6af19d0fe01c4cf8a48ef9f | malicious | 98.136.101.117
 | 20Update-KB7452-x86.exe | fd74a860dca67bbc2b1f4490ae42e6b5764241cfb3ec619399706ae158461789 | malicious | 67.195.229.58
 | 19docs.tx.exe | 60682db3158fe13f7eacd23a088fc71ab479d726769837fd39e8ed3bb5389ab0 | malicious | 98.136.102.54
 | 55.x.exe | d7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116b | malicious | 98.137.159.28
 | 3Update-KB2248-x86.exe | e8deb13dba3ad1149414c2278b5552c42ae85b0c87bbe05f6065c1b279ecf5f2 | malicious | 98.137.159.24
 | 30Update-KB5046-x86.exe | f092fcfabfaa449ce7086c7aa2ae877594bc63bac2d41013aadeeb51386335d7 | malicious | 98.136.102.54
 | 56file.txt.exe | 0364075aa6ef1cb7b43634ff3a54386687fe3e3d11d5b9a38b764c1d3895b71e | malicious | 98.136.102.54
 | 63test.log.exe | b228e316c1f41106e9101372474563afb2e17a4c95b567cc5d25e88127593191 | malicious | 74.6.137.64
 | 5body.ms.exe | d490923e6b4b7ad9d5cffd25daf6c9fb0fcddc0eb1809747c0126471901475c3 | malicious | 67.195.228.141
 | 4test.log.exe | 4fe82253159922959725fffc4d3660a50697c9b29a8f778c18d305d24209cdfa | malicious | 98.136.101.117
 | 1Update-KB8062-x86.exe | c719e8677693ee14c834ade4be2c48cff932ccb1a6301b33c80746e2d98d4314 | malicious | 98.137.159.26
 | 70creditcar.exe | c7eebcfa941dfe6298e89b8353adfece14f4e54f8119956d8ab5cba75cdee8bb | malicious | 98.137.159.24
 | 17Update-KB2684-x86.exe | 4fe94d2df46f088396c4467c905d5eb1c86443eb1b1e5b43462477ad075b0103 | malicious | 67.195.228.141
 | 7Update-KB8734-x86.exe | ed7fa49063d2462bb1939f5d7ba3260ae481bfe7227113f2706be12aced4e5b1 | malicious | 74.6.137.64

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS | 53Cheque10741.pdf.z.exe | 454678e7cd95477d250dad1e987c1201f4e969d6bc20c3d987bcf75ddf1ff1ee | malicious | 40.97.128.226
 | 8b9eaeff00382210a583a0b5611c1d3f_976b00382cbb63c03e8fcd6677e4f973_Kovter.exe | 6a6b401888ec7f1f7b07cd714980f18e4b5afd456162e5061887b8255ea02e4a | malicious | 20.183.103.250
 | https://www.radioz.es/wp-includes/Text/ble/index.php?userid=billy.bubba@bubba.com | | malicious | 104.210.48.9
 | https://portalclient.echo-cloud.com/98059portal/echoapps/resetpassword.aspx?TOKEN=9A41646238CF73E33CAD1901574A1D6E6B846397B865375351414660CEB4725887E40D94F8324B21D450AC456109B9B1 | | malicious | 52.184.196.2
 | http://imprismail.com/affiliate/referral.asp?site=rea&url=pop/en/ukc/1&aff_id=5843_27027_19234_535127_1_357_ | | malicious | 104.41.152.17
 | https://buildingservices.lk/commonlogin/office/ | | malicious | 104.40.240.49
 | http://newsletter.promostelefoniica.com/t/j-l-ohddhhl-yhdkkudtit-r/ | | malicious | 40.101.49.98
 | Fax message.js | 1d50065b9cfcd52d914bd2bb6d1dcd3d1c71369fa5fc1a159048286e2e587061 | malicious | 13.107.6.151
 | VOvcoUgiuE.exe | beacce69d92bb6616e7595f10227f435ae6cf790fbb08a5498c4e6e55d34faac | malicious | 204.95.99.26
 | https://lojassantoantonio.com.br/reuin.htm | | malicious | 40.101.52.146
 | https://hpe-my.sharepoint.com/personal/gregory_park_hpe_com/_layouts/15/acceptinvite.aspx?invitation=%7B28F341CB%2DC685%2D4C81%2DA431%2D3DCFD62ACA39%7D&listId=f6f66c8c%2Decde%2D4889%2D9db0%2Dc07836c6c461&itemId=5d52ebe1%2Dbf49%2D49d3%2D8d0c%2Dd5ae9a222baf | | malicious | 207.46.194.14
 | http://swoba.org/den/lion/office/ | | malicious | 104.40.240.50
 | https://gihi.mx/secure/index.htm | | malicious | 13.107.18.11
 | https://myfrenchclub.in/includes/hospital/office/index.html | | malicious | 104.45.0.18
 | http://360cdlsolutions.com/olopa/drama/day/office/index.html | | malicious | 104.42.72.16
 | DSC07654.pdf | 01d72ab31167612ed4fa12232a37cf68fd5a8f7b5a3633407e7597f1d4e7e012 | malicious | 204.79.197.213
 | 4b6FzLDmnD.exe | 5b4f0bf0c96806c6dd41a7e4b3f5660fad6bf1cd6e9df40982df614ba3fe68c5 | malicious | 52.175.226.120
 | Dear Account Owner.pdf | 209e4819fd4c3c02e99eed15d06ca91f3d11100a304b31694e9c11c76298502e | malicious | 65.54.226.141
 | MLmYmJFbrS.exe | 40b70f320bb31220d559f4f06410b91048e8d92911f28f4d6c51cd9f582ce081 | malicious | 52.175.226.120
 | http://dn.bytefence.com/rtop_setup.exe | | malicious | 191.237.32.214

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.