
Analysis Report 23file.log.scr

Overview

General Information

Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 96291
Start date: 06.12.2018
Start time: 23:02:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 23file.log.scr (renamed file extension from scr to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.evad.winEXE@12/8@427/13
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 97.1%)
  • Quality average: 84.2%
  • Quality standard deviation: 23%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 93
  • Number of non-executed functions: 122
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, RuntimeBroker.exe, conhost.exe, CompatTelRunner.exe
  • Execution Graph export aborted for target tserv.exe, PID 3808 because there are no executed functions
  • Execution Graph export aborted for target tserv.exe, PID 4204 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 92
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



MITRE ATT&CK Matrix

Techniques are listed per tactic; the bracketed digits are the signature hit markers shown in the report next to a matched technique.

Initial Access
  • Valid Accounts
  • Replication Through Removable Media
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
Execution
  • Execution through Module Load [1]
  • Service Execution
  • Windows Management Instrumentation
  • Scheduled Task
  • Command-Line Interface
Persistence
  • Registry Run Keys / Start Folder [1]
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
Privilege Escalation
  • Process Injection [211]
  • Accessibility Features
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
Defense Evasion
  • Masquerading [1]
  • Software Packing [1]
  • Disabling Security Tools [1]
  • Process Injection [211]
  • Obfuscated Files or Information [2]
Credential Access
  • Input Capture [1]
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
Discovery
  • Process Discovery [1]
  • Security Software Discovery [31]
  • Remote System Discovery [1]
  • File and Directory Discovery [1]
  • System Information Discovery [23]
Lateral Movement
  • Application Deployment Software
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
Collection
  • Input Capture [1]
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
Exfiltration
  • Data Compressed
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
Command and Control
  • Standard Cryptographic Protocol [1]
  • Standard Non-Application Layer Protocol [1]
  • Standard Application Layer Protocol [1]
  • Multiband Communication
  • Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: C:\Windows\tserv.exe | Avira: Label: WORM/Stration.C
Antivirus detection for submitted file
Source: 23file.lo.exe | Avira: Label: WORM/Stration.C
Antivirus detection for unpacked file
Source: 11.0.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 3.0.tserv.exe.400000.1.unpack | Avira: Label: WORM/Stration.C
Source: 16.2.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 1.0.23file.log.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 3.0.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 3.2.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 16.0.tserv.exe.400000.2.unpack | Avira: Label: WORM/Stration.C
Source: 1.2.23file.log.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 11.2.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 1.1.23file.log.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 16.0.tserv.exe.400000.1.unpack | Avira: Label: WORM/Stration.C
Source: 16.0.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 16.0.tserv.exe.400000.3.unpack | Avira: Label: WORM/Stration.C
Source: 3.0.tserv.exe.400000.3.unpack | Avira: Label: WORM/Stration.C
Source: 6.2.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 3.1.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 16.1.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 6.1.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 6.0.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
Source: 3.0.tserv.exe.400000.2.unpack | Avira: Label: WORM/Stration.C

Spreading:

Enumerates the file system
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose,1_2_00406360
Source: C:\Windows\tserv.exe | Code function: 6_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose,6_2_00406360
Source: C:\Windows\tserv.exe | Code function: 11_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose,11_2_00406360

Networking:

Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 67.27.233.126
Source: unknown | TCP traffic detected without corresponding DNS query: 67.27.233.126
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 74.6.137.63
Contains functionality to download additional files from the internet
Source: C:\Windows\tserv.exe | Code function: 6_2_00401960 GetProcessHeap,RtlAllocateHeap,CloseHandle,Sleep,Sleep,InternetGetConnectedState,Sleep,InternetGetConnectedState,InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetTempPathA,GetTempFileNameA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,DeleteFileA,InternetCloseHandle,InternetCloseHandle,GetProcessHeap,RtlFreeHeap,6_2_00401960
Found strings which match to known social media urls
Source: svchost.exe, 0000000E.00000002.4478651096.000002D31D724000.00000004.sdmp | String found in binary or memory: @Outlook.com, Hotmail, Live.com, MSN equals www.hotmail.com (Hotmail)
Source: svchost.exe, 0000000E.00000000.3975290513.000002D31C97D000.00000004.sdmp | String found in binary or memory: .hotmail.com1&0 equals www.hotmail.com (Hotmail)
Source: tserv.exe, 00000006.00000003.3862413493.0000000002158000.00000004.sdmp | String found in binary or memory: facebook.com equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000E.00000000.3975290513.000002D31C97D000.00000004.sdmp | String found in binary or memory: hotmail.co.uk1 equals www.hotmail.com (Hotmail)
Source: tserv.exe, 00000006.00000003.3862729745.00000000022C6000.00000004.sdmp, tserv.exe, 00000010.00000002.4529323910.0000000002205000.00000004.sdmp | String found in binary or memory: hotmail.com equals www.hotmail.com (Hotmail)
Source: svchost.exe, 0000000E.00000000.3975290513.000002D31C97D000.00000004.sdmp | String found in binary or memory: hotmail.com1 equals www.hotmail.com (Hotmail)
Source: tserv.exe, 00000006.00000003.3862729745.00000000022C6000.00000004.sdmp, tserv.exe, 00000010.00000002.4529323910.0000000002205000.00000004.sdmp | String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Source: tserv.exe, 00000006.00000003.3862729745.00000000022C6000.00000004.sdmp, tserv.exe, 00000010.00000002.4529323910.0000000002205000.00000004.sdmp | String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: yahoo.com
Urls found in memory or binary data
Source: svchost.exe, 0000000E.00000002.4499645382.000002D320F00000.00000002.sdmp | String found in binary or memory: http://blogs.technet.com/b/ime/
Source: consent.exe, 0000000C.00000003.4042522807.000001C3F26A5000.00000004.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000E.00000000.3976816836.000002D31CA3A000.00000004.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2014/10/imjpzp_7735dba7ac13b0023
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/01/mpsigstub_a92fa1376c528b
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/06/updateplatform_b64be2e15
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_base_acd8007dbe3781fd
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_base_patch1_9318b0429
Source: svchost.exe, 0000000E.00000000.4033214386.000002D321454000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_delta_1b45d79b6f282b2
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_delta_24b68721eaa8685
Source: svchost.exe, 0000000E.00000000.4033214386.000002D321454000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_delta_2600c1a3b00c4fd
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_engine_53e243622a8b00
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/am_engine_patch_1.1.1490
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/defu/2018/07/mpsigstub_f803292685aff7
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/secu/2018/05/windows10.0-kb4103729-x6
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/04/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/05/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/06/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/07/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000E.00000000.4033214386.000002D321454000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/08/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000E.00000000.4033214386.000002D321454000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/10/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000E.00000000.4033214386.000002D321454000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/c/msdownload/update/software/uprl/2018/11/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2015/09/imjpnw_1b6f125e7c114cbd1
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2015/09/imjpst_edf0c36b1f1ddd3d3
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_2ab5d141b47cf9e
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_34bdba467ce02c0
Source: svchost.exe, 0000000E.00000000.4033214386.000002D321454000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_76e885a60e46f95
Source: svchost.exe, 0000000E.00000000.4033214386.000002D321454000.00000002.sdmp, svchost.exe, 0000000E.00000000.4026316279.000002D32126C000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_7d8c7a293002823
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.103
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.104
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.105
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.106
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.107
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.108
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.109
Source: svchost.exe, 0000000E.00000002.4514535480.000002D3213C0000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.110
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.800
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.804
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.811
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.824
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.849
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.859
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.864
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/defu/2018/07/am_delta_patch_1.271.870
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/dflt/2018/07/am_base_patch1_d3a98250a
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/dflt/2018/07/am_engine_6f532ea78f37c9
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4287903-x6
Source: svchost.exe, 0000000E.00000002.4491877495.000002D320C40000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/secu/2018/06/windows10.0-kb4338832-x6
Source: svchost.exe, 0000000E.00000000.4033214386.000002D321454000.00000002.sdmp | String found in binary or memory: http://download.windowsupdate.com/d/msdownload/update/software/uprl/2018/09/windows-kb890830-x64-v5.
Source: svchost.exe, 0000000E.00000000.3976816836.000002D31CA3A000.00000004.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 0000000E.00000000.3961031860.000002D31BD6A000.00000004.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: svchost.exe, 0000000E.00000000.3976816836.000002D31CA3A000.00000004.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 0000000E.00000000.3961031860.000002D31BD6A000.00000004.sdmp | String found in binary or memory: http://passport.net/tb
Source: tserv.exe, 00000003.00000003.3729230954.0000000000723000.00000004.sdmp | String found in binary or memory: http://www4.F
Source: tserv.exe, 00000003.00000003.3340318466.000000000071E000.00000004.sdmp | String found in binary or memory: http://www4.cede
Source: tserv.exe, 00000003.00000003.3340318466.000000000071E000.00000004.sdmp | String found in binary or memory: http://www4.cedesunjerin
Source: tserv.exe, 00000003.00000003.3340318466.000000000071E000.00000004.sdmp | String found in binary or memory: http://www4.cedesunjerinkas.
Source: tserv.exe | String found in binary or memory: http://www4.cedesunjerinkas.com/chr/wtb/lt.exe
Source: tserv.exe, 00000003.00000003.3340151763.000000000072A000.00000004.sdmp | String found in binary or memory: http://www4.cedesunjerinkas.com/chr/wtb/lt.exe1
Source: tserv.exe, 00000003.00000003.3340318466.000000000071E000.00000004.sdmp | String found in binary or memory: http://www4.cedesunjerinkas.com/chr/wtb/lt.exec
Source: tserv.exe, 00000006.00000003.3491335487.000000000068B000.00000004.sdmp | String found in binary or memory: http://wwwsvchost.exe
Source: svchost.exe, 0000000E.00000002.4463431674.000002D31C400000.00000004.sdmp | String found in binary or memory: https:///WAB-23B4D62B-952A-47E7-969C-B95DBF145D3D.local
Source: svchost.exe, 0000000E.00000000.3990454679.000002D31D713000.00000004.sdmp | String found in binary or memory: https:///live.com
Source: svchost.exe, 0000000E.00000000.3990454679.000002D31D713000.00000004.sdmp | String found in binary or memory: https:///windows.net
Source: svchost.exe, 0000000E.00000000.3990454679.000002D31D713000.00000004.sdmp | String found in binary or memory: https:///xboxlive.com
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600ssuer
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000E.00000000.3960461511.000002D31BD00000.00000004.sdmp | String found in binary or memory: https://account.live.com/msangcwam
Source: svchost.exe, 0000000E.00000000.3990454679.000002D31D713000.00000004.sdmp | String found in binary or memory: https://login.live.com
Source: svchost.exe, 0000000E.00000000.3990454679.000002D31D713000.00000004.sdmp, svchost.exe, 0000000E.00000002.4478651096.000002D31D724000.00000004.sdmp | String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000E.00000002.4465168939.000002D31C475000.00000004.sdmp | String found in binary or memory: https://login.live.com/ApproveSession.srfsionp
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502ys
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601er
Source: svchost.exe, 0000000E.00000000.3960461511.000002D31BD00000.00000004.sdmp | String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 0000000E.00000000.3961031860.000002D31BD6A000.00000004.sdmp | String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 0000000E.00000002.4465168939.000002D31C475000.00000004.sdmp | String found in binary or memory: https://login.live.com/ManageLoginKeys.srfp32
Source: svchost.exe, 0000000E.00000000.3991212506.000002D31D7B6000.00000004.sdmp, svchost.exe, 0000000E.00000002.4445238753.000002D31AEA2000.00000004.sdmp | String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 0000000E.00000002.4454593154.000002D31BD4B000.00000004.sdmp | String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 0000000E.00000000.3960461511.000002D31BD00000.00000004.sdmp | String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 0000000E.00000000.3960461511.000002D31BD00000.00000004.sdmp | String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 0000000E.00000002.4454593154.000002D31BD4B000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srfIssuer
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srfl
Source: svchost.exe, 0000000E.00000000.3961031860.000002D31BD6A000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfmeters
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 0000000E.00000000.3997892477.000002D31EF19000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 0000000E.00000002.4465168939.000002D31C475000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfP
Source: svchost.exe, 0000000E.00000002.4469402326.000002D31C94C000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cplive.com
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srfion.exe
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600suer
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srffig.xmlue
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502Issuer
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600Issuer
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 0000000E.00000000.3961031860.000002D31BD6A000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 0000000E.00000000.3961031860.000002D31BD6A000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 0000000E.00000000.3961031860.000002D31BD6A000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 0000000E.00000000.3975709343.000002D31C9DB000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srfer
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 0000000E.00000002.4456776453.000002D31BE84000.00000004.sdmp | String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfdFrom
Source: svchost.exe, 0000000E.00000002.4454593154.000002D31BD4B000.00000004.sdmp | String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 0000000E.00000000.3960461511.000002D31BD00000.00000004.sdmp | String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 0000000E.00000002.4478651096.000002D31D724000.00000004.sdmp | String found in binary or memory: https://login.windows.net
Source: svchost.exe, 0000000E.00000002.4478651096.000002D31D724000.00000004.sdmp | String found in binary or memory: https://login.windows.net/
Source: svchost.exe, 0000000E.00000002.4478651096.000002D31D724000.00000004.sdmp | String found in binary or memory: https://login.windows.net592B4
Source: svchost.exe, 0000000E.00000000.3960461511.000002D31BD00000.00000004.sdmp | String found in binary or memory: https://signup.live.com/signup.aspx
Source: svchost.exe, 0000000E.00000000.3976816836.000002D31CA3A000.00000004.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 0000000E.00000002.4478651096.000002D31D724000.00000004.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com
Source: svchost.exe, 0000000E.00000002.4478651096.000002D31D724000.00000004.sdmp | String found in binary or memory: https://xsts.auth.xboxlive.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 23file.log.exe, 00000001.00000002.3199928438.00000000006CA000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00423D83: QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError
Creates files inside the system directory
Source: C:\Users\user\Desktop\23file.log.exe | File created: C:\Windows\tserv.exe
Deletes files inside the Windows folder
Source: C:\Windows\tserv.exe | File deleted: C:\Windows\tserv.wax
Detected potential crypto function
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00411800
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_004108D0
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040C8E0
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040F0E9
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00410907
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00404110
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00409119
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040F1C7
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040C1D0
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00404990
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_004091A7
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040E246
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00428A08
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00425214
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00405310
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00408BC0
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00415BD0
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0041B3D0
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040DBF0
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0041E3A0
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00409436
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00409CF7
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0041BD00
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040EDE0
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040DE56
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0041C660
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00410670
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040E676
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00409F47
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040EF78
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040FF30
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00405F30
Source: C:\Windows\tserv.exe | Code function: 6_2_00404110
Source: C:\Windows\tserv.exe | Code function: 6_2_00415BD0
Source: C:\Windows\tserv.exe | Code function: 6_2_0041BD00
Source: C:\Windows\tserv.exe | Code function: 6_2_0041C660
Source: C:\Windows\tserv.exe | Code function: 6_2_00405F30
Source: C:\Windows\tserv.exe | Code function: 6_2_00411800
Source: C:\Windows\tserv.exe | Code function: 6_2_004108D0
Source: C:\Windows\tserv.exe | Code function: 6_2_0040C8E0
Source: C:\Windows\tserv.exe | Code function: 6_2_0040F0E9
Source: C:\Windows\tserv.exe | Code function: 6_2_00410907
Source: C:\Windows\tserv.exe | Code function: 6_2_00409119
Source: C:\Windows\tserv.exe | Code function: 6_2_0040F1C7
Source: C:\Windows\tserv.exe | Code function: 6_2_0040C1D0
Source: C:\Windows\tserv.exe | Code function: 6_2_00404990
Source: C:\Windows\tserv.exe | Code function: 6_2_004091A7
Source: C:\Windows\tserv.exe | Code function: 6_2_0040E246
Source: C:\Windows\tserv.exe | Code function: 6_2_00428A08
Source: C:\Windows\tserv.exe | Code function: 6_2_00425214
Source: C:\Windows\tserv.exe | Code function: 6_2_00405310
Source: C:\Windows\tserv.exe | Code function: 6_2_00408BC0
Source: C:\Windows\tserv.exe | Code function: 6_2_0041B3D0
Source: C:\Windows\tserv.exe | Code function: 6_2_0040DBF0
Source: C:\Windows\tserv.exe | Code function: 6_2_0041E3A0
Source: C:\Windows\tserv.exe | Code function: 6_2_00409436
Source: C:\Windows\tserv.exe | Code function: 6_2_00409CF7
Source: C:\Windows\tserv.exe | Code function: 6_2_0040EDE0
Source: C:\Windows\tserv.exe | Code function: 6_2_0040DE56
Source: C:\Windows\tserv.exe | Code function: 6_2_00410670
Source: C:\Windows\tserv.exe | Code function: 6_2_0040E676
Source: C:\Windows\tserv.exe | Code function: 6_2_00409F47
Source: C:\Windows\tserv.exe | Code function: 6_2_0040EF78
Source: C:\Windows\tserv.exe | Code function: 6_2_0040FF30
Source: C:\Windows\tserv.exe | Code function: 11_2_00411800
Source: C:\Windows\tserv.exe | Code function: 11_2_004108D0
Source: C:\Windows\tserv.exe | Code function: 11_2_0040C8E0
Source: C:\Windows\tserv.exe | Code function: 11_2_0040F0E9
Source: C:\Windows\tserv.exe | Code function: 11_2_00410907
Source: C:\Windows\tserv.exe | Code function: 11_2_00404110
Source: C:\Windows\tserv.exe | Code function: 11_2_00409119
Source: C:\Windows\tserv.exe | Code function: 11_2_0040F1C7
Source: C:\Windows\tserv.exe | Code function: 11_2_0040C1D0
Source: C:\Windows\tserv.exe | Code function: 11_2_00404990
Source: C:\Windows\tserv.exe | Code function: 11_2_004091A7
Source: C:\Windows\tserv.exe | Code function: 11_2_0040E246
Source: C:\Windows\tserv.exe | Code function: 11_2_00428A08
Source: C:\Windows\tserv.exe | Code function: 11_2_00425214
Source: C:\Windows\tserv.exe | Code function: 11_2_00405310
Source: C:\Windows\tserv.exe | Code function: 11_2_00408BC0
Source: C:\Windows\tserv.exe | Code function: 11_2_00415BD0
Source: C:\Windows\tserv.exe | Code function: 11_2_0041B3D0
Source: C:\Windows\tserv.exe | Code function: 11_2_0040DBF0
Source: C:\Windows\tserv.exe | Code function: 11_2_0041E3A0
Source: C:\Windows\tserv.exe | Code function: 11_2_00409436
Source: C:\Windows\tserv.exe | Code function: 11_2_00409CF7
Source: C:\Windows\tserv.exe | Code function: 11_2_0041BD00
Source: C:\Windows\tserv.exe | Code function: 11_2_0040EDE0
Source: C:\Windows\tserv.exe | Code function: 11_2_0040DE56
Source: C:\Windows\tserv.exe | Code function: 11_2_0041C660
Source: C:\Windows\tserv.exe | Code function: 11_2_00410670
Source: C:\Windows\tserv.exe | Code function: 11_2_0040E676
Source: C:\Windows\tserv.exe | Code function: 11_2_00409F47
Source: C:\Windows\tserv.exe | Code function: 11_2_0040EF78
Source: C:\Windows\tserv.exe | Code function: 11_2_0040FF30
Source: C:\Windows\tserv.exe | Code function: 11_2_00405F30
Found potential string decryption / allocating functions
Source: C:\Windows\tserv.exe | Code function: String function: 0042664C appears 90 times
Source: C:\Windows\tserv.exe | Code function: String function: 004274D6 appears 40 times
Source: C:\Users\user\Desktop\23file.log.exe | Code function: String function: 0042664C appears 45 times
Reads the hosts file
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Tries to load missing DLLs
Source: C:\Users\user\Desktop\23file.log.exe | Section loaded: wow64log.dll
Source: C:\Users\user\Desktop\23file.log.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: wow64log.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wow64log.dll
Source: C:\Windows\tserv.exe | Section loaded: wow64log.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: wow64log.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Classification label
Source: classification engine | Classification label: mal92.evad.winEXE@12/8@427/13
Contains functionality to adjust token privileges (e.g. debug / backup)
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\tserv.exe | Code function: 6_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\tserv.exe | Code function: 11_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Contains functionality to enum processes or threads
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle
Creates files inside the user directory
Source: C:\Users\user\Desktop\23file.log.exe | File created: C:\Users\user\Desktop\DE46.tmp
PE file has an executable .text section and no other executable section
Source: 23file.lo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Windows\System32\pcalua.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\23file.log.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments (.Net)
Source: tserv.exe | String found in binary or memory: \??\c:\Windows\WinSxS\x86_netfx4-installsqlstate_sql_b03f5f7f11d50a3a_4.0.15671.0_none_5ca0896abf3a8f2d\*.*
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\23file.log.exe 'C:\Users\user\Desktop\23file.log.exe'
Source: unknown | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\DE46.tmp
Source: unknown | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
Source: unknown | Process created: C:\Windows\System32\pcalua.exe C:\Windows\system32\pcalua.exe -a C:\Windows\tserv.exe -d C:\Windows -c s
Source: unknown | Process created: C:\Windows\tserv.exe unknown
Source: unknown | Process created: C:\Windows\System32\consent.exe consent.exe 1012 248 000002D31C955D20
Source: unknown | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
Source: C:\Users\user\Desktop\23file.log.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\23file.log.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\DE46.tmp
Source: C:\Windows\System32\pcalua.exe | Process created: C:\Windows\tserv.exe unknown
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0042647C push eax; ret 1_2_0042649A
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_004254B0 push eax; ret 1_2_004254C4
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_004254B0 push eax; ret 1_2_004254EC
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00426687 push ecx; ret 1_2_00426697
Source: C:\Windows\tserv.exe | Code function: 3_2_006A4D09 push eax; iretd 3_2_006A4D11
Source: C:\Windows\tserv.exe | Code function: 3_2_006A0C90 pushad ; retn 006Bh 3_2_006A0C91
Source: C:\Windows\tserv.exe | Code function: 6_2_0042647C push eax; ret 6_2_0042649A
Source: C:\Windows\tserv.exe | Code function: 6_2_004254B0 push eax; ret 6_2_004254C4
Source: C:\Windows\tserv.exe | Code function: 6_2_004254B0 push eax; ret 6_2_004254EC
Source: C:\Windows\tserv.exe | Code function: 6_2_00426687 push ecx; ret 6_2_00426697
Source: C:\Windows\tserv.exe | Code function: 11_2_0042647C push eax; ret 11_2_0042649A
Source: C:\Windows\tserv.exe | Code function: 11_2_004254B0 push eax; ret 11_2_004254C4
Source: C:\Windows\tserv.exe | Code function: 11_2_004254B0 push eax; ret 11_2_004254EC
Source: C:\Windows\tserv.exe | Code function: 11_2_00426687 push ecx; ret 11_2_00426697

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\svchost.exe | Executable created and started: C:\Windows\tserv.exe
Drops PE files
Source: C:\Users\user\Desktop\23file.log.exe | File created: C:\Windows\tserv.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\23file.log.exe | File created: C:\Windows\tserv.exe

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\tserv.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: lo.exe | Static PE information: 23file.lo.exe
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\pcalua.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\consent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\consent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040C1D0 rdtsc
Contains long sleeps (>= 3 min)
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Enumerates the file system
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\23file.log.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_1-12752)
Source: C:\Windows\tserv.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_6-15403)
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\23file.log.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_1-12686)
Source: C:\Windows\tserv.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_6-12933)
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\23file.log.exe | API coverage: 9.3 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\tserv.exe TID: 4328 | Thread sleep time: -300000s >= -30000s
Source: C:\Windows\tserv.exe TID: 64 | Thread sleep time: -900000s >= -30000s
Source: C:\Windows\tserv.exe TID: 1328 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\tserv.exe TID: 3832 | Thread sleep count: 39 > 30
Source: C:\Windows\tserv.exe TID: 3832 | Thread sleep time: -1170000s >= -30000s
Source: C:\Windows\tserv.exe TID: 2472 | Thread sleep time: -3000000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\tserv.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: C:\Windows\tserv.exe | Code function: 6_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Source: C:\Windows\tserv.exe | Code function: 11_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Contains functionality to query system information
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: tserv.exe | Binary or memory string: c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Hyper-V\*.*
Source: svchost.exe, 0000000E.00000000.3995876603.000002D31EB60000.00000002.sdmp | Binary or memory string: Windows isn't running on a supported Microsoft Hyper-V virtualization platform.
Source: svchost.exe, 0000000E.00000002.4482963954.000002D31EA00000.00000002.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: tserv.exe, svchost.exe, 0000000E.00000002.4445134925.000002D31AE8B000.00000004.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000E.00000002.4482963954.000002D31EA00000.00000002.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 0000000E.00000002.4482963954.000002D31EA00000.00000002.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000E.00000000.3965741193.000002D31BF17000.00000004.sdmp | Binary or memory string: Hyper-V RAW @a
Source: svchost.exe, 0000000E.00000002.4482963954.000002D31EA00000.00000002.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\Desktop\23file.log.exe | API call chain: ExitProcess graph end node (graph_1-12753)

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\System32\pcalua.exe | File opened: C:\Windows\WinSxS\FileMaps\$$.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\tserv.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040C1D0 rdtsc
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_004210D0 GetProcessHeap,GetProcessHeap,HeapAlloc,RegOpenKeyExA,GetLastError,GetProcessHeap,HeapFree,RegCloseKey
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0042731A SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0042732E SetUnhandledExceptionFilter
Source: C:\Windows\tserv.exe | Code function: 6_2_0042731A SetUnhandledExceptionFilter
Source: C:\Windows\tserv.exe | Code function: 6_2_0042732E SetUnhandledExceptionFilter
Source: C:\Windows\tserv.exe | Code function: 11_2_0042731A SetUnhandledExceptionFilter
Source: C:\Windows\tserv.exe | Code function: 11_2_0042732E SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected
Source: C:\Users\user\Desktop\23file.log.exe | Process created / APC Queued / Resumed: C:\Windows\tserv.exe
Source: C:\Windows\System32\svchost.exe | Process created / APC Queued / Resumed: C:\Windows\tserv.exe
Allocates memory in foreign processes
Source: C:\Windows\System32\svchost.exe | Memory allocated: C:\Windows\tserv.exe base: 1B0000 protect: page read and write
Injects files into Windows application
Source: C:\Windows\SysWOW64\notepad.exe | Injected file: C:\Users\user\Desktop\DE46.tmp was created by C:\Users\user\Desktop\23file.log.exe
Writes to foreign memory regions
Source: C:\Windows\System32\consent.exe | Memory written: C:\Windows\System32\svchost.exe base: E6B0AFE608
Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\tserv.exe base: 1B0000
Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\tserv.exe base: 3132D8
Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\tserv.exe base: 3141E8
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\23file.log.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
Source: C:\Users\user\Desktop\23file.log.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\DE46.tmp
Source: C:\Windows\System32\pcalua.exe | Process created: C:\Windows\tserv.exe unknown
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,RtlAllocateHeap,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,RtlAllocateHeap,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor
May try to detect the Windows Explorer process (often used for injection)
Source: notepad.exe, 00000004.00000002.4373586122.0000000003AF0000.00000002.sdmp, tserv.exe, 00000010.00000002.4528754255.0000000000C80000.00000002.sdmp | Binary or memory string: Program Managere
Source: notepad.exe, 00000004.00000002.4373586122.0000000003AF0000.00000002.sdmp, tserv.exe, 00000010.00000002.4528754255.0000000000C80000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 00000004.00000002.4373586122.0000000003AF0000.00000002.sdmp, tserv.exe, 00000010.00000002.4528754255.0000000000C80000.00000002.sdmp | Binary or memory string: Progman
Source: notepad.exe, 00000004.00000002.4373586122.0000000003AF0000.00000002.sdmp, tserv.exe, 00000010.00000002.4528754255.0000000000C80000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
Source: C:\Windows\tserv.exe | Code function: 6_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
Source: C:\Windows\tserv.exe | Code function: 11_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0042C8B2 GetLocaleInfoA
Source: C:\Windows\tserv.exe | Code function: 6_2_0042C8B2 GetLocaleInfoA
Source: C:\Windows\tserv.exe | Code function: 11_2_0042C8B2 GetLocaleInfoA
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\tserv.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\notepad.exe | Queries volume information: C:\Users\user\Desktop\DE46.tmp VolumeInformation
Source: C:\Windows\tserv.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\tserv.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle
Contains functionality to query time zone information
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_0040BE00 lstrlenA,GetLocalTime,GetTimeZoneInformation,lstrlenA
Contains functionality to query windows version
Source: C:\Users\user\Desktop\23file.log.exe | Code function: 1_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA
Queries the cryptographic machine GUID
Source: C:\Windows\System32\consent.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 96291
Sample: 23file.log.scr
Startdate: 06/12/2018
Architecture: WINDOWS
Score: 92

Start node:
  • DNS/IP Info: www3.cedesunjerinkas.com; www2.cedesunjerinkas.com
  • Signatures: Antivirus detection for submitted file; Uses an obfuscated file name to hide its real file extension (double extension); Antivirus detection for unpacked file
  • Started processes: 23file.log.exe (3); consent.exe; pcalua.exe (1); tserv.exe (14)

23file.log.exe:
  • Dropped files: C:\Windows\tserv.exe (PE32); C:\Windows\tserv.exe:Zone.Identifier (ASCII); C:\Users\user\Desktop\DE46.tmp (data)
  • Signatures: Contains functionality to inject threads in other processes; Early bird code injection technique detected
  • Started processes: tserv.exe (2, 15); notepad.exe

consent.exe:
  • Signatures: Writes to foreign memory regions
  • Injected process: svchost.exe

pcalua.exe:
  • Started processes: tserv.exe; tserv.exe

tserv.exe (started from the start node):
  • DNS/IP Info: 98.137.159.24, 25, 49790 YAHOO-NE1-YahooUS United States; 98.137.159.25, 25, 49791 YAHOO-NE1-YahooUS United States; 12 other IPs or domains

tserv.exe (started by 23file.log.exe):
  • DNS/IP Info: mta7.am0.yahoodns.net 98.137.159.28, 25, 49781 YAHOO-NE1-YahooUS United States; mta5.am0.yahoodns.net 98.136.101.117, 25, 49783 YAHOO-GQ1-YahooUS United States; 8 other IPs or domains
  • Signatures: Contains functionality to inject threads in other processes; Antivirus detection for dropped file; Creates an undocumented autostart registry key

notepad.exe:
  • Signatures: Injects files into Windows application

svchost.exe (injected by consent.exe):
  • DNS/IP Info: 67.27.233.126, 49774, 80 LEVEL3COMMUNICATIONSFR United States
  • Signatures: Early bird code injection technique detected; Drops executables to the windows directory (C:\Windows) and starts them; Writes to foreign memory regions; Allocates memory in foreign processes

tserv.exe (started by pcalua.exe):
  • DNS/IP Info: 67.195.229.58, 25, 49801 YAHOO-GQ1-YahooUS United States; 67.195.229.59, 25, 49802 YAHOO-GQ1-YahooUS United States; 7 other IPs or domains

Simulations

Behavior and APIs

Time | Type | Description
23:03:16 | API Interceptor | 395x Sleep call for process: tserv.exe modified
23:03:22 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run tserv C:\Windows\tserv.exe s

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
23file.lo.exe | 100% | Avira | WORM/Stration.C

Dropped Files

Source | Detection | Scanner | Label
C:\Windows\tserv.exe | 100% | Avira | WORM/Stration.C

Unpacked PE Files

Source | Detection | Scanner | Label
11.0.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
3.0.tserv.exe.400000.1.unpack | 100% | Avira | WORM/Stration.C
16.2.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
1.0.23file.log.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
3.0.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
3.2.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
16.0.tserv.exe.400000.2.unpack | 100% | Avira | WORM/Stration.C
1.2.23file.log.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
11.2.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
1.1.23file.log.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
16.0.tserv.exe.400000.1.unpack | 100% | Avira | WORM/Stration.C
16.0.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
16.0.tserv.exe.400000.3.unpack | 100% | Avira | WORM/Stration.C
3.0.tserv.exe.400000.3.unpack | 100% | Avira | WORM/Stration.C
6.2.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
3.1.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
16.1.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
6.1.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
6.0.tserv.exe.400000.0.unpack | 100% | Avira | WORM/Stration.C
3.0.tserv.exe.400000.2.unpack | 100% | Avira | WORM/Stration.C

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www4.cedesunjerinkas. | 0% | Avira URL Cloud | safe
http://www4.F | 0% | Avira URL Cloud | safe
http://www4.cedesunjerin | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match: 74.6.137.63

Associated Sample Name / URL | SHA 256 | Detection
21doc.el.exe | 7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976 | malicious
35Update-KB5111-x86.exe | 28239e44b20ebafd365c5ca95896ffee9d9443fb237f015af01aa411096e741f | malicious
7Update-KB8734-x86.exe | ed7fa49063d2462bb1939f5d7ba3260ae481bfe7227113f2706be12aced4e5b1 | malicious
15test.tx.exe | bfa7233d740e09256b015727ec0d338465825c17968c83642e30b29138ced5f6 | malicious
22file.txt.exe | 6e7aac4b5a8bcdece13a70ef2d84d4f8be5f5c7c276f45273a627d010020b720 | malicious
17Update-KB2218-x86.exe | ed637e3f1b1918596f3681d7b5955f3fe8220376a4b8dc559b0442e52440e561 | malicious
15Update-KB7250-x86.exe | bd243041899e74b194a45f76063cdaed96fbfc606ce6c6cef247c74eb6d44cd1 | malicious
27data.elm.exe | a1a6333985c3eb341eccd98f0f20bfc1886e410bf9ef78d07097755d54216b98 | malicious
23Update-KB4750-x86.exe | 239943d7184bcb33745e86b09f646593e69e5f77284702414a99dc9b388a2d4b | malicious
1Update-KB2640-x86.exe | 18b6cbce630200a40e4a7453a4bd0cae10a40dc79f391c5e402a9fc2cc8821d5 | malicious
3document.log.exe | b62a35104d330b701c6886d52fb3f329e2ebad50828f0c8271aaad01417c312d | malicious
19docs.el.exe | 1f3ad42d2f051ae8a7130c123f59fe087462e2a5f4f834239e12b638b580de44 | malicious
25Update-KB6546-x86.exe | 1ba6174b5780bad0e7284db6acc6e0f7c43c8cc8d4662d44a68ca1f1e51857c4 | malicious
17doc.da.exe | 1568fee61b10fb2592c472f5a32e3d14c245f694bd7f6b61a44b84df98ed082e | malicious
5docs.msg.exe | 74c086d4162a7b6bb61f542ea161e6ac8e5979bf9742c9d1e48581c7cc354499 | malicious
27docs.el.exe | ba82a391c43442109b9fdb8cf55f6ded1235fc86fad670fe9ad7ffb3ba61d6d4 | malicious
13Update-KB8500-x86.exe | 634fd7a4db8d57ea34349d3d963487261821a8274551e3281bc46307adb0c097 | malicious
23Update-KB2843-x86.exe | c300b473b979638a56f2487848403bf11b884ebd434f59a04235091f2b4d40a1 | malicious
5Update-KB3968-x86.exe | 4547d5f1667b810cb1c529a8e504fa2d6af8b9fc71261947ddb033ba35529c03 | malicious
1text.elm.exe | 684de352ce37239d865235f418567e55c909019c11e67aee033b0ad2c07d0560 | malicious

Domains

Match: mta7.am0.yahoodns.net

Associated Sample Name / URL | SHA 256 | Detection | Context
21doc.el.exe | 7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976 | malicious | 74.6.137.63
.exe | db6369568b7de81e617bbe390490dc88ccd862e9e5bfcf117a522daeb0ccb156 | malicious | 98.136.102.54
29Update-KB1750-x86.exe | 655ea4f24da22ac5572edec7f64bf74e0b48f24ba102cc3edb2f6db675251d1b | malicious | 98.136.102.54
51Update-KB8281-x86.exe | f491c4a1e4ac2cb4dbc22e07af95b5630ab837263f4dc3ee1414fd7503a6404c | malicious | 98.136.102.54
78doc.msg.exe | c577b6b3fadc5bed74eba616f7d7a55aa1308cd94709f7529046383d53784128 | malicious | 98.137.159.28
23Update-KB3830-x86.exe | 8e96230adbb28f480a8478962b2ffebac366fa5d08aa3c2cf90e70103cd91392 | malicious | 98.137.159.28
35Update-KB5111-x86.exe | 28239e44b20ebafd365c5ca95896ffee9d9443fb237f015af01aa411096e741f | malicious | 98.137.159.27
23Update-KB3956-x86.exe | 2fba3d6f375b7b0c31f3329d158dde2bceb69f6da6af19d0fe01c4cf8a48ef9f | malicious | 98.136.102.55
20Update-KB7452-x86.exe | fd74a860dca67bbc2b1f4490ae42e6b5764241cfb3ec619399706ae158461789 | malicious | 98.137.159.25
19docs.tx.exe | 60682db3158fe13f7eacd23a088fc71ab479d726769837fd39e8ed3bb5389ab0 | malicious | 98.136.102.55
55.x.exe | d7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116b | malicious | 74.6.137.65
3Update-KB2248-x86.exe | e8deb13dba3ad1149414c2278b5552c42ae85b0c87bbe05f6065c1b279ecf5f2 | malicious | 98.137.159.24
30Update-KB5046-x86.exe | f092fcfabfaa449ce7086c7aa2ae877594bc63bac2d41013aadeeb51386335d7 | malicious | 74.6.137.65
56file.txt.exe | 0364075aa6ef1cb7b43634ff3a54386687fe3e3d11d5b9a38b764c1d3895b71e | malicious | 67.195.229.58
63test.log.exe | b228e316c1f41106e9101372474563afb2e17a4c95b567cc5d25e88127593191 | malicious | 98.137.159.25
5body.ms.exe | d490923e6b4b7ad9d5cffd25daf6c9fb0fcddc0eb1809747c0126471901475c3 | malicious | 98.137.159.28
4test.log.exe | 4fe82253159922959725fffc4d3660a50697c9b29a8f778c18d305d24209cdfa | malicious | 98.137.159.26
1Update-KB8062-x86.exe | c719e8677693ee14c834ade4be2c48cff932ccb1a6301b33c80746e2d98d4314 | malicious | 66.218.85.52
17Update-KB2684-x86.exe | 4fe94d2df46f088396c4467c905d5eb1c86443eb1b1e5b43462477ad075b0103 | malicious | 98.137.159.25
7Update-KB8734-x86.exe | ed7fa49063d2462bb1939f5d7ba3260ae481bfe7227113f2706be12aced4e5b1 | malicious | 74.6.137.63

Match: mta6.am0.yahoodns.net

Associated Sample Name / URL | SHA 256 | Detection | Context
21doc.el.exe | 7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976 | malicious | 98.137.159.26
29Update-KB1750-x86.exe | 655ea4f24da22ac5572edec7f64bf74e0b48f24ba102cc3edb2f6db675251d1b | malicious | 67.195.229.58
51Update-KB8281-x86.exe | f491c4a1e4ac2cb4dbc22e07af95b5630ab837263f4dc3ee1414fd7503a6404c | malicious | 98.136.102.55
78doc.msg.exe | c577b6b3fadc5bed74eba616f7d7a55aa1308cd94709f7529046383d53784128 | malicious | 74.6.137.64
23Update-KB3830-x86.exe | 8e96230adbb28f480a8478962b2ffebac366fa5d08aa3c2cf90e70103cd91392 | malicious | 98.136.102.54
35Update-KB5111-x86.exe | 28239e44b20ebafd365c5ca95896ffee9d9443fb237f015af01aa411096e741f | malicious | 67.195.229.59
23Update-KB3956-x86.exe | 2fba3d6f375b7b0c31f3329d158dde2bceb69f6da6af19d0fe01c4cf8a48ef9f | malicious | 98.136.101.117
20Update-KB7452-x86.exe | fd74a860dca67bbc2b1f4490ae42e6b5764241cfb3ec619399706ae158461789 | malicious | 67.195.229.58
19docs.tx.exe | 60682db3158fe13f7eacd23a088fc71ab479d726769837fd39e8ed3bb5389ab0 | malicious | 98.136.102.54
55.x.exe | d7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116b | malicious | 98.137.159.28
3Update-KB2248-x86.exe | e8deb13dba3ad1149414c2278b5552c42ae85b0c87bbe05f6065c1b279ecf5f2 | malicious | 98.137.159.24
30Update-KB5046-x86.exe | f092fcfabfaa449ce7086c7aa2ae877594bc63bac2d41013aadeeb51386335d7 | malicious | 98.136.102.54
56file.txt.exe | 0364075aa6ef1cb7b43634ff3a54386687fe3e3d11d5b9a38b764c1d3895b71e | malicious | 98.136.102.54
63test.log.exe | b228e316c1f41106e9101372474563afb2e17a4c95b567cc5d25e88127593191 | malicious | 74.6.137.64
5body.ms.exe | d490923e6b4b7ad9d5cffd25daf6c9fb0fcddc0eb1809747c0126471901475c3 | malicious | 67.195.228.141
4test.log.exe | 4fe82253159922959725fffc4d3660a50697c9b29a8f778c18d305d24209cdfa | malicious | 98.136.101.117
1Update-KB8062-x86.exe | c719e8677693ee14c834ade4be2c48cff932ccb1a6301b33c80746e2d98d4314 | malicious | 98.137.159.26
70creditcar.exe | c7eebcfa941dfe6298e89b8353adfece14f4e54f8119956d8ab5cba75cdee8bb | malicious | 98.137.159.24
17Update-KB2684-x86.exe | 4fe94d2df46f088396c4467c905d5eb1c86443eb1b1e5b43462477ad075b0103 | malicious | 67.195.228.141
7Update-KB8734-x86.exe | ed7fa49063d2462bb1939f5d7ba3260ae481bfe7227113f2706be12aced4e5b1 | malicious | 74.6.137.64

ASN

Match: MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS

Associated Sample Name / URL | SHA 256 | Detection | Context
53Cheque10741.pdf.z.exe | 454678e7cd95477d250dad1e987c1201f4e969d6bc20c3d987bcf75ddf1ff1ee | malicious | 40.97.128.226
8b9eaeff00382210a583a0b5611c1d3f_976b00382cbb63c03e8fcd6677e4f973_Kovter.exe | 6a6b401888ec7f1f7b07cd714980f18e4b5afd456162e5061887b8255ea02e4a | malicious | 20.183.103.250
https://www.radioz.es/wp-includes/Text/ble/index.php?userid=billy.bubba@bubba.com | | malicious | 104.210.48.9
https://portalclient.echo-cloud.com/98059portal/echoapps/resetpassword.aspx?TOKEN=9A41646238CF73E33CAD1901574A1D6E6B846397B865375351414660CEB4725887E40D94F8324B21D450AC456109B9B1 | | malicious | 52.184.196.2
http://imprismail.com/affiliate/referral.asp?site=rea&url=pop/en/ukc/1&aff_id=5843_27027_19234_535127_1_357_ | | malicious | 104.41.152.17
https://buildingservices.lk/commonlogin/office/ | | malicious | 104.40.240.49
http://newsletter.promostelefoniica.com/t/j-l-ohddhhl-yhdkkudtit-r/ | | malicious | 40.101.49.98
Fax message.js | 1d50065b9cfcd52d914bd2bb6d1dcd3d1c71369fa5fc1a159048286e2e587061 | malicious | 13.107.6.151
VOvcoUgiuE.exe | beacce69d92bb6616e7595f10227f435ae6cf790fbb08a5498c4e6e55d34faac | malicious | 204.95.99.26
https://lojassantoantonio.com.br/reuin.htm | | malicious | 40.101.52.146
https://hpe-my.sharepoint.com/personal/gregory_park_hpe_com/_layouts/15/acceptinvite.aspx?invitation=%7B28F341CB%2DC685%2D4C81%2DA431%2D3DCFD62ACA39%7D&listId=f6f66c8c%2Decde%2D4889%2D9db0%2Dc07836c6c461&itemId=5d52ebe1%2Dbf49%2D49d3%2D8d0c%2Dd5ae9a222baf | | malicious | 207.46.194.14
http://swoba.org/den/lion/office/ | | malicious | 104.40.240.50
https://gihi.mx/secure/index.htm | | malicious | 13.107.18.11
https://myfrenchclub.in/includes/hospital/office/index.html | | malicious | 104.45.0.18
http://360cdlsolutions.com/olopa/drama/day/office/index.html | | malicious | 104.42.72.16
DSC07654.pdf | 01d72ab31167612ed4fa12232a37cf68fd5a8f7b5a3633407e7597f1d4e7e012 | malicious | 204.79.197.213
4b6FzLDmnD.exe | 5b4f0bf0c96806c6dd41a7e4b3f5660fad6bf1cd6e9df40982df614ba3fe68c5 | malicious | 52.175.226.120
Dear Account Owner.pdf | 209e4819fd4c3c02e99eed15d06ca91f3d11100a304b31694e9c11c76298502e | malicious | 65.54.226.141
MLmYmJFbrS.exe | 40b70f320bb31220d559f4f06410b91048e8d92911f28f4d6c51cd9f582ce081 | malicious | 52.175.226.120
http://dn.bytefence.com/rtop_setup.exe | | malicious | 191.237.32.214

Match: YAHOO-3-YahooUS

Associated Sample Name / URL | SHA 256 | Detection | Context
19Fk42jFQUOd.exe | ef1aac04640547783a113e1dff809694e51f2b4a2f64047db3a187f0c7d65192 | malicious | 98.139.135.128
https://bitly.com/2ADBPis | | malicious | 66.6.32.34
37Gmhqgmhb5K.exe | c5e749d027812dfe8b075916c9f5b0be5557ce0e32de0b953b0b7f48238d5bfa | malicious | 63.250.200.63
41tex.exe | a197e22f1fb732f13d97b39607549f154bb13cfb9d7181485730d7bcd7942cb1 | malicious | 63.250.200.63
13VJqrYOV9R1.exe | 6928db283a008edd34d375eb279c4141aeadbfd0e584dc154d892f4640b0dfa5 | malicious | 63.250.200.63
78ag5NU9TYw.exe | 6928fe29e34505b9c6a2c8d82baec4965c8260c6e4aeb5d43a7ec3e1856d1f24 | malicious | 63.250.200.63
63Tex.exe | e999a96b96eec4a42195c3a239030c24c9c589ff72341c98b00a90a5aa54ded7 | malicious | 63.250.200.63
68documen.exe | b283d7b81213fa081e6e28c9607d8b57d1e2ae1e0361f26f1e61694cb2961819 | malicious | 63.250.200.63
24noemai.exe | 830af35abdff2b1eb28890814117b36e931fafd9b6b789a73b30aa4d7b93a07e | malicious | 66.218.84.137
.exe | 98e359238bc7c0b0ff43b5e4e75694f6fb5e6e8b49ec39f0005cb167f73853e4 | malicious | 66.218.84.137
39p6DsbcFX97.exe | da0ad5ce8b9a706f5c65073d908c418a434316866e8f66a0d417cf75d5be15e7 | malicious | 66.218.84.137
53iiBKykijsJ.exe | f8ee0c27176fee4940b56246e0c1a879438cea0710d84302522eb1b87e26ace3 | malicious | 74.6.141.40
63document.exe | a49fb7827643752502825d141e7b09c19518b759b758d52c0a1cca3a11750376 | malicious | 66.218.87.12
3messag.exe | e34cdf0801fa5f37d271b312e75b0f57e5d5f889a48e11dd3e458e5a2b0cb9f8 | malicious | 66.218.87.12
21doc.el.exe | 7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976 | malicious | 66.218.85.139
25messag.exe | cdcdeab0cbd6e4b0a58a972d9847ba4b773777a69b4a96e07ca2a7504030a653 | malicious | 66.218.87.12
kir.exe | 6e2f27c5ab2e27aacd3bbe8c17a8ac7f3a39c3e2e9a1935513d3ca16a3a6c2c9 | malicious | 98.139.175.225
1cwy@cmmai.exe | 8c2c439a21a26f9c0b4156c4ae0325f600fc345d6f1004690f2d319532ce2537 | malicious | 66.218.85.151
.exe | db6369568b7de81e617bbe390490dc88ccd862e9e5bfcf117a522daeb0ccb156 | malicious | 66.218.85.139
78doc.msg.exe | c577b6b3fadc5bed74eba616f7d7a55aa1308cd94709f7529046383d53784128 | malicious | 74.6.137.64

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.