Analysis Report 65readme.dat.bat

Overview

General Information

Joe Sandbox Version:24.0.0 Fire Opal
Analysis ID:96300
Start date:06.12.2018
Start time:23:33:10
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 8m 1s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:65readme.dat.bat (renamed file extension from bat to exe)
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30
Number of new started processes analysed:11
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal84.evad.winEXE@6/8@384/6
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 99.9% (good quality ratio 97.1%)
  • Quality average: 84.3%
  • Quality standard deviation: 23%
HCA Information:
  • Successful, ratio: 99%
  • Number of executed functions: 93
  • Number of non-executed functions: 122
Cookbook Comments:
  • Adjust boot time
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, RuntimeBroker.exe, conhost.exe, CompatTelRunner.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 84
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Contains functionality to modify the execution of threads in other processes
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Techniques are listed per tactic column; trailing digits after a technique name are the report's matched-signature markers, kept as extracted.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Execution through Module Load 1; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Registry Run Keys / Start Folder 1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection 11; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Masquerading 1; Software Packing 1; Disabling Security Tools 1; Process Injection 11; Obfuscated Files or Information 2
Credential Access: Input Capture 1; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Process Discovery 1; Security Software Discovery 2; Remote System Discovery 1; File and Directory Discovery 1; System Information Discovery 23
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Cryptographic Protocol 1; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Multiband Communication; Standard Cryptographic Protocol

Signature Overview


AV Detection:

Antivirus detection for dropped file
  • Source: C:\Windows\tserv.exe | Avira: Label: WORM/Stration.C
Antivirus detection for submitted file
  • Source: 65readme.da.exe | Avira: Label: WORM/Stration.C
Antivirus detection for unpacked file
  • Source: 4.1.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 4.0.tserv.exe.400000.2.unpack | Avira: Label: WORM/Stration.C
  • Source: 4.0.tserv.exe.400000.3.unpack | Avira: Label: WORM/Stration.C
  • Source: 4.0.tserv.exe.400000.1.unpack | Avira: Label: WORM/Stration.C
  • Source: 9.0.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 4.0.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 2.1.65readme.dat.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 2.0.65readme.dat.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 9.2.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 4.2.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 2.2.65readme.dat.exe.400000.0.unpack | Avira: Label: WORM/Stration.C
  • Source: 9.1.tserv.exe.400000.0.unpack | Avira: Label: WORM/Stration.C

Spreading:

Enumerates the file system
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
  • Source: C:\Windows\tserv.exe | Code function: 9_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose

Networking:

IP address seen in connection with other malware
  • Source: Joe Sandbox View | IP Address: 66.218.85.52
Contains functionality to download additional files from the internet
  • Source: C:\Windows\tserv.exe | Code function: 9_2_00401960 GetProcessHeap,RtlAllocateHeap,CloseHandle,Sleep,Sleep,InternetGetConnectedState,Sleep,InternetGetConnectedState,InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,GetTempPathA,GetTempFileNameA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,DeleteFileA,InternetCloseHandle,InternetCloseHandle,GetProcessHeap,RtlFreeHeap
Found strings which match to known social media urls
  • Source: tserv.exe, 00000009.00000003.3953659410.0000000001FD6000.00000004.sdmp | String found in binary or memory: hotmail.com equals www.hotmail.com (Hotmail)
  • Source: tserv.exe, 00000009.00000003.3953659410.0000000001FD6000.00000004.sdmp | String found in binary or memory: yahoo.com equals www.yahoo.com (Yahoo)
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: yahoo.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
  • Source: 65readme.dat.exe, 00000002.00000002.3215611503.00000000007CA000.00000004.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Contains functionality to communicate with device drivers
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00423D83: QueryDosDeviceA,lstrcpyA,lstrcatA,GetLastError,lstrcpyA,lstrcatA,DefineDosDeviceA,GetLastError,lstrcpyA,lstrcatA,CreateFileA,DeviceIoControl,GetLastError,GetLastError,DefineDosDeviceA,GetLastError
Creates files inside the system directory
  • Source: C:\Users\user\Desktop\65readme.dat.exe | File created: C:\Windows\tserv.exe
Deletes files inside the Windows folder
  • Source: C:\Windows\tserv.exe | File deleted: C:\Windows\tserv.wax
Detected potential crypto function
Found potential string decryption / allocating functions
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: String function: 0042664C appears 45 times
  • Source: C:\Windows\tserv.exe | Code function: String function: 0042664C appears 45 times
Reads the hosts file
  • Source: C:\Windows\tserv.exe | File read: C:\Windows\System32\drivers\etc\hosts
Tries to load missing DLLs
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Section loaded: wow64log.dll
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Section loaded: cmut449c14b7.dll
  • Source: C:\Windows\tserv.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
  • Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
  • Source: C:\Windows\SysWOW64\notepad.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\tserv.exe | Section loaded: wow64log.dll
  • Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
  • Source: C:\Windows\tserv.exe | Section loaded: cmut449c14b7.dll
Classification label
  • Source: classification engine | Classification label: mal84.evad.winEXE@6/8@384/6
Contains functionality to adjust token privileges (e.g. debug / backup)
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
  • Source: C:\Windows\tserv.exe | Code function: 9_2_004047A0 lstrcatA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle
Contains functionality to enum processes or threads
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00405090 GetSystemDirectoryA,lstrcatA,lstrcatA,lstrcatA,GetFileAttributesA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Contains functionality to load and extract PE file embedded resources
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0041E0B0 FindResourceA,LoadResource,SizeofResource,LockResource,CreateFileA,WriteFile,CloseHandle
Creates files inside the user directory
  • Source: C:\Users\user\Desktop\65readme.dat.exe | File created: C:\Users\user\Desktop\E403.tmp
PE file has an executable .text section and no other executable section
  • Source: 65readme.da.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads software policies
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
  • Source: unknown | Process created: C:\Users\user\Desktop\65readme.dat.exe 'C:\Users\user\Desktop\65readme.dat.exe'
  • Source: unknown | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
  • Source: unknown | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\E403.tmp
  • Source: unknown | Process created: C:\Windows\tserv.exe 'C:\Windows\tserv.exe' s
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\E403.tmp
Uses an in-process (OLE) Automation server
  • Source: C:\Windows\SysWOW64\notepad.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11659a23-5884-4d1b-9cf6-67d6f4f90b36}\InProcServer32

Data Obfuscation:

Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0042647C push eax; ret 2_2_0042649A
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_004254B0 push eax; ret 2_2_004254C4
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_004254B0 push eax; ret 2_2_004254EC
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00426687 push ecx; ret 2_2_00426697
  • Source: C:\Windows\tserv.exe | Code function: 9_2_0042647C push eax; ret 9_2_0042649A
  • Source: C:\Windows\tserv.exe | Code function: 9_2_004254B0 push eax; ret 9_2_004254C4
  • Source: C:\Windows\tserv.exe | Code function: 9_2_004254B0 push eax; ret 9_2_004254EC
  • Source: C:\Windows\tserv.exe | Code function: 9_2_00426687 push ecx; ret 9_2_00426697

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Executable created and started: C:\Windows\tserv.exe
Drops PE files
  • Source: C:\Users\user\Desktop\65readme.dat.exe | File created: C:\Windows\tserv.exe
Drops PE files to the windows directory (C:\Windows)
  • Source: C:\Users\user\Desktop\65readme.dat.exe | File created: C:\Windows\tserv.exe

Boot Survival:

Creates an undocumented autostart registry key
  • Source: C:\Windows\tserv.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)
  • Source: Possible double extension: da.exe | Static PE information: 65readme.da.exe
Extensive use of GetProcAddress (often used to hide API calls)
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0041D159 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0040C1D0 rdtsc
Contains long sleeps (>= 3 min)
  • Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
  • Source: C:\Windows\tserv.exe | Thread delayed: delay time: 300000
Enumerates the file system
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\
  • Source: C:\Windows\tserv.exe | File opened: c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\
Found evasive API chain (may stop execution after checking a module file name)
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_2-12752)
  • Source: C:\Windows\tserv.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_9-15403)
Found evasive API chain checking for process token information
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_2-12686)
  • Source: C:\Windows\tserv.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_9-12933)
Found large amount of non-executed APIs
  • Source: C:\Users\user\Desktop\65readme.dat.exe | API coverage: 9.3 %
May sleep (evasive loops) to hinder dynamic analysis
  • Source: C:\Windows\tserv.exe TID: 376 | Thread sleep time: -3900000s >= -30000s
  • Source: C:\Windows\tserv.exe TID: 3396 | Thread sleep count: 31 > 30
  • Source: C:\Windows\tserv.exe TID: 3396 | Thread sleep time: -930000s >= -30000s
  • Source: C:\Windows\tserv.exe TID: 4128 | Thread sleep time: -900000s >= -30000s
  • Source: C:\Windows\tserv.exe TID: 1320 | Thread sleep count: 38 > 30
  • Source: C:\Windows\tserv.exe TID: 1320 | Thread sleep time: -1140000s >= -30000s
Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
  • Source: C:\Windows\tserv.exe | Code function: 9_2_00406360 GetFileAttributesA,lstrcpyA,lstrcatA,lstrcatA,FindFirstFileA,GetLastError,lstrcmpA,lstrcmpA,lstrcmpA,lstrcpyA,lstrcatA,lstrcatA,lstrcpyA,lstrcatA,FindNextFileA,FindClose
Contains functionality to query system information
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00429F44 VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect
Program exit points
  • Source: C:\Users\user\Desktop\65readme.dat.exe | API call chain: ExitProcess graph end node (graph_2-12753)

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
  • Source: C:\Windows\tserv.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0040C1D0 rdtsc
Contains functionality to dynamically determine API calls
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0041F660 LoadLibraryA,GetProcAddress,SetWindowsHookExA
Contains functionality which may be used to detect a debugger (GetProcessHeap)
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_004210D0 GetProcessHeap,GetProcessHeap,HeapAlloc,RegOpenKeyExA,GetLastError,GetProcessHeap,HeapFree,RegCloseKey
Contains functionality to register its own exception handler
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0042731A SetUnhandledExceptionFilter
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0042732E SetUnhandledExceptionFilter
  • Source: C:\Windows\tserv.exe | Code function: 9_2_0042731A SetUnhandledExceptionFilter
  • Source: C:\Windows\tserv.exe | Code function: 9_2_0042732E SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Process created / APC Queued / Resumed: C:\Windows\tserv.exe
Injects files into Windows application
  • Source: C:\Windows\SysWOW64\notepad.exe | Injected file: C:\Users\user\Desktop\E403.tmp was created by C:\Users\user\Desktop\65readme.dat.exe
Creates a process in suspended mode (likely to inject code)
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Process created: C:\Windows\tserv.exe C:\Windows\tserv.exe s
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\E403.tmp
Contains functionality to create a new security descriptor
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00423260 GetProcessHeap,HeapAlloc,HeapAlloc,RtlAllocateHeap,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,RtlAllocateHeap,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,InitializeSecurityDescriptor,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetTokenInformation,GetTokenInformation,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,AllocateAndInitializeSid,GetLengthSid,AddAce,IsValidSecurityDescriptor
May try to detect the Windows Explorer process (often used for injection)
  • Source: notepad.exe, 00000005.00000002.4392825496.00000000031C0000.00000002.sdmp | Binary or memory string: Program Managere
  • Source: notepad.exe, 00000005.00000002.4392825496.00000000031C0000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
  • Source: notepad.exe, 00000005.00000002.4392825496.00000000031C0000.00000002.sdmp | Binary or memory string: Progman
  • Source: notepad.exe, 00000005.00000002.4392825496.00000000031C0000.00000002.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to inject threads in other processes
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
  • Source: C:\Windows\tserv.exe | Code function: 9_2_00404840 OpenProcess,lstrlenA,VirtualAllocEx,WriteProcessMemory,GetModuleHandleA,GetProcAddress,CreateRemoteThread
Contains functionality to query locale information (e.g. system language)
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: GetLocaleInfoA (2_2_0042C8B2)
  • Source: C:\Windows\tserv.exe | Code function: GetLocaleInfoA (9_2_0042C8B2)
Queries the volume information (name, serial number etc) of a device
  • Source: C:\Windows\tserv.exe | Queries volume information: C:\ VolumeInformation
  • Source: C:\Windows\SysWOW64\notepad.exe | Queries volume information: C:\Users\user\Desktop\E403.tmp VolumeInformation
  • Source: C:\Windows\tserv.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00401830 ExpandEnvironmentStringsA,GetLocalTime,CreateFileA,CloseHandle
Contains functionality to query time zone information
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_0040BE00 lstrlenA,GetLocalTime,GetTimeZoneInformation,lstrlenA
Contains functionality to query windows version
  • Source: C:\Users\user\Desktop\65readme.dat.exe | Code function: 2_2_00425D91 EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,_fast_error_exit,_fast_error_exit,GetCommandLineA,GetStartupInfoA,__wincmdln,GetModuleHandleA

Behavior Graph

Behavior Graph ID: 96300
Sample: 65readme.dat.bat
Startdate: 06/12/2018
Architecture: WINDOWS
Score: 84

Sample-level signatures:
  • Antivirus detection for submitted file
  • Uses an obfuscated file name to hide its real file extension (double extension)
  • Antivirus detection for unpacked file

Process 65readme.dat.exe (started from the sample):
  • Dropped: C:\Windows\tserv.exe (PE32)
  • Dropped: C:\Windows\tserv.exe:Zone.Identifier (ASCII)
  • Dropped: C:\Users\user\Desktop\E403.tmp (data)
  • Signatures: Contains functionality to inject threads in other processes; Early bird code injection technique detected; Drops executables to the windows directory (C:\Windows) and starts them
  • Started: tserv.exe, notepad.exe

Process tserv.exe (started from the sample):
  • Network: 66.218.85.52, port 25 (local port 49788), YAHOO-3-YahooUS, United States
  • Network: 104.47.124.33, port 25 (local port 49796), MICROSOFT-CORP-MSN-AS-BLOCK-MicrosoftCorporationUS, United States
  • 10 other IPs or domains

Process tserv.exe (started by 65readme.dat.exe):
  • Network: mta5.am0.yahoodns.net 67.195.228.141, port 25 (local ports 49781, 49790), YAHOO-GQ1-YahooUS, United States
  • Network: mta7.am0.yahoodns.net 98.136.101.117, port 25 (local port 49780), YAHOO-GQ1-YahooUS, United States
  • 8 other IPs or domains
  • Signatures: Contains functionality to inject threads in other processes; Antivirus detection for dropped file; Creates an undocumented autostart registry key

Process notepad.exe (started by 65readme.dat.exe):
  • Signatures: Injects files into Windows application

Simulations

Behavior and APIs

Time      Type             Description
23:34:04  API Interceptor  1x Sleep call for process: 65readme.dat.exe modified
23:34:10  API Interceptor  364x Sleep call for process: tserv.exe modified
23:34:26  Autostart        Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value name "tserv", data "C:\Windows\tserv.exe s"
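The graph and the autostart entry above together describe four behaviours that can be alerted on outside the sandbox: a double-extension file name, an executable written directly into C:\Windows and then launched by the process that wrote it, a Run key value pointing at that file, and a process that is not a mail client fanning out on TCP port 25 to many mail exchangers. The Python below is an added example, not Joe Sandbox code and not taken from the report; it runs those four checks over a constructed, Sysmon-like event list that mirrors the report's findings. The event field names (type, pid, image, parent, path, key, name, data, dst, dport), the mail-client allowlist and the fan-out threshold of three distinct peers are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed, Sysmon-like telemetry mirroring the report (not real log output).
# pid 2 stands for the submitted sample, pid 4 for the dropped tserv.exe,
# pid 7 is a benign mail client added as a control (hypothetical path).
EVENTS = [
    {"type": "process", "pid": 2, "image": r"C:\Users\user\Desktop\65readme.dat.bat", "parent": None},
    {"type": "file_create", "pid": 2, "path": r"C:\Windows\tserv.exe"},
    {"type": "process", "pid": 4, "image": r"C:\Windows\tserv.exe", "parent": 2},
    {"type": "registry_set", "pid": 4,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "tserv", "data": r"C:\Windows\tserv.exe s"},
    {"type": "connect", "pid": 4, "dst": "67.195.228.141", "dport": 25},
    {"type": "connect", "pid": 4, "dst": "98.136.101.117", "dport": 25},
    {"type": "connect", "pid": 4, "dst": "66.218.85.52", "dport": 25},
    {"type": "process", "pid": 7, "image": r"C:\Program Files\Mail\mail.exe", "parent": None},
    {"type": "connect", "pid": 7, "dst": "203.0.113.10", "dport": 25},
]

EXEC_EXT = {"exe", "bat", "cmd", "com", "scr", "pif"}
DOC_EXT = {"dat", "txt", "doc", "pdf", "log", "jpg", "msg"}
# A file directly under C:\Windows (no subdirectory), as with C:\Windows\tserv.exe.
WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
MAIL_CLIENTS = {r"c:\program files\mail\mail.exe"}   # hypothetical allowlist


def basename(path):
    return path.rsplit("\\", 1)[-1]


def has_double_extension(path):
    """foo.dat.bat / foo.txt.exe: a document-looking extension in front of an executable one."""
    parts = basename(path).lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DOC_EXT


def run_target(data):
    """Path part of a Run value: a quoted path, or everything before the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def detect(events, smtp_threshold=3):
    """Return (rule, pid, detail) findings for the four behaviours the report shows."""
    findings = []
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    written = defaultdict(set)      # pid -> paths that process created
    smtp_peers = defaultdict(set)   # pid -> distinct hosts contacted on port 25
    for e in events:
        t = e["type"]
        if t == "process":
            if has_double_extension(e["image"]):
                findings.append(("double_extension", e["pid"], basename(e["image"])))
            parent = e.get("parent")
            # Dropper starts a file it wrote itself ("drops executables ... and starts them").
            if parent in written and e["image"].lower() in {p.lower() for p in written[parent]}:
                findings.append(("drop_and_execute", parent, e["image"]))
        elif t == "file_create":
            written[e["pid"]].add(e["path"])
            if WINDOWS_ROOT.match(e["path"]):
                findings.append(("write_windows_root", e["pid"], e["path"]))
        elif t == "registry_set" and RUN_KEY.search(e["key"]):
            if WINDOWS_ROOT.match(run_target(e["data"])):
                findings.append(("run_key_windows_root", e["pid"], f"{e['name']} -> {e['data']}"))
        elif t == "connect" and e["dport"] == 25:
            smtp_peers[e["pid"]].add(e["dst"])
    for pid, peers in smtp_peers.items():
        if len(peers) >= smtp_threshold and images.get(pid, "").lower() not in MAIL_CLIENTS:
            findings.append(("smtp_fanout", pid, f"{len(peers)} distinct port-25 peers"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:22} pid={pid:<3} {detail}")
```

On the constructed events the dropper (pid 2) is flagged for the double extension, the write into C:\Windows and for starting the file it wrote, and tserv.exe (pid 4) for the Run value and for the port-25 fan-out; the control mail client with a single peer is not flagged. The fan-out rule is the one that needs tuning per environment: on a real mail server it must be paired with an allowlist of the expected sending process.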

Antivirus Detection

Initial Sample

Source           Detection  Scanner  Label
65readme.da.exe  100%       Avira    WORM/Stration.C

Dropped Files

Source                Detection  Scanner  Label
C:\Windows\tserv.exe  100%       Avira    WORM/Stration.C

Unpacked PE Files

Source                              Detection  Scanner  Label
4.1.tserv.exe.400000.0.unpack       100%       Avira    WORM/Stration.C
4.0.tserv.exe.400000.2.unpack       100%       Avira    WORM/Stration.C
4.0.tserv.exe.400000.3.unpack       100%       Avira    WORM/Stration.C
4.0.tserv.exe.400000.1.unpack       100%       Avira    WORM/Stration.C
9.0.tserv.exe.400000.0.unpack       100%       Avira    WORM/Stration.C
4.0.tserv.exe.400000.0.unpack       100%       Avira    WORM/Stration.C
2.1.65readme.dat.exe.400000.0.unpack  100%     Avira    WORM/Stration.C
2.0.65readme.dat.exe.400000.0.unpack  100%     Avira    WORM/Stration.C
9.2.tserv.exe.400000.0.unpack       100%       Avira    WORM/Stration.C
4.2.tserv.exe.400000.0.unpack       100%       Avira    WORM/Stration.C
2.2.65readme.dat.exe.400000.0.unpack  100%     Avira    WORM/Stration.C
9.1.tserv.exe.400000.0.unpack       100%       Avira    WORM/Stration.C
9.1.tserv.exe.400000.0.unpack100%AviraWORM/Stration.C

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

Match  Associated Sample Name / URL  SHA 256  Detection

66.218.85.52
  55.x.exe  d7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116b  malicious
  1Update-KB8062-x86.exe  c719e8677693ee14c834ade4be2c48cff932ccb1a6301b33c80746e2d98d4314  malicious
  7Update-KB6468-x86.exe  b0b52e23c51ec81bad1fabd13718b3b7e74fd96dec96c9196a301ed196d8bf3a  malicious
  20test.lo.exe  4fd1ce1b59c0bf0fa96012d96131f7c0dabe0dd9a1961becf10f6788b105b938  malicious
  15data.tx.exe  50491e27c4a3524f157f610bd37bc22da1656702d7ab8eb24f5a65f22a1c7d4f  malicious
  22file.txt.exe  6e7aac4b5a8bcdece13a70ef2d84d4f8be5f5c7c276f45273a627d010020b720  malicious
  16Update-KB1390-x86.exe  507a273b75e4910aabcf0fe1b6cd070fa5da0ab43b82368098224ed87b95086c  malicious
  21Update-KB3546-x86.exe  06a5587448fa5410dddc3546ee978b1f574a49a3730518e49c648e5756f6d5b6  malicious
  15message.da.exe  1f00d6c3212086256ab6648766c50fc80a65196999ee5ce79667fbbcb6811aff  malicious
  15Update-KB7250-x86.exe  bd243041899e74b194a45f76063cdaed96fbfc606ce6c6cef247c74eb6d44cd1  malicious
  13body.ms.exe  64768055ecc1ff32ee0c48cfc2acd15e7c6f1b11ebf8e8ec1349e48d6f480b19  malicious
  6Update-KB1546-x86.exe  8cfca488b7e970275cd1418041be6663f05fbad0690f268ab71a9068a751d08c  malicious
  5docs.el.exe  52e7bc4a8fe360d2b84d6b9c1d2d91b954b14e83c207682381765fb30ee50ee9  malicious
  19docs.el.exe  1f3ad42d2f051ae8a7130c123f59fe087462e2a5f4f834239e12b638b580de44  malicious
  27docs.el.exe  ba82a391c43442109b9fdb8cf55f6ded1235fc86fad670fe9ad7ffb3ba61d6d4  malicious
  22text.ms.exe  dbf75228f73a13d3e9cb0bb75180a797d813940c08c55092dc85d9495336d491  malicious
  3Update-KB3718-x86.exe  ec614047312332518f6543ae1e84e1b4d44aabbeb0dc6430f7832d7f67b1694b  malicious
  5Update-KB3968-x86.exe  4547d5f1667b810cb1c529a8e504fa2d6af8b9fc71261947ddb033ba35529c03  malicious
  45data.tx.exe  f7e2a46f813be5ded929f738fda51173ff9390ff8a40d42be790f9f9b1a372d9  malicious
  27Update-KB3921-x86.exe  2e9b1244611818a4b07b9cf3a1fea7d3f3b2c1fbe591615748be08123e6340d3  malicious

Domains

Match  Associated Sample Name / URL  SHA 256  Detection  Context

mta7.am0.yahoodns.net
  21doc.el.exe  7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976  malicious  context: 74.6.137.63
  .exe  db6369568b7de81e617bbe390490dc88ccd862e9e5bfcf117a522daeb0ccb156  malicious  context: 98.136.102.54
  29Update-KB1750-x86.exe  655ea4f24da22ac5572edec7f64bf74e0b48f24ba102cc3edb2f6db675251d1b  malicious  context: 98.136.102.54
  51Update-KB8281-x86.exe  f491c4a1e4ac2cb4dbc22e07af95b5630ab837263f4dc3ee1414fd7503a6404c  malicious  context: 98.136.102.54
  78doc.msg.exe  c577b6b3fadc5bed74eba616f7d7a55aa1308cd94709f7529046383d53784128  malicious  context: 98.137.159.28
  23Update-KB3830-x86.exe  8e96230adbb28f480a8478962b2ffebac366fa5d08aa3c2cf90e70103cd91392  malicious  context: 98.137.159.28
  35Update-KB5111-x86.exe  28239e44b20ebafd365c5ca95896ffee9d9443fb237f015af01aa411096e741f  malicious  context: 98.137.159.27
  23Update-KB3956-x86.exe  2fba3d6f375b7b0c31f3329d158dde2bceb69f6da6af19d0fe01c4cf8a48ef9f  malicious  context: 98.136.102.55
  20Update-KB7452-x86.exe  fd74a860dca67bbc2b1f4490ae42e6b5764241cfb3ec619399706ae158461789  malicious  context: 98.137.159.25
  19docs.tx.exe  60682db3158fe13f7eacd23a088fc71ab479d726769837fd39e8ed3bb5389ab0  malicious  context: 98.136.102.55
  55.x.exe  d7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116b  malicious  context: 74.6.137.65
  3Update-KB2248-x86.exe  e8deb13dba3ad1149414c2278b5552c42ae85b0c87bbe05f6065c1b279ecf5f2  malicious  context: 98.137.159.24
  30Update-KB5046-x86.exe  f092fcfabfaa449ce7086c7aa2ae877594bc63bac2d41013aadeeb51386335d7  malicious  context: 74.6.137.65
  56file.txt.exe  0364075aa6ef1cb7b43634ff3a54386687fe3e3d11d5b9a38b764c1d3895b71e  malicious  context: 67.195.229.58
  63test.log.exe  b228e316c1f41106e9101372474563afb2e17a4c95b567cc5d25e88127593191  malicious  context: 98.137.159.25
  5body.ms.exe  d490923e6b4b7ad9d5cffd25daf6c9fb0fcddc0eb1809747c0126471901475c3  malicious  context: 98.137.159.28
  4test.log.exe  4fe82253159922959725fffc4d3660a50697c9b29a8f778c18d305d24209cdfa  malicious  context: 98.137.159.26
  1Update-KB8062-x86.exe  c719e8677693ee14c834ade4be2c48cff932ccb1a6301b33c80746e2d98d4314  malicious  context: 66.218.85.52
  17Update-KB2684-x86.exe  4fe94d2df46f088396c4467c905d5eb1c86443eb1b1e5b43462477ad075b0103  malicious  context: 98.137.159.25
  7Update-KB8734-x86.exe  ed7fa49063d2462bb1939f5d7ba3260ae481bfe7227113f2706be12aced4e5b1  malicious  context: 74.6.137.63

mta6.am0.yahoodns.net
  21doc.el.exe  7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976  malicious  context: 98.137.159.26
  29Update-KB1750-x86.exe  655ea4f24da22ac5572edec7f64bf74e0b48f24ba102cc3edb2f6db675251d1b  malicious  context: 67.195.229.58
  51Update-KB8281-x86.exe  f491c4a1e4ac2cb4dbc22e07af95b5630ab837263f4dc3ee1414fd7503a6404c  malicious  context: 98.136.102.55
  78doc.msg.exe  c577b6b3fadc5bed74eba616f7d7a55aa1308cd94709f7529046383d53784128  malicious  context: 74.6.137.64
  23Update-KB3830-x86.exe  8e96230adbb28f480a8478962b2ffebac366fa5d08aa3c2cf90e70103cd91392  malicious  context: 98.136.102.54
  35Update-KB5111-x86.exe  28239e44b20ebafd365c5ca95896ffee9d9443fb237f015af01aa411096e741f  malicious  context: 67.195.229.59
  23Update-KB3956-x86.exe  2fba3d6f375b7b0c31f3329d158dde2bceb69f6da6af19d0fe01c4cf8a48ef9f  malicious  context: 98.136.101.117
  20Update-KB7452-x86.exe  fd74a860dca67bbc2b1f4490ae42e6b5764241cfb3ec619399706ae158461789  malicious  context: 67.195.229.58
  19docs.tx.exe  60682db3158fe13f7eacd23a088fc71ab479d726769837fd39e8ed3bb5389ab0  malicious  context: 98.136.102.54
  55.x.exe  d7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116b  malicious  context: 98.137.159.28
  3Update-KB2248-x86.exe  e8deb13dba3ad1149414c2278b5552c42ae85b0c87bbe05f6065c1b279ecf5f2  malicious  context: 98.137.159.24
  30Update-KB5046-x86.exe  f092fcfabfaa449ce7086c7aa2ae877594bc63bac2d41013aadeeb51386335d7  malicious  context: 98.136.102.54
  56file.txt.exe  0364075aa6ef1cb7b43634ff3a54386687fe3e3d11d5b9a38b764c1d3895b71e  malicious  context: 98.136.102.54
  63test.log.exe  b228e316c1f41106e9101372474563afb2e17a4c95b567cc5d25e88127593191  malicious  context: 74.6.137.64
  5body.ms.exe  d490923e6b4b7ad9d5cffd25daf6c9fb0fcddc0eb1809747c0126471901475c3  malicious  context: 67.195.228.141
  4test.log.exe  4fe82253159922959725fffc4d3660a50697c9b29a8f778c18d305d24209cdfa  malicious  context: 98.136.101.117
  1Update-KB8062-x86.exe  c719e8677693ee14c834ade4be2c48cff932ccb1a6301b33c80746e2d98d4314  malicious  context: 98.137.159.26
  70creditcar.exe  c7eebcfa941dfe6298e89b8353adfece14f4e54f8119956d8ab5cba75cdee8bb  malicious  context: 98.137.159.24
  17Update-KB2684-x86.exe  4fe94d2df46f088396c4467c905d5eb1c86443eb1b1e5b43462477ad075b0103  malicious  context: 67.195.228.141
  7Update-KB8734-x86.exe  ed7fa49063d2462bb1939f5d7ba3260ae481bfe7227113f2706be12aced4e5b1  malicious  context: 74.6.137.64

ASN

Match  Associated Sample Name / URL  SHA 256  Detection  Context

YAHOO-3-YahooUS
  19Fk42jFQUOd.exe  ef1aac04640547783a113e1dff809694e51f2b4a2f64047db3a187f0c7d65192  malicious  context: 98.139.135.128
  https://bitly.com/2ADBPis  (URL, no hash)  malicious  context: 66.6.32.34
  37Gmhqgmhb5K.exe  c5e749d027812dfe8b075916c9f5b0be5557ce0e32de0b953b0b7f48238d5bfa  malicious  context: 63.250.200.63
  41tex.exe  a197e22f1fb732f13d97b39607549f154bb13cfb9d7181485730d7bcd7942cb1  malicious  context: 63.250.200.63
  13VJqrYOV9R1.exe  6928db283a008edd34d375eb279c4141aeadbfd0e584dc154d892f4640b0dfa5  malicious  context: 63.250.200.63
  78ag5NU9TYw.exe  6928fe29e34505b9c6a2c8d82baec4965c8260c6e4aeb5d43a7ec3e1856d1f24  malicious  context: 63.250.200.63
  63Tex.exe  e999a96b96eec4a42195c3a239030c24c9c589ff72341c98b00a90a5aa54ded7  malicious  context: 63.250.200.63
  68documen.exe  b283d7b81213fa081e6e28c9607d8b57d1e2ae1e0361f26f1e61694cb2961819  malicious  context: 63.250.200.63
  24noemai.exe  830af35abdff2b1eb28890814117b36e931fafd9b6b789a73b30aa4d7b93a07e  malicious  context: 66.218.84.137
  .exe  98e359238bc7c0b0ff43b5e4e75694f6fb5e6e8b49ec39f0005cb167f73853e4  malicious  context: 66.218.84.137
  39p6DsbcFX97.exe  da0ad5ce8b9a706f5c65073d908c418a434316866e8f66a0d417cf75d5be15e7  malicious  context: 66.218.84.137
  53iiBKykijsJ.exe  f8ee0c27176fee4940b56246e0c1a879438cea0710d84302522eb1b87e26ace3  malicious  context: 74.6.141.40
  63document.exe  a49fb7827643752502825d141e7b09c19518b759b758d52c0a1cca3a11750376  malicious  context: 66.218.87.12
  3messag.exe  e34cdf0801fa5f37d271b312e75b0f57e5d5f889a48e11dd3e458e5a2b0cb9f8  malicious  context: 66.218.87.12
  21doc.el.exe  7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976  malicious  context: 66.218.85.139
  25messag.exe  cdcdeab0cbd6e4b0a58a972d9847ba4b773777a69b4a96e07ca2a7504030a653  malicious  context: 66.218.87.12
  kir.exe  6e2f27c5ab2e27aacd3bbe8c17a8ac7f3a39c3e2e9a1935513d3ca16a3a6c2c9  malicious  context: 98.139.175.225
  1cwy@cmmai.exe  8c2c439a21a26f9c0b4156c4ae0325f600fc345d6f1004690f2d319532ce2537  malicious  context: 66.218.85.151
  .exe  db6369568b7de81e617bbe390490dc88ccd862e9e5bfcf117a522daeb0ccb156  malicious  context: 66.218.85.139
  78doc.msg.exe  c577b6b3fadc5bed74eba616f7d7a55aa1308cd94709f7529046383d53784128  malicious  context: 74.6.137.64

YAHOO-GQ1-YahooUS
  39transcrip.exe  752923505b46d88f13c2bee952851153aa1ef9414f2e2390bb61cbdd3bb35799  malicious  context: 208.71.45.11
  17yeH6QNgQKp.exe  5f050a73c2a21bbaefb28b6584945864c36ac8c29e52092813edec305dcb9553  malicious  context: 208.71.45.11
  https://bitly.com/2ADBPis  (URL, no hash)  malicious  context: 208.71.44.31
  53README.EXE  107b7598049b5fbafcfe721e7caf27a0410a4d3ed027a92b5bf4a1c8e78ab160  malicious  context: 208.71.45.11
  gescanntes-Dokument-39759521822.doc  dc39a7c3de4a13ca1ddd43b16f161430a017d82d347bb06e622ac246d301ff78  malicious  context: 67.195.61.46
  26uBsya2ooof.exe  43219e0766b8d29ac766bec695c0f4c75ce93993936cbfddf5cabfa104bdbe47  malicious  context: 208.71.45.11
  777SqyBFAEcE.exe  02400dcc633b5541cf9ce6aef93cc45464dcac2faf432cf4fe8eab892fe2af09  malicious  context: 208.71.45.11
  .exe  720450804b1899a581eb974f9aae66fd9185826f229fb9b9745cf00adcd5d6af  malicious  context: 98.136.144.138
  3tex.exe  302fede01da1fced3645239a43436304aa56d10badd33378d4ab76ecbe8afac7  malicious  context: 98.136.144.138
  23On8YogEnJM.exe  b28183e8623c4d0536745d0250bc2b7bee1a9d2c4ace248101f970bc83772686  malicious  context: 98.136.144.138
  65hrD9XUCkn8.exe  1a452ba33ee454c5b0ea016751e420673f8de03aedfdff0c8fac486d2f1be9f1  malicious  context: 98.136.144.138
  59documen.exe  c919e05003c9691532aa95510fc095e84fc91cfa20ceeca210962ca1c52edf2c  malicious  context: 98.136.144.138
  5mai.exe  3a70c854f8fa149ffb459b325c5378f880adb3c311ddd04292dc3aeabea5ced3  malicious  context: 98.136.144.138
  41instructio.exe  e050b5220ef6e3c9b2615a9d132be118d557e509f121867460f9a53a417888d9  malicious  context: 98.136.144.138
  13attachment.doc .exe  b4ed93eb6cb4c26bad0d4ccd85a78768ba6b8e0b0a710722f1aef72514e060d3  malicious  context: 98.136.144.138
  69mai.exe  6b0169937e5ea4d7193baad8d63717677c93287cc322d29e044d0960e9eac03a  malicious  context: 98.136.103.26
  72ine.exe  2f5d5628565b7fb96d79e4aea9309b0a616e4d35ae9e3e29b87d29fa2f3d48d0  malicious  context: 98.136.144.138
  17LETTE.exe  0aa40af96285e988536ede2c150f31aefb7a653dee7b22b289b95716445538fd  malicious  context: 98.136.144.138
  http://churchofchristintheglade.com/resume.php  (URL, no hash)  malicious  context: 67.195.61.46
  11readm.exe  f2014ef3490e471a54c7400cfc8f96047a0d3a06f0278fde6be433538e019ead  malicious  context: 98.136.144.138
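As extracted from the sandbox's HTML, rows of the IPs, Domains and ASN context tables often arrive with their columns run together (sample name, SHA-256, verdict and the link text "Browse" in one string, with the context IPs on bullet lines), which is awkward when the goal is a blocklist. The Python below is an added example, not part of the Joe Sandbox report, that recovers a deduplicated indicator set (hashes with sample name and verdict, URLs, context IPs) from rows in that run-together form. The sample rows are constructed from entries in the tables above; two decisions are assumptions made here: a "Match" value fused onto the first row's name is stripped only when the caller names it, and the leading digits on sample names are left attached rather than guessed at.

```python
import re

VERDICT = r"(?P<verdict>malicious|suspicious|clean|unknown)"
# <name><sha256><verdict>Browse: columns run together by extraction
HASH_ROW = re.compile(r"^(?P<name>.*?)(?P<sha>[0-9a-f]{64})" + VERDICT + r"Browse$", re.IGNORECASE)
# <url><verdict>Browse: URL rows carry no hash
URL_ROW = re.compile(r"^(?P<url>https?://.+?)" + VERDICT + r"Browse$", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed from rows in the Domains and ASN tables, kept in their run-together form;
# the 55.x.exe row is repeated on purpose to show hash deduplication.
SAMPLE_ROWS = """\
MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
mta7.am0.yahoodns.net21doc.el.exe7573ca4746b37ef2420967e1cade1bc5f9a1bae0218f0b61e486ca5574b86976maliciousBrowse
• 74.6.137.63
.exedb6369568b7de81e617bbe390490dc88ccd862e9e5bfcf117a522daeb0ccb156maliciousBrowse
• 98.136.102.54
55.x.exed7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116bmaliciousBrowse
• 74.6.137.65
55.x.exed7826837a61f95c583459402ea0e7ad39013c92abea85a8ec81ba518a222116bmaliciousBrowse
• 98.137.159.28
https://bitly.com/2ADBPismaliciousBrowse
• 66.6.32.34
"""


def parse_context_rows(text, matches=()):
    """Return (hashes, urls, ips) from flattened Joe Sandbox context rows.

    hashes: sha256 -> (sample name, verdict); urls: url -> verdict;
    ips: set of context IPs taken from the bullet lines.  A 'Match' column
    value fused onto a row's name is stripped only if listed in `matches`.
    """
    hashes, urls, ips = {}, {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):            # context bullet: hosts the sample talked to
            ips.update(IPV4.findall(line))
            continue
        m = URL_ROW.match(line)
        if m:
            urls[m["url"]] = m["verdict"].lower()
            continue
        m = HASH_ROW.match(line)
        if not m:
            continue                         # table header or other residue
        name = m["name"]
        for prefix in matches:
            if name.startswith(prefix):
                name = name[len(prefix):]
                break
        hashes[m["sha"].lower()] = (name, m["verdict"].lower())   # repeats collapse here
    return hashes, urls, ips


if __name__ == "__main__":
    hashes, urls, ips = parse_context_rows(SAMPLE_ROWS, matches=("mta7.am0.yahoodns.net",))
    for sha, (name, verdict) in hashes.items():
        print(f"{sha}  {name}  {verdict}")
    for url, verdict in urls.items():
        print(f"{url}  {verdict}")
    print("context IPs:", ", ".join(sorted(ips)))
```

The hash regex is anchored on the trailing verdict and "Browse", so the 64-hex boundary is unambiguous even when a sample name ends in hex-looking characters; the context IPs are collected from the bullet lines rather than from the row text so that digits inside sample names are never mistaken for addresses.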

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.