Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Update-KB6125-x86.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | |
| C:\Windows\tserv.exe | PE32 executable (GUI) Intel 80386, for MS Windows | dropped | |
| C:\Windows\tserv.exe:Zone.Identifier | ASCII text, with CRLF line terminators | modified | |
Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\Update-KB6125-x86.exe | "C:\Users\user\Desktop\Update-KB6125-x86.exe" | |
| C:\Windows\tserv.exe | C:\Windows\tserv.exe s | |
| C:\Windows\tserv.exe | "C:\Windows\tserv.exe" s | |
Domains

| Name | IP | Malicious |
|---|---|---|
| mta6.am0.yahoodns.net | 67.195.204.73 | |
| alt3.gmail-smtp-in.l.google.com | 142.250.141.26 | |
| alt4.gmail-smtp-in.l.google.com | 192.178.128.26 | |
| mta7.am0.yahoodns.net | 67.195.228.110 | |
| gmail-smtp-in.l.google.com | 209.85.233.26 | |
| mta5.am0.yahoodns.net | 67.195.204.72 | |
| www4.cedesunjerinkas.com | 193.166.255.171 | |
| alt1.gmail-smtp-in.l.google.com | 142.250.157.26 | |
| alt2.gmail-smtp-in.l.google.com | 173.194.202.27 | |
| hotmail-com.olc.protection.outlook.com | 52.101.73.23 | |
| hotmail.com | unknown | |
| gmail.com | unknown | |
| yahoo.com | unknown | |

3 further domains are not shown in this export.
IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 142.250.141.26 | alt3.gmail-smtp-in.l.google.com | United States | |
| 193.166.255.171 | www4.cedesunjerinkas.com | Finland | |
| 142.250.157.26 | alt1.gmail-smtp-in.l.google.com | United States | |
| 173.194.202.27 | alt2.gmail-smtp-in.l.google.com | United States | |
| 67.195.204.72 | mta5.am0.yahoodns.net | United States | |
| 67.195.228.110 | mta7.am0.yahoodns.net | United States | |
| 209.85.233.26 | gmail-smtp-in.l.google.com | United States | |
| 192.178.128.26 | alt4.gmail-smtp-in.l.google.com | United States | |
| 67.195.204.73 | mta6.am0.yahoodns.net | United States | |
Registry

| Path | Value | Malicious |
|---|---|---|
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs | |
| HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | tserv | |
Memdumps

| Base Address | Regiontype | Protect | Malicious |
|---|---|---|---|
| 68C000 | heap | page read and write | |
| 63B000 | heap | page read and write | |
| 67F000 | heap | page read and write | |
| 610000 | heap | page read and write | |
| 446000 | unknown | page readonly | |
| 9A000 | stack | page read and write | |
| 699000 | heap | page read and write | |
| 400000 | unknown | page readonly | |
| 3D80000 | trusted library allocation | page read and write | |
| 64D000 | heap | page read and write | |
| 575000 | heap | page read and write | |
| 630000 | heap | page read and write | |
| 1F0000 | heap | page read and write | |
| 67F000 | heap | page read and write | |
| 446000 | unknown | page readonly | |
| 400000 | unknown | page readonly | |
| 677000 | heap | page read and write | |
| 67A000 | heap | page read and write | |
| 66B000 | heap | page read and write | |
| 42E000 | unknown | page readonly | |
| 600000 | heap | page read and write | |
| 434000 | unknown | page readonly | |
| 1FA0000 | heap | page read and write | |
| 431000 | unknown | page write copy | |
| 1FA4000 | heap | page read and write | |
| 1F8E000 | stack | page read and write | |
| 664000 | heap | page read and write | |
| 67F000 | heap | page read and write | |
| 431000 | unknown | page read and write | |
| 464000 | unknown | page readonly | |
| 676000 | heap | page read and write | |
| 677000 | heap | page read and write | |
| 677000 | heap | page read and write | |
| 677000 | heap | page read and write | |
| 676000 | heap | page read and write | |
| 42E000 | unknown | page readonly | |
| 3A3F000 | stack | page read and write | |
| 464000 | unknown | page readonly | |
| 5BE000 | stack | page read and write | |
| 20E0000 | heap | page read and write | |
| 694000 | heap | page read and write | |
| 68C000 | heap | page read and write | |
| 676000 | heap | page read and write | |
| 570000 | heap | page read and write | |
| 673000 | heap | page read and write | |
| 434000 | unknown | page readonly | |
| 540000 | heap | page read and write | |
| 19C000 | stack | page read and write | |
| 401000 | unknown | page execute read | |
| 66E000 | heap | page read and write | |
| 550000 | heap | page read and write | |
| 57A000 | heap | page read and write | |
| 690000 | heap | page read and write | |
| 401000 | unknown | page execute read | |
| 20AF000 | stack | page read and write | |

45 further memdumps are not shown in this export.