Windows Analysis Report
file.msg.scr.exe

Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00413040	0_2_00413040
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_0040C070	0_2_0040C070
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00412800	0_2_00412800
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_004188E0	0_2_004188E0
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_0040D1C0	0_2_0040D1C0
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00408980	0_2_00408980
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_0040F990	0_2_0040F990
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00424278	0_2_00424278
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_0042C297	0_2_0042C297
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00413350	0_2_00413350
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00414310	0_2_00414310
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_0042C39F	0_2_0042C39F
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00424C0E	0_2_00424C0E
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_004184D0	0_2_004184D0
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00410680	0_2_00410680
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00413770	0_2_00413770
Source: C:\Windows\serv.exe	Code function: 2_2_00414310	2_2_00414310
Source: C:\Windows\serv.exe	Code function: 2_2_00413040	2_2_00413040
Source: C:\Windows\serv.exe	Code function: 2_2_0040C070	2_2_0040C070
Source: C:\Windows\serv.exe	Code function: 2_2_00412800	2_2_00412800
Source: C:\Windows\serv.exe	Code function: 2_2_004188E0	2_2_004188E0
Source: C:\Windows\serv.exe	Code function: 2_2_0040D1C0	2_2_0040D1C0
Source: C:\Windows\serv.exe	Code function: 2_2_00408980	2_2_00408980
Source: C:\Windows\serv.exe	Code function: 2_2_0040F990	2_2_0040F990
Source: C:\Windows\serv.exe	Code function: 2_2_00424278	2_2_00424278
Source: C:\Windows\serv.exe	Code function: 2_2_0042C297	2_2_0042C297
Source: C:\Windows\serv.exe	Code function: 2_2_00413350	2_2_00413350
Source: C:\Windows\serv.exe	Code function: 2_2_0042C39F	2_2_0042C39F
Source: C:\Windows\serv.exe	Code function: 2_2_00424C0E	2_2_00424C0E
Source: C:\Windows\serv.exe	Code function: 2_2_004184D0	2_2_004184D0
Source: C:\Windows\serv.exe	Code function: 2_2_00410680	2_2_00410680
Source: C:\Windows\serv.exe	Code function: 2_2_00413770	2_2_00413770
Source: C:\Windows\serv.exe	Code function: 2_2_10001470	2_2_10001470

Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: String function: 0042422C appears 46 times
Source: C:\Windows\serv.exe	Code function: String function: 0042422C appears 46 times

Source: C:\Windows\serv.exe

Code function: 2_2_0056184A NtQuerySystemInformation,

2_2_0056184A

Source: C:\Windows\serv.exe

Code function: 2_2_0041C400: DeviceIoControl,DeviceIoControl,

2_2_0041C400

Source: file.msg.scr.exe	ReversingLabs: Detection: 86%
Source: file.msg.scr.exe	Virustotal: Detection: 83%

Source: C:\Users\user\Desktop\file.msg.scr.exe

File read: C:\Users\user\Desktop\file.msg.scr.exe

Source: C:\Users\user\Desktop\file.msg.scr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\file.msg.scr.exe C:\Users\user\Desktop\file.msg.scr.exe
Source: C:\Users\user\Desktop\file.msg.scr.exe	Process created: C:\Windows\serv.exe C:\Windows\serv.exe s
Source: C:\Users\user\Desktop\file.msg.scr.exe	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\19F3.tmp
Source: C:\Windows\explorer.exe	Process created: C:\Windows\serv.exe "C:\Windows\serv.exe" s
Source: C:\Windows\serv.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1420
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1556
Source: C:\Windows\serv.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 1284
Source: C:\Users\user\Desktop\file.msg.scr.exe	Process created: C:\Windows\serv.exe C:\Windows\serv.exe s	Jump to behavior
Source: C:\Users\user\Desktop\file.msg.scr.exe	Process created: C:\Windows\SysWOW64\notepad.exe C:\Windows\System32\notepad.exe C:\Users\user\Desktop\19F3.tmp	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\serv.exe "C:\Windows\serv.exe" s	Jump to behavior

Source: C:\Windows\serv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: C:\Windows\serv.exe

Code function: 2_2_0041CB80 AdjustTokenPrivileges,AdjustTokenPrivileges,

2_2_0041CB80

Source: C:\Users\user\Desktop\file.msg.scr.exe

File created: C:\Users\user\Desktop\19F3.tmp

Source: C:\Windows\serv.exe

File created: C:\Users\user\AppData\Local\Temp\~28C3.tmp

Drops executables to the windows directory (C:\Windows) and starts them

Source: classification engine

Classification label: mal100.evad.winEXE@10/20@40/5

Source: C:\Windows\serv.exe

Code function: 2_2_0041B4F0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,

2_2_0041B4F0

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2748
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7028
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5796

Source: C:\Windows\serv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\serv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\serv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\serv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\serv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\serv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\serv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\serv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000004.00000000.598856572.00007FF883751000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000004.00000000.598856572.00007FF883751000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: eex.pdb source: explorer.exe, 00000004.00000000.598856572.00007FF883751000.00000020.00000001.01000000.0000000B.sdmp

Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00422920 push eax; ret	0_2_00422934
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00422920 push eax; ret	0_2_0042295C
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00424267 push ecx; ret	0_2_00424277
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_004232F0 push eax; ret	0_2_0042330E
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00434285 pushad ; ret	0_2_0043428B
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00434D58 push ds; ret	0_2_00434D6A
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00434614 push es; ret	0_2_0043461A
Source: C:\Windows\serv.exe	Code function: 2_2_00422920 push eax; ret	2_2_00422934
Source: C:\Windows\serv.exe	Code function: 2_2_00422920 push eax; ret	2_2_0042295C
Source: C:\Windows\serv.exe	Code function: 2_2_00424267 push ecx; ret	2_2_00424277
Source: C:\Windows\serv.exe	Code function: 2_2_004232F0 push eax; ret	2_2_0042330E
Source: C:\Windows\serv.exe	Code function: 2_2_00434285 pushad ; ret	2_2_0043428B
Source: C:\Windows\serv.exe	Code function: 2_2_00434D58 push ds; ret	2_2_00434D6A
Source: C:\Windows\serv.exe	Code function: 2_2_00434614 push es; ret	2_2_0043461A

Source: file.msg.scr.exe	Static PE information: section name: .Upack
Source: serv.exe.0.dr	Static PE information: section name: .Upack

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_0041F2B0 LoadLibraryA,GetProcAddress,

0_2_0041F2B0

Source: initial sample

Static PE information: section where entry point is pointing to: .Upack

Persistence and Installation Behavior

Source: C:\Windows\explorer.exe

Executable created and started: C:\Windows\serv.exe

Creates an undocumented autostart registry key

Source: C:\Windows\serv.exe	File created: C:\Windows\serv.dll	Jump to dropped file
Source: C:\Windows\serv.exe	File created: C:\Windows\SysWOW64\e1.dll	Jump to dropped file
Source: C:\Windows\serv.exe	File created: C:\Windows\SysWOW64\blacusrv.dll	Jump to dropped file
Source: C:\Windows\serv.exe	File created: C:\Windows\SysWOW64\nwprmp4s.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.msg.scr.exe	File created: C:\Windows\serv.exe	Jump to dropped file
Source: C:\Windows\serv.exe	File created: C:\Windows\SysWOW64\atmlmcia.dll	Jump to dropped file

Source: C:\Windows\serv.exe	File created: C:\Windows\serv.dll	Jump to dropped file
Source: C:\Windows\serv.exe	File created: C:\Windows\SysWOW64\e1.dll	Jump to dropped file
Source: C:\Windows\serv.exe	File created: C:\Windows\SysWOW64\blacusrv.dll	Jump to dropped file
Source: C:\Windows\serv.exe	File created: C:\Windows\SysWOW64\nwprmp4s.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.msg.scr.exe	File created: C:\Windows\serv.exe	Jump to dropped file
Source: C:\Windows\serv.exe	File created: C:\Windows\SysWOW64\atmlmcia.dll	Jump to dropped file

Boot Survival

Source: C:\Windows\serv.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows AppInit_DLLs

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.msg.scr.exe	RDTSC instruction interceptor: First address: 000000000040D1D0 second address: 000000000040D1DE instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+04h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [747817DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F166CBE1B3Eh 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+08h], eax 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.msg.scr.exe	RDTSC instruction interceptor: First address: 000000000040D1DE second address: 000000000040D1EC instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+08h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [747817DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F166CC3E24Eh 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+0Ch], eax 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.msg.scr.exe	RDTSC instruction interceptor: First address: 000000000040D1EC second address: 000000000040D1FA instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+0Ch], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [747817DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F166CBE1B3Eh 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+10h], eax 0x00000046 rdtsc
Source: C:\Windows\serv.exe	RDTSC instruction interceptor: First address: 000000000040D1D0 second address: 000000000040D1DE instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+04h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [747817DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F166CC3E24Eh 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+08h], eax 0x00000046 rdtsc
Source: C:\Windows\serv.exe	RDTSC instruction interceptor: First address: 000000000040D1DE second address: 000000000040D1EC instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+08h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [747817DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F166CBE1B3Eh 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+0Ch], eax 0x00000046 rdtsc
Source: C:\Windows\serv.exe	RDTSC instruction interceptor: First address: 000000000040D1EC second address: 000000000040D1FA instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+0Ch], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [747817DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F166CC3E24Eh 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+10h], eax 0x00000046 rdtsc
Source: C:\Windows\serv.exe	RDTSC instruction interceptor: First address: 000000000040D1D0 second address: 000000000040D1DE instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+04h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [747817DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F166CBE1B3Eh 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+08h], eax 0x00000046 rdtsc
Source: C:\Windows\serv.exe	RDTSC instruction interceptor: First address: 000000000040D1DE second address: 000000000040D1EC instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+08h], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [747817DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F166CC3E24Eh 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+0Ch], eax 0x00000046 rdtsc
Source: C:\Windows\serv.exe	RDTSC instruction interceptor: First address: 000000000040D1EC second address: 000000000040D1FA instructions: 0x00000000 rdtsc 0x00000002 xor eax, edx 0x00000004 xor dword ptr [esp+0Ch], eax 0x00000008 call esi 0x0000000a push ecx 0x0000000b call dword ptr [747817DCh] 0x00000011 mov edi, edi 0x00000013 push ebp 0x00000014 mov ebp, esp 0x00000016 push ecx 0x00000017 mov ecx, dword ptr [7FFE0004h] 0x0000001d mov dword ptr [ebp-04h], ecx 0x00000020 cmp ecx, 01000000h 0x00000026 jc 00007F166CBE1B3Eh 0x0000002c mov eax, 7FFE0320h 0x00000031 mov eax, dword ptr [eax] 0x00000033 mul ecx 0x00000035 shrd eax, edx, 00000018h 0x00000039 shr edx, 18h 0x0000003c mov esp, ebp 0x0000003e pop ebp 0x0000003f ret 0x00000040 pop ecx 0x00000041 ret 0x00000042 mov dword ptr [esp+10h], eax 0x00000046 rdtsc

Source: C:\Windows\serv.exe TID: 3248	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\serv.exe TID: 3248	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\serv.exe TID: 6312	Thread sleep time: -1500000s >= -30000s	Jump to behavior
Source: C:\Windows\serv.exe TID: 6312	Thread sleep time: -300000s >= -30000s	Jump to behavior

Source: C:\Windows\serv.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\e1.dll	Jump to dropped file
Source: C:\Windows\serv.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\nwprmp4s.exe	Jump to dropped file
Source: C:\Windows\serv.exe	Dropped PE file which has not been started: C:\Windows\SysWOW64\atmlmcia.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_0040B470 GetLocalTime followed by cmp: cmp word ptr [esp+000000a6h], ax and CTI: jbe 0040B8ECh		0_2_0040B470
Source: C:\Windows\serv.exe	Code function: 2_2_0040B470 GetLocalTime followed by cmp: cmp word ptr [esp+000000a6h], ax and CTI: jbe 0040B8ECh		2_2_0040B470

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_0040D1C0 rdtsc

0_2_0040D1C0

Source: C:\Windows\serv.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\serv.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\serv.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\serv.exe	Thread delayed: delay time: 300000	Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 808			Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 789			Jump to behavior

Source: C:\Windows\serv.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_2-17917
Source: C:\Users\user\Desktop\file.msg.scr.exe	Check user administrative privileges: GetTokenInformation,DecisionNodes			graph_0-17263

Source: C:\Windows\serv.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_00429AAE VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,

0_2_00429AAE

Source: C:\Windows\serv.exe

Code function: 2_2_0041BF10 FindFirstFileA,FindFirstFileA,

2_2_0041BF10

Source: C:\Windows\serv.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\serv.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\serv.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\serv.exe	Thread delayed: delay time: 300000	Jump to behavior

Source: C:\Windows\serv.exe

API call chain: ExitProcess graph end node

graph_2-17716

Source: serv.exe, 00000002.00000002.619386525.0000000003960000.00000004.00000020.00020000.00000000.sdmp, serv.exe, 00000005.00000002.632674724.00000000039C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: j0VPxfzBfBRCCNCxQY+G18LPut61YEnGroLkFwV2l+2uW9zoLcpZoVQbA7ubv05ht51fghGFSY95
Source: explorer.exe, 00000004.00000000.590359778.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000006
Source: explorer.exe, 00000004.00000000.590359778.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000002.817185523.00000000059F0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b
Source: explorer.exe, 00000004.00000000.590359778.0000000008394000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: serv.exe, 00000005.00000002.632910417.0000000003B07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FVod6AupIN+wL5mA0eLpKSVu5uNLKojhOjEY/AoxaOlRZnHgTyrYX4D9PlWlJmvQ2vmcID9mVYbo
Source: explorer.exe, 00000004.00000003.804541404.000000000CDEC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: _VMware_SATA_CD00#5&
Source: serv.exe, 00000002.00000002.619843375.0000000003BD0000.00000004.00000020.00020000.00000000.sdmp, serv.exe, 00000005.00000002.632674724.00000000039C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: t51fghGFSY95FvQE0CpakBsxrc9hAQNL/xRPDsUTza1t2FWY59JmD2nD5vC8VK8eSKdIslASec8B
Source: explorer.exe, 00000004.00000000.590359778.000000000830B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000000
Source: serv.exe, 00000002.00000002.614445263.0000000000636000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_0041F2B0 LoadLibraryA,GetProcAddress,

0_2_0041F2B0

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_0041AC50 GetProcessHeap,

0_2_0041AC50

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_0040D1C0 rdtsc

0_2_0040D1C0

Source: C:\Windows\serv.exe

Process token adjusted: Debug

Source: C:\Windows\serv.exe

System information queried: KernelDebuggerInformation

Injects files into Windows application

Source: C:\Windows\SysWOW64\WerFault.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00423F8A SetUnhandledExceptionFilter,	0_2_00423F8A
Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: 0_2_00423F9E SetUnhandledExceptionFilter,	0_2_00423F9E
Source: C:\Windows\serv.exe	Code function: 2_2_00423F8A SetUnhandledExceptionFilter,	2_2_00423F8A
Source: C:\Windows\serv.exe	Code function: 2_2_00423F9E SetUnhandledExceptionFilter,	2_2_00423F9E

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\notepad.exe

Injected file: C:\Users\user\Desktop\19F3.tmp was created by C:\Users\user\Desktop\file.msg.scr.exe

Writes to foreign memory regions

Source: C:\Windows\serv.exe

Memory written: C:\Windows\explorer.exe base: 2A90000

Allocates memory in foreign processes

Source: C:\Windows\serv.exe

Memory allocated: C:\Windows\explorer.exe base: 2A90000 protect: page read and write

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\serv.exe

Memory written: PID: 3528 base: 2A90000 value: 65

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_004215C0 AllocateAndInitializeSid,AllocateAndInitializeSid,AllocateAndInitializeSid,

0_2_004215C0

Source: explorer.exe, 00000004.00000002.810138099.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.578801665.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Managerzx
Source: explorer.exe, 00000004.00000002.835566370.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.676330356.000000000834F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.590359778.000000000834F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.810138099.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.578801665.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.578659152.00000000009C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.809652496.00000000009C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanath
Source: explorer.exe, 00000004.00000002.810138099.0000000000E50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.578801665.0000000000E50000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\serv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\notepad.exe	Queries volume information: C:\Users\user\Desktop\19F3.tmp VolumeInformation	Jump to behavior
Source: C:\Windows\serv.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.msg.scr.exe	Code function: GetLocaleInfoA,		0_2_004298A2
Source: C:\Windows\serv.exe	Code function: GetLocaleInfoA,		2_2_004298A2

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_004122F0 GetLocalTime,

0_2_004122F0

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_0040B470 GetLocalTime,GetTimeZoneInformation,

0_2_0040B470

Source: C:\Users\user\Desktop\file.msg.scr.exe

Code function: 0_2_0041B250 GetVersionExA,

0_2_0041B250

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	121 Masquerading	1 Input Capture	12 System Time Discovery	Remote Services	1 Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	42 Process Injection	41 Virtualization/Sandbox Evasion	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	11 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	42 Process Injection	NTDS	3 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	124 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.msg.scr.exe	86%	ReversingLabs	Win32.Worm.Stration
file.msg.scr.exe	83%	Virustotal		Browse
file.msg.scr.exe	100%	Avira	WORM/Stration.C
file.msg.scr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\SysWOW64\e1.dll	100%	Avira	TR/Crypt.XPACK.Gen
C:\Windows\SysWOW64\nwprmp4s.exe	100%	Avira	TR/Crypt.XPACK.Gen
C:\Windows\SysWOW64\blacusrv.dll	100%	Avira	TR/PWS.Sinowal.Gen5
C:\Windows\serv.exe	100%	Avira	WORM/Stration.C
C:\Windows\SysWOW64\atmlmcia.dll	100%	Avira	WORM/Stration.Gen
C:\Windows\serv.dll	100%	Avira	TR/Crypt.XPACK.Gen
C:\Users\user\AppData\Local\Temp\~E54A.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\~BD02.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\~E5B8.tmp	100%	Joe Sandbox ML
C:\Windows\SysWOW64\nwprmp4s.exe	100%	Joe Sandbox ML
C:\Windows\serv.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\~28C3.tmp	100%	Joe Sandbox ML
C:\Windows\SysWOW64\atmlmcia.dll	83%	ReversingLabs	Win32.Worm.Stration
C:\Windows\SysWOW64\blacusrv.dll	68%	ReversingLabs	Win32.Worm.Stration
C:\Windows\SysWOW64\e1.dll	76%	ReversingLabs	Win32.Worm.Stration
C:\Windows\SysWOW64\nwprmp4s.exe	78%	ReversingLabs	Win32.Worm.Warezov
C:\Windows\serv.dll	84%	ReversingLabs	Win32.Worm.Stration
C:\Windows\serv.exe	86%	ReversingLabs	Win32.Worm.Stration

Domains

Source	Detection	Scanner	Label	Link
mta6.am0.yahoodns.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro	0%	URL Reputation	safe
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov	0%	URL Reputation	safe
http://www4.ertinmdesachlion.com/chr/tdg/lt.exe)	0%	Avira URL Cloud	safe
http://www6.ertinmdesachlion.com/chr/tdg/nt.exeT	0%	Avira URL Cloud	safe
http://www4.ertinmdesachlion.com/chr/tdg/lt.exe7	0%	Avira URL Cloud	safe
http://www4.ertinmdesachlion.com/chr/tdg/lt.exen	0%	Avira URL Cloud	safe
http://www6.ertinmdesachlion.com/	0%	Avira URL Cloud	safe
http://www4.ertinmdesa-k	0%	Avira URL Cloud	safe
http://www4.ertinmdesachlion.com/chr/tdg/lt.exea	0%	Avira URL Cloud	safe
http://www4.ertinmdesachlion.com/chr/tdg/lt.exeX	0%	Avira URL Cloud	safe
http://www6.ertinmdesachlion.com/chr/tdg/nt.exe	0%	Avira URL Cloud	safe
http://www4.ertinmdesachlion.com/chr/tdg/lt.exeg	0%	Avira URL Cloud	safe
http://www4.ertinmdesachlion.com/chr/tdg/lt.exe	0%	Avira URL Cloud	safe
http://www4.ertinmdesachlionY	0%	Avira URL Cloud	safe
http://www6.ertinmdesachlion.com/r	0%	Avira URL Cloud	safe
http://www4.ertinmdesachlion.com/chr/tdg/lt.exe=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mta6.am0.yahoodns.net	67.195.228.106	true	false	0%, Virustotal, Browse	unknown
alt4.gmail-smtp-in.l.google.com	142.250.157.27	true	false		high
alt3.gmail-smtp-in.l.google.com	74.125.200.27	true	false		high
mta7.am0.yahoodns.net	67.195.204.79	true	false		unknown
gmail-smtp-in.l.google.com	142.250.27.26	true	false		high
mta5.am0.yahoodns.net	67.195.228.110	true	false		unknown
alt1.gmail-smtp-in.l.google.com	142.251.9.27	true	false		high
alt2.gmail-smtp-in.l.google.com	142.250.150.26	true	false		high
hotmail-com.olc.protection.outlook.com	104.47.18.161	true	false		high
hotmail.com	unknown	unknown	false		high
www4.ertinmdesachlion.com	unknown	unknown	false		unknown
gmail.com	unknown	unknown	false		high
www6.ertinmdesachlion.com	unknown	unknown	false		unknown
www3.ertinmdesachlion.com	unknown	unknown	false		unknown
yahoo.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www4.ertinmdesachlion.com/chr/tdg/lt.exe)	serv.exe, 00000002.00000002.614445263.0000000000636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www4.ertinmdesachlion.com/chr/tdg/lt.exeg	serv.exe, 00000002.00000002.614445263.0000000000636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www4.ertinmdesa-k	serv.exe, 00000002.00000003.602430085.00000000006C5000.00000004.00000020.00020000.00000000.sdmp, serv.exe, 00000002.00000002.614445263.00000000006C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www6.ertinmdesachlion.com/chr/tdg/nt.exeT	serv.exe, 00000002.00000002.614445263.0000000000636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro	explorer.exe, 00000004.00000000.599025218.00007FF883839000.00000002.00000001.01000000.0000000B.sdmp	false	URL Reputation: safe	unknown
http://www4.ertinmdesachlion.com/chr/tdg/lt.exen	serv.exe, 00000005.00000002.631240133.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www6.ertinmdesachlion.com/	serv.exe, 00000002.00000002.614445263.0000000000636000.00000004.00000020.00020000.00000000.sdmp, serv.exe, 00000005.00000002.631240133.00000000006D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov	explorer.exe, 00000004.00000000.599025218.00007FF883839000.00000002.00000001.01000000.0000000B.sdmp	false	URL Reputation: safe	unknown
http://www4.ertinmdesachlion.com/chr/tdg/lt.exeX	serv.exe, 00000005.00000002.631240133.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www4.ertinmdesachlion.com/chr/tdg/lt.exe7	serv.exe, 00000002.00000002.614445263.0000000000636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www6.ertinmdesachlion.com/chr/tdg/nt.exe	serv.exe, 00000002.00000002.614445263.0000000000636000.00000004.00000020.00020000.00000000.sdmp, serv.exe, 00000005.00000002.631240133.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www4.ertinmdesachlion.com/chr/tdg/lt.exea	serv.exe, 00000005.00000002.631240133.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www4.ertinmdesachlionY	serv.exe, 00000005.00000002.631240133.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www4.ertinmdesachlion.com/chr/tdg/lt.exe=	serv.exe, 00000002.00000002.614445263.0000000000636000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www6.ertinmdesachlion.com/r	serv.exe, 00000005.00000002.631240133.00000000006D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www4.ertinmdesachlion.com/chr/tdg/lt.exe	serv.exe, 00000005.00000002.631240133.00000000006BE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.47.18.161	hotmail-com.olc.protection.outlook.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.150.26	alt2.gmail-smtp-in.l.google.com	United States	15169	GOOGLEUS	false
67.195.204.79	mta7.am0.yahoodns.net	United States	26101	YAHOO-3US	false
142.250.27.26	gmail-smtp-in.l.google.com	United States	15169	GOOGLEUS	false
67.195.204.74	unknown	United States	26101	YAHOO-3US	false

General Information

Joe Sandbox Version:	37.1.0 Beryl
Analysis ID:	877404
Start date and time:	2023-05-29 12:07:32 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.msg.scr.exe
Detection:	MAL
Classification:	mal100.evad.winEXE@10/20@40/5
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 50.3% (good quality ratio 49.5%) Quality average: 80.9% Quality standard deviation: 25.4%
HCA Information:	Successful, ratio: 98% Number of executed functions: 95 Number of non-executed functions: 110
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, WerFault.exe, svchost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:08:47	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run serv C:\Windows\serv.exe s
12:08:56	API Interceptor	12x Sleep call for process: serv.exe modified
12:09:00	API Interceptor	657x Sleep call for process: explorer.exe modified

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\Temp\WER74D4.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 29 10:08:59 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	141644
Entropy (8bit):	1.9457814315262165
Encrypted:	false
SSDEEP:	384:bKr9RMa6C1zmmI00Gl7G2NwSpYOvFWx+KA9gXzukEG58sTZFkC:bq6C1zmjOI2jNnzYEG58UQC
MD5:	8D4F1D767429957FC73BA90097181CE1
SHA1:	A2DA38628B970DCEB6F36051453BB54723C6065E
SHA-256:	965ED945CB3453F87CC5BCEAD91877910E45B0291653E4521F94E559FB0625B6
SHA-512:	D53FD13A9D9B7DDB341BF0CC540B95179CD64B5795399ED85A74CF40CC6B98C01092F30996D35D24CF92379DC8943A07688606E11A277DA165064556EAB3B867
Malicious:	false
Reputation:	low
Preview:	MDMP....... ........ytd.........................................W..........T.......8...........T...........P8...........................!...................................................................U...........B......."......GenuineIntelW...........T.......t....ytd.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7794.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6258
Entropy (8bit):	3.7167755787887926
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiek6E8YgIStwI+pDZ89bawsfw+m:RrlsNiV6E8YgISNaDfQ
MD5:	E54ECD38EFC0DA31845DC748690C64D2
SHA1:	E60450FE873CD3A20E0333E3592A5783F5C97E44
SHA-256:	048DE83F1AC551059FAE2218C3BA9AC622B40EE8C97A9FAC746967ADDB30C1B6
SHA-512:	9FB781AF6CCCAE0E29342D75CF1683EAEB80855CD3338787E3B5D2CDB484CBFA841C52174C90BA0A758D4F2107DFDFA42E7D45120C648D7B7EF115CCF84A548B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.2.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7A43.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon May 29 10:09:00 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	326836
Entropy (8bit):	1.5174235239024396
Encrypted:	false
SSDEEP:	768:FrwUIQvB6BDpeAsX3tl/EAPZSf5YpHP4u7dlukj:zImIBD7sXr/EAcfepv4uDtj
MD5:	66F5EC7AF7AB83225F1FE41DDC72EC32
SHA1:	6337BF2D63D3F3002E178E91DF309F936D5DE06B
SHA-256:	6FECE78AF9792211FB04B9403BB1A3DCD2D68A62D30AE467B1349A99084B82DB
SHA-512:	F161BE210EA21FCD4759FCF59A7214DAEE3D6D58F2FD06189A03E2A3C36EAEC7D60780BAEAB49E3A4325F5BCD2D29DF0D2BE57AFE97FD5013B95F0B0F7935F14
Malicious:	false
Preview:	MDMP....... ........ytd....................................................P>..........`.......8...........T............=...............!...........#...................................................................U...........B......4$......GenuineIntelW...........T............ytd.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7DBE.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8372
Entropy (8bit):	3.6949145472657356
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiCB6Gg6Y+26ccgmf+5ASlO+pDB89bvJsfVsFm:RrlsNi06Gg6Yn6ccgmf+6SmvifVj
MD5:	5E2E31121CB671D58B7E8B0D10B028CE
SHA1:	9BB3F10E89943CF30D942F2E4164380711B01BEB
SHA-256:	2BCC303EB7F28ACDDB7634B41753FD25994B4C8C2DEF12A5B735016644E3A89A
SHA-512:	0FA94886D71B216525D62E198799B5A58B8E8A638ACB67F3BE47028BB42310F810EC1A4F2239DFCFCDDF2A7F285DF9BB01B6D5362A6793D9FC1FA6EAC9A9EFEB
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9B67.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon May 29 10:09:09 2023, 0x1205a4 type
Category:	dropped
Size (bytes):	129382
Entropy (8bit):	1.8442376646649499
Encrypted:	false
SSDEEP:	384:ClCJzSV8WRkzwPsawwF4qYjq+JZNvI/U3i/iYoml:aChWRkzys5J9lZN5eDl
MD5:	7ED40E1C406653AD1606CF7575D863F8
SHA1:	C7B1E0F197E6C8AF9B8B6EB6CD728C6E0CBA3743
SHA-256:	EBCC9AC4238E25FD43C98D85F2708375BF1B726219ADC1F13134F36977B15FC3
SHA-512:	2E46CC64964164690392890FED455AFAFD4564B65BEA2D1C935BA0D77608666ECF27C557A907B2E03FF535AA0464831C68588BBC4AC895E84F9F5C5882B1BB01
Malicious:	false
Preview:	MDMP....... ........ytd.........................................V..........T.......8...........T............5..............(............!...................................................................U...........B.......!......GenuineIntelW...........T............ytd............................. ..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9E56.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.6938876891401122
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiWB6IS6YeZSUjgmfgISAB3Dh+pDw89bevO3sf5Hqm:RrlsNio6X6YQSUjgmfgISqMe1fV
MD5:	067E371E1835B896EE1C3315A06A3772
SHA1:	C9AC7165DB1F7B88E11228D90BE96FF0074DB139
SHA-256:	52B58007F989C9B94541C77B48FAEE9502074CCAA528219C3F786598864643F1
SHA-512:	0FD5D231720BA21EF24340A4C550663101BBA5D377020C29CB516CEF8E5B3E5557D9114FE636CB581C44AEFBA75434A2FA7B64A92D755B479812A63EBE84AA19
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.7.9.6.<./.P.i.d.>.......

C:\Users\user\AppData\Local\Temp\~28C3.tmp

Process:	C:\Windows\serv.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	276498
Entropy (8bit):	7.9975652725042785
Encrypted:	true
SSDEEP:	6144:GHBMAf/u4bsMrM85vTtcK79Ibuwf8twej93OIXumeBi:GHOQu4ntvT579Nwf8tLJ3OIX2Bi
MD5:	8C3F3B9C4DC0ACB40834A23BBEAA359D
SHA1:	E0499EEFDF5428AB47A9A644B6BCF4D5A7E762B6
SHA-256:	9FD510468E5382EE45DCA9E7A75B25BCC4A84FA3C832E236B71DDF62085053D5
SHA-512:	6B197BA92213AB55688BBF5D7B18CB011DA6E59A03418C5BFA477A7765F98EF3856C3A803CCD9EFBBB4074AE7693761783FE5C26FB30940AC7F52356805C2515
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK............4j...7..........docs.elm.pif..x...?............Y5...D..j.$D......I.@..&......fs....j.Vk?..U....I..A..h...@@...Q...f.Mv..i...^.{.&...g...:s...7M.....<~\zv...}.-....&..7.v....&.Wv{y..p`.M}...K_\|..w..;.q.....o....?.p....I..=..6>..CL>....ACK...?..P..A.5...>..\|N.e.. "..W_..-..R$..Ke(..R..`.?....6..Fi..v.)....~..{.\|O..).=..........S.{.\|O..).=...O....Q......t.......Z...}....;mU.gU....T.5=aw`.........1>......?.c^..._...-..sp...c.\...N.(7..l+RL......_.....t..]..4{..?F.J.o.[..ZQ3..#F.6..hm..M.]....w....2..G...._y.....O....(.[..ET{.w...8.....eux.E.6m.3I.sr..}S..e..f....1x..&M.....&......C0...M5...J........f...GJO.J.F......G..Z...t.....8.W.wp.3U<...h6i......Z...($..S.-........,..H..Dw.SkT........i0..@.....X....`..X....L\.+..fc...m.......(.......$........(... g.Ak...g...+.R....4.0O\|.b....I%m.q9.f9.r..\|...7.gQaAr.....&..C..js.fmsB.w.6...h{F.......w..F../.g..Z.<o.J#./.z....\|NK../..^....<.m.;0..D}..5<..R..g....6Bl...}......}....}3.

C:\Users\user\AppData\Local\Temp\~BD02.tmp

Process:	C:\Windows\serv.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	276516
Entropy (8bit):	7.997566441979322
Encrypted:	true
SSDEEP:	6144:dHBMAf/u4bsMrM85vTtcK79Ibuwf8twej93OIXumeBt:dHOQu4ntvT579Nwf8tLJ3OIX2Bt
MD5:	0E49465623E5E4A2A26AD0FEC568E0A9
SHA1:	09C97E6B700CA11FFCD634C491D291E066714094
SHA-256:	BB9C12E885EA9A0ACA1A936D00DCD9872AF00071069318A443A5865C2F175E78
SHA-512:	E846871BF44DEE4142E3E1E4CA2A0CBAC694293C4FCFC7E7A83F391858DF1746AC203A3AF7EC79FCCF83C805C828A7DF21B2593C41A5549A0CCA6558812DBA5F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK............k..u.7..........Update-KB1015-x86.exe..x...?............Y5...D..j.$D......I.@..&......fs....j.Vk?..U....I..A..h...@@...Q...f.Mv..i...^.{.&...g...:s...7M.....<~\zv...}.-....&..7.v....&.Wv{y..p`.M}...K_\|..w..;.q.....o....?.p....I..=..6>..CL>....ACK...?..P..A.5...>..\|N.e.. "..W_..-..R$..Ke(..R..`.?....6..Fi..v.)....~..{.\|O..).=..........S.{.\|O..).=...O....Q......t.......Z...}....;mU.gU....T.5=aw`.........1>......?.c^..._...-..sp...c.\...N.(7..l+RL......_.....t..]..4{..?F.J.o.[..ZQ3..#F.6..hm..M.]....w....2..G...._y.....O....(.[..ET{.w...8.....eux.E.6m.3I.sr..}S..e..f....1x..&M.....&......C0...M5...J........f...GJO.J.F......G..Z...t.....8.W.wp.3U<...h6i......Z...($..S.-........,..H..Dw.SkT........i0..@.....X....`..X....L\.+..fc...m.......(.......$........(... g.Ak...g...+.R....4.0O\|.b....I%m.q9.f9.r..\|...7.gQaAr.....&..C..js.fmsB.w.6...h{F.......w..F../.g..Z.<o.J#./.z....\|NK../..^....<.m.;0..D}..5<..R..g....6Bl...}.....

C:\Users\user\AppData\Local\Temp\~E54A.tmp

Process:	C:\Windows\serv.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	276498
Entropy (8bit):	7.997564568005335
Encrypted:	true
SSDEEP:	6144:9HBMAf/u4bsMrM85vTtcK79Ibuwf8twej93OIXumeBD:9HOQu4ntvT579Nwf8tLJ3OIX2BD
MD5:	532C7902F31D9896DF376634B616E627
SHA1:	8DE7CBEEFB0F8C9EA0A5ACFAE832ACBFCBBAE556
SHA-256:	0D0148245E80C77869B19A9F0F4E8960267D7FC0936EC1160B70C583126D2F08
SHA-512:	6AE828D74CA9995054497CA377D1724B57CB5CEF7EB6D8C764ECBAAAF69D1B9CED8E7E94CB0D725FC9E22C29F1305D76776F0660D17A2B82F80B65015CE457A1
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK............4j...7..........docs.txt.scr..x...?............Y5...D..j.$D......I.@..&......fs....j.Vk?..U....I..A..h...@@...Q...f.Mv..i...^.{.&...g...:s...7M.....<~\zv...}.-....&..7.v....&.Wv{y..p`.M}...K_\|..w..;.q.....o....?.p....I..=..6>..CL>....ACK...?..P..A.5...>..\|N.e.. "..W_..-..R$..Ke(..R..`.?....6..Fi..v.)....~..{.\|O..).=..........S.{.\|O..).=...O....Q......t.......Z...}....;mU.gU....T.5=aw`.........1>......?.c^..._...-..sp...c.\...N.(7..l+RL......_.....t..]..4{..?F.J.o.[..ZQ3..#F.6..hm..M.]....w....2..G...._y.....O....(.[..ET{.w...8.....eux.E.6m.3I.sr..}S..e..f....1x..&M.....&......C0...M5...J........f...GJO.J.F......G..Z...t.....8.W.wp.3U<...h6i......Z...($..S.-........,..H..Dw.SkT........i0..@.....X....`..X....L\.+..fc...m.......(.......$........(... g.Ak...g...+.R....4.0O\|.b....I%m.q9.f9.r..\|...7.gQaAr.....&..C..js.fmsB.w.6...h{F.......w..F../.g..Z.<o.J#./.z....\|NK../..^....<.m.;0..D}..5<..R..g....6Bl...}......}....}3.

C:\Users\user\AppData\Local\Temp\~E5B8.tmp

Process:	C:\Windows\serv.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	modified
Size (bytes):	276516
Entropy (8bit):	7.997566274861564
Encrypted:	true
SSDEEP:	6144:8HBMAf/u4bsMrM85vTtcK79Ibuwf8twej93OIXumeBe:8HOQu4ntvT579Nwf8tLJ3OIX2Be
MD5:	83D439D405946C51436F969E8FFB2240
SHA1:	02F6F05A69D25EBB9998969434719306727C3EE8
SHA-256:	6A34AEE57AE1A06A14D7D1E1D5659983A33CF859C80202CC31FAF24E38DF3ABB
SHA-512:	78CF1736188DCEC0211B285FBBD84FB619DC1CF043D5CAD151A629B6624EACBF3FB1E4C91D0871D5AFB167B4C7B11EBFC0AAB4D2F922F025ABC8FAEDB5950F1C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	PK............k..u.7..........Update-KB1500-x86.exe..x...?............Y5...D..j.$D......I.@..&......fs....j.Vk?..U....I..A..h...@@...Q...f.Mv..i...^.{.&...g...:s...7M.....<~\zv...}.-....&..7.v....&.Wv{y..p`.M}...K_\|..w..;.q.....o....?.p....I..=..6>..CL>....ACK...?..P..A.5...>..\|N.e.. "..W_..-..R$..Ke(..R..`.?....6..Fi..v.)....~..{.\|O..).=..........S.{.\|O..).=...O....Q......t.......Z...}....;mU.gU....T.5=aw`.........1>......?.c^..._...-..sp...c.\...N.(7..l+RL......_.....t..]..4{..?F.J.o.[..ZQ3..#F.6..hm..M.]....w....2..G...._y.....O....(.[..ET{.w...8.....eux.E.6m.3I.sr..}S..e..f....1x..&M.....&......C0...M5...J........f...GJO.J.F......G..Z...t.....8.W.wp.3U<...h6i......Z...($..S.-........,..H..Dw.SkT........i0..@.....X....`..X....L\.+..fc...m.......(.......$........(... g.Ak...g...+.R....4.0O\|.b....I%m.q9.f9.r..\|...7.gQaAr.....&..C..js.fmsB.w.6...h{F.......w..F../.g..Z.<o.J#./.z....\|NK../..^....<.m.;0..D}..5<..R..g....6Bl...}.....

C:\Users\user\AppData\Local\VirtualStore\Windows\serv.wax

Process:	C:\Windows\serv.exe
File Type:	data
Category:	dropped
Size (bytes):	1720
Entropy (8bit):	2.9443214183274753
Encrypted:	false
SSDEEP:	24:PEAoPiVaynbXzfwGDmRfN44EKtZHtvApY4msstHt5hstMDMH:L1xmEKbCsheX
MD5:	DAF6904E09A281426953488E6F928E38
SHA1:	F7393E365155A5766387CE4C001853705597B41D
SHA-256:	571779D9E292690080C85B71DBCE49ADF705F4365B633A310470DE39B5DD3EC5
SHA-512:	B2F2B42A0A85C2BC268A139E841842C93E7EE23F9576D41E91C87AD496BB7049A206DCFFBDB37AE989EA60622491C4314DBCD937CBBDF748EFEB4C1A57958FEF
Malicious:	false
Preview:	m@msn.com...............................a_e@msn.com.............................1@msn.com...............................q@msn.com...............................b_xyz@msn.com...........................cq_yoyo@msn.com.........................mak@aol.com.............................wagnerkd@wxyz.com.......................z_y@quatro.br...........................fa@animo.br.............................e_p@pirajui.br..........................y_karaoke@musical.com.br................pedro_xy@contoso.com.br.................will_k@xyz.com..........................an@xyz.com.br...........................ruy@contoso.com.pt......................y_z@x.com.pt............................katy_x@contoso.com.pt...................kelly@contoso.com.pt....................m_kywx@kywx.com.pt......................malgosia_lv4@aaw.pl.....................adad_1976@griepp.pl.....................vojtek_657@oopp.pl......................aqv_968@wewew.pl........................adavex_467@riekk.pl.....................

C:\Users\user\Desktop\19F3.tmp

Process:	C:\Users\user\Desktop\file.msg.scr.exe
File Type:	data
Category:	dropped
Size (bytes):	63069
Entropy (8bit):	6.642470375761558
Encrypted:	false
SSDEEP:	1536:36xA6fx7GwbzrhAF9NuCPusA5n5/lt/9/Y06l+veW5NK:n6VGwbzrU/uCPolNP/9C+veWrK
MD5:	815DF5397E724F17E251D3C5D9B59F34
SHA1:	D26AB6063CAEA15050CFBF618109873854847118
SHA-256:	B0B3D443D410716CBFA04AC65106CE8377B56B1B01391396B1D41B54FA72ECD3
SHA-512:	75C9D32F9E952FF806E5C789A12EF3E8B6E252FDB6499AAAED8C5F1968E2D24CBA5FF1DDE81EFFC94E5F2A50B877941675DED86556EC5E61323B66A0902357F0
Malicious:	true
Preview:	.skMha~D>C2C }K}!3&]/..86)=XZS~h6fshg.ik\|`X)TZxN#WOOz@?wo!:gzKgt71kT@B=HupM9+4V9Kad2Wl(W6Zc2qRjr?ku1A`.6,<aPlRSNzr11NE3JfnGI7Jo\|nPy3kt^`..slRcp.JW-rlolBS/[z>V8viFU64\$Q?,b84hj;(C..Bn^B.>o,lZRr3oh#3i~..Dg3@#`}uuzXINumg>D.2!)(B~_q.QCiUfu=.jgECfEK]=5e3Yu.BT. ._#&K&x"+4_D2SFH++FnOTFBc>zhT0jGySUp.D\.g9~gwhdp3V/-ns{y$LRY.Wulya))u96(U"AkK[.[6jEb!ZHtU%1LprD6]gG;5.ur.&zp-.UA9H)p;8w!pxa).EIj(+%#PH}.6.yB49{S=#a\|T.f3v=.a0;E$p<Xn7p+?LS%V[>"39.~M'.,R/B,8`mi_g,wec,-0VO- HU8\TQA={)Pp=d0<+O.?-iM4L%%Y&Y{X#}XcE}Vm}5iq]H1D_S^YE9IY-<[I^.8ng0@!OC\en~ ?H4yULR(M.GX.l.L)w1+~-oxPr0bM>n4(PT'qj\O}7wbJA0dBb_=,ME)RlUWn03r.jI,l`B1?fqb^7\|q..{a_vYQ^00l{U3$9FePH`L1q.z^$,>TO:15,#Tuo51.+N=Thxg1EAE2,1;ED2K'h+.Gn{}dV3-/Ic~d$].kNn"N4=E>pzVM{$z`\|HhJ=L\vJ+.\|n`FM ba-.:dFzWK`ZPHtBEfRz5[S8odPMO4zaPYl<cPzHkscWM!`h,!MzE`UM\P#mN#e[1+:vE1DJk.Ty?U7f. {H#yO_h9%NYY(i)3.X9fs)cDz.fDCMr&1pQ<I;0.PGZQ71LD.Cd)W$ iKtf(5U$@ep]NAhv)Nfc\|Yr;C{^YQdn0}]"/@}t.{HCnQ"fu&;bU6FNc:d'dx`"3-8ZCHnE3(lf_4?.G.E>poF_:PajP~[C2z<KB>hWqHLJ\|I^>.+"o^9g/q(jf)<.3

C:\Windows\SysWOW64\atmlmcia.dll

Process:	C:\Windows\serv.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.954945363563141
Encrypted:	false
SSDEEP:	384:6cUYkTFUBS5rCyg4XnAeeyi+XwdeZgSIANmvsV:6rJTR5RXAn+Xwde2SgS
MD5:	7D405426D1269886B6E5A9C2F5AB3D0D
SHA1:	E08EB10BA21788339C29012B8BCDCDE19ADA9C36
SHA-256:	EF7E96EF6888779E7933A50634EF3A549551B169A47D2BE349BC51C42AA20D89
SHA-512:	950E49DD3696C3D16F4F64DD8716C24837EC2B7DB4A4BF6E76AC640193E4C748EE4153F692D9AE6C4FF55B433EAFC7A3870A385C191518147926370A94BEFCA5
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 83%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q..0...0...0...8.0..*8.0...0...0...<.0...<..0...<...0..Rich.0..........................PE..L....D E...........!.....@... ...............P...............................p...............................................D..(............................`..(....................................................................................text... 5.......@.................. ..`.data........P.......P..............@....reloc..L....`.......`..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\blacusrv.dll

Process:	C:\Windows\serv.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	4.228079937892066
Encrypted:	false
SSDEEP:	192:Fl3ZPq9/F2YvlLnXDYN11YytrfBtZiJEb2O+uXZzoe6oEQ:b1qFFBbTSYy5RiJkWwZzo5
MD5:	B24AB6D11D6C5EDF242C8448B2E6054A
SHA1:	CE74EB0F0B5A6BC02EE40E40CA366D522B950DE4
SHA-256:	E1DE14BDCCCD532FB682AD253151021E56615CC86FD716F638CB6A3F4164F3EC
SHA-512:	72BBBE1BA406B4371D3291907B17228CAC42DCC1EBAC00BDD84C04E66482AB5E33D5146FE211AD58310DFA4FA343F9518F43EE65F9ECAC2CC6D6B80CB031BD60
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................n..............................................Rich....................PE..L....D E...........!.....0... ......`........@...............................`.......................................8..i....8..(............................P.......................................................................................text...Y).......0.................. ..`.data...]....@......................@....reloc.......P.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\e1.dll

Process:	C:\Windows\serv.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.606307481561592
Encrypted:	false
SSDEEP:	192:Q8mKp+1Rn9Gy25CdalzqKRfPy1dW93ne:QhR1XG/5CwzCS8
MD5:	53D0FF71BEC705351C27389F2A867843
SHA1:	9F92B05AE22F3148E67639BEC3AA7F15BA61E495
SHA-256:	E02CB24FBB6CDF0F7181D0071A1FE06A95B924469F44C6ECD67D26097408D0B9
SHA-512:	FAA5D93D77964BA16421BDAFD2B45925B9A6DC557CA04437EB42B2EE01AD5399DF2370DD1900A2BC3383FF3DA908D2861D29E3748342B7AB5C004534D2C8935F
Malicious:	true
Yara Hits:	Rule: SUSP_Imphash_Mar23_3, Description: Detects imphash often found in malware samples (Maximum 0,25% hits with search for \'imphash:x p:0\' on Virustotal) = 99,75% hits, Source: C:\Windows\SysWOW64\e1.dll, Author: Arnim Rupp (https://github.com/ruppde)
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.E.a.+.a.+.a.+...v.b.+.a.*.c.+.d.K.`.+.d.t.c.+.d.q.`.+.Richa.+.................PE..L...}D E...........!................U........0...............................P...............................................&..(............................@.......................................................................................text............................... ..`.data........0......................@....reloc..H....@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\SysWOW64\nwprmp4s.exe

Process:	C:\Windows\serv.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	4.945864297139177
Encrypted:	false
SSDEEP:	96:fpLp7x39pA7kJpQwea/cXMZnvUhvcu9fPciarvscBITvTmO111tjc1xoEhqhNJLX:fyWpQw2qv0BfP+Bi111taoUsL+ud81I
MD5:	02DDF51A3CDE4BADE470C7C03C4545E7
SHA1:	C53BD0A77C3A572CF6E9E99F08F919A640299593
SHA-256:	9389FCFAB988A15FCD18D1ABCBBEA5E7EC4DA47E273E21EA1D41818C64B94F2C
SHA-512:	48B4E6C21313222B1E6011A8F05935DC1C1E3721317F8073565FE769EB0B1F9CE1A5A327D51856F6FAEF72787B27DB9CCC83A6A634727EAF238245D3B1214D87
Malicious:	true
Yara Hits:	Rule: SUSP_Imphash_Mar23_3, Description: Detects imphash often found in malware samples (Maximum 0,25% hits with search for \'imphash:x p:0\' on Virustotal) = 99,75% hits, Source: C:\Windows\SysWOW64\nwprmp4s.exe, Author: Arnim Rupp (https://github.com/ruppde)
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............n...n...n...3...n...o...n...1...n.......n...4...n.Rich..n.................PE..L....D E................. ...................0....@..........................@..................................................(....................................................................................................................text...T........ .................. ..`.data...r....0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.3139108916920295
Encrypted:	false
SSDEEP:	12288:Ar5H8WUzIaQhLjDQyd9E9lyH4rWG8GD4NE4U62ul43VScahZ2S:05H8WUzIaQ1jDQpq4H
MD5:	094521B951B122AE766D0A3D6F0848B9
SHA1:	9F9BF28FCDD4554DD3FA8B20A3683B55FCD9F30B
SHA-256:	07CFA4DC5FA715A284B6F66B8AD40A09D6CAE30B231E0E20AAE04A6B328686A5
SHA-512:	A863E50A7038BE338E1043C7E6805A8CC89CBB647D18EB3CE54D849DEFCDE22F888B5D3AFDE8582149088FC1C2807C469AD1D2F4743EC3DA6C3381999088ABC9
Malicious:	false
Preview:	regfQ...Q...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..?...................................................................................................................................................................................................................................................................................................................................................6.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	4.2101840580013
Encrypted:	false
SSDEEP:	768:pHl/bCQiFUz/XgAeeDzegNYtj/HaIsoSw8aMiyqf+WwsfWkchNYd+S:LMyxhDqdY
MD5:	63A062AD0E5A8DD12E8B33D6F124321B
SHA1:	7B928FB2F2272D16713E850AFA159F83BBD83AD2
SHA-256:	FD69C1A2652F2A60E052BAB6227657EB72F878F7D013DFD8B19A2813B7ABA78F
SHA-512:	6837EC0FC79EAE6BF2298FF6675F75E44D120E1B8B88EFD6A6B3806147303EC2776B48B1543215D466B99BF04150C1D8A182FA0DE3C58DDAD46750003975F0F9
Malicious:	false
Preview:	regfP...P...p.\..,.................. .... ......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm..?...................................................................................................................................................................................................................................................................................................................................................6.HvLE.~......P.... ......u.gP..A]Y.....7............................................. ..hbin................p.\..,..........nk,.q>B..................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .q>B......... ........................... .......Z.......................Root........lf......Root....nk .q>B..................................... ...............*...............DeviceCensus.......................vk..................WritePer

C:\Windows\serv.dll

Process:	C:\Windows\serv.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7680
Entropy (8bit):	5.07828909596086
Encrypted:	false
SSDEEP:	192:VgDu7Z9QTHreZfUFmxhErERC/b9xIyZt:Vgi7ITU2msCCRbZ
MD5:	8F1E54E6F9B12FF41298FA92C33F4F02
SHA1:	0C028668D744664F50F3AD38112FD5337F9921A4
SHA-256:	543BB9C3EC687F4D391CE9C179B92510FCAADADFE03C809D0D6DFEC387753569
SHA-512:	8FC0B79526AFC8CE1B4572F1C908FAE3BAD16D8EC06660C9996D02E33925DA58CDF77742A3F3731564AED9731B23EDB4751C9001BA7E27104EC58545259EF404
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I...(...(...(..n ..(...(...(...$..(...$..(...$..(..Rich.(..................PE..L...zD E...........!.........................0...............................P..........................................;...X...(............................@.......................................................................................text............................... ..`.data........0......................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\serv.exe

Process:	C:\Users\user\Desktop\file.msg.scr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	520196
Entropy (8bit):	6.561025946535229
Encrypted:	false
SSDEEP:	12288:gYQZsuW9geRWQmkt5nZsCRUTV5nhsf8r1J3OIh8W:gYQZsuW9geETkPZstTV5na8RJ3zhx
MD5:	6B7ED3ABDD8484B313948BA83FDE717F
SHA1:	2318E1D65CEF538F1CF88E2235A5DD350FF40449
SHA-256:	EEE33ED66C2E88E414A5887043DB18EDAFA2FEF889882D751F0448ED360EFC44
SHA-512:	A8C063F22768BDE6E0CF6C510867C6EB3B3ADD47AC57B920D44F94485B830089F5318D31D960239C5F5F7F963496D5481F7C1EF4B2291C01ED01D20A86F24C18
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 86%
Preview:	MZKERNEL32.DLL..LoadLibraryA....GetProcAddress...Z..ByDwing@...PE..L......................).....0......o,............@.............................................................................<....@...]...........................................................................................................Upack...0.......0..................`....rsrc........@.......@..............`...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

MapViewOfFile, lstrcmpA, GetLastError, lstrcatA, lstrcpyA, GetTickCount, lstrcmpiA, GetLocalTime, Sleep, WaitForSingleObject, ReleaseMutex, LoadLibraryA, GetSystemDirectoryA, lstrlenA, GetTimeZoneInformation, GetProcAddress, RtlUnwind, RaiseException, HeapFree, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersionExA, HeapAlloc, TlsAlloc, SetLastError, GetCurrentThreadId, TlsFree, TlsSetValue, TlsGetValue, SetUnhandledExceptionFilter, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, HeapReAlloc, IsBadWritePtr, ExitProcess, TerminateProcess, GetCurrentProcess, HeapSize, ReadFile, CloseHandle, WriteFile, GetStdHandle, GetModuleFileNameA, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, IsBadReadPtr, IsBadCodePtr, GetACP, GetOEMCP, GetCPInfo, InitializeCriticalSection, InterlockedExchange, VirtualQuery, GetStringTypeA, MultiByteToWideChar, GetStringTypeW, GetLocaleInfoA, SetFilePointer, SetStdHandle, FlushFileBuffers, CreateFileA, LCMapStringA, LCMapStringW, VirtualProtect, GetSystemInfo, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, SetEndOfFile

ADVAPI32.DLL

AllocateAndInitializeSid

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 29, 2023 12:08:56.577280998 CEST	49694	25	192.168.2.4	67.195.204.79
May 29, 2023 12:08:56.688435078 CEST	25	49694	67.195.204.79	192.168.2.4
May 29, 2023 12:08:56.691210985 CEST	49694	25	192.168.2.4	67.195.204.79
May 29, 2023 12:08:56.701294899 CEST	49694	25	192.168.2.4	67.195.204.79
May 29, 2023 12:08:56.814280987 CEST	25	49694	67.195.204.79	192.168.2.4
May 29, 2023 12:08:56.892046928 CEST	25	49694	67.195.204.79	192.168.2.4
May 29, 2023 12:08:56.892127991 CEST	25	49694	67.195.204.79	192.168.2.4
May 29, 2023 12:08:56.892271996 CEST	49694	25	192.168.2.4	67.195.204.79
May 29, 2023 12:08:56.892271996 CEST	49694	25	192.168.2.4	67.195.204.79
May 29, 2023 12:08:57.027018070 CEST	49695	25	192.168.2.4	142.250.27.26
May 29, 2023 12:08:57.055668116 CEST	25	49695	142.250.27.26	192.168.2.4
May 29, 2023 12:08:57.055819035 CEST	49695	25	192.168.2.4	142.250.27.26
May 29, 2023 12:08:57.056052923 CEST	49695	25	192.168.2.4	142.250.27.26
May 29, 2023 12:08:57.085932970 CEST	25	49695	142.250.27.26	192.168.2.4
May 29, 2023 12:08:57.097206116 CEST	25	49695	142.250.27.26	192.168.2.4
May 29, 2023 12:08:57.100042105 CEST	49695	25	192.168.2.4	142.250.27.26
May 29, 2023 12:08:57.134284019 CEST	49696	25	192.168.2.4	104.47.18.161
May 29, 2023 12:08:57.160191059 CEST	25	49696	104.47.18.161	192.168.2.4
May 29, 2023 12:08:57.160345078 CEST	49696	25	192.168.2.4	104.47.18.161
May 29, 2023 12:08:57.166348934 CEST	49696	25	192.168.2.4	104.47.18.161
May 29, 2023 12:08:57.187882900 CEST	25	49696	104.47.18.161	192.168.2.4
May 29, 2023 12:08:57.187975883 CEST	49696	25	192.168.2.4	104.47.18.161
May 29, 2023 12:08:57.192054033 CEST	25	49696	104.47.18.161	192.168.2.4
May 29, 2023 12:08:57.192157984 CEST	49696	25	192.168.2.4	104.47.18.161
May 29, 2023 12:08:57.192643881 CEST	25	49696	104.47.18.161	192.168.2.4
May 29, 2023 12:08:57.192696095 CEST	49696	25	192.168.2.4	104.47.18.161
May 29, 2023 12:09:07.120112896 CEST	49697	25	192.168.2.4	67.195.204.74
May 29, 2023 12:09:07.231141090 CEST	25	49697	67.195.204.74	192.168.2.4
May 29, 2023 12:09:07.234003067 CEST	49697	25	192.168.2.4	67.195.204.74
May 29, 2023 12:09:07.235549927 CEST	49697	25	192.168.2.4	67.195.204.74
May 29, 2023 12:09:07.348445892 CEST	25	49697	67.195.204.74	192.168.2.4
May 29, 2023 12:09:07.530505896 CEST	49698	25	192.168.2.4	142.250.150.26
May 29, 2023 12:09:07.537208080 CEST	25	49697	67.195.204.74	192.168.2.4
May 29, 2023 12:09:07.537247896 CEST	25	49697	67.195.204.74	192.168.2.4
May 29, 2023 12:09:07.537481070 CEST	49697	25	192.168.2.4	67.195.204.74
May 29, 2023 12:09:07.537858963 CEST	49697	25	192.168.2.4	67.195.204.74
May 29, 2023 12:09:07.580784082 CEST	25	49698	142.250.150.26	192.168.2.4
May 29, 2023 12:09:07.581012964 CEST	49698	25	192.168.2.4	142.250.150.26
May 29, 2023 12:09:07.581238985 CEST	49698	25	192.168.2.4	142.250.150.26
May 29, 2023 12:09:07.631963015 CEST	25	49698	142.250.150.26	192.168.2.4
May 29, 2023 12:09:07.632051945 CEST	49698	25	192.168.2.4	142.250.150.26
May 29, 2023 12:09:07.632909060 CEST	49699	25	192.168.2.4	104.47.18.161
May 29, 2023 12:09:07.658512115 CEST	25	49699	104.47.18.161	192.168.2.4
May 29, 2023 12:09:07.658665895 CEST	49699	25	192.168.2.4	104.47.18.161
May 29, 2023 12:09:07.662638903 CEST	49699	25	192.168.2.4	104.47.18.161
May 29, 2023 12:09:07.685729980 CEST	25	49699	104.47.18.161	192.168.2.4
May 29, 2023 12:09:07.685832024 CEST	49699	25	192.168.2.4	104.47.18.161
May 29, 2023 12:09:07.688389063 CEST	25	49699	104.47.18.161	192.168.2.4
May 29, 2023 12:09:07.688512087 CEST	49699	25	192.168.2.4	104.47.18.161
May 29, 2023 12:09:07.688798904 CEST	25	49699	104.47.18.161	192.168.2.4
May 29, 2023 12:09:07.688863039 CEST	49699	25	192.168.2.4	104.47.18.161

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 29, 2023 12:08:56.446839094 CEST	59683	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.469856024 CEST	53	59683	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.488616943 CEST	64167	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.517162085 CEST	53	64167	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.530642986 CEST	58565	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.545115948 CEST	53	58565	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.558708906 CEST	52239	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.565623999 CEST	56807	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.573407888 CEST	53	52239	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.595958948 CEST	53	56807	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.704440117 CEST	61007	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.719270945 CEST	53	61007	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.770046949 CEST	60686	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.772181988 CEST	61124	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.813844919 CEST	53	61124	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.818828106 CEST	53	60686	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.819009066 CEST	59444	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.851736069 CEST	53	59444	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.858681917 CEST	55570	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.891666889 CEST	53	55570	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.895817995 CEST	64906	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.936825991 CEST	53	64906	8.8.8.8	192.168.2.4
May 29, 2023 12:08:56.991333008 CEST	59446	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:56.991942883 CEST	50861	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:57.024194002 CEST	53	50861	8.8.8.8	192.168.2.4
May 29, 2023 12:08:57.027148008 CEST	53	59446	8.8.8.8	192.168.2.4
May 29, 2023 12:08:57.058486938 CEST	61088	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:57.072884083 CEST	53	61088	8.8.8.8	192.168.2.4
May 29, 2023 12:08:57.099978924 CEST	58729	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:57.131136894 CEST	53	58729	8.8.8.8	192.168.2.4
May 29, 2023 12:08:57.207417011 CEST	64700	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:57.209470987 CEST	56022	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:57.216517925 CEST	60822	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:57.234597921 CEST	53	64700	8.8.8.8	192.168.2.4
May 29, 2023 12:08:57.236496925 CEST	53	56022	8.8.8.8	192.168.2.4
May 29, 2023 12:08:57.266289949 CEST	53	60822	8.8.8.8	192.168.2.4
May 29, 2023 12:08:57.545277119 CEST	49750	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:57.567842007 CEST	53	49750	8.8.8.8	192.168.2.4
May 29, 2023 12:08:57.737387896 CEST	60550	53	192.168.2.4	8.8.8.8
May 29, 2023 12:08:57.764712095 CEST	53	60550	8.8.8.8	192.168.2.4
May 29, 2023 12:09:06.883358955 CEST	54851	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:06.906258106 CEST	53	54851	8.8.8.8	192.168.2.4
May 29, 2023 12:09:06.936913013 CEST	57300	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:06.951689959 CEST	53	57300	8.8.8.8	192.168.2.4
May 29, 2023 12:09:06.994626999 CEST	54521	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.014516115 CEST	53	54521	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.025388956 CEST	58914	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.048424006 CEST	53	58914	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.115349054 CEST	51419	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.146219969 CEST	53	51419	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.238343954 CEST	51054	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.261553049 CEST	53	51054	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.287853956 CEST	55673	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.294683933 CEST	49735	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.317189932 CEST	53	55673	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.325964928 CEST	53	49735	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.326173067 CEST	52437	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.354629040 CEST	53	52437	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.383367062 CEST	52825	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.416253090 CEST	53	52825	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.445856094 CEST	58530	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.474673033 CEST	64959	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.487732887 CEST	53	58530	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.495090008 CEST	63093	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.509610891 CEST	53	64959	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.528597116 CEST	53	63093	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.583739996 CEST	50433	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.606775045 CEST	53	50433	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.610234976 CEST	53498	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.630606890 CEST	53	53498	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.678050995 CEST	61460	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.683275938 CEST	63001	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.696145058 CEST	65133	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.708158016 CEST	53	61460	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.723443985 CEST	53	65133	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.725240946 CEST	53	63001	8.8.8.8	192.168.2.4
May 29, 2023 12:09:07.914297104 CEST	60998	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:07.944766998 CEST	53	60998	8.8.8.8	192.168.2.4
May 29, 2023 12:09:08.182660103 CEST	61733	53	192.168.2.4	8.8.8.8
May 29, 2023 12:09:08.217622995 CEST	53	61733	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 29, 2023 12:08:56.446839094 CEST	192.168.2.4	8.8.8.8	0x8db	Standard query (0)	yahoo.com	MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.488616943 CEST	192.168.2.4	8.8.8.8	0x80d4	Standard query (0)	mta5.am0.yahoodns.net	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.530642986 CEST	192.168.2.4	8.8.8.8	0x5569	Standard query (0)	mta6.am0.yahoodns.net	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.558708906 CEST	192.168.2.4	8.8.8.8	0x5e33	Standard query (0)	mta7.am0.yahoodns.net	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.565623999 CEST	192.168.2.4	8.8.8.8	0x8b5	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.704440117 CEST	192.168.2.4	8.8.8.8	0x7087	Standard query (0)	gmail.com	MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.770046949 CEST	192.168.2.4	8.8.8.8	0xc867	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.772181988 CEST	192.168.2.4	8.8.8.8	0xede6	Standard query (0)	alt4.gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.819009066 CEST	192.168.2.4	8.8.8.8	0x2573	Standard query (0)	alt1.gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.858681917 CEST	192.168.2.4	8.8.8.8	0x65ad	Standard query (0)	gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.895817995 CEST	192.168.2.4	8.8.8.8	0xc828	Standard query (0)	alt3.gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.991333008 CEST	192.168.2.4	8.8.8.8	0x538a	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.991942883 CEST	192.168.2.4	8.8.8.8	0xc5c7	Standard query (0)	alt2.gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.058486938 CEST	192.168.2.4	8.8.8.8	0x7849	Standard query (0)	hotmail.com	MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:57.099978924 CEST	192.168.2.4	8.8.8.8	0x61	Standard query (0)	hotmail-com.olc.protection.outlook.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.207417011 CEST	192.168.2.4	8.8.8.8	0x1bcd	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.209470987 CEST	192.168.2.4	8.8.8.8	0x1206	Standard query (0)	www3.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.216517925 CEST	192.168.2.4	8.8.8.8	0x65b3	Standard query (0)	www6.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.545277119 CEST	192.168.2.4	8.8.8.8	0x2846	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.737387896 CEST	192.168.2.4	8.8.8.8	0x95bf	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.883358955 CEST	192.168.2.4	8.8.8.8	0x8b19	Standard query (0)	yahoo.com	MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:06.936913013 CEST	192.168.2.4	8.8.8.8	0x864a	Standard query (0)	mta5.am0.yahoodns.net	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.994626999 CEST	192.168.2.4	8.8.8.8	0x24ab	Standard query (0)	mta6.am0.yahoodns.net	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.025388956 CEST	192.168.2.4	8.8.8.8	0x1f7f	Standard query (0)	mta7.am0.yahoodns.net	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.115349054 CEST	192.168.2.4	8.8.8.8	0x1cd2	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.238343954 CEST	192.168.2.4	8.8.8.8	0x4113	Standard query (0)	gmail.com	MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:07.287853956 CEST	192.168.2.4	8.8.8.8	0xa6a1	Standard query (0)	alt4.gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.294683933 CEST	192.168.2.4	8.8.8.8	0x26e6	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.326173067 CEST	192.168.2.4	8.8.8.8	0x5db0	Standard query (0)	alt1.gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.383367062 CEST	192.168.2.4	8.8.8.8	0xe333	Standard query (0)	gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.445856094 CEST	192.168.2.4	8.8.8.8	0x81f2	Standard query (0)	alt3.gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.474673033 CEST	192.168.2.4	8.8.8.8	0x1872	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.495090008 CEST	192.168.2.4	8.8.8.8	0x2b70	Standard query (0)	alt2.gmail-smtp-in.l.google.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.583739996 CEST	192.168.2.4	8.8.8.8	0xef9f	Standard query (0)	hotmail.com	MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:07.610234976 CEST	192.168.2.4	8.8.8.8	0xf139	Standard query (0)	hotmail-com.olc.protection.outlook.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.678050995 CEST	192.168.2.4	8.8.8.8	0xb3e	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.683275938 CEST	192.168.2.4	8.8.8.8	0x9015	Standard query (0)	www3.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.696145058 CEST	192.168.2.4	8.8.8.8	0x196e	Standard query (0)	www6.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.914297104 CEST	192.168.2.4	8.8.8.8	0x2e11	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:08.182660103 CEST	192.168.2.4	8.8.8.8	0x89b2	Standard query (0)	www4.ertinmdesachlion.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 29, 2023 12:08:56.469856024 CEST	8.8.8.8	192.168.2.4	0x8db	No error (0)	yahoo.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.469856024 CEST	8.8.8.8	192.168.2.4	0x8db	No error (0)	yahoo.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.469856024 CEST	8.8.8.8	192.168.2.4	0x8db	No error (0)	yahoo.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.517162085 CEST	8.8.8.8	192.168.2.4	0x80d4	No error (0)	mta5.am0.yahoodns.net		67.195.228.110	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.517162085 CEST	8.8.8.8	192.168.2.4	0x80d4	No error (0)	mta5.am0.yahoodns.net		67.195.228.94	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.517162085 CEST	8.8.8.8	192.168.2.4	0x80d4	No error (0)	mta5.am0.yahoodns.net		67.195.228.109	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.517162085 CEST	8.8.8.8	192.168.2.4	0x80d4	No error (0)	mta5.am0.yahoodns.net		67.195.204.74	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.517162085 CEST	8.8.8.8	192.168.2.4	0x80d4	No error (0)	mta5.am0.yahoodns.net		67.195.204.72	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.517162085 CEST	8.8.8.8	192.168.2.4	0x80d4	No error (0)	mta5.am0.yahoodns.net		67.195.228.111	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.517162085 CEST	8.8.8.8	192.168.2.4	0x80d4	No error (0)	mta5.am0.yahoodns.net		98.136.96.77	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.517162085 CEST	8.8.8.8	192.168.2.4	0x80d4	No error (0)	mta5.am0.yahoodns.net		67.195.204.73	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.545115948 CEST	8.8.8.8	192.168.2.4	0x5569	No error (0)	mta6.am0.yahoodns.net		67.195.228.106	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.545115948 CEST	8.8.8.8	192.168.2.4	0x5569	No error (0)	mta6.am0.yahoodns.net		67.195.204.73	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.545115948 CEST	8.8.8.8	192.168.2.4	0x5569	No error (0)	mta6.am0.yahoodns.net		67.195.228.110	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.545115948 CEST	8.8.8.8	192.168.2.4	0x5569	No error (0)	mta6.am0.yahoodns.net		67.195.204.79	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.545115948 CEST	8.8.8.8	192.168.2.4	0x5569	No error (0)	mta6.am0.yahoodns.net		67.195.204.77	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.545115948 CEST	8.8.8.8	192.168.2.4	0x5569	No error (0)	mta6.am0.yahoodns.net		98.136.96.74	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.545115948 CEST	8.8.8.8	192.168.2.4	0x5569	No error (0)	mta6.am0.yahoodns.net		67.195.204.72	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.545115948 CEST	8.8.8.8	192.168.2.4	0x5569	No error (0)	mta6.am0.yahoodns.net		67.195.228.109	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.573407888 CEST	8.8.8.8	192.168.2.4	0x5e33	No error (0)	mta7.am0.yahoodns.net		67.195.204.79	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.573407888 CEST	8.8.8.8	192.168.2.4	0x5e33	No error (0)	mta7.am0.yahoodns.net		98.136.96.91	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.573407888 CEST	8.8.8.8	192.168.2.4	0x5e33	No error (0)	mta7.am0.yahoodns.net		98.136.96.74	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.573407888 CEST	8.8.8.8	192.168.2.4	0x5e33	No error (0)	mta7.am0.yahoodns.net		67.195.228.111	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.573407888 CEST	8.8.8.8	192.168.2.4	0x5e33	No error (0)	mta7.am0.yahoodns.net		98.136.96.76	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.573407888 CEST	8.8.8.8	192.168.2.4	0x5e33	No error (0)	mta7.am0.yahoodns.net		67.195.228.106	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.573407888 CEST	8.8.8.8	192.168.2.4	0x5e33	No error (0)	mta7.am0.yahoodns.net		67.195.228.94	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.573407888 CEST	8.8.8.8	192.168.2.4	0x5e33	No error (0)	mta7.am0.yahoodns.net		67.195.228.110	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.595958948 CEST	8.8.8.8	192.168.2.4	0x8b5	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.719270945 CEST	8.8.8.8	192.168.2.4	0x7087	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.719270945 CEST	8.8.8.8	192.168.2.4	0x7087	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.719270945 CEST	8.8.8.8	192.168.2.4	0x7087	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.719270945 CEST	8.8.8.8	192.168.2.4	0x7087	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.719270945 CEST	8.8.8.8	192.168.2.4	0x7087	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:56.813844919 CEST	8.8.8.8	192.168.2.4	0xede6	No error (0)	alt4.gmail-smtp-in.l.google.com		142.250.157.27	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.818828106 CEST	8.8.8.8	192.168.2.4	0xc867	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.851736069 CEST	8.8.8.8	192.168.2.4	0x2573	No error (0)	alt1.gmail-smtp-in.l.google.com		142.251.9.27	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.891666889 CEST	8.8.8.8	192.168.2.4	0x65ad	No error (0)	gmail-smtp-in.l.google.com		142.250.27.26	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:56.936825991 CEST	8.8.8.8	192.168.2.4	0xc828	No error (0)	alt3.gmail-smtp-in.l.google.com		74.125.200.27	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.024194002 CEST	8.8.8.8	192.168.2.4	0xc5c7	No error (0)	alt2.gmail-smtp-in.l.google.com		142.250.150.26	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.027148008 CEST	8.8.8.8	192.168.2.4	0x538a	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.072884083 CEST	8.8.8.8	192.168.2.4	0x7849	No error (0)	hotmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:08:57.131136894 CEST	8.8.8.8	192.168.2.4	0x61	No error (0)	hotmail-com.olc.protection.outlook.com		104.47.18.161	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.131136894 CEST	8.8.8.8	192.168.2.4	0x61	No error (0)	hotmail-com.olc.protection.outlook.com		104.47.18.225	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.234597921 CEST	8.8.8.8	192.168.2.4	0x1bcd	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.236496925 CEST	8.8.8.8	192.168.2.4	0x1206	Name error (3)	www3.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.266289949 CEST	8.8.8.8	192.168.2.4	0x65b3	Name error (3)	www6.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.567842007 CEST	8.8.8.8	192.168.2.4	0x2846	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:08:57.764712095 CEST	8.8.8.8	192.168.2.4	0x95bf	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.906258106 CEST	8.8.8.8	192.168.2.4	0x8b19	No error (0)	yahoo.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:06.906258106 CEST	8.8.8.8	192.168.2.4	0x8b19	No error (0)	yahoo.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:06.906258106 CEST	8.8.8.8	192.168.2.4	0x8b19	No error (0)	yahoo.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:06.951689959 CEST	8.8.8.8	192.168.2.4	0x864a	No error (0)	mta5.am0.yahoodns.net		67.195.228.111	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.951689959 CEST	8.8.8.8	192.168.2.4	0x864a	No error (0)	mta5.am0.yahoodns.net		98.136.96.77	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.951689959 CEST	8.8.8.8	192.168.2.4	0x864a	No error (0)	mta5.am0.yahoodns.net		98.136.96.74	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.951689959 CEST	8.8.8.8	192.168.2.4	0x864a	No error (0)	mta5.am0.yahoodns.net		67.195.228.109	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.951689959 CEST	8.8.8.8	192.168.2.4	0x864a	No error (0)	mta5.am0.yahoodns.net		98.136.96.75	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.951689959 CEST	8.8.8.8	192.168.2.4	0x864a	No error (0)	mta5.am0.yahoodns.net		67.195.228.106	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.951689959 CEST	8.8.8.8	192.168.2.4	0x864a	No error (0)	mta5.am0.yahoodns.net		67.195.228.94	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:06.951689959 CEST	8.8.8.8	192.168.2.4	0x864a	No error (0)	mta5.am0.yahoodns.net		98.136.96.91	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.014516115 CEST	8.8.8.8	192.168.2.4	0x24ab	No error (0)	mta6.am0.yahoodns.net		67.195.204.74	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.014516115 CEST	8.8.8.8	192.168.2.4	0x24ab	No error (0)	mta6.am0.yahoodns.net		67.195.204.73	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.014516115 CEST	8.8.8.8	192.168.2.4	0x24ab	No error (0)	mta6.am0.yahoodns.net		98.136.96.77	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.014516115 CEST	8.8.8.8	192.168.2.4	0x24ab	No error (0)	mta6.am0.yahoodns.net		67.195.228.110	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.014516115 CEST	8.8.8.8	192.168.2.4	0x24ab	No error (0)	mta6.am0.yahoodns.net		98.136.96.76	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.014516115 CEST	8.8.8.8	192.168.2.4	0x24ab	No error (0)	mta6.am0.yahoodns.net		98.136.96.75	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.014516115 CEST	8.8.8.8	192.168.2.4	0x24ab	No error (0)	mta6.am0.yahoodns.net		67.195.228.111	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.014516115 CEST	8.8.8.8	192.168.2.4	0x24ab	No error (0)	mta6.am0.yahoodns.net		67.195.204.79	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.048424006 CEST	8.8.8.8	192.168.2.4	0x1f7f	No error (0)	mta7.am0.yahoodns.net		67.195.228.94	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.048424006 CEST	8.8.8.8	192.168.2.4	0x1f7f	No error (0)	mta7.am0.yahoodns.net		67.195.228.111	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.048424006 CEST	8.8.8.8	192.168.2.4	0x1f7f	No error (0)	mta7.am0.yahoodns.net		67.195.204.79	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.048424006 CEST	8.8.8.8	192.168.2.4	0x1f7f	No error (0)	mta7.am0.yahoodns.net		67.195.204.73	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.048424006 CEST	8.8.8.8	192.168.2.4	0x1f7f	No error (0)	mta7.am0.yahoodns.net		98.136.96.77	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.048424006 CEST	8.8.8.8	192.168.2.4	0x1f7f	No error (0)	mta7.am0.yahoodns.net		67.195.204.77	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.048424006 CEST	8.8.8.8	192.168.2.4	0x1f7f	No error (0)	mta7.am0.yahoodns.net		98.136.96.74	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.048424006 CEST	8.8.8.8	192.168.2.4	0x1f7f	No error (0)	mta7.am0.yahoodns.net		67.195.228.110	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.146219969 CEST	8.8.8.8	192.168.2.4	0x1cd2	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.261553049 CEST	8.8.8.8	192.168.2.4	0x4113	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:07.261553049 CEST	8.8.8.8	192.168.2.4	0x4113	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:07.261553049 CEST	8.8.8.8	192.168.2.4	0x4113	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:07.261553049 CEST	8.8.8.8	192.168.2.4	0x4113	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:07.261553049 CEST	8.8.8.8	192.168.2.4	0x4113	No error (0)	gmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:07.317189932 CEST	8.8.8.8	192.168.2.4	0xa6a1	No error (0)	alt4.gmail-smtp-in.l.google.com		142.250.157.27	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.325964928 CEST	8.8.8.8	192.168.2.4	0x26e6	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.354629040 CEST	8.8.8.8	192.168.2.4	0x5db0	No error (0)	alt1.gmail-smtp-in.l.google.com		142.251.9.27	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.416253090 CEST	8.8.8.8	192.168.2.4	0xe333	No error (0)	gmail-smtp-in.l.google.com		142.250.27.27	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.487732887 CEST	8.8.8.8	192.168.2.4	0x81f2	No error (0)	alt3.gmail-smtp-in.l.google.com		74.125.200.26	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.509610891 CEST	8.8.8.8	192.168.2.4	0x1872	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.528597116 CEST	8.8.8.8	192.168.2.4	0x2b70	No error (0)	alt2.gmail-smtp-in.l.google.com		142.250.150.26	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.606775045 CEST	8.8.8.8	192.168.2.4	0xef9f	No error (0)	hotmail.com			MX (Mail exchange)	IN (0x0001)	false
May 29, 2023 12:09:07.630606890 CEST	8.8.8.8	192.168.2.4	0xf139	No error (0)	hotmail-com.olc.protection.outlook.com		104.47.18.161	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.630606890 CEST	8.8.8.8	192.168.2.4	0xf139	No error (0)	hotmail-com.olc.protection.outlook.com		104.47.18.225	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.708158016 CEST	8.8.8.8	192.168.2.4	0xb3e	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.723443985 CEST	8.8.8.8	192.168.2.4	0x196e	Name error (3)	www6.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.725240946 CEST	8.8.8.8	192.168.2.4	0x9015	Name error (3)	www3.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:07.944766998 CEST	8.8.8.8	192.168.2.4	0x2e11	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false
May 29, 2023 12:09:08.217622995 CEST	8.8.8.8	192.168.2.4	0x89b2	Name error (3)	www4.ertinmdesachlion.com	none	none	A (IP address)	IN (0x0001)	false

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
May 29, 2023 12:08:56.892046928 CEST	25	49694	67.195.204.79	192.168.2.4	220 mtaproxy212.free.mail.bf1.yahoo.com ESMTP ready
May 29, 2023 12:08:57.187882900 CEST	25	49696	104.47.18.161	192.168.2.4	220 AM7EUR06FT057.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 29 May 2023 10:08:56 +0000
May 29, 2023 12:09:07.537208080 CEST	25	49697	67.195.204.74	192.168.2.4	220 mtaproxy512.free.mail.bf1.yahoo.com ESMTP ready
May 29, 2023 12:09:07.685729980 CEST	25	49699	104.47.18.161	192.168.2.4	220 AM7EUR06FT036.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Mon, 29 May 2023 10:09:07 +0000

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.msg.scr.exePID: 5668, Parent PID: 3528

General

Target ID:	0
Start time:	12:08:29
Start date:	29/05/2023
Path:	C:\Users\user\Desktop\file.msg.scr.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.msg.scr.exe
Imagebase:	0x400000
File size:	520196 bytes
MD5 hash:	6B7ED3ABDD8484B313948BA83FDE717F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: serv.exePID: 7028, Parent PID: 5668

General

Target ID:	2
Start time:	12:08:35
Start date:	29/05/2023
Path:	C:\Windows\serv.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\serv.exe s
Imagebase:	0x400000
File size:	520196 bytes
MD5 hash:	6B7ED3ABDD8484B313948BA83FDE717F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 86%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: notepad.exePID: 5492, Parent PID: 5668

General

Target ID:	3
Start time:	12:08:35
Start date:	29/05/2023
Path:	C:\Windows\SysWOW64\notepad.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\notepad.exe C:\Users\user\Desktop\19F3.tmp
Imagebase:	0xa90000
File size:	236032 bytes
MD5 hash:	D693F13FE3AA2010B854C4C60671B8E2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exePID: 3528, Parent PID: 7028

General

Target ID:	4
Start time:	12:08:45
Start date:	29/05/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff618f60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: serv.exePID: 5796, Parent PID: 3528

General

Target ID:	5
Start time:	12:08:55
Start date:	29/05/2023
Path:	C:\Windows\serv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\serv.exe" s
Imagebase:	0x400000
File size:	520196 bytes
MD5 hash:	6B7ED3ABDD8484B313948BA83FDE717F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: WerFault.exePID: 2748, Parent PID: 7028

General

Target ID:	8
Start time:	12:08:57
Start date:	29/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7028 -s 1420
Imagebase:	0xe50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exePID: 5220, Parent PID: 2748

General

Target ID:	10
Start time:	12:08:59
Start date:	29/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1556
Imagebase:	0xe50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exePID: 808, Parent PID: 5796

General

Target ID:	13
Start time:	12:09:08
Start date:	29/05/2023
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5796 -s 1284
Imagebase:	0xe50000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high