
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 56388
Start time: 13:59:12
Joe Sandbox Product: Cloud
Start date: 04.07.2018
Overall analysis duration: 0h 14m 7s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: csshead.exe
Cookbook file name: default.jbs
Analysis system description: W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.evad.spyw.troj.winEXE@3/14@37/4
HCA Information:
  • Successful, ratio: 61%
  • Number of executed functions: 112
  • Number of non-executed functions: 234
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 33% (good quality ratio 29.4%)
  • Quality average: 80.6%
  • Quality standard deviation: 32.6%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Found application associated with file extension: .exe
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy    Score   Range     Reporting        Detection
Threshold   100     0 - 100   Report FP / FN   malicious

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: csshead.exe, Avira: Label: TR/Spy.Bebloh.ymgcn
Multi AV Scanner detection for submitted file
Source: csshead.exe, virustotal: Detection: 46%
Antivirus detection for unpacked file
Source: 0.2.csshead.exe.50000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 1.2.explorer.exe.490000.5.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 1.2.explorer.exe.7c0000.6.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 0.2.csshead.exe.400000.1.unpack, Avira: Label: HEUR/AGEN.1023574
Source: 0.0.csshead.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Source: 0.1.csshead.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen
Yara signature match
Source: 00000001.00000002.28504861757.007C0000.00000040.sdmp, type: MEMORY, Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
Source: 00000000.00000002.27490223943.00050000.00000004.sdmp, type: MEMORY, Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
Source: 0.2.csshead.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
Source: 0.2.csshead.exe.50000.0.unpack, type: UNPACKEDPE, Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
Source: 1.2.explorer.exe.7c0000.6.unpack, type: UNPACKEDPE, Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
Source: 1.2.explorer.exe.7c0000.6.raw.unpack, type: UNPACKEDPE, Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
Source: 0.2.csshead.exe.50000.0.raw.unpack, type: UNPACKEDPE, Matched rule: IMPLANT_4_v10 author = US CERT, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, description = BlackEnergy / Voodoo Bear Implant by APT28, date = 2017-02-10, score =
Note: the unpacked regions inside explorer.exe (0x490000 and 0x7C0000) carry the same Avira label and the same yara hit as the unpacked regions of csshead.exe, which is consistent with the unpacked payload being written into the explorer.exe instance that csshead.exe spawns (see System Summary). The IMPLANT_4_v10 match is a memory-pattern hit from a broad threat-group rule set and sits oddly beside the family label above (TR/Spy.Bebloh is a banking trojan); treat it as a lead to verify rather than as attribution.

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_004017A2 CryptDecrypt,CryptDecrypt
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_0040153C CryptGenRandom,CryptGenRandom
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401402 CryptHashData,CryptHashData
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_004017A4 CryptDecrypt,CryptDecrypt
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401AAE CryptEncrypt,CryptEncrypt
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_004017E8 CryptAcquireContextA,CryptAcquireContextA
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401574 CryptSetKeyParam,CryptSetKeyParam
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401AB0 CryptEncrypt,CryptEncrypt
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401374 CryptCreateHash,CryptCreateHash
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_004018A0 CryptImportKey,CryptImportKey
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_004014D0 CryptDestroyHash,CryptDestroyHash
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401490 CryptGetHashParam,CryptGetHashParam
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401404 CryptHashData,CryptHashData
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401AF8 CryptDestroyKey,CryptDestroyKey
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401B20 CryptReleaseContext,CryptReleaseContext
Source: C:\Windows\explorer.exe, Code function: 1_2_007C17E8 CryptAcquireContextA,CryptAcquireContextA
Source: C:\Windows\explorer.exe, Code function: 1_2_007C18A0 CryptImportKey,CryptImportKey
Source: C:\Windows\explorer.exe, Code function: 1_2_007C153C CryptGenRandom,CryptGenRandom
Source: C:\Windows\explorer.exe, Code function: 1_2_007C17A4 CryptDecrypt,CryptDecrypt
Source: C:\Windows\explorer.exe, Code function: 1_2_007C1574 CryptSetKeyParam,CryptSetKeyParam
Source: C:\Windows\explorer.exe, Code function: 1_2_007C1AB0 CryptEncrypt,CryptEncrypt
Source: C:\Windows\explorer.exe, Code function: 1_2_007C1404 CryptHashData,CryptHashData
Source: C:\Windows\explorer.exe, Code function: 1_2_007C1374 CryptCreateHash,CryptCreateHash
Source: C:\Windows\explorer.exe, Code function: 1_2_007C17A2 CryptDecrypt,CryptDecrypt
Source: C:\Windows\explorer.exe, Code function: 1_2_007C1B20 CryptReleaseContext,CryptReleaseContext
Source: C:\Windows\explorer.exe, Code function: 1_2_007C1402 CryptHashData,CryptHashData
Source: C:\Windows\explorer.exe, Code function: 1_2_007C1AAE CryptEncrypt,CryptEncrypt
Source: C:\Windows\explorer.exe, Code function: 1_2_007C1490 CryptGetHashParam,CryptGetHashParam
Source: C:\Windows\explorer.exe, Code function: 1_2_007C1AF8 CryptDestroyKey,CryptDestroyKey
Source: C:\Windows\explorer.exe, Code function: 1_2_007C14D0 CryptDestroyHash,CryptDestroyHash
Note: the same set of CryptoAPI wrappers (context, hash, key import, key parameter, encrypt/decrypt, random) appears at identical offsets in both processes, csshead.exe at 0x4013xx to 0x401Bxx and explorer.exe at 0x7C13xx to 0x7C1Bxx. The explorer.exe entries are the sample's payload mapped at 0x7C0000 (the region reported as 1.2.explorer.exe.7c0000.6.unpack), not code belonging to explorer.exe itself.

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_004018A0 CryptImportKey,CryptImportKey
Source: C:\Windows\explorer.exe, Code function: 1_2_007C18A0 CryptImportKey,CryptImportKey
Note: CryptImportKey on its own is weak evidence of ransomware. No mass file modification or ransom note is reported anywhere in this analysis, and the family label (TR/Spy.Bebloh) points to a banking trojan, where imported keys are typically used for configuration or traffic encryption.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: csshead.exe, 00000000.00000002.27490890262.00599000.00000004.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Note: the only evidence behind this signature is a hook-descriptor string naming DDRAW.DLL/DirectDrawCreateEx found in process memory; no DirectInput API call is recorded in the analysis, so this hit by itself does not establish keylogging.

E-Banking Fraud:

Drops certificate files (DER)
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F5F320A94D4D2B4465D8F17E2BB2D351_0BA94B3A3CB67F245E2A70E0B581D64B
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A9311CC87BA03C7CB180095ACB967E37
Note: CryptnetUrlCache is Windows CryptoAPI's own cache for fetched revocation data. These files hold the OCSP responses retrieved with User-Agent Microsoft-CryptoAPI/10.0 from ocsp.pki.goog and ocsp.int-x3.letsencrypt.org while the certificates of the port-443 connections were validated (the cached files themselves contain those OCSP URLs, see "Urls found in memory or binary data" under Networking). They are a side effect of the HTTPS traffic, not certificates dropped by the malware.

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\csshead.exe, Code function: 4x nop then pop ecx, 0_2_00409178
Source: C:\Users\user\Desktop\csshead.exe, Code function: 4x nop then pop ecx, 0_2_00409147
Source: C:\Windows\explorer.exe, Code function: 4x nop then pop ecx, 1_2_007C9178
Source: C:\Windows\explorer.exe, Code function: 4x nop then pop ecx, 1_2_007C9147

Networking:

Queries random domain names (often used to prevent blacklisting and sinkholes)
Source: unknown, DNS traffic detected: English language letter occurrence does not match the domain names
Tries to resolve many domain names, but no domain seems valid
Source: unknown, DNS traffic detected: query: nvxij5qutl.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: rmqgc5frw3.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: zqvdnvokoq.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: pmtz1iirvr.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: tdgku3qbl1r.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: ktchyigkk2iwi3.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: gdelzlc224n5q9.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: s4v3xhn3swcbmbc.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: phyrnfojfwiyuz.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: hdylvm3db3ixvi.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: e45cukuntbcou.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: r5hfff2lnn9mn.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: titz9qqc5szt.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: fcs1fscxh2oa.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: gj2pexhfy95v.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: hp1sofo5bnc.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: tmmq5lcauha.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: hvzaduc42t2o.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: gvyn4bo2n3qq.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: hs1agojraguo.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: erz5yxeblneu.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: zo4q11gk3iyjgw.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: 5v95xlfdzrj1de.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: 4yony3itl9losv.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: tyou23hsrm.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: j4rjf2dtjl.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: n5k2ekq2ro.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: jdf2xx9wetn.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: 5julzwwlbkrgvm.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: b1l41m3rggg5nz.com reply code: Name error (3)
Source: unknown, DNS traffic detected: query: cwug3djg3reoa9.net reply code: Name error (3)
Source: unknown, DNS traffic detected: query: ushy2wtgwvny.com reply code: Name error (3)
Connects to many different domains
Source: unknown, Network traffic detected: DNS query count 36
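The two DNS signatures above (letter distribution that does not look English, and a run of queries that all come back NXDOMAIN) are what make this a DGA indicator. The script below is an added example, not part of the Joe Sandbox report and not the sandbox's own algorithm: it combines the two checks so that an odd-looking name which does resolve (letsencrypt, present in this very run) is not counted toward the verdict. The log format and timestamps are constructed; the domain names are the 32 NXDOMAIN queries and the three resolving hosts listed in this report. The lexical scoring rule, the score threshold and the NXDOMAIN count threshold are the example's own assumptions.

```python
"""Lexical + NXDOMAIN heuristic for DGA-style DNS bursts (added example, not Joe Sandbox code)."""
import re

VOWELS = set("aeiou")

# Constructed resolver log in a made-up "HH:MM:SS qname rcode" format. The 32 NXDOMAIN names are
# the ones the report lists; the three NOERROR names are the report's Google/OCSP lookups.
SAMPLE_LOG = """\
13:59:40 www.google.com NOERROR
13:59:41 ocsp.pki.goog NOERROR
13:59:41 ocsp.int-x3.letsencrypt.org NOERROR
13:59:42 nvxij5qutl.net NXDOMAIN
13:59:42 rmqgc5frw3.com NXDOMAIN
13:59:42 zqvdnvokoq.net NXDOMAIN
13:59:42 pmtz1iirvr.com NXDOMAIN
13:59:43 tdgku3qbl1r.net NXDOMAIN
13:59:43 ktchyigkk2iwi3.com NXDOMAIN
13:59:43 gdelzlc224n5q9.net NXDOMAIN
13:59:43 s4v3xhn3swcbmbc.com NXDOMAIN
13:59:44 phyrnfojfwiyuz.net NXDOMAIN
13:59:44 hdylvm3db3ixvi.com NXDOMAIN
13:59:44 e45cukuntbcou.net NXDOMAIN
13:59:44 r5hfff2lnn9mn.com NXDOMAIN
13:59:45 titz9qqc5szt.net NXDOMAIN
13:59:45 fcs1fscxh2oa.com NXDOMAIN
13:59:45 gj2pexhfy95v.net NXDOMAIN
13:59:45 hp1sofo5bnc.com NXDOMAIN
13:59:46 tmmq5lcauha.net NXDOMAIN
13:59:46 hvzaduc42t2o.com NXDOMAIN
13:59:46 gvyn4bo2n3qq.net NXDOMAIN
13:59:46 hs1agojraguo.com NXDOMAIN
13:59:47 erz5yxeblneu.net NXDOMAIN
13:59:47 zo4q11gk3iyjgw.com NXDOMAIN
13:59:47 5v95xlfdzrj1de.net NXDOMAIN
13:59:47 4yony3itl9losv.com NXDOMAIN
13:59:48 tyou23hsrm.net NXDOMAIN
13:59:48 j4rjf2dtjl.com NXDOMAIN
13:59:48 n5k2ekq2ro.net NXDOMAIN
13:59:48 jdf2xx9wetn.com NXDOMAIN
13:59:49 5julzwwlbkrgvm.net NXDOMAIN
13:59:49 b1l41m3rggg5nz.com NXDOMAIN
13:59:49 cwug3djg3reoa9.net NXDOMAIN
13:59:49 ushy2wtgwvny.com NXDOMAIN
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def registrable_label(qname: str) -> str:
    """Second-to-last label. Assumption: no public-suffix list, so the TLD is one label."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lexical_score(label: str) -> int:
    """0..4: how un-English the label looks. Each test is a crude stand-in for the sandbox's
    'letter occurrence does not match English' check; the cut-offs are assumptions."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    run = longest = 0
    for c in label:
        run = run + 1 if (c.isalpha() and c not in VOWELS) else 0  # digits, vowels, hyphens break a run
        longest = max(longest, run)
    return (vowel_ratio < 0.30) + (longest >= 4) + any(c.isdigit() for c in label) + (len(label) >= 10)


def analyse_dns_log(log: str, score_threshold: int = 2, min_nxdomain: int = 10) -> dict:
    """Verdict requires BOTH signals: lexically odd names AND NXDOMAIN answers in volume.
    Odd names that resolve are reported separately instead of counting toward the verdict."""
    candidates, lexical_only = [], []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tolerate blank or malformed lines
        qname, rcode = m["qname"], m["rcode"].upper()
        if lexical_score(registrable_label(qname)) >= score_threshold:
            (candidates if rcode == "NXDOMAIN" else lexical_only).append(qname)
    return {
        "dga_candidates": candidates,
        "lexical_only": lexical_only,
        "nxdomain_suspicious": len(candidates),
        "verdict": len(candidates) >= min_nxdomain,
    }


if __name__ == "__main__":
    result = analyse_dns_log(SAMPLE_LOG)
    print(f"{result['nxdomain_suspicious']} suspicious NXDOMAIN names, verdict={result['verdict']}")
    print("lexically odd but resolving (not counted):", result["lexical_only"])
```

The lexical test alone would score letsencrypt at 3, the same as several of the generated names, which is why the NXDOMAIN condition is not optional: a resolver log feature such as the reply code is what separates a DGA burst from an unusual but legitimate hostname.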
Contains functionality to upload files via FTP
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco
Note: FtpPutFileEx is referenced only inside the API list of function 0_2_00419D20, which also references menu, bitmap, icon, metafile and multimedia APIs and is cited again below for resource loading and for the command-line strings. A single function touching that many unrelated APIs once each looks like an import thunk or library stub table rather than an upload routine, and no FTP connection appears in the captured traffic, so this hit needs verification before it is reported as exfiltration.
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 23.10.249.152 (reported twice)
Contains functionality to download additional files from the internet
Source: C:\Windows\explorer.exe, Code function: 1_2_007C15B0 InternetReadFile
Downloads files from webservers via HTTP
Source: global traffic, HTTP traffic detected: GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/10.0; Host: ocsp.pki.goog
Source: global traffic, HTTP traffic detected: GET /GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCCCIrzM%2FKFFw%2B HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/10.0; Host: ocsp.pki.goog
Source: global traffic, HTTP traffic detected: GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgO54qVnGaYpxjBEoQUm57uvQQ%3D%3D HTTP/1.1; Connection: Keep-Alive; Accept: */*; User-Agent: Microsoft-CryptoAPI/10.0; Host: ocsp.int-x3.letsencrypt.org
Note: all three plaintext HTTP requests are OCSP checks issued by Windows CryptoAPI (User-Agent Microsoft-CryptoAPI/10.0) for the certificates presented on the port-443 connections below. Whatever the sample itself exchanged over those HTTPS sessions is not visible in this run, which did not decrypt TLS (see Analysis Advice).
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: www.google.com
Urls found in memory or binary data
Source: E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08.1.dr, String found in binary or memory: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUx
Source: F5F320A94D4D2B4465D8F17E2BB2D351_0BA94B3A3CB67F245E2A70E0B581D64B.1.dr, String found in binary or memory: http://ocsp.pki.goog/GTSGIAG3/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndn
Source: CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821.1.dr, String found in binary or memory: http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBq
Source: csshead.exe, explorer.exe, String found in binary or memory: https://
Uses HTTPS
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown, Network traffic detected: HTTP traffic on port 49684 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49684

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\p61isjuj.default\prefs.js

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00401928 LoadLibraryA,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_0040949C push 004094C8h; ret 0_2_004094C0
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_004094E0 push 00409506h; ret 0_2_004094FE
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_0040103C push 00401068h; ret 0_2_00401060
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_0040107C push 004010A8h; ret 0_2_004010A0
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00429267 push ebx; ret 0_2_00429268
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00434271 push eax; retf 0_2_00434272
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00429F35 push ecx; ret 0_2_00429F48
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00434F2B pushad ; iretd 0_2_00434F2C
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00432D21 pushfd ; retf 0043h 0_2_00432D22
Source: C:\Windows\explorer.exe, Code function: 1_2_007C949C push 007C94C8h; ret 1_2_007C94C0
Source: C:\Windows\explorer.exe, Code function: 1_2_007C103C push 007C1068h; ret 1_2_007C1060
Source: C:\Windows\explorer.exe, Code function: 1_2_007C107C push 007C10A8h; ret 1_2_007C10A0
Source: C:\Windows\explorer.exe, Code function: 1_2_007C94E0 push 007C9506h; ret 1_2_007C94FE
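The push/ret pairs above replace a direct jmp with a pushed address and a ret, so the real branch target never appears as a jump operand and a static call-graph pass misses it. The scanner below is an added example, not code from the report or from Joe Sandbox: it finds the pattern in raw x86 code bytes and recovers the target. The code buffer is constructed to model the first hit in the list (function 0_2_0040949C, push 004094C8h, ret at 0_2_004094C0) with NOP filler where a real sample has ordinary instructions; the bounded look-ahead window is an assumption, chosen so that the 0x24-byte gap in the report's pairs is still matched.

```python
"""Find push/ret control-flow obfuscation in raw x86 code bytes (added example, not Joe Sandbox code)."""
import struct

RET_OPCODES = {0xC3: "ret", 0xCB: "retf"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # push r32 is 0x50 + index


def find_push_ret(code: bytes, base: int, window: int = 0x30) -> list:
    """Return push/ret pairs found in `code` loaded at `base`.
    'push imm32 ... ret': the immediate is the branch target and is recovered; the ret may be
    some bytes after the push, hence the bounded look-ahead (window is an assumption).
    'push r32; ret' is reported only when adjacent, because its target is runtime state."""
    hits = []
    for i, op in enumerate(code):
        if op == 0x68 and i + 5 <= len(code):                    # push imm32
            (target,) = struct.unpack_from("<I", code, i + 1)
            for j in range(i + 5, min(i + 5 + window, len(code))):
                if code[j] in RET_OPCODES:
                    hits.append({
                        "form": f"push {target:08X}h; {RET_OPCODES[code[j]]}",
                        "push_at": base + i,
                        "ret_at": base + j,
                        "target": target,
                        "in_image": base <= target < base + len(code),  # out-of-image target = stronger signal
                    })
                    break
        elif 0x50 <= op <= 0x57 and i + 1 < len(code) and code[i + 1] in RET_OPCODES:  # push r32; ret
            hits.append({
                "form": f"push {REG32[op - 0x50]}; {RET_OPCODES[code[i + 1]]}",
                "push_at": base + i,
                "ret_at": base + i + 1,
                "target": None,
                "in_image": None,
            })
    return hits


# Constructed buffer modelled on the report's first hit. NOPs stand in for real instructions.
BASE = 0x409480
CODE = (
    b"\x55\x8b\xec\x5d\xc3"        # 0x409480: push ebp; mov ebp,esp; pop ebp; ret (ordinary, must not match)
    + b"\x90" * 0x17
    + b"\x68\xc8\x94\x40\x00"      # 0x40949C: push 004094C8h
    + b"\x90" * 0x1F
    + b"\xc3"                      # 0x4094C0: ret, execution continues at 0x4094C8
    + b"\x90" * 7
    + b"\x53\xc3"                  # 0x4094C8: push ebx; ret (target only known at runtime)
)


if __name__ == "__main__":
    for hit in find_push_ret(CODE, BASE):
        print(hit)
```

The ordinary prologue/epilogue at the start of the buffer is there to show the scanner is not fooled by the push ebp that every compiled function begins with: the register form is only flagged when the ret immediately follows. For the immediate form, an `in_image` of False (target outside the scanned region) is the case worth prioritising, since it is how unpacked stubs hand control to a second stage.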
Sample is packed with UPX
Source: initial sample, Static PE information: section name: UPX0
Source: initial sample, Static PE information: section name: UPX1
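The UPX0/UPX1 section names are the cheapest packer indicator and the first thing a repacked or renamed build removes. The example below is added here and is not report or Joe Sandbox code: it parses the PE section table directly and adds two checks that survive renaming, a section with no raw data but a large writable, executable virtual range (the area the UPX stub decompresses into) and a high-entropy executable section. The PE image it runs on is constructed inside the block and is not the analysed sample; the section characteristics it assigns to the UPX-style sections and the entropy cut-off are assumptions.

```python
"""PE section-table triage for packer indicators (added example, not Joe Sandbox code)."""
import math
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
HIGH_ENTROPY = 7.0          # bits per byte; compressed or encrypted data sits close to 8.0 (assumed cut-off)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    h, n = 0.0, len(data)
    for c in counts:
        if c:
            p = c / n
            h -= p * math.log2(p)
    return h


def parse_sections(pe: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for idx in range(nsections):
        off = table + 40 * idx
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def packer_indicators(sections: list) -> list:
    hits = []
    upx_names = {s["name"] for s in sections} & UPX_SECTION_NAMES
    if upx_names:
        hits.append("UPX section names: " + ", ".join(sorted(upx_names)))
    for s in sections:
        # Unpack area: nothing on disk, but a large RWX range reserved for the decompressed image.
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and s["executable"] and s["writable"]:
            hits.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes reserved, writable+executable")
        if s["entropy"] >= HIGH_ENTROPY and s["executable"]:
            hits.append(f"{s['name']}: entropy {s['entropy']} in an executable section")
    return hits


def build_sample_pe() -> bytes:
    """Constructed minimal 32-bit PE with a UPX-style layout. Not the analysed sample."""
    header_end = 0x40 + 4 + 20 + 224 + 3 * 40          # e_lfanew=0x40, 3 section headers
    data_off = (header_end + 0x1FF) & ~0x1FF           # 512-byte file alignment
    upx1 = bytes(range(256)) * 16                      # every byte value equally often: entropy 8.0
    rsrc = b"\0" * 512                                 # all zeros: entropy 0.0
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics (assumed)
        (b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080),
        (b"UPX1", 0x1000, 0x11000, len(upx1), data_off, 0xE0000040),
        (b".rsrc", 0x200, 0x12000, len(rsrc), data_off + len(upx1), 0xC0000040),
    ]
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222       # PE32 magic, rest zeroed
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    image = dos + coff + opt + table
    image += b"\0" * (data_off - len(image))
    return image + upx1 + rsrc


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} vsize={s['virtual_size']:#07x} raw={s['raw_size']:#07x} H={s['entropy']:.2f}")
    for hit in packer_indicators(secs):
        print("indicator:", hit)
```

Run against a real file, `parse_sections(open(path, "rb").read())` is all that changes. Entropy and the empty-RWX-section check will also fire on legitimate self-extracting installers and some protected commercial software, so they are triage signals that justify an unpack, not a verdict on their own.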

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00403988 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\explorer.exe, Code function: 1_2_007C5640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Windows\explorer.exe, Code function: 1_2_007C3988 FindFirstFileA,FindClose

System Summary:

Contains functionality to call native functions
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00404E94 NtQueryInformationProcess,ReadProcessMemory
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00408A48 PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00404DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00408A44 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00410210 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00421360 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00410190 IsWindow,GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00417E60 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_0041E9C0 SendMessageA,IsWindow,IsWindow,IsWindow,GetWindowLongA,SetWindowLongA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00417ED0 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,lstrlen,SetWindowLongA,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00418620 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00410810 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00421620 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00418190 GetWindowLongA,GetWindowLongA,GetWindowLongA,SetWindowLongA,GetWindowLongA,OleUninitialize,OleInitialize,GetWindowTextLengthA,GetWindowTextA,SetWindowTextA,GlobalAlloc,GlobalFix,GlobalUnWire,SysFreeString,lstrlen,SysFreeString,SetWindowLongA,SysFreeString,NtdllDefWindowProc_A
Source: C:\Windows\explorer.exe, Code function: 1_2_007C8A48 PostQuitMessage,NtdllDefWindowProc_A
Source: C:\Windows\explorer.exe, Code function: 1_2_007C4E94 NtQueryInformationProcess,ReadProcessMemory
Source: C:\Windows\explorer.exe, Code function: 1_2_007C4DE0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory
Source: C:\Windows\explorer.exe, Code function: 1_2_007C8A44 NtdllDefWindowProc_A
Detected potential crypto function
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00405D20
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_0041C95B
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_0043256D
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00430D58
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00423AD0
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00430807
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_004302B6
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_0042E76B
Source: C:\Windows\explorer.exe, Code function: 1_2_007C5D20
PE file contains strange resources
Source: csshead.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Sample file is different than original file name gathered from version info
Source: csshead.exe, 00000000.00000001.27391130383.00456000.00000008.sdmp, Binary or memory string: OriginalFilename: template.exe vs csshead.exe
Source: csshead.exe, Binary or memory string: OriginalFilename: template.exe vs csshead.exe
Sample reads its own file content
Source: C:\Users\user\Desktop\csshead.exe, File read: C:\Users\user\Desktop\csshead.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\csshead.exe, Section loaded: open.dll (reported 20 times)
Classification label
Source: classification engine, Classification label: mal100.evad.spyw.troj.winEXE@3/14@37/4
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\Desktop\csshead.exe, Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco
Creates files inside the user directory
Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
Launches a second explorer.exe instance
Source: unknown, Process created: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\csshead.exe, Process created: C:\Windows\explorer.exe
Note: every "Code function" reported for explorer.exe (1_2_007Cxxxx) has a counterpart in csshead.exe at the same offset from the 0x400000 image base (0_2_0040xxxx), and the region 1.2.explorer.exe.7c0000.6.unpack carries the same Avira label and yara hit as the csshead.exe unpack. The second explorer.exe instance is therefore executing the sample's unpacked payload, and the Firefox profile access, the DNS queries and the HTTPS traffic attributed to explorer.exe in this report belong to the sample, not to the shell.
Might use command line argumentsShow sources
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: Menu0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: Bitmap0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: Edit0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: WAV0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: open0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: open0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: open0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: Profile0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: .icm0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: .icm0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: open0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: open0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exeCommand line argument: Profile0_2_00419D20
Source: C:\Users\user\Desktop\csshead.exe | Command line argument: @G@ | 0_2_00419D20
Reads software policies
Source: C:\Users\user\Desktop\csshead.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: csshead.exe | virustotal: Detection: 46%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\csshead.exe 'C:\Users\user\Desktop\csshead.exe'
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\csshead.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Binary contains paths to debug symbols
Source: Binary string: Ihs.pdb | source: csshead.exe
Source: Binary string: C:\As\Release\2000s.pdb | source: csshead.exe

HIPS / PFW / Operating System Protection Evasion:

Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\Desktop\csshead.exe | Memory written: PID: 3160 base: B0000 value: 43
Source: C:\Users\user\Desktop\csshead.exe | Memory written: PID: 3160 base: 3D81E8 value: 00
Source: C:\Users\user\Desktop\csshead.exe | Memory written: PID: 3160 base: EC46B0 value: 55
Writes to foreign memory regions
Source: C:\Users\user\Desktop\csshead.exe | Memory written: C:\Windows\explorer.exe base: EC46B0
Contains functionality to add an ACL to a security descriptor
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00404406 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,ConvertStringSecurityDescriptorToSecurityDescriptorA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,LocalFree, 0_2_00404406
Contains functionality to create a new security descriptor
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004041C8 GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,CloseHandle,AllocateAndInitializeSid,EqualSid,FreeSid, 0_2_004041C8

Anti Debugging:

Found API chain indicative of debugger detection
Source: C:\Users\user\Desktop\csshead.exe | Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep (graph_0-19518)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004010B4 rdtsc 0_2_004010B4
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406D40 IsDebuggerPresent, 0_2_00406D40
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004239DD VirtualProtect ?,-00000001,00000104,? 0_2_004239DD
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401928 LoadLibraryA,GetProcAddress, 0_2_00401928
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004024F8 mov eax, dword ptr fs:[00000030h] 0_2_004024F8
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_01821560 mov eax, dword ptr fs:[00000030h] 0_2_01821560
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_01823134 mov eax, dword ptr fs:[00000030h] 0_2_01823134
Source: C:\Windows\explorer.exe | Code function: 1_2_007C24F8 mov eax, dword ptr fs:[00000030h] 1_2_007C24F8
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00401460 GetProcessHeap,RtlReAllocateHeap, 0_2_00401460
Contains functionality to register its own exception handler
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0042CA48 SetUnhandledExceptionFilter, 0_2_0042CA48
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00424FEB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00424FEB
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00429814 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00429814

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406B18 0_2_00406B18
Source: C:\Windows\explorer.exe | Code function: 1_2_007C6B18 1_2_007C6B18
Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\explorer.exe | Code function: 1_2_007C6DB0 GetTickCount,Sleep,GetTickCount, 1_2_007C6DB0
Source: C:\Windows\explorer.exe | Code function: 1_2_007C6DC8 GetTickCount,Sleep,GetTickCount, 1_2_007C6DC8
Found evasive API chain (may execute only at specific dates)
Source: C:\Windows\explorer.exe | Evasive API call chain: GetSystemTime,DecisionNodes,Sleep (graph_1-4722)
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\csshead.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004010B4 rdtsc 0_2_004010B4
Contains long sleeps (>= 3 min)
Source: C:\Windows\explorer.exe | Thread delayed: delay time: 300000
Found evasive API chain (date check)
Source: C:\Windows\explorer.exe | Evasive API call chain: GetSystemTime,DecisionNodes (graph_1-4722)
Found evasive API chain (may stop execution after accessing registry keys)
Source: C:\Windows\explorer.exe | Evasive API call chain: RegOpenKey,DecisionNodes,Sleep (graph_1-4666)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\Desktop\csshead.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_0-18509)
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\csshead.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_0-18759)
Source: C:\Windows\explorer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_1-4553)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep count: 297 > 30
Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep time: -297000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3080 | Thread sleep time: -300000s >= -60000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00403988 FindFirstFileA,FindClose, 0_2_00403988
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405640
Source: C:\Windows\explorer.exe | Code function: 1_2_007C5640 SHGetSpecialFolderPathA,FindFirstFileA,FindNextFileA,FindClose, 1_2_007C5640
Source: C:\Windows\explorer.exe | Code function: 1_2_007C3988 FindFirstFileA,FindClose, 1_2_007C3988
Contains functionality to query system information
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00419D20 CoInitialize,NtdllDefWindowProc_A,GetCommandLineA,CreateMenu,LoadMenuA,LoadMenuA,LoadBitmapA,AppendMenuA,LoadMenuA,BeginDeferWindowPos,CreateMetaFileA,SetBrushOrgEx,LoadImageA,FtpPutFileEx,GetSysColorBrush,FrameRect,GlobalAlloc,GetLastError,GetIconInfo,GetIconInfo,GetDIBits,GetDIBits,GetDIBits,GetDIBits,GetDIBits,SetWindowContextHelpId,GetDlgItem,GetDlgItem,SetWindowContextHelpId,mmioSetInfo,mmioAscend,GetSystemInfo,CloseHandle,GetSystemTimeAsFileTime,SetConsoleCtrlHandler,CreateFileA,CreateIoCompletionPort,CopyImage,DrawMenuBar,FindResourceA,VirtualAlloc,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,LoadLibraryA,LoadLibraryA,LoadIconA,LoadIco 0_2_00419D20
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: csshead.exe, 00000000.00000002.27490890262.00599000.00000004.sdmp | Binary or memory string: vmware
Program exit points
Source: C:\Users\user\Desktop\csshead.exe | API call chain: ExitProcess graph end node (graph_0-18510)
Source: C:\Users\user\Desktop\csshead.exe | API call chain: ExitProcess graph end node (graph_0-19555)

Hooking and other Techniques for Hiding and Protection:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 212.92.98.68 187
Source: C:\Windows\explorer.exe | Network Connect: 23.10.249.152 80
Source: C:\Windows\explorer.exe | Network Connect: 216.58.210.14 80
Source: C:\Windows\explorer.exe | Network Connect: 216.58.210.4 187
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00420B80 GetWindowLongA,SendMessageA,SendMessageA,GetWindowLongA,IsWindowVisible,IsIconic,ShowWindow,SendMessageA,GetWindowLongA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA, 0_2_00420B80

Lowering of HIPS / PFW / Operating System Security Settings:

May initialize a security null descriptor
Source: csshead.exe | Binary or memory string: S:(ML;;NRNWNX;;;LW)

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406C6C cpuid 0_2_00406C6C
Queries device information via Setup API
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00406EEC LoadLibraryA,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList,SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,CharLowerBuffA,SetupDiDestroyDeviceInfoList, 0_2_00406EEC
Queries the installation date of Windows
Source: C:\Users\user\Desktop\csshead.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the product ID of Windows
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_00405468 GetSystemTime, 0_2_00405468
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_0041C95B LoadLibraryA,LoadIconA,LoadIconA,OleCreatePictureIndirect,OleCreatePictureIndirect,LoadLibraryA,LoadIconA,OleCreatePictureIndirect,CreateEventA,GetClassLongA,SetClassLongA,GetCursorPos,GetCursorPos,WaitForSingleObject,WaitNamedPipeA,CreateFileA,WaitNamedPipeA,CreateFileA,SetNamedPipeHandleState,CloseHandle,CloseHandle,WriteFile,ReadFile,WriteFile,CloseHandle,ReadFile,CloseHandle,LookupAccountNameA,LookupAccountNameA,GetLastError,GetLastError,GetLastError,GetLastError,LocalAlloc,LocalAlloc,GetLastError,LocalAlloc,GetLastError,LookupAccountNameA,GetLastError,LocalFree,SetStretchBltMode,SetStretchBltMode,SetAbortProc,DrawFrameControl,LoadImageA,SetWindowLongA,SetWindowLongA,CreateEventA,GetCursorPos,GetCursorPos,DragQueryFile,CreateRectRgnIndirect,WaitForSingleObject,EnableMenuItem,GetDlgItem,OleInitialize,RegisterDragDrop,GetTopWindow,RevokeDragDrop,OleUninitialize,SetMenuItemInfoA,GetLastError,DrawMenuBar,GetMenuItemInfoA,BeginPaint,EndPaint,GetClientRect,EnumDateFormatsA,lstrcmpi,lstrcmpi,lstrcmpi 0_2_0041C95B
Contains functionality to query windows version
Source: C:\Users\user\Desktop\csshead.exe | Code function: 0_2_004064BC GetVersionExA, 0_2_004064BC
Queries the cryptographic machine GUID
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Simulations

Behavior and APIs

Time | Type | Description
14:00:01 | API Interceptor | 95x Sleep call for process: csshead.exe modified
14:05:55 | API Interceptor | 1x Sleep call for process: explorer.exe modified

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
csshead.exe | 47% | virustotal |
csshead.exe | 100% | Avira | TR/Spy.Bebloh.ymgcn

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.csshead.exe.50000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.explorer.exe.490000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
1.2.explorer.exe.7c0000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.csshead.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1023574
0.0.csshead.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.1.csshead.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
a771.dscq.akamai.net | 0% | virustotal |
wigermexir.com | 1% | virustotal |
a279.dscq.akamai.net | 0% | virustotal |
www.google.com | 1% | virustotal |

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.28504861757.007C0000.00000040.sdmp | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
00000000.00000002.27490223943.00050000.00000004.sdmp | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT

Unpacked PEs

Source | Rule | Description | Author
0.2.csshead.exe.400000.1.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
0.2.csshead.exe.50000.0.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
1.2.explorer.exe.7c0000.6.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
1.2.explorer.exe.7c0000.6.raw.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT
0.2.csshead.exe.50000.0.raw.unpack | IMPLANT_4_v10 | BlackEnergy / Voodoo Bear Implant by APT28 | US CERT

Joe Sandbox View / Context

IPs


Domains


ASN


Dropped Files

No context

Screenshots