Windows Analysis Report
svchost.exe

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.185.221.23 ports 1,4,6,8,9,49681

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.185.221.23:49681

Source: Joe Sandbox View

IP Address: 147.185.221.23 147.185.221.23

Source: Joe Sandbox View

ASN Name: SALSGIVERUS SALSGIVERUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: women-forms.gl.at.ply.gg
Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa

Source: svchost.exe, 00000000.00000002.1927066101.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\svchost.exe

File dump: xdwdMicrosoft SharePoint.exe.0.dr 766863872

Jump to dropped file

Source: C:\Users\user\Desktop\svchost.exe

Code function: 0_2_00007FFD9B810F3D NtProtectVirtualMemory,

0_2_00007FFD9B810F3D

Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B80EBF9	0_2_00007FFD9B80EBF9
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B808362	0_2_00007FFD9B808362
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B80977D	0_2_00007FFD9B80977D
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B8027A6	0_2_00007FFD9B8027A6
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B8112DE	0_2_00007FFD9B8112DE
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B808AE0	0_2_00007FFD9B808AE0
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B803217	0_2_00007FFD9B803217
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B80EE27	0_2_00007FFD9B80EE27
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B802968	0_2_00007FFD9B802968
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B801578	0_2_00007FFD9B801578
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B8075B6	0_2_00007FFD9B8075B6
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B80F02F	0_2_00007FFD9B80F02F
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B80036D	0_2_00007FFD9B80036D
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B808AC0	0_2_00007FFD9B808AC0
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B80F0E0	0_2_00007FFD9B80F0E0
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B80F10D	0_2_00007FFD9B80F10D
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B80F115	0_2_00007FFD9B80F115
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B80F14D	0_2_00007FFD9B80F14D
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00007FFD9B801460	0_2_00007FFD9B801460

Source: C:\Users\user\Desktop\svchost.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7088 -s 2128

Source: svchost.exe, 00000000.00000002.1934464644.0000000012EF8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUnreal Engine.exe8 vs svchost.exe
Source: svchost.exe, 00000000.00000000.1694888101.00000000009E2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUnreal Engine.exe8 vs svchost.exe
Source: svchost.exe, 00000000.00000002.1938423533.000000001E400000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs svchost.exe
Source: svchost.exe	Binary or memory string: OriginalFilenameUnreal Engine.exe8 vs svchost.exe

Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, fbFHEYCEDRNgHA.cs	Security API names: File.GetAccessControl
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, fbFHEYCEDRNgHA.cs	Security API names: File.SetAccessControl
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, fbFHEYCEDRNgHA.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: svchost.exe, fbFHEYCEDRNgHA.cs	Security API names: File.GetAccessControl
Source: svchost.exe, fbFHEYCEDRNgHA.cs	Security API names: File.SetAccessControl
Source: svchost.exe, fbFHEYCEDRNgHA.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, xWIYubYFaftLdVv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, NWNTgUnAeUAOz.cs	Security API names: Directory.GetAccessControl
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, NWNTgUnAeUAOz.cs	Security API names: Directory.SetAccessControl
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, NWNTgUnAeUAOz.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: svchost.exe, xWIYubYFaftLdVv.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe, BtEmTHoUPITCcg.cs	Security API names: File.GetAccessControl
Source: svchost.exe, BtEmTHoUPITCcg.cs	Security API names: File.SetAccessControl
Source: svchost.exe, NeqMcrOVI.cs	Security API names: Directory.GetAccessControl
Source: svchost.exe, NeqMcrOVI.cs	Security API names: Directory.SetAccessControl
Source: svchost.exe, NWNTgUnAeUAOz.cs	Security API names: Directory.GetAccessControl
Source: svchost.exe, NWNTgUnAeUAOz.cs	Security API names: Directory.SetAccessControl
Source: svchost.exe, NWNTgUnAeUAOz.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, BtEmTHoUPITCcg.cs	Security API names: File.GetAccessControl
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, BtEmTHoUPITCcg.cs	Security API names: File.SetAccessControl
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, NeqMcrOVI.cs	Security API names: Directory.GetAccessControl
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, NeqMcrOVI.cs	Security API names: Directory.SetAccessControl

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/6@2/1

Source: C:\Users\user\Desktop\svchost.exe

File created: C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe

Source: C:\Users\user\Desktop\svchost.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7088
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Users\user\Desktop\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Sheet_jxexktatjcxiuck

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\f6f5af73-bf1d-4adc-8024-400b2da66492

Source: svchost.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: svchost.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\svchost.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: svchost.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\svchost.exe

File read: C:\Users\user\Desktop\svchost.exe

Source: unknown	Process created: C:\Users\user\Desktop\svchost.exe "C:\Users\user\Desktop\svchost.exe"
Source: C:\Users\user\Desktop\svchost.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\svchost.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe" & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe"
Source: C:\Users\user\Desktop\svchost.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7088 -s 2128
Source: C:\Users\user\Desktop\svchost.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe" & exit	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe"	Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: netfxperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: esentprf.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: perfts.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: utildll.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: msdtcuiu.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: msdtcprx.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: mtxclu.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: clusapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: resutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

.NET source code contains potential unpacker

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: svchost.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: svchost.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Xml.ni.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdbRSDS source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdbXwN source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Configuration.ni.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Configuration.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Xml.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Xml.ni.pdbRSDS# source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: mscorlib.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Management.ni.pdbRSDSJ< source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Management.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Drawing.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: Microsoft.VisualBasic.pdbP source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: mscorlib.ni.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Management.ni.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Core.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Configuration.ni.pdbRSDScUN source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.ni.pdb source: WERD1D.tmp.dmp.8.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERD1D.tmp.dmp.8.dr

Data Obfuscation

Source: svchost.exe, UHtEybKDZ.cs	.Net Code: uJQFfbgPB
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, UHtEybKDZ.cs	.Net Code: uJQFfbgPB

Source: svchost.exe

Static PE information: 0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]

Source: C:\Users\user\Desktop\svchost.exe

Code function: 0_2_00007FFD9B8000AD pushad ; iretd

0_2_00007FFD9B8000C1

Source: svchost.exe, gQmHzzrCY.cs	High entropy of concatenated method names: 'DPlEiknPasMgLiC', 'UlKUxGYsPfZLF', 'aXLOEXbpMngOE', 'zzFDEPfFsEy', 'qsoCKcJsSoVxefI', 'ZWniCBsPaVGq', 'UfHPIgjB', 'cEFMFKeIZ', 'HAgVQPupzYc', 'VTpxJNhVzYdQtj'
Source: svchost.exe, AHWNPswt.cs	High entropy of concatenated method names: 'yGqdETmOWRuuM', 'AOfLvAGPS', 'KUGoxrpgzgCD', 'baXOaOsKJozV', 'khAtainKTkNxQec', 'vfGxjDlYlg', 'aVBgGSyH', 'fGFTQUHqJ', 'JkQwOItYPg', 'cHuiMpSDHeSXTio'
Source: svchost.exe, qBKeyeYJq.cs	High entropy of concatenated method names: 'jEFtdokfENpBu', 'rIzRnLiD', 'hbHQgxVaUUBeTw', 'XepbnoXoHEnpfGV', 'AfLXSVYDiimU', 'saYMzuIWGPEKm', 'LtHqTypA', 'IYhBGltFBDGOeOc', 'MNHtPGNfVNKa', 'SVrrcPoRsCkNKD'
Source: svchost.exe, UHtEybKDZ.cs	High entropy of concatenated method names: 'IsKsYXxPCTQEZuD', 'fGtlEVgtBCCO', 'hELArHJq', 'TeMsmarQiyBV', 'EKoomLRrWUjMVOE', 'imtmAmPY', 'iGBlUEMhl', 'AMCVxYow', 'dfRLmLzMH', 'vRvPcDFQFBQWf'
Source: svchost.exe, NeqMcrOVI.cs	High entropy of concatenated method names: 'CAekpWYv', 'XDVDIIiccq', 'mIeQRhRcE', 'EWQvnWtUlEQkvFH', 'biDuPleCQtWOTI', 'vqTTgEHV', 'pHrlqCNZIYFjZ', 'jSsOetzeA', 'AUtblbnTNQEH', 'sLOgwGuDUWgkAoq'
Source: svchost.exe, csktEuDZ.cs	High entropy of concatenated method names: 'rskADhbnmV', 'wrTClakkjVPIa', 'nBZERkgoRCVVOY', 'gOcWvDlZhIeKS', 'xckKMPgBjUkEHa', 'hQLLBCHmmf', 'CcrwnaOzUZlLC', 'DfeIlqwKI', 'sSyRmpqy', 'bMEKnhKqIFqv'
Source: svchost.exe, iNpJrQadM.cs	High entropy of concatenated method names: 'JLUlAIMHE', 'XUTlAvuNuBNjN', 'RSoenJVL', 'EvVlNquXQa', 'nOuDIwWNjK', 'aySUhThUuQLHPpf', 'hWzdxJAPC', 'lVrnIcCHVXT', 'JbqvfwbHeNdmoq', 'gARxDRIhLdGIj'
Source: svchost.exe, dGvnHSGeq.cs	High entropy of concatenated method names: 'JOMUvENQFtGHcpO', 'teLkMHRkjfxl', 'ChdxtsmrCzXl', 'uwFWdGZcYb', 'FkBxclPHcm', 'LcKjxbnq', 'nzzMUeNCrLBd', 'KrIqpPRjQ', 'arlcLuIxo', 'wfFlpcxXNPRkZ'
Source: svchost.exe, kJfIcKLimPN.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'NbDQVVfdoQdsMoM', 'VAnCWBHPyuCey', 'BrSmPTenf', 'IUkTfmvnyZN', 'cKYLTnRaTAedO', 'aaZsIhVRuCRnj', 'yPgZxPOIO', 'zqVECHqG', 'uMVNFQfR'
Source: svchost.exe, IlzIzIMeuEVy.cs	High entropy of concatenated method names: 'fisxClBKBpQHrQ', 'qVRDgFrHuF', 'DdjeoaXCWrGN', 'ZOPGviBIs', 'oZnSSlnbxsYiYbW', 'qjoubkHK', 'SpkMLDVLjuFB', 'FRiQIUirp', 'kusRUxRDRdozvC', 'loCXogRzie'
Source: svchost.exe, JcYvQYnSVlQsc.cs	High entropy of concatenated method names: 'CZesbWDCbM', 'VjtbyMnqk', 'DAXpdBKr', 'wHuVjakBkj', 'HALnuotrXZcBr', 'yZGDyVtKJ', 'AbNKBOKDHC', 'CojuoHTUsTGCJkB', 'xlOowrvnTajp', 'OZupRvkXI'
Source: svchost.exe, rWPiXWRl.cs	High entropy of concatenated method names: 'cqIUuCsUwoSrSbZ', 'btStXIbpUnVt', 'iQCgqlATgxuUBJI', 'JZuqEvcyr', 'UPSzGhyXOXQ', 'bqYKvvYZW', 'TfLOaDtmoDoRQlA', 'rMWevkuyxERtA', 'aSCVwnnrHudbj', 'WKZnKOELD'
Source: svchost.exe, FdzMqySHmS.cs	High entropy of concatenated method names: 'EvxGnyRlFFVPJ', 'fmbZxyBKbMuPS', 'uVsvPmTtA', 'gIXrRNjNpd', 'MqipTguUk', 'XgIqjNZzX', 'lmJtoaJsNc', 'apxieJGvFZZPG', 'cPAiAKORO', 'ahpBtXBGHex'
Source: svchost.exe, BtEmTHoUPITCcg.cs	High entropy of concatenated method names: 'GgHxJCVEaUQrgzG', 'oUeczvTGsOGuvKm', 'jeBmmWalfpeRCP', 'VIMfiyDwK', 'AEuvaJQidI', 'yTJRtswK', 'CDdGllieEp', 'irZmRfqEgOjZ', 'FXpDNoFHl', 'KwboJpalencUGt'
Source: svchost.exe, HpRVhADmuhZYJvv.cs	High entropy of concatenated method names: 'CreateClassEnumerator', 'Read', 'Write', '_003CGetFiltes_003Eb__0', 'RbtGsbiVXpVBxFM', 'yqnzoQkO', 'sIwkrESWlYysvH', 'HwysfBopUVaS', 'vIBrfQASm', 'flCeMgOLDjHsr'
Source: svchost.exe, oxhJCEhMAubqY.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'AhKppaBJbLPbdg', 'iVYGOMGBfYbum', 'AjtsHZaTLJW', 'fWVtbbAeRYCkJ', 'ugfRNgPlacVi', 'GIPKPjhhjfl'
Source: svchost.exe, pQeeSmtZjfgM.cs	High entropy of concatenated method names: 'uGUEbRFKJBoS', 'hVBOkzuKzwDfJos', 'HbUAgoyD', 'yQySgOpMYFYXVu', 'SPvJQYRdNGBaU', 'NsWyVljvsS', 'OTliTfmgoiQso', 'UhmlLeoUuKNBZ', 'JxWWdcCEgvtaPug', 'wziMAEwKgottZ'
Source: svchost.exe, hbBVDpTqLs.cs	High entropy of concatenated method names: 'rGoWJsiVRHKoA', 'iMjwANJKBaibr', 'BKdiRFySVE', 'JFemKWnAkV', 'juLeagFNniBS', 'GdcWvlQrfiq', 'eYqEvaGvZ', 'jXneSMHQeImK', 'huQEyElELUWv', 'PJsHuXufu'
Source: svchost.exe, fbFHEYCEDRNgHA.cs	High entropy of concatenated method names: 'NvKxsoSaef', 'CUSPlrZhwLtmsQ', 'oJHqaXyaCeUx', 'BNBbbQVhlo', 'VGZDETIRhQzJ', 'nFQEtQkRuI', 'jKSKcuuCUcVT', 'vViVDQBBDioWzRo', 'DNaytTuBypm', 'woqRlTJXiOO'
Source: svchost.exe, NWNTgUnAeUAOz.cs	High entropy of concatenated method names: 'ERuWGdybA', 'kIRpzJkJE', 'whEXPVyPXdASSjZ', 'lAOSjlVFjYCxAV', 'qJEMXNWGkeiDX', 'RqiPGXkvm', 'KLzoqTAPC', 'JJNWCgOtdnBiyx', 'iTitxzvWtC', 'NiQReSAex'
Source: svchost.exe, RtHdNrBnwvHMUx.cs	High entropy of concatenated method names: '_003CPatchMem_003Eb__0', 'lawnyVekQX', 'iNXxXsafCAiLmG', 'QBUegTOTv', 'uXEUmIrFWI', 'PzXOmouPDOKglF', 'PlqYUubicUVK', 'sqGQyYABwQ', 'fUDsAkrTPIsFOxo', 'oRvuQddXMHtiNE'
Source: svchost.exe, jlbeQXxcqjEQ.cs	High entropy of concatenated method names: 'VyLwfAQGqTgj', 'yoSDzsoXTv', 'WJuSHWjilxrU', 'SnXMWsRuuDZ', 'KnjLbGCDj', 'VFyyUkxxPGUt', 'MVcAbdhbFUIxj', 'WKqpQpsRROYXhww', 'SpQCXqzGbZBzQl', 'AkkanYRDEsuDOb'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, gQmHzzrCY.cs	High entropy of concatenated method names: 'DPlEiknPasMgLiC', 'UlKUxGYsPfZLF', 'aXLOEXbpMngOE', 'zzFDEPfFsEy', 'qsoCKcJsSoVxefI', 'ZWniCBsPaVGq', 'UfHPIgjB', 'cEFMFKeIZ', 'HAgVQPupzYc', 'VTpxJNhVzYdQtj'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, AHWNPswt.cs	High entropy of concatenated method names: 'yGqdETmOWRuuM', 'AOfLvAGPS', 'KUGoxrpgzgCD', 'baXOaOsKJozV', 'khAtainKTkNxQec', 'vfGxjDlYlg', 'aVBgGSyH', 'fGFTQUHqJ', 'JkQwOItYPg', 'cHuiMpSDHeSXTio'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, qBKeyeYJq.cs	High entropy of concatenated method names: 'jEFtdokfENpBu', 'rIzRnLiD', 'hbHQgxVaUUBeTw', 'XepbnoXoHEnpfGV', 'AfLXSVYDiimU', 'saYMzuIWGPEKm', 'LtHqTypA', 'IYhBGltFBDGOeOc', 'MNHtPGNfVNKa', 'SVrrcPoRsCkNKD'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, UHtEybKDZ.cs	High entropy of concatenated method names: 'IsKsYXxPCTQEZuD', 'fGtlEVgtBCCO', 'hELArHJq', 'TeMsmarQiyBV', 'EKoomLRrWUjMVOE', 'imtmAmPY', 'iGBlUEMhl', 'AMCVxYow', 'dfRLmLzMH', 'vRvPcDFQFBQWf'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, NeqMcrOVI.cs	High entropy of concatenated method names: 'CAekpWYv', 'XDVDIIiccq', 'mIeQRhRcE', 'EWQvnWtUlEQkvFH', 'biDuPleCQtWOTI', 'vqTTgEHV', 'pHrlqCNZIYFjZ', 'jSsOetzeA', 'AUtblbnTNQEH', 'sLOgwGuDUWgkAoq'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, csktEuDZ.cs	High entropy of concatenated method names: 'rskADhbnmV', 'wrTClakkjVPIa', 'nBZERkgoRCVVOY', 'gOcWvDlZhIeKS', 'xckKMPgBjUkEHa', 'hQLLBCHmmf', 'CcrwnaOzUZlLC', 'DfeIlqwKI', 'sSyRmpqy', 'bMEKnhKqIFqv'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, iNpJrQadM.cs	High entropy of concatenated method names: 'JLUlAIMHE', 'XUTlAvuNuBNjN', 'RSoenJVL', 'EvVlNquXQa', 'nOuDIwWNjK', 'aySUhThUuQLHPpf', 'hWzdxJAPC', 'lVrnIcCHVXT', 'JbqvfwbHeNdmoq', 'gARxDRIhLdGIj'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, dGvnHSGeq.cs	High entropy of concatenated method names: 'JOMUvENQFtGHcpO', 'teLkMHRkjfxl', 'ChdxtsmrCzXl', 'uwFWdGZcYb', 'FkBxclPHcm', 'LcKjxbnq', 'nzzMUeNCrLBd', 'KrIqpPRjQ', 'arlcLuIxo', 'wfFlpcxXNPRkZ'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, kJfIcKLimPN.cs	High entropy of concatenated method names: '_003CScreenShot_003Eb__16_0', 'NbDQVVfdoQdsMoM', 'VAnCWBHPyuCey', 'BrSmPTenf', 'IUkTfmvnyZN', 'cKYLTnRaTAedO', 'aaZsIhVRuCRnj', 'yPgZxPOIO', 'zqVECHqG', 'uMVNFQfR'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, IlzIzIMeuEVy.cs	High entropy of concatenated method names: 'fisxClBKBpQHrQ', 'qVRDgFrHuF', 'DdjeoaXCWrGN', 'ZOPGviBIs', 'oZnSSlnbxsYiYbW', 'qjoubkHK', 'SpkMLDVLjuFB', 'FRiQIUirp', 'kusRUxRDRdozvC', 'loCXogRzie'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, JcYvQYnSVlQsc.cs	High entropy of concatenated method names: 'CZesbWDCbM', 'VjtbyMnqk', 'DAXpdBKr', 'wHuVjakBkj', 'HALnuotrXZcBr', 'yZGDyVtKJ', 'AbNKBOKDHC', 'CojuoHTUsTGCJkB', 'xlOowrvnTajp', 'OZupRvkXI'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, rWPiXWRl.cs	High entropy of concatenated method names: 'cqIUuCsUwoSrSbZ', 'btStXIbpUnVt', 'iQCgqlATgxuUBJI', 'JZuqEvcyr', 'UPSzGhyXOXQ', 'bqYKvvYZW', 'TfLOaDtmoDoRQlA', 'rMWevkuyxERtA', 'aSCVwnnrHudbj', 'WKZnKOELD'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, FdzMqySHmS.cs	High entropy of concatenated method names: 'EvxGnyRlFFVPJ', 'fmbZxyBKbMuPS', 'uVsvPmTtA', 'gIXrRNjNpd', 'MqipTguUk', 'XgIqjNZzX', 'lmJtoaJsNc', 'apxieJGvFZZPG', 'cPAiAKORO', 'ahpBtXBGHex'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, BtEmTHoUPITCcg.cs	High entropy of concatenated method names: 'GgHxJCVEaUQrgzG', 'oUeczvTGsOGuvKm', 'jeBmmWalfpeRCP', 'VIMfiyDwK', 'AEuvaJQidI', 'yTJRtswK', 'CDdGllieEp', 'irZmRfqEgOjZ', 'FXpDNoFHl', 'KwboJpalencUGt'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, HpRVhADmuhZYJvv.cs	High entropy of concatenated method names: 'CreateClassEnumerator', 'Read', 'Write', '_003CGetFiltes_003Eb__0', 'RbtGsbiVXpVBxFM', 'yqnzoQkO', 'sIwkrESWlYysvH', 'HwysfBopUVaS', 'vIBrfQASm', 'flCeMgOLDjHsr'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, oxhJCEhMAubqY.cs	High entropy of concatenated method names: '_003CStart_003Eb__1_0', '_003CUninstall_003Eb__2_0', '_003CLoopInstall_003Eb__7_0', '_003CStartAsBypass_003Eb__10_0', 'AhKppaBJbLPbdg', 'iVYGOMGBfYbum', 'AjtsHZaTLJW', 'fWVtbbAeRYCkJ', 'ugfRNgPlacVi', 'GIPKPjhhjfl'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, pQeeSmtZjfgM.cs	High entropy of concatenated method names: 'uGUEbRFKJBoS', 'hVBOkzuKzwDfJos', 'HbUAgoyD', 'yQySgOpMYFYXVu', 'SPvJQYRdNGBaU', 'NsWyVljvsS', 'OTliTfmgoiQso', 'UhmlLeoUuKNBZ', 'JxWWdcCEgvtaPug', 'wziMAEwKgottZ'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, hbBVDpTqLs.cs	High entropy of concatenated method names: 'rGoWJsiVRHKoA', 'iMjwANJKBaibr', 'BKdiRFySVE', 'JFemKWnAkV', 'juLeagFNniBS', 'GdcWvlQrfiq', 'eYqEvaGvZ', 'jXneSMHQeImK', 'huQEyElELUWv', 'PJsHuXufu'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, fbFHEYCEDRNgHA.cs	High entropy of concatenated method names: 'NvKxsoSaef', 'CUSPlrZhwLtmsQ', 'oJHqaXyaCeUx', 'BNBbbQVhlo', 'VGZDETIRhQzJ', 'nFQEtQkRuI', 'jKSKcuuCUcVT', 'vViVDQBBDioWzRo', 'DNaytTuBypm', 'woqRlTJXiOO'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, NWNTgUnAeUAOz.cs	High entropy of concatenated method names: 'ERuWGdybA', 'kIRpzJkJE', 'whEXPVyPXdASSjZ', 'lAOSjlVFjYCxAV', 'qJEMXNWGkeiDX', 'RqiPGXkvm', 'KLzoqTAPC', 'JJNWCgOtdnBiyx', 'iTitxzvWtC', 'NiQReSAex'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, RtHdNrBnwvHMUx.cs	High entropy of concatenated method names: '_003CPatchMem_003Eb__0', 'lawnyVekQX', 'iNXxXsafCAiLmG', 'QBUegTOTv', 'uXEUmIrFWI', 'PzXOmouPDOKglF', 'PlqYUubicUVK', 'sqGQyYABwQ', 'fUDsAkrTPIsFOxo', 'oRvuQddXMHtiNE'
Source: 0.2.svchost.exe.12ef9ac0.1.raw.unpack, jlbeQXxcqjEQ.cs	High entropy of concatenated method names: 'VyLwfAQGqTgj', 'yoSDzsoXTv', 'WJuSHWjilxrU', 'SnXMWsRuuDZ', 'KnjLbGCDj', 'VFyyUkxxPGUt', 'MVcAbdhbFUIxj', 'WKqpQpsRROYXhww', 'SpQCXqzGbZBzQl', 'AkkanYRDEsuDOb'

Source: C:\Users\user\Desktop\svchost.exe

File created: C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe"

Source: C:\Users\user\Desktop\svchost.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage

Source: C:\Users\user\Desktop\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\svchost.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Memory allocated: 1AEF0000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Dropped PE file which has not been started: C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe

Jump to dropped file

Source: C:\Users\user\Desktop\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\Desktop\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT UserName FROM Win32_ComputerSystem

Source: C:\Users\user\Desktop\svchost.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: svchost.exe, 00000000.00000002.1935240757.000000001BA27000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000000.00000002.1935482077.000000001BA85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V omkwbtbwipchcil Bus
Source: svchost.exe, 00000000.00000002.1935482077.000000001BA85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V omkwbtbwipchcil Bus Pipes
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: svchost.exe, 00000000.00000002.1927066101.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 6C:\Users\user\AppData\Local\xdwdMicrosoft Hyper-V.exe
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 00000000.00000002.1927066101.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: 0%LocalApplicationData%\xdwdMicrosoft Hyper-V.exe
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: svchost.exe, 00000000.00000002.1927066101.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .%LocalApplicationData%\xdwdMicrosoft Hyper-V.e
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000000.00000002.1935883812.000000001BAAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: svchost.exe, 00000000.00000002.1927066101.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ,%LocalApplicationData%\xdwdMicrosoft Hyper-V
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: svchost.exe, 00000000.00000002.1927066101.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: xdwdMicrosoft Hyper-V.exe
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: svchost.exe, 00000000.00000002.1927066101.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /%LocalApplicationData%\xdwdMicrosoft Hyper-V.ex
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 00000000.00000002.1927066101.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -%LocalApplicationData%\xdwdMicrosoft Hyper-V.
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\svchost.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\svchost.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\svchost.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\svchost.exe

Network Connect: 147.185.221.23 49681

Source: C:\Users\user\Desktop\svchost.exe	Process created: C:\Windows\System32\cmd.exe "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe" & exit			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe"			Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Queries volume information: C:\Users\user\Desktop\svchost.exe VolumeInformation

Source: C:\Users\user\Desktop\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation Bias

Source: C:\Users\user\Desktop\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 00000000.00000002.1935197695.000000001BA00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1935240757.000000001BA27000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1926406389.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	2 Windows Service	2 Windows Service	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	23 Virtualization/Sandbox Evasion	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Scheduled Task/Job	1 Disable or Modify Tools	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	111 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	123 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
svchost.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
svchost.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe	100%	Avira	TR/Crypt.OPACK.Gen

Name	IP	Active	Malicious	Antivirus Detection	Reputation
women-forms.gl.at.ply.gg	147.185.221.23	true	true		unknown
18.31.95.13.in-addr.arpa	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.8.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	svchost.exe, 00000000.00000002.1927066101.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.185.221.23	women-forms.gl.at.ply.gg	United States		12087	SALSGIVERUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1556741
Start date and time:	2024-11-15 22:12:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	svchost.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/6@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 19 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Excluded IPs from analysis (whitelisted): 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
VT rate limit hit for: svchost.exe

Simulations

Behavior and APIs

Time	Type	Description
16:13:00	API Interceptor	1x Sleep call for process: svchost.exe modified
16:13:22	API Interceptor	1x Sleep call for process: WerFault.exe modified
21:13:02	Task Scheduler	Run new task: Microsoft Azure DevOps path: C:\Users\user\Videos\xdwdMicrosoft s>SharePoint.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.185.221.23	msedge_visual_render.exe	Get hash	malicious	XWorm	Browse
	exe030.exe	Get hash	malicious	XWorm	Browse
	pQm8Ci3Dov.exe	Get hash	malicious	XWorm	Browse
	jkL96SLfWS.exe	Get hash	malicious	XWorm	Browse
	xtrSvgqQEW.exe	Get hash	malicious	XWorm	Browse
	7PRbdkCn03.exe	Get hash	malicious	XWorm	Browse
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse
	6qwSgLbPO9.exe	Get hash	malicious	XWorm	Browse
	RLesaPFXew.exe	Get hash	malicious	SilverRat	Browse
	rboancbWce.exe	Get hash	malicious	XWorm	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SALSGIVERUS	msedge_visual_render.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	exe030.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	pQm8Ci3Dov.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	jkL96SLfWS.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	xtrSvgqQEW.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	7PRbdkCn03.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	8Hd0ZExgJz.exe	Get hash	malicious	Blank Grabber, Umbral Stealer, XWorm	Browse	147.185.221.23
	6qwSgLbPO9.exe	Get hash	malicious	XWorm	Browse	147.185.221.23
	RLesaPFXew.exe	Get hash	malicious	SilverRat	Browse	147.185.221.23
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	147.176.207.108

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_8d47929f559f461bc752f2bb57f8a1617ea99f7_81b4446f_0ef665aa-2bb3-4042-8221-e347bbc53ff3\Report.wer

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.4364575356172418
Encrypted:	false
SSDEEP:	192:/exOqJUNoWJF0TNT+aWB2GZHOclJXZFjhzuiFrZ24lO8oS:UmTJmTNT+am2GAiJhzuiFrY4lO8l
MD5:	BB4116765382FB57995E2BE81A1E1CE2
SHA1:	1BB53FFC0BEA2A6EC1B4604596A493147C534A2F
SHA-256:	80C70E78D2ADF3F0377B36A848F121BB9F36BC0B2CD8AA77C96176D70AFBC6BF
SHA-512:	22E10A349ED31A48BE824D1CCEC466449A0AC01C1B970180785AB38F62AD33E7799A4B3163532F884FE56050EBADADE5325398F6D24F735604081FA5C48F3BF8
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.1.7.8.7.8.7.5.4.0.5.7.0.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.1.7.8.7.8.8.3.0.6.2.1.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.e.f.6.6.5.a.a.-.2.b.b.3.-.4.0.4.2.-.8.2.2.1.-.e.3.4.7.b.b.c.5.3.f.f.3.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.5.f.a.a.a.f.2.-.e.6.f.1.-.4.f.9.4.-.9.6.4.3.-.6.5.1.c.8.0.4.3.3.5.4.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.U.n.r.e.a.l. .E.n.g.i.n.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.b.0.-.0.0.0.1.-.0.0.1.4.-.1.9.e.6.-.0.6.2.6.a.3.3.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.3.a.d.f.9.c.4.2.f.9.6.f.3.2.0.1.6.c.3.b.3.9.c.8.7.1.a.a.b.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.3.6.f.9.1.0.d.b.2.8.9.4.7.5.f.0.e.1.4.0.4.b.a.d.3.4.6.1.c.6.b.c.1.e.3.c.3.b.7.!.s.v.c.h.o.s.t...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1D.tmp.dmp

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Fri Nov 15 21:13:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	538774
Entropy (8bit):	3.402081091986007
Encrypted:	false
SSDEEP:	3072:aMSaPL2/4+S8s3+vBPVoQpMnISxdrF74prDBFPIROTcSwknlha1CCqvbtdQ:5SII4+S8s3QBd7SIWdZ4vBFqOnRsqnQ
MD5:	6C03973F099D847085E36598906D1698
SHA1:	FABA692DDA6F469D75C0EC118A9D9C4D0B030EC1
SHA-256:	AA1B9CE5C44C9F5FF4025C5F4B1C7B89F5F584C45FF1E69D9512CEC39D9D66FF
SHA-512:	AAD277CF79757052CB161742258A527EFE2C21F9E6B902B20F514000E1653C7A81AB72F5922E6C9FF81F5BB0A5206626639924510AE9D57910276E7C4CB0D22C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......c.7g........................x+..........$...l5...........5......tS..\...........l.......8...........T...........XS..>...........\L..........HN..............................................................................eJ.......N......Lw......................T...........[.7g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF31.tmp.WERInternalMetadata.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9080
Entropy (8bit):	3.698730197408707
Encrypted:	false
SSDEEP:	192:R6l7wVeJIXY6Y9/EKTgmfuCSc2pDj89bL7IfnSZm:R6lXJQY6Y1EKTgmfuCSc/LEfl
MD5:	E0A3181B6C9C17BFE23FBC336C7BD0B1
SHA1:	070426B8CCC7EB6CA434878CF17024923105483A
SHA-256:	B7ED10E4E27D202DC5F5F5BBEFEB039B53F995C234980ECE395CE167E4B70240
SHA-512:	F91311A0A15C7B77A88A922E1925090CA710AA69A78E68B27A3D975D58E83C53B68E985B631AF92EBA853E26D397DF2D56AEE63BFD06148A4C2D120E9670DD79
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.8.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF70.tmp.xml

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4824
Entropy (8bit):	4.437949238868471
Encrypted:	false
SSDEEP:	48:cvIwWl8zs4NJg771I9HjwWpW8VY9Ym8M4JCH+F3YCyq8vvBRkGn42d:uIjf4nI7UjJ7VVJCEWzXnDd
MD5:	43601A7B229C649227C359D05C210AA5
SHA1:	6585BB16D1A065E1E4390721A5C09664F71A5E0D
SHA-256:	243534EEDC0367A4669F7B01234248761988E5726F66C4DB64B5596ACDB4C900
SHA-512:	04306CF3E61D0B0C7B849941C2FF36B8792C2B9C76206FFBB9A668930218A624EF48F22397C058BAD8A1CC7E2FDD424F07AC7D9A6E3608D34ECCC8302CAEBF9F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="589695" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe

Process:	C:\Users\user\Desktop\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	modified
Size (bytes):	766863872
Entropy (8bit):	0.006470151901896372
Encrypted:	false
SSDEEP:
MD5:	126C1C239056805069E95913562996BA
SHA1:	EDD9484F1DEB4DDED6889A815DF2A0260EF89F44
SHA-256:	E9A2F57C7B9516F31089ED62C9B36D150D5032C48DFB2B198EA4A584D0EB2AAD
SHA-512:	54C5A47E5D68456FEE8D708E2AD262F4B9A93F33BF3089BDD3BBDC5314281A7DF9BFC258C2CA375D72144C02787846A4AE349FA7C2E37844417CF608B7CB9CDB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0..^...........\|... ........@.. ....................................@.................................8\|..S.................................................................................... ............... ..H............text....\... ...^.................. ..`.rsrc................`..............@..@.reloc...............h..............@..B................p\|......H...........\...........p...i............................................W......H3.......W......3.........(....b.{.....oM...(N....oO....(....(....sQ........(....(....sQ........( ...(....sQ........J.s....}.....(.......$....s.....%....(......o.....(.....s.... .:.. 0u..o....(....~=...(....&.s..........j(1...(....~/...(h....-...V(i....Y...(j....Z...".(........7....#...".,..#..@.:..Y(.....8...!..IC.....9.....:.....;.....0..........r...p...0..........r...p*...0..

C:\Windows\appcompat\Programs\Amcache.hve

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465971743306785
Encrypted:	false
SSDEEP:	6144:gIXfpi67eLPU9skLmb0b4LWSPKaJG8nAgejZMMhA2gX4WABl0uNYdwBCswSbt:lXD94LWlLZMM6YFHy+t
MD5:	B48EE8CE1BFB14B23944EEFB651B12F0
SHA1:	2815E45386DE06C6C0B3F4136650A566E29D13F2
SHA-256:	95F3B63649F2E78DF7B16FAE2A345972C0A34FAB6DEFA37314D99D3F503D330F
SHA-512:	25DD02067F1ED76C2F0E4BF377BAFA7A6A2148B66A46CAC952C74ECA112BF750DA0999DD75525834973D04D3187E526AB6AA81C02B944FD51031F06AD24FD748
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmZ..*.7.............................................................................................................................................................................................................................................................................................................................................._R..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.946073688162085
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	svchost.exe
File size:	354'816 bytes
MD5:	fb9c21a9cc24889784f8f943dd558f70
SHA1:	836f910db289475f0e1404bad3461c6bc1e3c3b7
SHA256:	151943288a689ed0ed49c715efd9df77c7e4c7f838e56bed0573de3b62a1f639
SHA512:	ac2dbb3ef927d8ba6e13102c9c193156cd3e19b53d797ef009eb0ccdad74313cd76e0f4ece13096cc4d075962e1bdc6db4a1b90c10d4d09c520c1e018a2ef8e1
SSDEEP:	6144:+CjwZuxYoa6PTe6VlWT8b9MM2MNuTDbNSRuW:EZuXPTPVle8KM2TlSR
TLSH:	A274B20CFE91F805DE1E3D77CBE614108B7125C26E229242364A6FFD8B9637658E61BC
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...oA............"...0..^...........\|... ........@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x457c8e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xF5FE416F [Wed Oct 13 03:20:15 2100 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x57c38	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x58000	0x610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5a000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x55c94	0x55e00	6b632e935f25b7909acaa13c0756abd2	False	0.5049041348253275	data	5.955047134539161	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x58000	0x610	0x800	01e5f8106bf195e7f33f8e4135b8bea7	False	0.36083984375	data	4.699312058362884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5a000	0xc	0x200	f4268297d75c0fc31ca98fbe92a87f0c	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x580a0	0x384	data			0.4622222222222222
RT_MANIFEST	0x58424	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 22:13:02.868872881 CET	49730	49681	192.168.2.4	147.185.221.23
Nov 15, 2024 22:13:02.874043941 CET	49681	49730	147.185.221.23	192.168.2.4
Nov 15, 2024 22:13:02.874119997 CET	49730	49681	192.168.2.4	147.185.221.23
Nov 15, 2024 22:13:11.348587990 CET	49681	49730	147.185.221.23	192.168.2.4
Nov 15, 2024 22:13:11.349255085 CET	49730	49681	192.168.2.4	147.185.221.23
Nov 15, 2024 22:13:25.053004980 CET	49730	49681	192.168.2.4	147.185.221.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 15, 2024 22:13:02.829982042 CET	63460	53	192.168.2.4	1.1.1.1
Nov 15, 2024 22:13:02.862556934 CET	53	63460	1.1.1.1	192.168.2.4
Nov 15, 2024 22:13:32.592494011 CET	53	59706	162.159.36.2	192.168.2.4
Nov 15, 2024 22:13:33.209841967 CET	51273	53	192.168.2.4	1.1.1.1
Nov 15, 2024 22:13:33.217173100 CET	53	51273	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 15, 2024 22:13:02.829982042 CET	192.168.2.4	1.1.1.1	0x7970	Standard query (0)	women-forms.gl.at.ply.gg	A (IP address)	IN (0x0001)	false
Nov 15, 2024 22:13:33.209841967 CET	192.168.2.4	1.1.1.1	0x848b	Standard query (0)	18.31.95.13.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 15, 2024 22:13:02.862556934 CET	1.1.1.1	192.168.2.4	0x7970	No error (0)	women-forms.gl.at.ply.gg		147.185.221.23	A (IP address)	IN (0x0001)	false
Nov 15, 2024 22:13:33.217173100 CET	1.1.1.1	192.168.2.4	0x848b	Name error (3)	18.31.95.13.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	16:12:59
Start date:	15/11/2024
Path:	C:\Users\user\Desktop\svchost.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\svchost.exe"
Imagebase:	0x9e0000
File size:	354'816 bytes
MD5 hash:	FB9C21A9CC24889784F8F943DD558F70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	16:13:00
Start date:	15/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	16:13:00
Start date:	15/11/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe" & exit
Imagebase:	0x7ff696370000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	16:13:00
Start date:	15/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	16:13:00
Start date:	15/11/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Azure DevOps" /tr "C:\Users\user\Videos\xdwdMicrosoft SharePoint.exe"
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	16:13:07
Start date:	15/11/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 7088 -s 2128
Imagebase:	0x7ff764560000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true