
Analysis Report smss.exe

Overview

General Information

Sample Name: smss.exe
Analysis ID: 337700
MD5: df850a023c4594ece918855a62d1b842
SHA1: e9e00340024404118479012e0d4584119afa9d5b
SHA256: 70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
Tags: exe


Errors
  • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

Mimikatz
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Mimikatz
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Sample is not signed and drops a device driver
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables driver privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Spawns drivers
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • smss.exe (PID: 6088 cmdline: 'C:\Users\user\Desktop\smss.exe' MD5: DF850A023C4594ECE918855A62D1B842)
    • cmd.exe (PID: 5552 cmdline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\smss.exe > nul MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • PING.EXE (PID: 2100 cmdline: ping -n 2 127.0.0.1 MD5: 70C24A306F768936563ABDADB9CA9108)
  • svchost.exe (PID: 2024 cmdline: C:\ProgramData\svchost.exe -auto MD5: DF850A023C4594ECE918855A62D1B842)
    • svchost.exe (PID: 5492 cmdline: C:\ProgramData\svchost.exe -acsi MD5: DF850A023C4594ECE918855A62D1B842)
  • svchost.exe (PID: 6508 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6572 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6732 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6816 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6856 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6896 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6988 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 7072 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 7140 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 7160 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 7092 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 7088 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found
Yara matches (Source, Rule, Description, Author, Strings)
Source: smss.exe, Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Author: Florian Roth
Yara matches (Source, Rule, Description, Author, Strings)
Source: C:\ProgramData\svchost.exe, Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Author: Florian Roth
Yara matches (Source, Rule, Description, Author, Strings)
Source: 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: Process Memory Space: smss.exe PID: 6088, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Source: Process Memory Space: smss.exe PID: 6088, Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Author: Joe Security
Source: Process Memory Space: svchost.exe PID: 2024, Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Author: Joe Security
Yara matches (Source, Rule, Description, Author, Strings)
Source: 0.0.smss.exe.400000.0.unpack, Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Author: Florian Roth
  • 0x15ab56:$s1: \x09\x15\x15\x11[NN
Source: 3.0.svchost.exe.400000.0.unpack, Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Author: Florian Roth
  • 0x15ab56:$s1: \x09\x15\x15\x11[NN
Source: 1.0.svchost.exe.400000.0.unpack, Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Author: Florian Roth
  • 0x15ab56:$s1: \x09\x15\x15\x11[NN

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started, Author: Florian Roth, Patrick Bareiss, Data: Command: C:\ProgramData\svchost.exe -acsi, CommandLine: C:\ProgramData\svchost.exe -acsi, CommandLine|base64offset|contains: ,, Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\ProgramData\svchost.exe -auto, ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 2024, ProcessCommandLine: C:\ProgramData\svchost.exe -acsi, ProcessId: 5492
Sigma detected: Failed Code Integrity Checks
Source: Event Logs, Author: Thomas Patzke, Data: EventID: 5038, Source: Microsoft-Windows-Security-Auditing, data 0: \Device\HarddiskVolume4\Windows\System32\drivers\QAssist.sys
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\ProgramData\svchost.exe -acsi, CommandLine: C:\ProgramData\svchost.exe -acsi, CommandLine|base64offset|contains: ,, Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\ProgramData\svchost.exe -auto, ParentImage: C:\ProgramData\svchost.exe, ParentProcessId: 2024, ProcessCommandLine: C:\ProgramData\svchost.exe -acsi, ProcessId: 5492

Signature Overview



AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\ProgramData\svchost.exe, ReversingLabs: Detection: 34%
Source: C:\Windows\System32\drivers\QAssist.sys, ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: smss.exe, Virustotal: Detection: 39%
Source: smss.exe, ReversingLabs: Detection: 34%
Machine Learning detection for dropped file
Source: C:\ProgramData\svchost.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: smss.exe, Joe Sandbox ML: detected
Source: smss.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: F:\hidden-master\Release\QAssist.pdb` source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp
Source: Binary string: F:\hidden-master\x64\Release\QAssist.pdb source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp, QAssist.sys.3.dr
Source: Binary string: F:\hidden-master\Release\QAssist.pdb source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown, Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: global traffic, TCP traffic: 192.168.2.3:49727 -> 124.132.153.147:888
Source: Joe Sandbox View, ASN Name: CHINA169-BACKBONECHINAUNICOMChina169BackboneCN
Source: unknown, TCP traffic detected without corresponding DNS query: 124.132.153.147
            Source: svchost.exe, 0000001F.00000003.581980417.000002EDDD76A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
            Source: svchost.exe, 0000001F.00000003.581980417.000002EDDD76A000.00000004.00000001.sdmpString found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
            Source: svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
            Source: svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
            Source: svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
            Source: svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-
ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":374031458,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6","PackageId":"a6dc1cf8-bc09-462b-7e62-6a662d08d291-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
            Source: svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-
ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":374031458,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6","PackageId":"a6dc1cf8-bc09-462b-7e62-6a662d08d291-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
            Source: svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmp | String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":374031458,"PackageFormat":"AppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6","PackageId":"a6dc1cf8-bc09-462b-7e62-6a662d08d291-X86","PackageRank":30001,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Universal"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.38.3802.0_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"plat
            Source: svchost.exe, 0000001F.00000003.572357231.000002EDDD7DA000.00000004.00000001.sdmp | String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
            Source: svchost.exe, 0000001F.00000003.580848464.000002EDDD751000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
            Source: smss.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
            Source: svchost.exe, 0000001F.00000003.580848464.000002EDDD751000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
            Source: svchost.exe, 0000001F.00000003.580848464.000002EDDD751000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
            Source: svchost.exe, 0000001F.00000003.580848464.000002EDDD751000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
            Source: smss.exe | String found in binary or memory: http://ocsp.thawte.com0
            Source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: http://ptlogin2.qun.qq.com%s
            Source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: http://qun.qq.com%s
            Source: smss.exe | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
            Source: smss.exe | String found in binary or memory: http://s2.symcb.com0
            Source: smss.exe | String found in binary or memory: http://sf.symcb.com/sf.crl0a
            Source: smss.exe | String found in binary or memory: http://sf.symcb.com/sf.crt0
            Source: smss.exe | String found in binary or memory: http://sf.symcd.com0&
            Source: smss.exe | String found in binary or memory: http://sv.symcb.com/sv.crl0a
            Source: smss.exe | String found in binary or memory: http://sv.symcb.com/sv.crt0
            Source: smss.exe | String found in binary or memory: http://sv.symcd.com0&
            Source: smss.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
            Source: smss.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
            Source: smss.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
            Source: smss.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
            Source: svchost.exe, 0000000E.00000002.311872932.0000025547213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
            Source: svchost.exe, svchost.exe, 00000001.00000002.222564463.00000000005C0000.00000040.00020000.sdmp | String found in binary or memory: http://www.enigmaprotector.com/
            Source: svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572357231.000002EDDD7DA000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
            Source: svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572357231.000002EDDD7DA000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
            Source: svchost.exe, 0000001F.00000003.570927798.000002EDDD758000.00000004.00000001.sdmp | String found in binary or memory: http://www.hulu.com/privacy
            Source: svchost.exe, 0000001F.00000003.570927798.000002EDDD758000.00000004.00000001.sdmp | String found in binary or memory: http://www.hulu.com/terms
            Source: smss.exe | String found in binary or memory: http://www.symauth.com/cps0(
            Source: smss.exe | String found in binary or memory: http://www.symauth.com/rpa00
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
            Source: svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
            Source: svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
            Source: smss.exe | String found in binary or memory: https://d.symcb.com/cps0%
            Source: smss.exe | String found in binary or memory: https://d.symcb.com/rpa0
            Source: svchost.exe, 0000000E.00000003.311613549.000002554725A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
            Source: svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
            Source: svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
            Source: svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
            Source: svchost.exe, 0000000E.00000003.311590275.0000025547248000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
            Source: svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
            Source: svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
            Source: svchost.exe, 0000000E.00000002.311904788.0000025547242000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
            Source: svchost.exe, 0000000E.00000002.311904788.0000025547242000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
            Source: svchost.exe, 0000000E.00000003.311627593.0000025547240000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
            Source: svchost.exe, 0000000E.00000003.311613549.000002554725A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
            Source: svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
            Source: svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
            Source: svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
            Source: svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
            Source: svchost.exe, 0000000E.00000003.289950751.0000025547231000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
            Source: svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
            Source: svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572357231.000002EDDD7DA000.00000004.00000001.sdmp | String found in binary or memory: https://instagram.com/hiddencity_
            Source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: https://localhost.ptlogin2.qq.com:4301%s
            Source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: https://ssl.ptlogin2.qq.com%s
            Source: svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
            Source: svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.311872932.0000025547213000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
            Source: svchost.exe, 0000000E.00000003.289950751.0000025547231000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
            Source: svchost.exe, 0000000E.00000003.311627593.0000025547240000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
            Source: svchost.exe, 0000000E.00000003.289950751.0000025547231000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
            Source: svchost.exe, 0000000E.00000002.311895814.000002554723A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
            Source: svchost.exe, 0000000E.00000003.311590275.0000025547248000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
            Source: svchost.exe, 0000001F.00000003.570927798.000002EDDD758000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/ca-privacy-rights
            Source: svchost.exe, 0000001F.00000003.570927798.000002EDDD758000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
            Source: svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
            Source: svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
            Source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | String found in binary or memory: https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_
            Source: Yara match | File source: Process Memory Space: smss.exe PID: 6088, type: MEMORY
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2024, type: MEMORY

            System Summary:

            PE file has nameless sections
            Source: smss.exe | Static PE information: section name:
            Source: smss.exe | Static PE information: section name:
            Source: smss.exe | Static PE information: section name:
            Source: smss.exe | Static PE information: section name:
            Source: svchost.exe.0.dr | Static PE information: section name:
            Source: svchost.exe.0.dr | Static PE information: section name:
            Source: svchost.exe.0.dr | Static PE information: section name:
            Source: svchost.exe.0.dr | Static PE information: section name:
            Source: C:\ProgramData\svchost.exe | File created: C:\Windows\system32\drivers\QAssist.sys
            Source: C:\ProgramData\svchost.exe | File created: C:\Windows\system32\drivers\QAssist.sys
            Source: C:\ProgramData\svchost.exe | File created: C:\Windows\system32\drivers\QAssist.sys
            Source: C:\ProgramData\svchost.exe | Process token adjusted: Load Driver
            Source: C:\Users\user\Desktop\smss.exe | Code function: String function: 00463288 appears 59 times
            Source: C:\Users\user\Desktop\smss.exe | Code function: String function: 00462758 appears 53 times
            Source: C:\Users\user\Desktop\smss.exe | Code function: String function: 00463980 appears 37 times
            Source: C:\Users\user\Desktop\smss.exe | Code function: String function: 00470F60 appears 69 times
            Source: C:\Users\user\Desktop\smss.exe | Code function: String function: 0046238C appears 33 times
            Source: C:\Users\user\Desktop\smss.exe | Code function: String function: 00465818 appears 44 times
            Source: C:\Users\user\Desktop\smss.exe | Code function: String function: 0046FD1C appears 42 times
            Source: C:\Users\user\Desktop\smss.exe | Code function: String function: 00463264 appears 187 times
            Source: C:\ProgramData\svchost.exe | Code function: String function: 00463288 appears 76 times
            Source: C:\ProgramData\svchost.exe | Code function: String function: 00462758 appears 65 times
            Source: C:\ProgramData\svchost.exe | Code function: String function: 00463980 appears 45 times
            Source: C:\ProgramData\svchost.exe | Code function: String function: 00470F60 appears 88 times
            Source: C:\ProgramData\svchost.exe | Code function: String function: 0046238C appears 37 times
            Source: C:\ProgramData\svchost.exe | Code function: String function: 00465D9C appears 32 times
            Source: C:\ProgramData\svchost.exe | Code function: String function: 00465818 appears 48 times
            Source: C:\ProgramData\svchost.exe | Code function: String function: 0046FD1C appears 42 times
            Source: C:\ProgramData\svchost.exe | Code function: String function: 00463264 appears 220 times
            Source: smss.exe | Static PE information: invalid certificate
            Source: C:\ProgramData\svchost.exe | Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\QAssist
            Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
            Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
            Source: smss.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
            Source: smss.exe, type: SAMPLE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
            Source: C:\ProgramData\svchost.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
            Source: 0.0.smss.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
            Source: 3.0.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
            Source: 1.0.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
            Source: smss.exe | Static PE information: Section: ZLIB complexity 1.00032687154
            Source: smss.exe | Static PE information: Section: ZLIB complexity 1.021484375
            Source: smss.exe | Static PE information: Section: .dataTh ZLIB complexity 0.996595135648
            Source: svchost.exe.0.dr | Static PE information: Section: ZLIB complexity 1.00032687154
            Source: svchost.exe.0.dr | Static PE information: Section: ZLIB complexity 1.021484375
            Source: svchost.exe.0.dr | Static PE information: Section: .dataTh ZLIB complexity 0.996595135648
            Source: QAssist.sys.3.dr | Binary string: \Device\QAssist\DosDevices\QAssist
            Source: QAssist.sys.3.dr | Binary string: \Device\
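The static findings above (four sections with empty names in both smss.exe and the dropped svchost.exe, per-section ZLIB complexity at or above 1.0, an invalid certificate) all come from the PE section table and data directories and can be reproduced without a sandbox. The script below is an added example, not part of this report or of any Joe Sandbox tooling: it parses PE32/PE32+ headers with the Python standard library, computes the same compressed-size over raw-size ratio per section, checks which section the entry point lands in, and runs against a constructed, non-executable PE32 image built inline so it works offline. The list of conventional code-section names and the treatment of an empty security directory as "unsigned" are this example's own heuristics; deciding whether a certificate that is present is valid needs signtool or osslsigncode and is outside what the script does.

```python
"""Static PE triage (added example): flags nameless sections, sections whose
zlib-compressed size is at least their raw size (Joe Sandbox's "ZLIB
complexity" >= 1.0, i.e. packed or encrypted data), an entry point that does
not fall inside a conventionally named code section, and a missing
Authenticode security directory.  Standard library only; handles PE32/PE32+."""
import hashlib
import struct
import zlib

# Heuristic list used by this example only; real toolchains emit other names too.
CODE_SECTION_NAMES = {".text", "CODE", ".itext", ".code"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def parse_pe(data: bytes):
    """Return (entry_rva, security_dir_size, sections) from a raw PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]             # 0x10B PE32, 0x20B PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)          # first IMAGE_DATA_DIRECTORY
    sec_dir_size = struct.unpack_from(
        "<I", data, dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8 + 4)[0]
    sections = []
    hdr = opt + opt_size                                      # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr + i * 40)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("latin-1"),
            "va": va, "vsize": vsize, "raw_size": raw_size,
            # compressed/raw: about 1.0 or above means the bytes are already
            # compressed or encrypted, i.e. a packed section.
            "zlib_complexity": len(zlib.compress(body, 9)) / len(body) if body else 0.0,
        })
    return entry_rva, sec_dir_size, sections


def triage(data: bytes):
    """Return a list of human-readable findings for one PE image."""
    entry_rva, sec_dir_size, sections = parse_pe(data)
    findings = []
    for s in sections:
        if s["name"] == "":
            findings.append(f"nameless section at RVA {s['va']:#x}")
        if s["zlib_complexity"] >= 1.0:
            findings.append(f"section {s['name']!r} incompressible (zlib complexity {s['zlib_complexity']:.4f})")
    home = next((s for s in sections
                 if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if home is None:
        findings.append(f"entry point {entry_rva:#x} maps to no section")
    elif home["name"] not in CODE_SECTION_NAMES:
        findings.append(f"entry point {entry_rva:#x} lies in non-standard section {home['name']!r}")
    if sec_dir_size == 0:
        findings.append("no Authenticode security directory (unsigned)")
    return findings


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32 image with the traits seen in the report:
    a normal .text plus an unnamed, incompressible section holding the entry point."""
    file_align, sect_align, hdr_size = 0x200, 0x1000, 0x400
    text_body = bytes(0x200)                                           # compresses well
    blob_body = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                         for i in range(128))                          # 4096 pseudo-random bytes
    layout = [  # (name, rva, body, file offset, characteristics)
        (b".text", 0x1000, text_body, hdr_size, 0x60000020),
        (b"", 0x2000, blob_body, hdr_size + len(text_body), 0xE0000020),
    ]
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, len(text_body), len(blob_body), 0,
                      0x2000, 0x1000, 0x2000)                          # entry point = 0x2000
    opt += struct.pack("<III", 0x400000, sect_align, file_align)
    opt += bytes(92 - len(opt)) + struct.pack("<I", 16) + bytes(16 * 8)  # 16 empty directories
    headers = dos + b"PE\0\0" + coff + opt
    for name, rva, body, off, chars in layout:
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), rva, len(body), off, 0, 0, 0, 0, chars)
    headers += bytes(hdr_size - len(headers))
    return headers + text_body + blob_body


if __name__ == "__main__":
    for line in triage(build_sample_pe()):
        print(line)
```

To run it against the real sample, replace `build_sample_pe()` with the file's bytes; for a binary with a certificate table the security directory size will be non-zero and the signature still has to be verified separately.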
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@22/11@0/2
            Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:748:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4272:120:WilError_01
            Source: C:\ProgramData\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\tbS60LWztNC1ubPQtbq3pg==
            Source: C:\Users\user\Desktop\smss.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\smss.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\ProgramData\svchost.exe | Key opened: HKEY_USERS\.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\ProgramData\svchost.exe | Key opened: HKEY_USERS\.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\ProgramData\svchost.exe | Key opened: HKEY_USERS\.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\ProgramData\svchost.exe | Key opened: HKEY_USERS\.DEFAULT\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\smss.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: smss.exe | Virustotal: Detection: 39%
            Source: smss.exe | ReversingLabs: Detection: 34%
            Source: smss.exe | String found in binary or memory: -Install.exeK
            Source: C:\Users\user\Desktop\smss.exe | File read: C:\Users\user\Desktop\smss.exe
            Source: unknown | Process created: C:\Users\user\Desktop\smss.exe 'C:\Users\user\Desktop\smss.exe'
            Source: unknown | Process created: C:\ProgramData\svchost.exe C:\ProgramData\svchost.exe -auto
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\smss.exe > nul
            Source: unknown | Process created: C:\ProgramData\svchost.exe C:\ProgramData\svchost.exe -acsi
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
            Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
            Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
            Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
            Source: C:\Users\user\Desktop\smss.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\smss.exe > nul
            Source: C:\ProgramData\svchost.exe | Process created: C:\ProgramData\svchost.exe C:\ProgramData\svchost.exe -acsi
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1 Jump to behavior
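Two of the behaviours in this process list are cheap to detect from process-creation telemetry alone: core Windows binary names (smss.exe, svchost.exe) started from a user profile or C:\ProgramData, and a cmd.exe one-liner that pings loopback and then deletes its parent's image. The Python below is an added example of those checks, not the sandbox's detection logic; it runs over process-creation events constructed from the list above (PIDs 6088 and 2024 are the report's; the other PIDs, the explorer.exe parent and the BITS service host are invented to complete the tree) in the shape a Sysmon event ID 1 or EDR sensor would supply.

```python
"""Process-tree checks for the masquerading and self-delete pattern in the report.
Added example; the events are constructed, this is not the sandbox's code."""
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str      # full image path as logged by the sensor
    cmdline: str


# Binaries that only ever run from the Windows system directories (the list behind
# the "system file execution location anomaly" class of Sigma rule, trimmed).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "conhost.exe", "spoolsv.exe", "explorer.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
TRUSTED_IMAGES = {"c:\\windows\\explorer.exe"}

# "ping -n N 127.0.0.1 ... && del <file>": sleep, then delete.
SELF_DELETE = re.compile(
    r"ping(?:\.exe)?\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost)\b.*?&&\s*del\s+"
    r'(?:/[a-z]\s+)*"?(?P<target>[^\s"&>]+)', re.IGNORECASE)
LOOPBACK_PING = re.compile(r"^\s*ping(?:\.exe)?\s+-n\s+(\d+)\s+(?:127\.0\.0\.1|localhost)\s*$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def masquerading(events):
    """System binary names launched from outside the trusted directories."""
    hits = []
    for e in events:
        low = e.image.lower()
        if basename(low) in SYSTEM_BINARIES and not low.startswith(TRUSTED_PREFIXES) and low not in TRUSTED_IMAGES:
            hits.append(e)
    return hits


def self_delete(events):
    """cmd.exe deleting a file after a loopback ping; records whether the file is the parent's image."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = SELF_DELETE.search(e.cmdline)
        if not m:
            continue
        parent = by_pid.get(e.ppid)
        target = m.group("target").lower()
        hits.append((e.pid, target, parent is not None and parent.image.lower() == target))
    return hits


def ping_sleep(events):
    """ping.exe against loopback spawned by cmd.exe: a sleep that needs no API call."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        m = LOOPBACK_PING.match(e.cmdline)
        parent = by_pid.get(e.ppid)
        if m and basename(e.image) == "ping.exe" and parent and basename(parent.image) == "cmd.exe":
            hits.append((e.pid, int(m.group(1))))
    return hits


# Constructed events modelled on the report's process tree (only PIDs 6088 and 2024 are real).
EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(6088, 4000, r"C:\Users\user\Desktop\smss.exe", r"'C:\Users\user\Desktop\smss.exe'"),
    ProcEvent(2024, 6088, r"C:\ProgramData\svchost.exe", r"C:\ProgramData\svchost.exe -auto"),
    ProcEvent(6100, 6088, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\smss.exe > nul"),
    ProcEvent(6101, 6100, r"C:\Windows\SysWOW64\PING.EXE", "ping -n 2 127.0.0.1"),
    ProcEvent(2300, 2024, r"C:\ProgramData\svchost.exe", r"C:\ProgramData\svchost.exe -acsi"),
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
]


def analyze(events=EVENTS):
    return {"masquerading": [e.pid for e in masquerading(events)],
            "self_delete": self_delete(events),
            "ping_sleep": ping_sleep(events)}


if __name__ == "__main__":
    for rule, hits in analyze().items():
        print(f"{rule}: {hits}")
```

The masquerading rule fires on smss.exe and both C:\ProgramData\svchost.exe instances and stays quiet for the real BITS host; the self-delete rule resolves the deleted path against the parent's image, which is what turns "cmd deletes some file" into "the dropper removed itself".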
Source: smss.exe | Static file information: File size 1443008 > 1048576
Source: Binary string: F:\hidden-master\Release\QAssist.pdb` | source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp
Source: Binary string: F:\hidden-master\x64\Release\QAssist.pdb | source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp, QAssist.sys.3.dr
Source: Binary string: F:\hidden-master\Release\QAssist.pdb | source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp
(Both a 32-bit and an x64 Release build of "QAssist" from the same hidden-master tree are referenced in the 0x10100000 memory region of smss.exe and of the dropped svchost.exe, and the x64 path also appears in the dropped driver QAssist.sys, which ties the embedded driver images to the loader.)

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\smss.exe | Unpacked PE file: 0.2.smss.exe.400000.0.unpack | Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:W;Unknown_Section2:R;.rsrc:EW;Unknown_Section4:EW;.data:EW;
Source: C:\ProgramData\svchost.exe | Unpacked PE file: 1.2.svchost.exe.400000.0.unpack | Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;.rsrc:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:W;Unknown_Section2:R;.rsrc:EW;Unknown_Section4:EW;.data:EW;
(Section rights of the dumped image versus the on-disk headers: sections 0 to 2 are declared execute/read, write-only and read-only but are execute+write at runtime, which is what a protector stub does when it decrypts the real code in place.)
Source: initial sample | Static PE information: section where entry point is pointing to: .dataTh
Source: smss.exe | Static PE information: real checksum: 0x5ec70 should be: 0x1615c4
Source: svchost.exe.0.dr | Static PE information: real checksum: 0x5ec70 should be: 0x1615c4
Source: smss.exe | Static PE information: section name: (empty), four nameless sections
Source: smss.exe | Static PE information: section name: .dataTh
Source: svchost.exe.0.dr | Static PE information: section name: (empty), four nameless sections
Source: svchost.exe.0.dr | Static PE information: section name: .dataTh
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_0047B104 push ecx; mov dword ptr [esp], edx 0_2_0047B109
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_0047F19C push ecx; mov dword ptr [esp], edx 0_2_0047F19E
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_0046F28C push 0046F6D8h; ret 0_2_0046F6D0
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_0047B32C push ecx; mov dword ptr [esp], edx 0_2_0047B331
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_004673EA push 00467418h; ret 0_2_00467410
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_004783A0 push 00478400h; ret 0_2_004783F8
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_0047B448 push ecx; mov dword ptr [esp], edx 0_2_0047B44D
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_00478456 push 004785A4h; ret 0_2_0047859C
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_00479454 push 004794A1h; ret 0_2_00479499
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_0046745C push 00467488h; ret 0_2_00467480
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_0048540C push ecx; mov dword ptr [esp], edx 0_2_00485411
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_00467424 push 00467450h; ret 0_2_00467448
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_0047B48C push ecx; mov dword ptr [esp], edx 0_2_0047B491
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_00467494 push 004674C0h; ret 0_2_004674B8
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_0047D54C push ecx; mov dword ptr [esp], edx 0_2_0047D54D
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_00467500 push 0046752Ch; ret 0_2_00467524
(Each function was listed twice in the original table. push <imm>; ret is a jmp <imm> that a linear disassembler does not follow, and push ecx; mov [esp], edx spills a register parameter into a fresh stack slot; both are normal Delphi code generation, try/finally epilogues in particular end in push <addr>; ret, so on their own they are weak evidence of deliberate obfuscation.)
Source: initial sample | Static PE information: section name: (empty) entropy: 7.99946689797
Source: initial sample | Static PE information: section name: (empty) entropy: 7.48670182273
Source: initial sample | Static PE information: section name: .dataTh entropy: 7.98056600583
(Each entropy line was listed twice. Taken together, four nameless sections, an entry point in .dataTh rather than a code section, 7.5 to 8.0 bits per byte and a checksum field that disagrees with the file, next to the http://www.enigmaprotector.com/ string in the URL table, are the footprint of a commercial protector wrapped around the Delphi payload. The identical real/expected checksum pair for smss.exe and svchost.exe.0.dr indicates the dropped file is a byte-for-byte copy of the sample.)
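The static indicators above (nameless sections, entry point in .dataTh, entropy near 8.0, a header checksum that disagrees with the file) are all computable from the PE headers without running anything. The Python below is an added example that does so; it is not the sandbox's code and it does not parse the report's sample, which is not part of the page. Instead it builds a small PE32 image of the same shape (a nameless packed section, a plain .rsrc and a packed .dataTh holding the entry point, all constructed input) and runs the checks on it. The checksum routine follows the algorithm imagehlp's CheckSumMappedFile uses, as pefile reproduces it: the file's dwords summed with carry folding, skipping the CheckSum field, folded to 16 bits, plus the file length.

```python
"""Static PE triage for the obfuscation indicators in the report. Added example, not the
sandbox's code: the input is a PE32 image constructed below, not the report's sample."""
import math
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
CODE_SECTION_NAMES = {".text", ".code", "CODE", "INIT", "PAGE"}   # where an entry point normally lives
ENTROPY_THRESHOLD = 7.0                                            # packed/encrypted data approaches 8.0


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    n = len(buf)
    return 0.0 - sum(buf.count(b) / n * math.log2(buf.count(b) / n) for b in set(buf)) if n else 0.0


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile algorithm: dword sum with carry folding, CheckSum field skipped,
    folded to 16 bits, plus the file length."""
    skip = checksum_offset // 4 * 4
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                    # optional header: AddressOfEntryPoint at +16 and
    checksum_off = opt + 64          # CheckSum at +64 for both PE32 and PE32+
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw": data[rptr:rptr + rsize]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0], "checksum_off": checksum_off,
            "stored_checksum": struct.unpack_from("<I", data, checksum_off)[0], "sections": sections}


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    entry_section = next((s["name"] for s in pe["sections"]
                          if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], len(s["raw"]))), None)
    entropies = [(s["name"], round(shannon_entropy(s["raw"]), 3)) for s in pe["sections"]]
    computed = pe_checksum(data, pe["checksum_off"])
    return {"nameless_sections": [i for i, s in enumerate(pe["sections"]) if s["name"] == ""],
            "entry_section": entry_section,
            "entry_outside_code": entry_section not in CODE_SECTION_NAMES,
            "section_entropy": entropies,
            "high_entropy_sections": [name for name, e in entropies if e > ENTROPY_THRESHOLD],
            "stored_checksum": pe["stored_checksum"], "computed_checksum": computed,
            "checksum_matches": pe["stored_checksum"] == computed}


def build_pe(sections, entry_rva: int, stored_checksum: int = 0) -> bytes:
    """Minimal PE32 writer for test input; sections is a list of (name, data, characteristics)."""
    headers_len = _align(64 + 4 + 20 + 224 + 40 * len(sections), FILE_ALIGN)
    raw_ptr, rva, sec_hdrs, body = headers_len, SECT_ALIGN, b"", b""
    for name, data, chars in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += _align(max(len(data), 1), SECT_ALIGN)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry_rva, SECT_ALIGN, 0, 0x400000, SECT_ALIGN, FILE_ALIGN,
                      6, 0, 0, 0, 6, 0, 0, rva, headers_len, stored_checksum, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128   # 16 empty data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    return (bytes(dos) + b"PE\0\0" + coff + opt + sec_hdrs).ljust(headers_len, b"\0") + body


def sample_image(stored_checksum: int = 0) -> bytes:
    """Constructed image mirroring the report's layout: nameless packed section, plain .rsrc,
    packed .dataTh holding the entry point. Not the real sample."""
    packed = bytes(range(256)) * 16        # uniform byte distribution: entropy exactly 8.0
    plain = b"A" * 4096                     # entropy 0.0
    return build_pe([(b"", packed, 0xE0000020), (b".rsrc", plain, 0x40000040), (b".dataTh", packed, 0xE0000040)],
                    entry_rva=0x3010, stored_checksum=stored_checksum)


if __name__ == "__main__":
    for key, value in triage(sample_image()).items():
        print(f"{key}: {value}")
```

Run against a real file, the same four findings read the way the report's do: a checksum mismatch on its own is common in unsigned user-mode binaries, so it only matters in combination with the nameless high-entropy sections and the out-of-place entry point.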

Persistence and Installation Behavior:

Drops PE files with benign system names
Source: C:\Users\user\Desktop\smss.exe | File created: C:\ProgramData\svchost.exe (dropped file; listed three times in the original)
Sample is not signed and drops a device driver
Source: C:\ProgramData\svchost.exe | File created: C:\Windows\System32\drivers\QAssist.sys (dropped file; listed three times in the original)
Source: C:\ProgramData\svchost.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
(A file under \drivers\ plus a Services\<name> key is the normal way to load a kernel driver, whether through the service control manager or through NtLoadDriver, which takes exactly that registry path; the sample's string table in the HIPS evasion section carries SeLoadDriverPrivilege, ZwUnloadDriver and the \Registry\Machine\System\CurrentControlSet\Services\ prefix. The sandbox nevertheless records QAssist.sys as dropped but never started, so the driver's own behaviour is not covered by this run.)
Source: C:\Users\user\Desktop\smss.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\svchost.exe | Process information set: NOOPENFILEERRORBOX (2 events)
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (2 events)
(NOOPENFILEERRORBOX is SetErrorMode(SEM_NOOPENFILEERRORBOX), which suppresses the "file not found" dialog; the Windows svchost.exe sets it too, so it is not an indicator by itself.)

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: C:\Users\user\Desktop\smss.exe | Window / User API: threadDelayed 771
Source: C:\ProgramData\svchost.exe | Window / User API: threadDelayed 1014
Source: C:\ProgramData\svchost.exe | Window / User API: threadDelayed 383
Source: C:\ProgramData\svchost.exe | Window / User API: threadDelayed 399
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Windows\System32\drivers\QAssist.sys
Source: C:\Users\user\Desktop\smss.exe TID: 5836 | Thread sleep count: 771 > 30
Source: C:\ProgramData\svchost.exe TID: 5968 | Thread sleep count: 1014 > 30
Source: C:\ProgramData\svchost.exe TID: 2796 | Thread sleep count: 383 > 30
Source: C:\ProgramData\svchost.exe TID: 2996 | Thread sleep count: 37 > 30
Source: C:\ProgramData\svchost.exe TID: 2996 | Thread sleep time: -37000 ms >= -30000 ms
Source: C:\ProgramData\svchost.exe TID: 4812 | Thread sleep count: 37 > 30
Source: C:\ProgramData\svchost.exe TID: 4812 | Thread sleep time: -37000 ms >= -30000 ms
Source: C:\ProgramData\svchost.exe TID: 6232 | Thread sleep count: 277 > 30
Source: C:\ProgramData\svchost.exe TID: 6232 | Thread sleep time: -16620000 ms >= -30000 ms
Source: C:\ProgramData\svchost.exe TID: 2796 | Thread sleep count: 399 > 30
Source: C:\ProgramData\svchost.exe TID: 6232 | Thread sleep time: -60000 ms >= -30000 ms
Source: C:\Windows\System32\svchost.exe TID: 6660 | Thread sleep time: -30000 ms >= -30000 ms
Source: C:\Windows\System32\svchost.exe TID: 3776 | Thread sleep time: -150000 ms >= -30000 ms
(Sleep times are the cumulative NtDelayExecution intervals per thread; they are negative because a negative interval means a relative delay, and the original table labels them "s" although the values are milliseconds: TID 2996 made 37 one-second delays and TID 6232 277 sixty-second ones. The System32 svchost.exe threads are idle service hosts, not part of the sample's behaviour.)
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\ProgramData\svchost.exe | Last function: Thread delayed (2 events)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 events)
Source: svchost.exe | Binary or memory string: VBoxService.exe
Source: smss.exe, svchost.exe | Binary or memory string: ~VirtualMachineTypes
Source: smss.exe, svchost.exe | Binary or memory string: ]DLL_Loader_VirtualMachine
Source: svchost.exe | Binary or memory string: VMWare
Source: smss.exe, 00000000.00000002.221346346.00000000005A5000.00000040.00020000.sdmp, svchost.exe, 00000001.00000002.222498479.00000000005A5000.00000040.00020000.sdmp | Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: svchost.exe, 00000007.00000002.270364632.00000236DBE60000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.285873823.0000013251740000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: (the same two svchost.exe regions) | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: (the same two svchost.exe regions) | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: (the same two svchost.exe regions) | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
(The VBoxService.exe and VMWare strings and the DLL_Loader_* names, which read like unit names of an in-memory DLL loader with a VM check, sit in memory of process 0 (smss.exe) and process 1 (the dropped svchost.exe) at 0x5A5000. The four Hyper-V messages are Windows resource strings in 64-bit System32 svchost.exe hosts (processes 7 and 9, addresses above 4 GB) and say nothing about the sample.)

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\smss.exe | Thread information set: HideFromDebugger (2 events)
Source: C:\ProgramData\svchost.exe | Thread information set: HideFromDebugger (3 events)
(NtSetInformationThread with ThreadHideFromDebugger (0x11): the thread stops generating debug events, so an attached debugger no longer sees breakpoints or exceptions raised on it.)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\ProgramData\svchost.exe | Open window title or class name: ollydbg
Source: C:\ProgramData\svchost.exe | File opened: SIWDEBUG
Source: C:\ProgramData\svchost.exe | File opened: NTICE
Source: C:\ProgramData\svchost.exe | File opened: SICE
(OLLYDBG is OllyDbg's main window class. \\.\SICE, \\.\NTICE and \\.\SIWDEBUG are the device names of the SoftICE kernel debugger, which does not run on current Windows, so those three probes are legacy code from an old anti-debug library rather than a check that can succeed on a modern sandbox.)
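The anti-debugging probes above, together with the sleep loops in the evasion section, are easier to score from an API trace than from a process list. The Python below is an added example of that scoring, not the sandbox's logic: it walks a constructed trace (TIDs 5836, 2796, 2996 and 6232 and the thresholds of 30 calls and 30000 ms are taken from the report; the call sequence itself is invented) and flags ThreadHideFromDebugger, SoftICE device probes, debugger window lookups, per-thread delay loops and long cumulative sleeps. The \\.\SIWVID device and the WinDbg and IDA window classes are assumed additions that do not appear in the report.

```python
"""Scoring an API trace for the anti-debugging and sleep-based evasion in the report.
Added example over a constructed trace; not the sandbox's own logic."""
from collections import Counter, defaultdict

THREAD_HIDE_FROM_DEBUGGER = 0x11            # THREADINFOCLASS value passed to NtSetInformationThread
DEBUGGER_DEVICES = {r"\\.\SICE", r"\\.\NTICE", r"\\.\SIWDEBUG", r"\\.\SIWVID"}   # SoftICE devices; SIWVID is an assumed addition
DEBUGGER_WINDOWS = {"ollydbg", "windbgframeclass", "idawindow"}               # only ollydbg is in the report; the rest are assumed
SLEEP_COUNT_THRESHOLD = 30                  # the sandbox's thresholds as printed in the report
SLEEP_TOTAL_MS_THRESHOLD = 30_000
FILE_APIS = {"NtCreateFile", "NtOpenFile", "CreateFileA", "CreateFileW"}
WINDOW_APIS = {"FindWindowA", "FindWindowW", "FindWindowExA", "FindWindowExW"}
SLEEP_APIS = {"NtDelayExecution", "Sleep", "SleepEx"}


def analyze(trace):
    """trace: iterable of (process, tid, api, args) tuples. Returns (process, tid, rule, detail) findings."""
    findings = []
    sleeps = defaultdict(lambda: [0, 0])    # (process, tid) -> [call count, total ms]
    for proc, tid, api, args in trace:
        if api == "NtSetInformationThread" and args.get("info_class") == THREAD_HIDE_FROM_DEBUGGER:
            findings.append((proc, tid, "hide_from_debugger", "ThreadHideFromDebugger"))
        elif api in FILE_APIS and args.get("path", "").upper() in DEBUGGER_DEVICES:
            findings.append((proc, tid, "debugger_device_probe", args["path"]))
        elif api in WINDOW_APIS:
            for key in ("class_name", "window_name"):
                value = args.get(key)
                if value and value.lower() in DEBUGGER_WINDOWS:
                    findings.append((proc, tid, "debugger_window_probe", value))
        elif api in SLEEP_APIS:
            entry = sleeps[(proc, tid)]
            entry[0] += 1
            entry[1] += args.get("ms", 0)
    # Sleep rules need the whole trace: many short delays, or a long cumulative delay, per thread.
    for (proc, tid), (count, total_ms) in sleeps.items():
        if count > SLEEP_COUNT_THRESHOLD:
            findings.append((proc, tid, "sleep_loop", f"{count} delays"))
        if total_ms >= SLEEP_TOTAL_MS_THRESHOLD:
            findings.append((proc, tid, "long_sleep", f"{total_ms} ms total"))
    return findings


def summarize(findings):
    return Counter(rule for _, _, rule, _ in findings)


def constructed_trace():
    """Constructed trace shaped like the report's observations (the sequence is invented)."""
    t = [("smss.exe", 5836, "NtSetInformationThread", {"info_class": THREAD_HIDE_FROM_DEBUGGER})]
    t += [("smss.exe", 5836, "NtDelayExecution", {"ms": 10})] * 771            # 771 short delays
    t.append(("svchost.exe", 2796, "FindWindowA", {"class_name": "OLLYDBG", "window_name": None}))
    t += [("svchost.exe", 2796, "NtCreateFile", {"path": dev}) for dev in (r"\\.\SIWDEBUG", r"\\.\NTICE", r"\\.\SICE")]
    t.append(("svchost.exe", 2796, "NtCreateFile", {"path": r"C:\Windows\System32\drivers\QAssist.sys"}))
    t += [("svchost.exe", 2996, "NtDelayExecution", {"ms": 1000})] * 37        # 37 x 1 s
    t.append(("svchost.exe", 6232, "NtDelayExecution", {"ms": 60_000}))        # one long sleep
    return t


if __name__ == "__main__":
    for proc, tid, rule, detail in analyze(constructed_trace()):
        print(f"{proc} tid {tid}: {rule} ({detail})")
```

The two sleep rules are deliberately separate, as they are in the report: TID 5836 trips the count rule with 771 ten-millisecond delays but never the duration rule, while TID 6232 trips the duration rule with a single 60-second call.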

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\ProgramData\svchost.exe | Network Connect: 124.132.153.147 888
(The connecting process is the dropped C:\ProgramData\svchost.exe, not the Windows service host: this is the masquerading binary calling its controller on port 888, not injected code in a real system process. The behaviour graph places 124.132.153.147 in CHINA169-BACKBONE, China Unicom.)
Source: C:\Users\user\Desktop\smss.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\smss.exe > nul
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 2 127.0.0.1
Source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | Binary or memory string: Progman
Source: svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndProgman%s.exeexplorer.exeSeDebugPrivilegerunasDwmapi.dllDwmIsCompositionEnabledDwmEnableCompositiondwmapi.dllBITS -inst.sys\system32\drivers\\sysnative\drivers\SYSTEM\CurrentControlSet\Services\BITSSYSTEM\SelectMarkTimeSYSTEM\CurrentControlSet\Services\\Registry\Machine\System\CurrentControlSet\Services\%SZwUnloadDriverNTDLL.DLLRtlInitUnicodeStringSeLoadDriverPrivilegeCreateEventACloseHandleWaitForSingleObject
(This run of adjacent strings is the installation routine read in one piece: Shell_TrayWnd, Progman and explorer.exe are the shell windows typically looked up to find the logged-on user's explorer.exe, runas and SeDebugPrivilege are the elevation hooks, and BITS, -inst, .sys, \system32\drivers\, \sysnative\drivers\, SYSTEM\CurrentControlSet\Services\BITS, \Registry\Machine\System\CurrentControlSet\Services\%S, ZwUnloadDriver, RtlInitUnicodeString and SeLoadDriverPrivilege are the driver install and unload path, including the \sysnative\ alias a 32-bit process needs to reach the real System32\drivers on 64-bit Windows.)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (3 events)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 events)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 events)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
(qmgr.db and the edb.* files are the BITS job database; these queries come from the Windows svchost.exe hosting BITS (-s BITS in the process list) and are normal service activity.)
Source: C:\Users\user\Desktop\smss.exe | Code function: 0_2_006C99C0 GetVersion, 0_2_006C99C0

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
Source for the seventeen strings below: smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp
Binary or memory string: acs.exe
Binary or memory string: vsserv.exe
Binary or memory string: avcenter.exe
Binary or memory string: kxetray.exe
Binary or memory string: avp.exe
Binary or memory string: cfp.exe
Binary or memory string: KSafeTray.exe
Binary or memory string: rtvscan.exe
Binary or memory string: 360tray.exe
Binary or memory string: ashDisp.exe
Binary or memory string: TMBMSRV.exe
Binary or memory string: avgwdsvc.exe
Binary or memory string: AYAgent.aye
Binary or memory string: QUHLPSVC.EXE
Binary or memory string: RavMonD.exe
Binary or memory string: Mcshield.exe
Binary or memory string: K7TSecurity.exe
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
(The Security Center value write and the ROOT\SecurityCenter and SecurityCenter2 WMI queries are attributed to the Windows C:\Windows\System32\svchost.exe, which hosts the Security Center service itself (svchost.exe -k localservicenetworkrestricted -p -s wscsvc in the process list), so they are that service's normal start-up and the signature name overstates them. The sample's own contribution is the table of security-product process names in its unpacked memory: Kaspersky avp.exe, Bitdefender vsserv.exe, Avira avcenter.exe, Kingsoft kxetray.exe and KSafeTray.exe, Qihoo 360tray.exe, Symantec rtvscan.exe, Avast ashDisp.exe, Trend Micro TMBMSRV.exe, AVG avgwdsvc.exe, Rising RavMonD.exe, McAfee Mcshield.exe, K7 K7TSecurity.exe, Quick Heal QUHLPSVC.EXE, Comodo cfp.exe, ALYac AYAgent.aye and acs.exe, a list used to recognise which product is running; the run does not show what the sample does with the answer.)

Stealing of Sensitive Information:

Yara detected Mimikatz
Source: Yara match | File source: 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: smss.exe PID: 6088, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2024, type: MEMORY
(The match is in the same 0x10100000 region that holds the unpacked payload's other strings, the QQ login URLs, the security-product table and the driver-loading routine, so it reflects code carried inside the unpacked sample rather than a separately dropped Mimikatz binary. No credential-dumping activity appears in the dynamic trace, and the ATT&CK matrix flags nothing under Credential Access.)

Mitre Att&ck Matrix

Techniques flagged by the sandbox, by tactic. The bracketed digits are the count badges shown next to each technique in the original matrix, concatenated by extraction; the unflagged template cells of the matrix are omitted.

Initial Access: none flagged
Execution: Windows Management Instrumentation [1]; Command and Scripting Interpreter [2]
Persistence: Windows Service [2]; LSASS Driver [2]; DLL Side-Loading [1]
Privilege Escalation: Windows Service [2]; Process Injection [112]; LSASS Driver [2]; DLL Side-Loading [1]
Defense Evasion: Masquerading [131]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [23]; Process Injection [112]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: none flagged
Discovery: Security Software Discovery [341]; Virtualization/Sandbox Evasion [23]; Process Discovery [1]; Application Window Discovery [1]; Remote System Discovery [11]; System Network Configuration Discovery [1]; System Information Discovery [22]
Lateral Movement: none flagged
Collection: none flagged
Exfiltration: none flagged
Command and Control: Non-Standard Port [1]
Network Effects, Remote Service Effects, Impact: none flagged
Behavior Graph (ID 337700; sample smss.exe; start date 09/01/2021; architecture WINDOWS; score 100)

Root: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected Mimikatz; 5 other signatures. Started: smss.exe, svchost.exe (dropped copy), svchost.exe (system), 10 other processes.
smss.exe: dropped C:\ProgramData\svchost.exe (PE32) and C:\ProgramData\svchost.exe:Zone.Identifier (ASCII); 1 registry value and 2 files created; Hides threads from debuggers; Drops PE files with benign system names; started cmd.exe.
  cmd.exe: contacted 127.0.0.1; Uses ping.exe to sleep; started conhost.exe and PING.EXE.
svchost.exe (dropped copy, the -auto instance per the process list): Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Tries to detect sandboxes and other dynamic analysis tools (window names); Machine Learning detection for dropped file; started the second svchost.exe.
  svchost.exe (the -acsi instance): connected to 124.132.153.147 port 888 (CHINA169-BACKBONE, China Unicom China169 Backbone, CN); dropped C:\Windows\System32\drivers\QAssist.sys (PE32+); 13 registry values and 1 file created; System process connects to network (likely due to code injection or exploit); Sample is not signed and drops a device driver; Hides threads from debuggers.
svchost.exe (system): Changes security center settings (notifications, updates, antivirus, firewall); started MpCmdRun.exe, which started conhost.exe.

(The Zone.Identifier stream on the dropped copy is the mark-of-the-web carried over from the original file. QAssist.sys is PE32+ while the loader is PE32, matching the two PDB paths, Release and x64\Release.)

Source | Detection | Scanner | Label
smss.exe | 40% | Virustotal |
smss.exe | 35% | ReversingLabs | Win32.Backdoor.Zegost
smss.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\ProgramData\svchost.exe | 100% | Joe Sandbox ML |
C:\ProgramData\svchost.exe | 35% | ReversingLabs | Win32.Backdoor.Zegost
C:\Windows\System32\drivers\QAssist.sys | 5% | Metadefender |
C:\Windows\System32\drivers\QAssist.sys | 39% | ReversingLabs | Win64.Trojan.Johnnie

No Antivirus matches

Source | Detection | Scanner | Label
http://qun.qq.com%s | 0% | Avira URL Cloud | safe
http://ocsp.thawte.com0 | 0% | URL Reputation | safe (listed four times in the original)
https://dynamic.t | 0% | URL Reputation | safe (listed four times in the original)
https://ssl.ptlogin2.qq.com%s | 0% | Avira URL Cloud | safe
http://www.enigmaprotector.com/ | 1% | Virustotal |
http://www.enigmaprotector.com/ | 0% | Avira URL Cloud | safe
http://ptlogin2.qun.qq.com%s | 0% | Avira URL Cloud | safe


            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://dev.ditu.live.com/REST/v1/Routes/ | svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp | false | - | high
https://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=715030901&daid=73&hide_close_icon=1&pt_no_auth=1&s_ | smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/Driving | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx | svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp | false | - | high
https://corp.roblox.com/contact/ | svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/ | svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | false | - | high
https://t0.tiles.ditu.live.com/tiles/gen | svchost.exe, 0000000E.00000003.311590275.0000025547248000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/Walking | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n= | svchost.exe, 0000000E.00000002.311904788.0000025547242000.00000004.00000001.sdmp | false | - | high
http://qun.qq.com%s | smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.hulu.com/ca-privacy-rights | svchost.exe, 0000001F.00000003.570927798.000002EDDD758000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/mapcontrol/logging.ashx | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000E.00000003.311613549.000002554725A000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r= | svchost.exe, 0000000E.00000003.289950751.0000025547231000.00000004.00000001.sdmp | false | - | high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms | svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572357231.000002EDDD7DA000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/ | svchost.exe, 0000000E.00000002.311904788.0000025547242000.00000004.00000001.sdmp | false | - | high
http://crl.thawte.com/ThawteTimestampingCA.crl0 | smss.exe | false | - | high
http://www.hulu.com/terms | svchost.exe, 0000001F.00000003.570927798.000002EDDD758000.00000004.00000001.sdmp | false | - | high
https://appexmapsappupdate.blob.core.windows.net | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | - | high
https://en.help.roblox.com/hc/en-us | svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | false | - | high
http://www.bingmapsportal.com | svchost.exe, 0000000E.00000002.311872932.0000025547213000.00000004.00000001.sdmp | false | - | high
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/ | svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp | false | - | high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | - | high
https://www.hulu.com/do-not-sell-my-info | svchost.exe, 0000001F.00000003.570927798.000002EDDD758000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r= | svchost.exe, 0000000E.00000003.311627593.0000025547240000.00000004.00000001.sdmp | false | - | high
http://ocsp.thawte.com0 | smss.exe | false | URL Reputation: safe (x4) | unknown
https://dev.virtualearth.net/REST/v1/Routes/ | svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp | false | - | high
https://www.roblox.com/develop | svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | false | - | high
https://instagram.com/hiddencity_ | svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572357231.000002EDDD7DA000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r= | svchost.exe, 0000000E.00000003.289950751.0000025547231000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log? | svchost.exe, 0000000E.00000003.311627593.0000025547240000.00000004.00000001.sdmp | false | - | high
https://corp.roblox.com/parents/ | svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r= | svchost.exe, 0000000E.00000002.311900199.000002554723D000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.311872932.0000025547213000.00000004.00000001.sdmp | false | - | high
http://www.symauth.com/cps0( | smss.exe | false | - | high
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000E.00000003.311590275.0000025547248000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/Locations | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | - | high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v= | svchost.exe, 0000000E.00000003.289950751.0000025547231000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/mapcontrol/logging.ashx | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | - | high
http://www.hulu.com/privacy | svchost.exe, 0000001F.00000003.570927798.000002EDDD758000.00000004.00000001.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r= | svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | false | - | high
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | false | - | high
https://dynamic.t | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://www.symauth.com/rpa00 | smss.exe | false | - | high
https://dev.virtualearth.net/REST/v1/Routes/Transit | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | - | high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen | svchost.exe, 0000000E.00000002.311895814.000002554723A000.00000004.00000001.sdmp | false | - | high
https://ssl.ptlogin2.qq.com%s | smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://www.roblox.com/info/privacy | svchost.exe, 0000001F.00000003.580739860.000002EDDD76A000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.580569301.000002EDDD775000.00000004.00000001.sdmp | false | - | high
http://www.g5e.com/termsofservice | svchost.exe, 0000001F.00000003.572303204.000002EDDD75D000.00000004.00000001.sdmp, svchost.exe, 0000001F.00000003.572357231.000002EDDD7DA000.00000004.00000001.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r= | svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | false | - | high
http://www.enigmaprotector.com/ | svchost.exe, svchost.exe, 00000001.00000002.222564463.00000000005C0000.00000040.00020000.sdmp | false | 1%, Virustotal; Avira URL Cloud: safe | unknown
http://ptlogin2.qun.qq.com%s | smss.exe, 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://dev.ditu.live.com/REST/v1/Locations | svchost.exe, 0000000E.00000003.311598725.0000025547261000.00000004.00000001.sdmp | false | - | high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/ | svchost.exe, 0000000E.00000002.311936927.000002554725C000.00000004.00000001.sdmp | false | - | high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r= | svchost.exe, 0000000E.00000003.311613549.000002554725A000.00000004.00000001.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
124.132.153.147 | unknown | China | 4837 | CHINA169-BACKBONE CHINAUNICOM China169 Backbone, CN | true
                                                                                                            IP
                                                                                                            127.0.0.1

                                                                                                            General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 337700
Start date: 09.01.2021
Start time: 14:37:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: smss.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 34
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@22/11@0/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 4.4% (good quality ratio 4.3%)
• Quality average: 74.6%
• Quality standard deviation: 23.3%
HCA Information: Failed
Cookbook Comments:
                                                                                                            • Adjust boot time
                                                                                                            • Enable AMSI
                                                                                                            • Found application associated with file extension: .exe
                                                                                                            Warnings:
                                                                                                            • Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, UsoClient.exe, wuapihost.exe
                                                                                                            • Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.42.151.234, 40.88.32.150, 51.11.168.160, 104.79.90.110, 20.54.26.129, 2.20.142.209, 2.20.142.210, 92.122.213.194, 92.122.213.247, 52.155.217.156
                                                                                                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net
                                                                                                            • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                            Errors:
                                                                                                            • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO
Time | Type | Description
14:38:13 | API Interceptor | 1510x Sleep call for process: svchost.exe modified
14:39:44 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                                                                                                            No context
                                                                                                            No context
Match | Associated Sample Name / URL | Detection | Context
CHINA169-BACKBONE CHINAUNICOM China169 Backbone, CN | http://down10d.zol.com.cn/zoldownload/fangsong_GB2312@81_432727.exe | malicious | 221.0.88.151
- | i | malicious | 180.130.76.228
- | Mozi.m | malicious | 171.119.52.25
- | SecuriteInfo.com.Trojan.GenericKD.35624799.30696.exe | malicious | 153.35.175.1
- | svchost.exe | malicious | 101.31.254.101
- | SecuriteInfo.com.Trojan.DownLoader36.27091.1131.exe | malicious | 218.12.76.163
- | SecuriteInfo.com.Gen.Variant.Zusy.356533.25108.exe | malicious | 60.10.7.133
- | NormhjTcQb.exe | malicious | 60.5.218.234
- | fdwv4hWF1M.exe | malicious | 111.164.127.230
- | xJbFpiVs1l | malicious | 113.9.149.180
- | bdOPjE89ck.dll | malicious | 123.134.70.222
- | M9SEr6SviK | malicious | 124.160.127.220
- | SecuriteInfo.com.Trojan.BtcMine.3311.17146.exe | malicious | 119.180.203.26
- | Astra.x86 | malicious | 112.226.92.192
- | feJbFA6woA.exe | malicious | 122.114.18.47
- | mssecsvc.exe | malicious | 60.214.82.98
- | rJz6SePuqu.dll | malicious | 112.226.72.76
- | QQPCDOWNLOAD140102.EXE | malicious | 125.39.120.82
- | Zdbxmzb1CG.exe | malicious | 101.69.182.187
- | order.exe | malicious | 116.255.246.111
                                                                                                            No context
                                                                                                            No context
C:\ProgramData\Microsoft\Network\Downloader\edb.log
Process: C:\Windows\System32\svchost.exe
File Type: data
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.5955373750455086
Encrypted: false
SSDEEP: 6:bKFlEk1GaD0JOCEfMuaaD0JOCEfMKQmDU7yjAl/gz2cE0fMbhEZolrRSQ2hyYIIT:bKFNGaD0JcaaD0JwQQU7yjAg/0bjSQJ
MD5: B860AAD7D6FAF075FA24DAE817FCA518
SHA1: A6B556327BBDAF60F8D3794F172A6EA5113C5850
SHA-256: 15179E4064838CC55FCC025380DF9BCC58942CAFF3600195D27F4AD3DB111905
SHA-512: 5393314C5E962F464DD9BFE754B0DE70AE4DDB720F29D3543A3AEC0C78BAC27A6591A403E41141F0CBB78246ABEC8FDF3DCE431A64D975C71F939567EBB0C9ED
Malicious: false
                                                                                                            Preview: ....E..h..(......&...y%.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@....................&...y%...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                                            C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:Extensible storage engine DataBase, version 0x620, checksum 0x83a82015, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):0.09527093040794261
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:nA0+73iO4bly5qyyFqKJA0+73iO4bly5qyyFqK:PST4tST4
                                                                                                            MD5:87C3E11012C7E5324C7BE7AFBF2DC81C
                                                                                                            SHA1:33E33038167D96FA0B8C4AE5A85A36E9CC1DC48E
                                                                                                            SHA-256:0D9F4F82D7990771B3CD81F886BADB945AFFC6272E30232DD8615559CCDAEE4B
                                                                                                            SHA-512:BFEB8CECC7F1D26DA3AEE93566A785EC9DB12D642F66A80F384667C85A42205FC5147E0E912CC8786FCAB2D2D8B30F5425B654F67CECEC76955AB2345249C185
                                                                                                            Malicious:false
                                                                                                            Preview: .. .... ................e.f.3...w........................&..........w...&...y%.h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................6M..&...y%k.................BB..&...y%.........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):8192
                                                                                                            Entropy (8bit):0.11033188993541983
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:YoLEv+DBxmljXl/bJdAtiyi39/llall:I+fml7t4HyFlA
                                                                                                            MD5:31CEAFD7FA68704256056A5CD8D6AAB1
                                                                                                            SHA1:A3C2A01ABBA4B75B9D646EDA82C5A908E40C7419
                                                                                                            SHA-256:8B77986D4B087B6C91839D90009ADEE1BBBD9FD7F74CFBE96D33C84AEF4CEFBF
                                                                                                            SHA-512:9082CBDD0B663299A17EF50615FE54DEAA46F43845F2F62FD1B2A2779702B692A59D97F025EB96E62D8E1C0BA97F3E59357DCD50A5CA2BC93165E97CB16851F2
                                                                                                            Malicious:false
                                                                                                            Preview: /.4\.....................................3...w...&...y%......w...............w.......w....:O.....w...................BB..&...y%.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\ProgramData\svchost.exe
                                                                                                            Process:C:\Users\user\Desktop\smss.exe
                                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):1443008
                                                                                                            Entropy (8bit):7.992175676415288
                                                                                                            Encrypted:true
                                                                                                            SSDEEP:24576:ym6sKjYZqb1ycImmvJFSYRkuK/zy2pNkFcpExvLyPl34HGh:xHKSqbHqJKpzkFcK9A6mh
                                                                                                            MD5:DF850A023C4594ECE918855A62D1B842
                                                                                                            SHA1:E9E00340024404118479012E0D4584119AFA9D5B
                                                                                                            SHA-256:70BDECF71010C5DAEFDA7581C8126F12340BDC82C1705711BC8FB3C33031D668
                                                                                                            SHA-512:AB24489455FACE230D960ABB1972BF0743CA16A6C61BDBCD1CD8E38EB50D07D51490D1078E3793E7AF37A5E8239B14E9C93859C33C186B3E38AC91B26AB6710C
                                                                                                            Malicious:true
                                                                                                            Yara Hits:
                                                                                                            • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\ProgramData\svchost.exe, Author: Florian Roth
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                            • Antivirus: ReversingLabs, Detection: 35%
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3p.f]#.f]#.f]#.@V#.f]#|zS#.f]#.@W#.f]#|n.#.f]#.f\#.f]#.El#.f]#8`[#.f]#.FY#.f]#Rich.f]#........................PE..L.....]..............................;...... ....@..........................@;.....p.................................-.G...H.-..........................4..............................................................................................................................@................ ......................@.......................................@....rsrc...............................@.............'.........................@....data.Th.p....-..d...l..............@...................................................................................................................................................................................................................................................................................
                                                                                                            C:\ProgramData\svchost.exe:Zone.Identifier
                                                                                                            Process:C:\Users\user\Desktop\smss.exe
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:modified
                                                                                                            Size (bytes):26
                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                            Malicious:true
                                                                                                            Preview: [ZoneTransfer]....ZoneId=0
                                                                                                            C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.10970277140896126
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:26yDcjXm/Ey6q9995P8Xdq3qQ10nMCldimE8eawHjcAPll6f:26yD5l689LyMCldzE9BHjcAP/q
                                                                                                            MD5:CC6006D0175CE6727A74A7BA5F231638
                                                                                                            SHA1:93CDF545C29D8E36A8E1A7C3014819BFFAE87796
                                                                                                            SHA-256:0DE05E6048F51DE95322F986BF4148707E7E0F6CAB7410F885D2F12072144B07
                                                                                                            SHA-512:89B2103FE2377D7CE03130959A8C872EFF680A96491C77A95880F0DC98E9259BFD4C54C404F8F365C21102CE8CC2C77B739C60EF7D522A7A4F2F28A69AD76F4D
                                                                                                            Malicious:false
                                                                                                            Preview: .........................................................................................{&......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...............................................................1..... .....L..-............S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.........U.&.....................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.11232151223040432
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:2QjXm/Ey6q9995PfX71miM3qQ10nMCldimE8eawHza1miIDFEP:2ll68VL1tMLyMCldzE9BHza1tIDF0
                                                                                                            MD5:7B2B794AADCACD5A45A2F5C59FF6BCFD
                                                                                                            SHA1:D0A161C47BA49C0630A9952E3F2B5673A48C17AC
                                                                                                            SHA-256:7A08B647CA565E4E37F1485F401C89E2B7B204616DFAD125434250F091C93702
                                                                                                            SHA-512:65C4511071BDAB4E86148ABCE1648E49D0869E2E8AF646258BA3BBBB92F96451FD9795CB2287E31D678AE23C97B1270C1D9117AB284FD93C30934029DA6CDE21
                                                                                                            Malicious:false
                                                                                                            Preview: ........................................................................................?_#......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...............................................................1..... ......~.-............U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.........ff#.....................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
                                                                                                            Process:C:\Windows\System32\svchost.exe
                                                                                                            File Type:data
                                                                                                            Category:dropped
                                                                                                            Size (bytes):65536
                                                                                                            Entropy (8bit):0.11214913245396602
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:2ZEjXm/Ey6q9995Pv971mK2P3qQ10nMCldimE8eawHza1mKuUsP:2Dl68z1iPLyMCldzE9BHza1Sf
                                                                                                            MD5:1C3A9C7BC008E01C53BB8723845C5180
                                                                                                            SHA1:82C4D978E71DF91D34CD619AA4F24C401855161D
                                                                                                            SHA-256:FE249F694E840A657BE40BAA1479EA9C66FB26DB0870347069C9C2C86DF03CBB
                                                                                                            SHA-512:D7D5B558532BC74A3D6D02CD00923FBF7B7E73250D0E769360A23E530AE62231D15A099AE0BE75A59E0E447F58DA2F974205BAB857FE7305D719AFABCC64819E
                                                                                                            Malicious:false
                                                                                                            Preview: ........................................................................................n........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1...............................................................1..... ........-............U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                            C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                            Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                            File Type:data
                                                                                                            Category:modified
                                                                                                            Size (bytes):906
                                                                                                            Entropy (8bit):3.1535624359570296
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:12:58KRBubdpkoF1AG3rZ5Mk9+MlWlLehB4yAq7ejC45V:OaqdmuF3rf+kWReH4yJ7Mt
                                                                                                            MD5:8A02A8DF626145CAF2ECB3E47D624F4A
                                                                                                            SHA1:DD69B75482B3C4C837372F1AD356ED8B033C1404
                                                                                                            SHA-256:11B48D02D659AD01A476EA734C7CA59A48A230F153B6BA09394DF6BFB62346EE
                                                                                                            SHA-512:BDD5F0252863AE6DC5F95FBC3D163571E1BA25085CB6921C59FDAEF9AA5F6B6E03B5FDAA8FEC6CE11AA4C93536F9021292A561088663CE937E41CC0AC8382948
                                                                                                            Malicious:false
                                                                                                            Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.a.t. .. J.a.n. .. 0.9. .. 2.0.2.1. .1.4.:.3.9.:.4.4.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.a.t. .. J.a.n. .. 0.9. .. 2.0.2.1. .1.4.:.3.9.:.4.4.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
                                                                                                            C:\Windows\System32\drivers\QAssist.sys
                                                                                                            Process:C:\ProgramData\svchost.exe
                                                                                                            File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                            Category:dropped
                                                                                                            Size (bytes):32768
                                                                                                            Entropy (8bit):5.851534258141303
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:768:KCMmfcFk05bmho2A0C+XrOy2KQb8RDknOYrHpWqRc:7K9aepdgSX0IpWq
                                                                                                            MD5:D773675A2D9DAF5110251355AC75D1A1
                                                                                                            SHA1:110EB24442FEA5A674FFA5618984632A3BF620FC
                                                                                                            SHA-256:94D4843E465DBC3848E41EB8C35FD838918AB11C44F5C87138222E07A7E31C62
                                                                                                            SHA-512:5BD6A780874C8B6232683C293637E3564C944D948C55743E8BFD0189D2E8F9FAB083A7CD2E14F0F53925C168170C50EC55E2F92F0FF0D78B1DBDEE524D7FAC62
                                                                                                            Malicious:true
                                                                                                            Antivirus:
                                                                                                            • Antivirus: Metadefender, Detection: 5%, Browse
                                                                                                            • Antivirus: ReversingLabs, Detection: 39%
                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*}.cn..0n..0n..0gd\0o..0gdJ0l..0...0j..0...0o..0gdL0k..0n..0U..0.?0d..0..0o..0Richn..0................PE..d....E\.........."......^...".................@.....................................h..........................................................<....................................q..............................pw...............p...............................text....R.......T.................. ..h.rdata.......p.......X..............@..H.data...0............h..............@....pdata...............j..............@..HINIT....>............p.............. ..b.reloc...............z..............@..B.rsrc................|..............@..@................................................................................................................................................................................................................................
                                                                                                            \Device\Null
                                                                                                            Process:C:\Windows\SysWOW64\PING.EXE
                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                            Category:dropped
                                                                                                            Size (bytes):331
                                                                                                            Entropy (8bit):4.92149009030101
                                                                                                            Encrypted:false
                                                                                                            SSDEEP:6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
                                                                                                            MD5:2E512EE24AAB186D09E9A1F9B72A0569
                                                                                                            SHA1:C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
                                                                                                            SHA-256:DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
                                                                                                            SHA-512:6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
                                                                                                            Malicious:false
                                                                                                            Preview: ..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

                                                                                                            Static File Info

                                                                                                            General

                                                                                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                            Entropy (8bit):7.992175676415288
                                                                                                            TrID:
                                                                                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                            • DOS Executable Generic (2002/1) 0.02%
                                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                            File name:smss.exe
                                                                                                            File size:1443008
                                                                                                            MD5:df850a023c4594ece918855a62d1b842
                                                                                                            SHA1:e9e00340024404118479012e0d4584119afa9d5b
                                                                                                            SHA256:70bdecf71010c5daefda7581c8126f12340bdc82c1705711bc8fb3c33031d668
                                                                                                            SHA512:ab24489455face230d960abb1972bf0743ca16a6c61bdbcd1cd8e38eb50d07d51490d1078e3793e7af37a5e8239b14e9c93859c33c186b3e38ac91b26ab6710c
                                                                                                            SSDEEP:24576:ym6sKjYZqb1ycImmvJFSYRkuK/zy2pNkFcpExvLyPl34HGh:xHKSqbHqJKpzkFcK9A6mh
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3p.f]#.f]#.f]#.@V#.f]#|zS#.f]#.@W#.f]#|n.#.f]#.f\#.f]#.El#.f]#8`[#.f]#.FY#.f]#Rich.f]#........................PE..L......]...

                                                                                                            File Icon

                                                                                                            Icon Hash:00828e8e8686b000

                                                                                                            General

                                                                                                            Entrypoint:0x7b09e8
                                                                                                            Entrypoint Section:.dataTh
                                                                                                            Digitally signed:true
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                            DLL Characteristics:
                                                                                                            Time Stamp:0x5DBDA3D5 [Sat Nov 2 15:42:13 2019 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:5e5ac8ab7be27ac2d1c548e5589378b6
                                                                                                            Signature Valid:false
                                                                                                            Signature Issuer:CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
                                                                                                            Signature Validation Error:The digital signature of the object did not verify
                                                                                                            Error Number:-2146869232
                                                                                                            Not Before, Not After
                                                                                                            • 2/3/2016 4:00:00 PM 3/28/2019 4:59:59 PM
                                                                                                            Subject Chain
• CN=Tencent Technology(Shenzhen) Company Limited, OU=研发管理部, O=Tencent Technology(Shenzhen) Company Limited, L=Shenzhen, S=Guangdong, C=CN
                                                                                                            Version:3
                                                                                                            Thumbprint MD5:C3644DEB9EC2DCAE0E543057192B0C40
                                                                                                            Thumbprint SHA-1:C57B841B09620EA6278E62AF20963FAEC8F9E03D
                                                                                                            Thumbprint SHA-256:B20E25527D3929213673D0443AFA395B57A6788AD1D2E88059E87003539B1C05
                                                                                                            Serial:52048B9C8A67E28F0CC8CC75813DDC5A
                                                                                                            Instruction
                                                                                                            pushad
                                                                                                            call 00007F0688C15535h
                                                                                                            pop ebp
                                                                                                            sub ebp, 00000006h
                                                                                                            sub ebp, 003B09E8h
                                                                                                            jmp 00007F0688C15581h
                                                                                                            inc ebp
                                                                                                            dec esi
                                                                                                            dec ecx
                                                                                                            inc edi
                                                                                                            dec ebp
                                                                                                            inc ecx
                                                                                                            add al, 00h
                                                                                                            in al, 07h
                                                                                                            or al, 00h
                                                                                                            adc eax, 30000C00h
                                                                                                            add byte ptr [edi], al
                                                                                                            add dl, cl
                                                                                                            stosd
                                                                                                            sbb al, 0Ch
                                                                                                            stosb
                                                                                                            test al, 1Bh
                                                                                                            cli
                                                                                                            inc edi
                                                                                                            xchg dword ptr [eax+4Ah], ecx
                                                                                                            aam 36h
                                                                                                            cmp bl, byte ptr [ecx]
                                                                                                            push esi
                                                                                                            cmp eax, 00006E7Bh
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            jmp 00007F0688C15539h
                                                                                                            fsubr st(0), st(0)
                                                                                                            sbb dword ptr [ebp+3B09E8B8h], 81C50300h
                                                                                                            rcl byte ptr [ebx-47000000h], FFFFFFD1h
                                                                                                            add eax, 9ABA0000h
                                                                                                            add dword ptr [ebx], ecx
                                                                                                            jo 00007F0688C15562h
                                                                                                            adc byte ptr [eax+49h], al
                                                                                                            jne 00007F0688C1552Ch
                                                                                                            jmp 00007F0688C15539h
                                                                                                            retf
                                                                                                            retn 60F9h
                                                                                                            adc dword ptr [edi+11h], edx
                                                                                                            adc esp, dword ptr [esi+1B9A9A9Ah]
                                                                                                            pop ebx
                                                                                                            bound ebx, dword ptr [edx+57999A9Ah]
                                                                                                            and bl, byte ptr [esi+209A9A9Ah]
                                                                                                            mov dl, 9Ah
                                                                                                            call far 1152h : 99786D9Ah
                                                                                                            sbb edx, dword ptr [esi-66656566h]
                                                                                                            pop edi
                                                                                                            retf F2CAh
                                                                                                            fisubr dword ptr [ecx+32F29A97h]
                                                                                                            dec esp
                                                                                                            Programming Language:
                                                                                                            • [C++] VS98 (6.0) SP6 build 8804
                                                                                                            • [EXP] VC++ 6.0 SP5 build 8804
                                                                                                            • [ C ] VS98 (6.0) SP6 build 8804
                                                                                                            • [LNK] VC++ 6.0 SP5 build 8804
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x2dd000         0x47          .dataTh
IMAGE_DIRECTORY_ENTRY_IMPORT          0x2dd048         0x1dc         .dataTh
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5e000          0x29c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x15d000         0x34c0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name        Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type                  Entropy        Characteristics
(nameless)  0x1000           0x1000        0x200     False     0.65625          data                       5.31996313426  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless)  0x2000           0x5b000       0x5a600   False     1.00032687154    Dyalog APL version 245.19  7.99946689797  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless)  0x5d000          0x1000        0x200     False     1.021484375      data                       7.48670182273  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc       0x5e000          0x1000        0x400     False     0.30859375       data                       3.95308418701  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
(nameless)  0x5f000          0x27e000      0x2ba00   unknown   unknown          unknown                    unknown        IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.dataTh     0x2dd000         0xd7000       0xd6400   False     0.996595135648   data                       7.98056600583  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ

Name         RVA      Size   Type                                                     Language  Country
RT_MANIFEST  0x5e058  0x244  XML 1.0 document, ASCII text, with CRLF line terminators  Chinese   China

DLL           Import
kernel32.dll  GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll    MessageBoxA
advapi32.dll  RegCloseKey
oleaut32.dll  SysFreeString
gdi32.dll     CreateFontA
shell32.dll   ShellExecuteA
version.dll   GetFileVersionInfoA

Name    Ordinal  Address
Loader  1        0x40114b

Language of compilation system  Country where language is spoken  Map
Chinese                         China

                                                                                                            Network Behavior

                                                                                                            Network Port Distribution

                                                                                                            • Total Packets: 43
                                                                                                            • 888 undefined
                                                                                                            • 53 (DNS)
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 9, 2021 14:38:13.931664944 CET  49727        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:38:16.938658953 CET  49727        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:38:22.939191103 CET  49727        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:39:07.997128010 CET  49746        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:39:11.006268978 CET  49746        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:39:17.006247997 CET  49746        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:40:00.481281042 CET  49749        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:40:03.494539976 CET  49749        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:40:09.494960070 CET  49749        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:40:55.723081112 CET  49756        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:40:58.790002108 CET  49756        888        192.168.2.3  124.132.153.147
Jan 9, 2021 14:41:04.800551891 CET  49756        888        192.168.2.3  124.132.153.147
Timestamp                           Source Port  Dest Port  Source IP    Dest IP
Jan 9, 2021 14:37:59.120393038 CET  53023        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:37:59.168272972 CET  53           53023      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:00.347073078 CET  49563        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:00.394975901 CET  53           49563      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:01.657751083 CET  51352        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:01.705540895 CET  53           51352      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:03.487595081 CET  59349        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:03.546211958 CET  53           59349      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:04.668616056 CET  57084        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:04.716547012 CET  53           57084      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:05.961991072 CET  58823        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:06.027576923 CET  53           58823      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:07.445311069 CET  57568        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:07.493261099 CET  53           57568      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:08.715217113 CET  50540        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:08.766752958 CET  53           50540      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:09.983952999 CET  54366        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:10.032911062 CET  53           54366      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:11.530838013 CET  53034        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:11.578974962 CET  53           53034      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:12.803641081 CET  57762        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:12.851546049 CET  53           57762      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:14.033206940 CET  55435        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:14.081302881 CET  53           55435      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:15.231518984 CET  50713        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:15.282253027 CET  53           50713      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:26.019182920 CET  56132        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:26.069967031 CET  53           56132      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:30.922941923 CET  58987        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:30.980566025 CET  53           58987      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:45.127001047 CET  56579        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:45.191255093 CET  53           56579      8.8.8.8      192.168.2.3
Jan 9, 2021 14:38:49.435957909 CET  60633        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:38:49.493674040 CET  53           60633      8.8.8.8      192.168.2.3
Jan 9, 2021 14:39:02.024178028 CET  61292        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:39:02.072309017 CET  53           61292      8.8.8.8      192.168.2.3
Jan 9, 2021 14:39:06.280092955 CET  63619        53         192.168.2.3  8.8.8.8
Jan 9, 2021 14:39:06.337985039 CET  53           63619      8.8.8.8      192.168.2.3
Jan 9, 2021 14:39:36.294195890 CET  64938        53         192.168.2.3  8.8.8.8
                                                                                                            Jan 9, 2021 14:39:36.342184067 CET53649388.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:39:38.433955908 CET6194653192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:39:38.501200914 CET53619468.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:51.346055031 CET6491053192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:51.436402082 CET53649108.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:52.174190998 CET5212353192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:52.304322004 CET53521238.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:53.123425961 CET5613053192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:53.182483912 CET53561308.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:53.683505058 CET5633853192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:53.731868029 CET53563388.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:54.199632883 CET5942053192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:54.256406069 CET53594208.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:54.939003944 CET5878453192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:54.995558977 CET53587848.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:55.677249908 CET6397853192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:55.733449936 CET53639788.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:56.872222900 CET6293853192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:56.931740046 CET53629388.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:58.157398939 CET5570853192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:58.213661909 CET53557088.8.8.8192.168.2.3
                                                                                                            Jan 9, 2021 14:40:58.840112925 CET5680353192.168.2.38.8.8.8
                                                                                                            Jan 9, 2021 14:40:58.896404028 CET53568038.8.8.8192.168.2.3

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

• File
• Registry
• Network

Behavior

System Behavior

Start time: 14:38:03
Start date: 09/01/2021
Path: C:\Users\user\Desktop\smss.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\smss.exe'
Imagebase: 0x400000
File size: 1443008 bytes
MD5 hash: DF850A023C4594ECE918855A62D1B842
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000000.00000002.223551567.0000000010100000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

Start time: 14:38:07
Start date: 09/01/2021
Path: C:\ProgramData\svchost.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\svchost.exe -auto
Imagebase: 0x400000
File size: 1443008 bytes
MD5 hash: DF850A023C4594ECE918855A62D1B842
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
• Rule: JoeSecurity_Mimikatz_1, Description: Yara detected Mimikatz, Source: 00000001.00000002.226685664.0000000010100000.00000004.00000001.sdmp, Author: Joe Security
• Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: C:\ProgramData\svchost.exe, Author: Florian Roth
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 35%, ReversingLabs
Reputation: low

Start time: 14:38:09
Start date: 09/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\user\Desktop\smss.exe > nul
Imagebase: 0xbd0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 14:38:10
Start date: 09/01/2021
Path: C:\ProgramData\svchost.exe
Wow64 process (32bit): true
Commandline: C:\ProgramData\svchost.exe -acsi
Imagebase: 0x400000
File size: 1443008 bytes
MD5 hash: DF850A023C4594ECE918855A62D1B842
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Reputation: low

Start time: 14:38:10
Start date: 09/01/2021
Path: C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit): true
Commandline: ping -n 2 127.0.0.1
Imagebase: 0x320000
File size: 18944 bytes
MD5 hash: 70C24A306F768936563ABDADB9CA9108
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Start time: 14:38:27
Start date: 09/01/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 14:38:39
Start date: 09/01/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff7488e0000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 14:38:42
Start date: 09/01/2021
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff6e0fb0000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Start time: 14:39:43
Start date: 09/01/2021
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase: 0x7ff7488a0000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

Executed Functions

APIs
• VirtualAlloc.KERNELBASE(?,?,00002000,00000004), ref: 004561D3
• VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 0045621E
• VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 0045622A
Strings
Memory Dump Source
• Source File: 00000000.00000002.221216434.0000000000455000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.221182691.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.221185769.0000000000401000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221222730.000000000045D000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221225769.000000000045E000.00000080.00020000.sdmp
• Associated: 00000000.00000002.221229052.000000000045F000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221336513.0000000000593000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221343238.00000000005A0000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221346346.00000000005A5000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221357426.00000000005C0000.00000040.00020000.sdmp
Similarity
• API ID: AllocVirtual
• String ID: A$A$G$H$H$KERNEL32.dll$P$V$a$a$a$c$c$c$e$e$e$e$i$l$l$l$l$l$o$o$o$p$p$r$r$s$s$t$t$u
• API String ID: 4275171209-3282530655
• Opcode ID: 0958f9433de06e33e40c09ba07c452d5116af34e93ce5c3ec0760e9687fe8255
• Instruction ID: a52139ac0111a93651b47bf1b4577cb966a1e75d32e6224bcf224a769b57c34e
• Opcode Fuzzy Hash: 0958f9433de06e33e40c09ba07c452d5116af34e93ce5c3ec0760e9687fe8255
• Instruction Fuzzy Hash: 31815171D082889EEB11DBA8C888BDEBFF55F15708F084099E9807B282C7FE5549C779
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000056), ref: 00456547
Strings
Memory Dump Source
• Source File: 00000000.00000002.221216434.0000000000455000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.221182691.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.221185769.0000000000401000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221222730.000000000045D000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221225769.000000000045E000.00000080.00020000.sdmp
• Associated: 00000000.00000002.221229052.000000000045F000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221336513.0000000000593000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221343238.00000000005A0000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221346346.00000000005A5000.00000040.00020000.sdmp
• Associated: 00000000.00000002.221357426.00000000005C0000.00000040.00020000.sdmp
Similarity
• API ID: ProtectVirtual
• String ID: @$F$KERNEL32.dll$P$V$V$a$a$c$e$e$e$i$i$l$l$o$r$r$r$r$t$t$t$t$u$u
• API String ID: 544645111-1530852760
• Opcode ID: a5edb8722193bfc0baf7c041bb5117e5f89eac7cb1b5b33301de721bf43ca3bf
• Instruction ID: c122966ed33f1a00fc6a1fc389a6debfe0d41a5c8060db0f5f86d4ecfdc9a4c1
• Opcode Fuzzy Hash: a5edb8722193bfc0baf7c041bb5117e5f89eac7cb1b5b33301de721bf43ca3bf
• Instruction Fuzzy Hash: DD515070D082CCEEDB01CBA8D5887DEBFB56F16309F584099D5843B292D3BA5A09C775
Uniqueness

Uniqueness Score: -1.00%

APIs
• VirtualAlloc.KERNELBASE(00000056,00000075,00001000,00000004,?,?,00000056), ref: 0045637D
• VirtualAlloc.KERNELBASE(00000056,?,00001000,00000004,?,?,00000056), ref: 004563AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.221216434.0000000000455000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: .$2$3$A$E$E$K$L$N$R$V$a$c$d$i$l$l$l$l$l$o$r$t$u
                                                                                                            • API String ID: 4275171209-1410553462
                                                                                                            • Opcode ID: cee62c2c2e02034db9a7d3d6f0dd992017c7a7937f367cdb5946251bef5349b9
                                                                                                            • Instruction ID: 3063fc0940a8d122e4183765a910ac729fce492610511f2ecc92da4b4c90d44e
                                                                                                            • Opcode Fuzzy Hash: cee62c2c2e02034db9a7d3d6f0dd992017c7a7937f367cdb5946251bef5349b9
                                                                                                            • Instruction Fuzzy Hash: 4B415171D04288DBEB01CBA8C448BDEBFF59F55704F084099D985BB382C2BA5A58C779
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNELBASE(003B0598,000D3340,A21ADA01,002DD6A8,000D3340,?,?), ref: 007B0E5F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.221357426.00000000005C0000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID: +pu<$;$;$;
                                                                                                            • API String ID: 4139908857-4045756845
                                                                                                            • Opcode ID: 59d7a0642b018f71b3a653fd537da6f477fb11254a86d28aa0719d70605063f7
                                                                                                            • Instruction ID: 1500ecf7d91bd1422ec33c9f75f40962a297a6b7c418f35b9e99d4b408b9e388
                                                                                                            • Opcode Fuzzy Hash: 59d7a0642b018f71b3a653fd537da6f477fb11254a86d28aa0719d70605063f7
                                                                                                            • Instruction Fuzzy Hash: 525124333046199BE7565A18CC09BFB7359FB90718F59852AE106CB692DBBCEC46C7C0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 00401091
                                                                                                              • Part of subcall function 00456E43: KiUserExceptionDispatcher.NTDLL(?,?,?,00000038), ref: 00456E71
                                                                                                              • Part of subcall function 00401000: __EH_prolog.LIBCMT ref: 00401005
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.221185769.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog$DispatcherExceptionUser
                                                                                                            • String ID: L$R
                                                                                                            • API String ID: 1370957130-4065098952
                                                                                                            • Opcode ID: 384e6ade814516cf4592d649d9e1f1c70fff3341865b63b5b9b120b3609eda83
                                                                                                            • Instruction ID: 1573a7fc1b32049b9b73682f0005f0b5c159eb986acb1ddc1566b4e3a6cd19b7
                                                                                                            • Opcode Fuzzy Hash: 384e6ade814516cf4592d649d9e1f1c70fff3341865b63b5b9b120b3609eda83
                                                                                                            • Instruction Fuzzy Hash: 0CF0BB60C0024999CB00A7E98C067AFBA789F11315F40426AF564761D2D378070887BA
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL(?,?,?,00000038), ref: 00456E71
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.221216434.0000000000455000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 6842923-0
                                                                                                            • Opcode ID: 7a44f65243eca41fa08746042960c200f54dc9b409b6d0b91ea155adc9229576
                                                                                                            • Instruction ID: 27a66cd9ebed49b235a02825e09a5e34010a989a2f7ef9394013997a3360f010
                                                                                                            • Opcode Fuzzy Hash: 7a44f65243eca41fa08746042960c200f54dc9b409b6d0b91ea155adc9229576
                                                                                                            • Instruction Fuzzy Hash: 7BE0E536D0011CABCF11DF99DC449EFBBB9FB48310F008026F914A7150D774AA54DBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

C-Code - Quality: 100%
#include <windows.h>

/* Decompiled wrapper around VirtualAlloc (function E005CC598 in the unpacked image).
 * The caller passes the desired page protection in _a16; the wrapper rewrites
 * PAGE_READONLY (2) to PAGE_EXECUTE_READ (0x20) and PAGE_READWRITE (4) to
 * PAGE_EXECUTE_READWRITE (0x40), so every allocation routed through it comes
 * back executable. Any other protection value is passed to VirtualAlloc unchanged. */
void* E005CC598(void* _a4, long _a8, long _a12, long _a16) {
	long _t5;
	void* _t9;
	long _t10;

	_t10 = _a16;
	_t5 = _t10;
	if(_t10 != 2) {
		if(_t10 == 4) {
			_t5 = 0x40; // PAGE_READWRITE -> PAGE_EXECUTE_READWRITE
		}
	} else {
		_t5 = 0x20; // PAGE_READONLY -> PAGE_EXECUTE_READ
	}
	_t9 = VirtualAlloc(_a4, _a8, _a12, _t5); // executed
	return _t9;
}

                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 005CC5C3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.221357426.00000000005C0000.00000040.00020000.sdmp, Offset: 0045F000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: dff4aba883b4ca99330c6428765ce446c90c838a4a3cbf8156f8ef29b06ab7a4
                                                                                                            • Instruction ID: 87a07ef733739d2ecbca67b961a2098cd0cb7fc7025c346d18f6259452849e79
                                                                                                            • Opcode Fuzzy Hash: dff4aba883b4ca99330c6428765ce446c90c838a4a3cbf8156f8ef29b06ab7a4
                                                                                                            • Instruction Fuzzy Hash: E5E0E2B6700208AFDB10CE8CD984FAA3BDDB799710F108816FA09D7380C674FC109B69
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Non-executed Functions

                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000000.00000002.221357426.00000000005C0000.00000040.00020000.sdmp, Offset: 0045F000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID:
                                                                                                            • String ID:
                                                                                                            • API String ID:
                                                                                                            • Opcode ID: da1d6a27886553fca05af519fca04ac56c51a6077069b6fb13a1bf79f0c134b0
                                                                                                            • Instruction ID: f0af5264348463a4854a16cd104108c09e39647270c7a564518a3df71b5b6575
                                                                                                            • Opcode Fuzzy Hash: da1d6a27886553fca05af519fca04ac56c51a6077069b6fb13a1bf79f0c134b0
                                                                                                            • Instruction Fuzzy Hash:
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            Executed Functions

                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(?,?,00002000,00000004), ref: 004561D3
                                                                                                            • VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 0045621E
                                                                                                            • VirtualAlloc.KERNELBASE(?,?,00001000,00000004), ref: 0045622A
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.221976112.0000000000455000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: A$A$G$H$H$KERNEL32.dll$P$V$a$a$a$c$c$c$e$e$e$e$i$l$l$l$l$l$o$o$o$p$p$r$r$s$s$t$t$u
                                                                                                            • API String ID: 4275171209-3282530655
                                                                                                            • Opcode ID: 0958f9433de06e33e40c09ba07c452d5116af34e93ce5c3ec0760e9687fe8255
                                                                                                            • Instruction ID: a52139ac0111a93651b47bf1b4577cb966a1e75d32e6224bcf224a769b57c34e
                                                                                                            • Opcode Fuzzy Hash: 0958f9433de06e33e40c09ba07c452d5116af34e93ce5c3ec0760e9687fe8255
                                                                                                            • Instruction Fuzzy Hash: 31815171D082889EEB11DBA8C888BDEBFF55F15708F084099E9807B282C7FE5549C779
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000056), ref: 00456547
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.221976112.0000000000455000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.221917304.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221930387.0000000000401000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221983256.000000000045D000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221989519.000000000045E000.00000080.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222004204.000000000045F000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222474473.0000000000593000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222490232.00000000005A0000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222498479.00000000005A5000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222564463.00000000005C0000.00000040.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: ProtectVirtual
                                                                                                            • String ID: @$F$KERNEL32.dll$P$V$V$a$a$c$e$e$e$i$i$l$l$o$r$r$r$r$t$t$t$t$u$u
                                                                                                            • API String ID: 544645111-1530852760
                                                                                                            • Opcode ID: a5edb8722193bfc0baf7c041bb5117e5f89eac7cb1b5b33301de721bf43ca3bf
                                                                                                            • Instruction ID: c122966ed33f1a00fc6a1fc389a6debfe0d41a5c8060db0f5f86d4ecfdc9a4c1
                                                                                                            • Opcode Fuzzy Hash: a5edb8722193bfc0baf7c041bb5117e5f89eac7cb1b5b33301de721bf43ca3bf
                                                                                                            • Instruction Fuzzy Hash: DD515070D082CCEEDB01CBA8D5887DEBFB56F16309F584099D5843B292D3BA5A09C775
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(00000056,00000075,00001000,00000004,?,?,00000056), ref: 0045637D
                                                                                                            • VirtualAlloc.KERNELBASE(00000056,?,00001000,00000004,?,?,00000056), ref: 004563AA
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.221976112.0000000000455000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.221917304.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221930387.0000000000401000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221983256.000000000045D000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221989519.000000000045E000.00000080.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222004204.000000000045F000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222474473.0000000000593000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222490232.00000000005A0000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222498479.00000000005A5000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222564463.00000000005C0000.00000040.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID: .$2$3$A$E$E$K$L$N$R$V$a$c$d$i$l$l$l$l$l$o$r$t$u
                                                                                                            • API String ID: 4275171209-1410553462
                                                                                                            • Opcode ID: cee62c2c2e02034db9a7d3d6f0dd992017c7a7937f367cdb5946251bef5349b9
                                                                                                            • Instruction ID: 3063fc0940a8d122e4183765a910ac729fce492610511f2ecc92da4b4c90d44e
                                                                                                            • Opcode Fuzzy Hash: cee62c2c2e02034db9a7d3d6f0dd992017c7a7937f367cdb5946251bef5349b9
                                                                                                            • Instruction Fuzzy Hash: 4B415171D04288DBEB01CBA8C448BDEBFF59F55704F084099D985BB382C2BA5A58C779
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • GetModuleHandleA.KERNELBASE(003B0598,000D3340,A21ADA01,002DD6A8,000D3340,?,?), ref: 007B0E5F
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.222564463.00000000005C0000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.221917304.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221930387.0000000000401000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221976112.0000000000455000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221983256.000000000045D000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221989519.000000000045E000.00000080.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222004204.000000000045F000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222474473.0000000000593000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222490232.00000000005A0000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222498479.00000000005A5000.00000040.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: HandleModule
                                                                                                            • String ID: +pu<$;$;$;
                                                                                                            • API String ID: 4139908857-4045756845
                                                                                                            • Opcode ID: 59d7a0642b018f71b3a653fd537da6f477fb11254a86d28aa0719d70605063f7
                                                                                                            • Instruction ID: 1500ecf7d91bd1422ec33c9f75f40962a297a6b7c418f35b9e99d4b408b9e388
                                                                                                            • Opcode Fuzzy Hash: 59d7a0642b018f71b3a653fd537da6f477fb11254a86d28aa0719d70605063f7
                                                                                                            • Instruction Fuzzy Hash: 525124333046199BE7565A18CC09BFB7359FB90718F59852AE106CB692DBBCEC46C7C0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • __EH_prolog.LIBCMT ref: 00401091
                                                                                                              • Part of subcall function 00456E43: KiUserExceptionDispatcher.NTDLL(?,?,?,00000038), ref: 00456E71
                                                                                                              • Part of subcall function 00401000: __EH_prolog.LIBCMT ref: 00401005
                                                                                                            Strings
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.221930387.0000000000401000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.221917304.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221976112.0000000000455000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221983256.000000000045D000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221989519.000000000045E000.00000080.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222004204.000000000045F000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222474473.0000000000593000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222490232.00000000005A0000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222498479.00000000005A5000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222564463.00000000005C0000.00000040.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: H_prolog$DispatcherExceptionUser
                                                                                                            • String ID: L$R
                                                                                                            • API String ID: 1370957130-4065098952
                                                                                                            • Opcode ID: 384e6ade814516cf4592d649d9e1f1c70fff3341865b63b5b9b120b3609eda83
                                                                                                            • Instruction ID: 1573a7fc1b32049b9b73682f0005f0b5c159eb986acb1ddc1566b4e3a6cd19b7
                                                                                                            • Opcode Fuzzy Hash: 384e6ade814516cf4592d649d9e1f1c70fff3341865b63b5b9b120b3609eda83
                                                                                                            • Instruction Fuzzy Hash: 0CF0BB60C0024999CB00A7E98C067AFBA789F11315F40426AF564761D2D378070887BA
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • KiUserExceptionDispatcher.NTDLL(?,?,?,00000038), ref: 00456E71
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.221976112.0000000000455000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.221917304.0000000000400000.00000002.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221930387.0000000000401000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221983256.000000000045D000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.221989519.000000000045E000.00000080.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222004204.000000000045F000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222474473.0000000000593000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222490232.00000000005A0000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222498479.00000000005A5000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222564463.00000000005C0000.00000040.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                            • String ID:
                                                                                                            • API String ID: 6842923-0
                                                                                                            • Opcode ID: 8e1dd060d93d3d98b8137749d511a7a470a5faa0a7250677c3d475753cc7b397
                                                                                                            • Instruction ID: dd9a758196c9957e0010cc9faa123db03e7f5253ab542ccae83d50dbb452a10b
                                                                                                            • Opcode Fuzzy Hash: 8e1dd060d93d3d98b8137749d511a7a470a5faa0a7250677c3d475753cc7b397
                                                                                                            • Instruction Fuzzy Hash: 29E0C276D00118ABCF11DE99E8448EEBBB9FB48320F008026FA14A7250D674AA58DBA0
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%

                                                                                                            APIs
                                                                                                            • VirtualAlloc.KERNELBASE(?,?,?,?), ref: 005CC5C3
                                                                                                            Memory Dump Source
                                                                                                            • Source File: 00000001.00000002.222564463.00000000005C0000.00000040.00020000.sdmp, Offset: 0045F000, based on PE: true
                                                                                                            • Associated: 00000001.00000002.222004204.000000000045F000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222474473.0000000000593000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222490232.00000000005A0000.00000040.00020000.sdmp
                                                                                                            • Associated: 00000001.00000002.222498479.00000000005A5000.00000040.00020000.sdmp
                                                                                                            Similarity
                                                                                                            • API ID: AllocVirtual
                                                                                                            • String ID:
                                                                                                            • API String ID: 4275171209-0
                                                                                                            • Opcode ID: dff4aba883b4ca99330c6428765ce446c90c838a4a3cbf8156f8ef29b06ab7a4
                                                                                                            • Instruction ID: 87a07ef733739d2ecbca67b961a2098cd0cb7fc7025c346d18f6259452849e79
                                                                                                            • Opcode Fuzzy Hash: dff4aba883b4ca99330c6428765ce446c90c838a4a3cbf8156f8ef29b06ab7a4
                                                                                                            • Instruction Fuzzy Hash: E5E0E2B6700208AFDB10CE8CD984FAA3BDDB799710F108816FA09D7380C674FC109B69
                                                                                                            Uniqueness

                                                                                                            Uniqueness Score: -1.00%
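The function blocks above carry the allocate-then-reprotect footprint of an unpacking stub: VirtualAlloc is called with flAllocationType 00001000 (MEM_COMMIT) and flProtect 00000004 (PAGE_READWRITE), VirtualProtect is called from the same region, and the dump names list a protection field of 00000040 (PAGE_EXECUTE_READWRITE) for regions inside the PE image based at 00400000. The script below is an example added to this page, not part of the sandbox or of the sample; it decodes those values from a listing in the shape printed above. It assumes the dump file name layout <proc>.<pass>.<id>.<base>.<protect>.<type>.sdmp with the MEMORY_BASIC_INFORMATION Protect and Type values in the last two fields, and the listing embedded in it is constructed from a few lines in that shape so that the script runs offline.

```python
"""Decode the memory-dump names and the VirtualAlloc/VirtualProtect arguments
printed in a sandbox function listing.  Hypothetical helper written for this
page; it is not part of the sandbox or of the analysed sample."""
import re
from dataclasses import dataclass
from typing import Optional

# Standard winnt.h memory constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
ALLOC_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
               0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}

# ASSUMPTION: a dump name reads <proc>.<pass>.<id>.<base>.<protect>.<type>.sdmp,
# with <protect> and <type> being the MEMORY_BASIC_INFORMATION Protect and Type
# values of the dumped region, which is what the values on this page suggest.
DUMP_RE = re.compile(
    r"(?P<proc>\d{8})\.(?P<pass>\d{8})\.(?P<id>\d+)\.(?P<base>[0-9A-Fa-f]{16})\."
    r"(?P<protect>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp")
# Matches lines such as "VirtualAlloc.KERNELBASE(00000056,...,?), ref: 0045637D".
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)")

# Constructed sample: a few lines in the shape of the listing above.
SAMPLE_LISTING = """\
• VirtualAlloc.KERNELBASE(00000056,00000075,00001000,00000004,?,?,00000056), ref: 0045637D
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000056), ref: 00456547
• Source File: 00000001.00000002.221976112.0000000000455000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.221917304.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.221989519.000000000045E000.00000080.00020000.sdmp
"""


def decode_protect(value: int) -> str:
    """Name a PAGE_* protection value, keeping any GUARD/NOCACHE modifier bits."""
    base = PAGE_PROTECT.get(value & 0xFF, f"0x{value & 0xFF:02x}")
    mods = [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return "|".join([base, *mods])


@dataclass(frozen=True)
class Region:
    base: int
    protect: int
    mem_type: int

    @property
    def writable_and_executable(self) -> bool:
        # RWX or execute+write-copy: code can be written and then run in place,
        # the footprint left behind by in-memory unpacking.
        return (self.protect & 0xFF) in (0x40, 0x80)

    def describe(self) -> str:
        kind = MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")
        return f"{self.base:#010x} {decode_protect(self.protect)} {kind}"


def parse_regions(listing: str) -> list[Region]:
    """Every dumped region named in the listing, in order, first mention wins."""
    regions: dict[int, Region] = {}
    for m in DUMP_RE.finditer(listing):
        r = Region(int(m["base"], 16), int(m["protect"], 16), int(m["type"], 16))
        regions.setdefault(r.base, r)
    return list(regions.values())


def parse_api_calls(listing: str) -> list[dict]:
    """API lines as dicts; '?' stack slots the sandbox could not resolve become None."""
    calls = []
    for m in API_RE.finditer(listing):
        args = [None if a == "?" else int(a, 16)
                for a in (s.strip() for s in m["args"].split(",")) if a]
        calls.append({"api": m["api"], "module": m["module"],
                      "args": args, "ref": int(m["ref"], 16)})
    return calls


def decode_virtualalloc(call: dict) -> Optional[tuple[str, str]]:
    """(allocation flags, protection) for VirtualAlloc(lpAddress, dwSize,
    flAllocationType, flProtect).  Only the first four slots are parameters;
    the sandbox prints further stack slots after them, which are ignored."""
    if call["api"] != "VirtualAlloc" or len(call["args"]) < 4:
        return None
    alloc, protect = call["args"][2], call["args"][3]
    if alloc is None or protect is None:
        return None
    flags = "|".join(n for bit, n in ALLOC_FLAGS.items() if alloc & bit) or f"0x{alloc:x}"
    return flags, decode_protect(protect)


def unpacking_indicators(listing: str) -> list[str]:
    """Writable-and-executable regions plus committed RW allocations: together
    the allocate, write, reprotect pattern of a packer stub."""
    hits = [f"W+X region {r.describe()}"
            for r in parse_regions(listing) if r.writable_and_executable]
    for c in parse_api_calls(listing):
        decoded = decode_virtualalloc(c)
        if decoded:
            hits.append(f"VirtualAlloc({decoded[0]}, {decoded[1]}) at {c['ref']:#x}")
    return hits


if __name__ == "__main__":
    for line in unpacking_indicators(SAMPLE_LISTING):
        print(line)
```

Run stand-alone it reports the two write-and-execute regions from the embedded lines (00455000 with PAGE_EXECUTE_READWRITE and 0045E000 with PAGE_EXECUTE_WRITECOPY, both MEM_PRIVATE) and the committed PAGE_READWRITE allocation at 0045637D. Stack slots the sandbox printed as "?", as in the VirtualProtect line, come out as None and are skipped rather than guessed, so a VirtualProtect whose new protection was not captured is never reported as an RWX transition.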

                                                                                                            Non-executed Functions