Play interactive tour

Edit tour

Analysis Report svchost.exe

Overview

General Information

Sample Name:	svchost.exe
Analysis ID:	391310
MD5:	275d9f11168d6b0a8369dc5a9ff0f7ea
SHA1:	ab18df17e0e0b234730cf1c9119268f49923c8bb
SHA256:	b3d9c42ce3abed0eea37473f512e3a573a2f7e29f3eaa203dcc1572d733ff898
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

Quasar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Quasar RAT

.NET source code references suspicious native API functions

Changes security center settings (notifications, updates, antivirus, firewall)

Drops PE files with benign system names

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

svchost.exe (PID: 3008 cmdline: 'C:\Users\user\Desktop\svchost.exe' MD5: 275D9F11168D6B0A8369DC5A9FF0F7EA)

svchost.exe (PID: 4884 cmdline: C:\Users\user\AppData\Roaming\SubDir\svchost.exe MD5: 275D9F11168D6B0A8369DC5A9FF0F7EA)

svchost.exe (PID: 3260 cmdline: 'C:\Users\user\AppData\Roaming\SubDir\svchost.exe' MD5: 275D9F11168D6B0A8369DC5A9FF0F7EA)

svchost.exe (PID: 3440 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5344 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 672 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1656 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5304 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 3808 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5380 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 1348 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 6596 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 6584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6540 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6944 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5064 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
svchost.exe	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37946:$x3: GetKeyloggerLogsResponse 0x31c77:$x4: GetKeyloggerLogs 0x378d6:$s1: <RunHidden>k__BackingField 0x2dee9:$s2: set_SystemInfos 0x3790c:$s3: set_RunHidden 0x2ecfa:$s4: set_RemotePath 0x304ec:$s7: xClient.Core.ReverseProxy.Packets
svchost.exe	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3790c:$s7: set_RunHidden
svchost.exe	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378a9:$s1: DoUploadAndExecute 0x37dfb:$s2: DoDownloadAndExecute 0x36b29:$s3: DoShellExecute 0x372db:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
svchost.exe	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37946:$x1: GetKeyloggerLogsResponse 0x31c88:$s1: DoShellExecuteResponse 0x368ab:$s2: GetPasswordsResponse 0x2ed1f:$s3: GetStartupItemsResponse 0x35776:$s4: <GetGenReader>b__7 0x378d7:$s5: RunHidden 0x37902:$s5: RunHidden 0x37910:$s5: RunHidden 0x3792d:$s5: RunHidden
svchost.exe	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f1a:$x4: get_encryptedPassword 0x37dfb:$x5: DoDownloadAndExecute
svchost.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37946:$x3: GetKeyloggerLogsResponse 0x31c77:$x4: GetKeyloggerLogs 0x378d6:$s1: <RunHidden>k__BackingField 0x2dee9:$s2: set_SystemInfos 0x3790c:$s3: set_RunHidden 0x2ecfa:$s4: set_RemotePath 0x304ec:$s7: xClient.Core.ReverseProxy.Packets
C:\Users\user\AppData\Roaming\SubDir\svchost.exe	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3790c:$s7: set_RunHidden
C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378a9:$s1: DoUploadAndExecute 0x37dfb:$s2: DoDownloadAndExecute 0x36b29:$s3: DoShellExecute 0x372db:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37946:$x1: GetKeyloggerLogsResponse 0x31c88:$s1: DoShellExecuteResponse 0x368ab:$s2: GetPasswordsResponse 0x2ed1f:$s3: GetStartupItemsResponse 0x35776:$s4: <GetGenReader>b__7 0x378d7:$s5: RunHidden 0x37902:$s5: RunHidden 0x37910:$s5: RunHidden 0x3792d:$s5: RunHidden
C:\Users\user\AppData\Roaming\SubDir\svchost.exe	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f1a:$x4: get_encryptedPassword 0x37dfb:$x5: DoDownloadAndExecute
C:\Users\user\AppData\Roaming\SubDir\svchost.exe	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x376a9:$s1: DoUploadAndExecute 0x37bfb:$s2: DoDownloadAndExecute 0x36929:$s3: DoShellExecute 0x370db:$s4: set_Processname 0x160:$op1: 04 1E FE 02 04 16 FE 01 60 0x84:$op2: 00 17 03 1F 20 17 19 15 28 0xaf1:$op3: 00 04 03 69 91 1B 40 0x1350:$op3: 00 04 03 69 91 1B 40
00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x376a9:$s1: DoUploadAndExecute 0x37bfb:$s2: DoDownloadAndExecute 0x36929:$s3: DoShellExecute 0x370db:$s4: set_Processname 0x160:$op1: 04 1E FE 02 04 16 FE 01 60 0x84:$op2: 00 17 03 1F 20 17 19 15 28 0xaf1:$op3: 00 04 03 69 91 1B 40 0x1350:$op3: 00 04 03 69 91 1B 40
00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000003.233358475.0000000007201000.00000004.00000001.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x376a9:$s1: DoUploadAndExecute 0x37bfb:$s2: DoDownloadAndExecute 0x36929:$s3: DoShellExecute 0x370db:$s4: set_Processname 0x160:$op1: 04 1E FE 02 04 16 FE 01 60 0x84:$op2: 00 17 03 1F 20 17 19 15 28 0xaf1:$op3: 00 04 03 69 91 1B 40 0x1350:$op3: 00 04 03 69 91 1B 40
00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x376a9:$s1: DoUploadAndExecute 0x37bfb:$s2: DoDownloadAndExecute 0x36929:$s3: DoShellExecute 0x370db:$s4: set_Processname 0x160:$op1: 04 1E FE 02 04 16 FE 01 60 0x84:$op2: 00 17 03 1F 20 17 19 15 28 0xaf1:$op3: 00 04 03 69 91 1B 40 0x1350:$op3: 00 04 03 69 91 1B 40
00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x376a9:$s1: DoUploadAndExecute 0x37bfb:$s2: DoDownloadAndExecute 0x36929:$s3: DoShellExecute 0x370db:$s4: set_Processname 0x160:$op1: 04 1E FE 02 04 16 FE 01 60 0x84:$op2: 00 17 03 1F 20 17 19 15 28 0xaf1:$op3: 00 04 03 69 91 1B 40 0x1350:$op3: 00 04 03 69 91 1B 40
00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x376a9:$s1: DoUploadAndExecute 0x37bfb:$s2: DoDownloadAndExecute 0x36929:$s3: DoShellExecute 0x370db:$s4: set_Processname 0x160:$op1: 04 1E FE 02 04 16 FE 01 60 0x84:$op2: 00 17 03 1F 20 17 19 15 28 0xaf1:$op3: 00 04 03 69 91 1B 40 0x1350:$op3: 00 04 03 69 91 1B 40
00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: svchost.exe PID: 3008	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: svchost.exe PID: 3260	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Process Memory Space: svchost.exe PID: 4884	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.svchost.exe.f80000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37946:$x3: GetKeyloggerLogsResponse 0x31c77:$x4: GetKeyloggerLogs 0x378d6:$s1: <RunHidden>k__BackingField 0x2dee9:$s2: set_SystemInfos 0x3790c:$s3: set_RunHidden 0x2ecfa:$s4: set_RemotePath 0x304ec:$s7: xClient.Core.ReverseProxy.Packets
0.0.svchost.exe.f80000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3790c:$s7: set_RunHidden
0.0.svchost.exe.f80000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378a9:$s1: DoUploadAndExecute 0x37dfb:$s2: DoDownloadAndExecute 0x36b29:$s3: DoShellExecute 0x372db:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
0.0.svchost.exe.f80000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37946:$x1: GetKeyloggerLogsResponse 0x31c88:$s1: DoShellExecuteResponse 0x368ab:$s2: GetPasswordsResponse 0x2ed1f:$s3: GetStartupItemsResponse 0x35776:$s4: <GetGenReader>b__7 0x378d7:$s5: RunHidden 0x37902:$s5: RunHidden 0x37910:$s5: RunHidden 0x3792d:$s5: RunHidden
0.0.svchost.exe.f80000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f1a:$x4: get_encryptedPassword 0x37dfb:$x5: DoDownloadAndExecute
0.0.svchost.exe.f80000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
6.0.svchost.exe.b40000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37946:$x3: GetKeyloggerLogsResponse 0x31c77:$x4: GetKeyloggerLogs 0x378d6:$s1: <RunHidden>k__BackingField 0x2dee9:$s2: set_SystemInfos 0x3790c:$s3: set_RunHidden 0x2ecfa:$s4: set_RemotePath 0x304ec:$s7: xClient.Core.ReverseProxy.Packets
6.0.svchost.exe.b40000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3790c:$s7: set_RunHidden
6.0.svchost.exe.b40000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378a9:$s1: DoUploadAndExecute 0x37dfb:$s2: DoDownloadAndExecute 0x36b29:$s3: DoShellExecute 0x372db:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
6.0.svchost.exe.b40000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37946:$x1: GetKeyloggerLogsResponse 0x31c88:$s1: DoShellExecuteResponse 0x368ab:$s2: GetPasswordsResponse 0x2ed1f:$s3: GetStartupItemsResponse 0x35776:$s4: <GetGenReader>b__7 0x378d7:$s5: RunHidden 0x37902:$s5: RunHidden 0x37910:$s5: RunHidden 0x3792d:$s5: RunHidden
6.0.svchost.exe.b40000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f1a:$x4: get_encryptedPassword 0x37dfb:$x5: DoDownloadAndExecute
6.0.svchost.exe.b40000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
6.2.svchost.exe.b40000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37946:$x3: GetKeyloggerLogsResponse 0x31c77:$x4: GetKeyloggerLogs 0x378d6:$s1: <RunHidden>k__BackingField 0x2dee9:$s2: set_SystemInfos 0x3790c:$s3: set_RunHidden 0x2ecfa:$s4: set_RemotePath 0x304ec:$s7: xClient.Core.ReverseProxy.Packets
6.2.svchost.exe.b40000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3790c:$s7: set_RunHidden
6.2.svchost.exe.b40000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378a9:$s1: DoUploadAndExecute 0x37dfb:$s2: DoDownloadAndExecute 0x36b29:$s3: DoShellExecute 0x372db:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
6.2.svchost.exe.b40000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37946:$x1: GetKeyloggerLogsResponse 0x31c88:$s1: DoShellExecuteResponse 0x368ab:$s2: GetPasswordsResponse 0x2ed1f:$s3: GetStartupItemsResponse 0x35776:$s4: <GetGenReader>b__7 0x378d7:$s5: RunHidden 0x37902:$s5: RunHidden 0x37910:$s5: RunHidden 0x3792d:$s5: RunHidden
6.2.svchost.exe.b40000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f1a:$x4: get_encryptedPassword 0x37dfb:$x5: DoDownloadAndExecute
6.2.svchost.exe.b40000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
1.2.svchost.exe.120000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37946:$x3: GetKeyloggerLogsResponse 0x31c77:$x4: GetKeyloggerLogs 0x378d6:$s1: <RunHidden>k__BackingField 0x2dee9:$s2: set_SystemInfos 0x3790c:$s3: set_RunHidden 0x2ecfa:$s4: set_RemotePath 0x304ec:$s7: xClient.Core.ReverseProxy.Packets
1.2.svchost.exe.120000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3790c:$s7: set_RunHidden
1.2.svchost.exe.120000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378a9:$s1: DoUploadAndExecute 0x37dfb:$s2: DoDownloadAndExecute 0x36b29:$s3: DoShellExecute 0x372db:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
1.2.svchost.exe.120000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37946:$x1: GetKeyloggerLogsResponse 0x31c88:$s1: DoShellExecuteResponse 0x368ab:$s2: GetPasswordsResponse 0x2ed1f:$s3: GetStartupItemsResponse 0x35776:$s4: <GetGenReader>b__7 0x378d7:$s5: RunHidden 0x37902:$s5: RunHidden 0x37910:$s5: RunHidden 0x3792d:$s5: RunHidden
1.2.svchost.exe.120000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f1a:$x4: get_encryptedPassword 0x37dfb:$x5: DoDownloadAndExecute
1.2.svchost.exe.120000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.svchost.exe.f80000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37946:$x3: GetKeyloggerLogsResponse 0x31c77:$x4: GetKeyloggerLogs 0x378d6:$s1: <RunHidden>k__BackingField 0x2dee9:$s2: set_SystemInfos 0x3790c:$s3: set_RunHidden 0x2ecfa:$s4: set_RemotePath 0x304ec:$s7: xClient.Core.ReverseProxy.Packets
1.0.svchost.exe.120000.0.unpack	Vermin_Keylogger_Jan18_1	Detects Vermin Keylogger	Florian Roth	0x37946:$x3: GetKeyloggerLogsResponse 0x31c77:$x4: GetKeyloggerLogs 0x378d6:$s1: <RunHidden>k__BackingField 0x2dee9:$s2: set_SystemInfos 0x3790c:$s3: set_RunHidden 0x2ecfa:$s4: set_RemotePath 0x304ec:$s7: xClient.Core.ReverseProxy.Packets
0.2.svchost.exe.f80000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3790c:$s7: set_RunHidden
0.2.svchost.exe.f80000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378a9:$s1: DoUploadAndExecute 0x37dfb:$s2: DoDownloadAndExecute 0x36b29:$s3: DoShellExecute 0x372db:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
0.2.svchost.exe.f80000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37946:$x1: GetKeyloggerLogsResponse 0x31c88:$s1: DoShellExecuteResponse 0x368ab:$s2: GetPasswordsResponse 0x2ed1f:$s3: GetStartupItemsResponse 0x35776:$s4: <GetGenReader>b__7 0x378d7:$s5: RunHidden 0x37902:$s5: RunHidden 0x37910:$s5: RunHidden 0x3792d:$s5: RunHidden
0.2.svchost.exe.f80000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f1a:$x4: get_encryptedPassword 0x37dfb:$x5: DoDownloadAndExecute
1.0.svchost.exe.120000.0.unpack	xRAT_1	Detects Patchwork malware	Florian Roth	0x251c2:$x4: xClient.Properties.Resources.resources 0x250b1:$s4: Client.exe 0x3790c:$s7: set_RunHidden
1.0.svchost.exe.120000.0.unpack	Quasar_RAT_1	Detects Quasar RAT	Florian Roth	0x378a9:$s1: DoUploadAndExecute 0x37dfb:$s2: DoDownloadAndExecute 0x36b29:$s3: DoShellExecute 0x372db:$s4: set_Processname 0x360:$op1: 04 1E FE 02 04 16 FE 01 60 0x284:$op2: 00 17 03 1F 20 17 19 15 28 0xcf1:$op3: 00 04 03 69 91 1B 40 0x1550:$op3: 00 04 03 69 91 1B 40
1.0.svchost.exe.120000.0.unpack	Quasar_RAT_2	Detects Quasar RAT	Florian Roth	0x37946:$x1: GetKeyloggerLogsResponse 0x31c88:$s1: DoShellExecuteResponse 0x368ab:$s2: GetPasswordsResponse 0x2ed1f:$s3: GetStartupItemsResponse 0x35776:$s4: <GetGenReader>b__7 0x378d7:$s5: RunHidden 0x37902:$s5: RunHidden 0x37910:$s5: RunHidden 0x3792d:$s5: RunHidden
1.0.svchost.exe.120000.0.unpack	CN_disclosed_20180208_KeyLogger_1	Detects malware from disclosed CN malware set	Florian Roth	0x29f1a:$x4: get_encryptedPassword 0x37dfb:$x5: DoDownloadAndExecute
1.0.svchost.exe.120000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
0.2.svchost.exe.f80000.0.unpack	JoeSecurity_Quasar	Yara detected Quasar RAT	Joe Security
Click to see the 31 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: svchost.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe

Avira: detection malicious, Label: HEUR/AGEN.1135947

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe

ReversingLabs: Detection: 79%

Multi AV Scanner detection for submitted file

Show sources

Source: svchost.exe	Virustotal: Detection: 58%			Perma Link
Source: svchost.exe	ReversingLabs: Detection: 79%

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: svchost.exe, type: SAMPLE
Source: Yara match	File source: 00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233358475.0000000007201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3008, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4884, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED
Source: Yara match	File source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: svchost.exe

Joe Sandbox ML: detected

Source: svchost.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: svchost.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

May check the online IP address of the machine

Show sources

Source: C:\Users\user\Desktop\svchost.exe	DNS query: name: freegeoip.net
Source: C:\Users\user\Desktop\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\Desktop\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	DNS query: name: freegeoip.net
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	DNS query: name: api.ipify.org
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	DNS query: name: api.ipify.org

Source: global traffic

TCP traffic: 192.168.2.7:49715 -> 139.196.56.98:47822

Source: Joe Sandbox View

IP Address: 104.26.14.73 104.26.14.73

Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shutdown HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shutdown HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98
Source: unknown	TCP traffic detected without corresponding DNS query: 139.196.56.98

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shutdown HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: www.telize.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/ HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /shutdown HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: freegeoip.net
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0Host: api.ipify.orgConnection: Keep-Alive

Source: svchost.exe, 00000018.00000003.374682797.000001AB9515F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 00000018.00000003.374682797.000001AB9515F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 00000018.00000003.374656288.000001AB9516F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-16T07:48:47.6488280Z\|\|.\|\|cd319275-8495-4f62-8b53-01d767c80df8\|\|1152921505693392363\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000018.00000003.374656288.000001AB9516F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-16T07:48:47.6488280Z\|\|.\|\|cd319275-8495-4f62-8b53-01d767c80df8\|\|1152921505693392363\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000018.00000003.374682797.000001AB9515F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",^ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000018.00000003.374682797.000001AB9515F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",^ equals www.twitter.com (Twitter)
Source: svchost.exe, 00000018.00000003.374682797.000001AB9515F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.facebook.com (Facebook)
Source: svchost.exe, 00000018.00000003.374682797.000001AB9515F000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE equals www.twitter.com (Twitter)
Source: svchost.exe, 00000018.00000003.366583622.000001AB9518E000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z\|\|.\|\|9f1af5de-a917-4d59-b623-fd59991517bf\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000018.00000003.362877803.000001AB95145000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000018.00000003.362877803.000001AB95145000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000018.00000003.362877803.000001AB95145000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
Source: svchost.exe, 00000018.00000003.362803767.000001AB95166000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000018.00000003.362803767.000001AB95166000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000018.00000003.362803767.000001AB95166000.00000004.00000001.sdmp	String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":507060394,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6","PackageId":"448e913e-e6bd-69c2-2c7f-25b80795f801-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.40.4001.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
Source: svchost.exe, 00000018.00000003.362894178.000001AB95602000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000018.00000003.362894178.000001AB95602000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000018.00000003.362894178.000001AB95602000.00000004.00000001.sdmp	String found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey ","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: svchost.exe, 00000018.00000003.365452615.000001AB9514F000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z\|\|.\|\|9f1af5de-a917-4d59-b623-fd59991517bf\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000018.00000003.365452615.000001AB9514F000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z\|\|.\|\|9f1af5de-a917-4d59-b623-fd59991517bf\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000018.00000003.365424897.000001AB9515C000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-04-06T17:58:28.3925008Z\|\|.\|\|9f1af5de-a917-4d59-b623-fd59991517bf\|\|1152921505693355901\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2021-04-06T17:57:25.3126054Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000018.00000003.365452615.000001AB9514F000.00000004.00000001.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\n*Calls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","SkuTitle":"Messenger","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9WZDNCRF0083","Properties":{"FulfillmentData":{"ProductId":"9WZDNCRF0083","WuCategoryId":"c6a9fa5c-20a2-4e12-904d-edd408657dc8","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","SkuId":"0010"},"FulfillmentType":"WindowsUpdate","FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x64"],"Capabilities":["runFullTrust","internetClient","Microsoft.storeFilter.core.notSupported_8wekyb3d8bbwe"],"ExperienceIds":[],"MaxDownloadSizeInBytes":137845484,"PackageFormat":"Appx","PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","MainPackageFamilyNameForDlc":null,"PackageFullName":"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt","PackageId":"9f0b5036-3839-33f0-1d64-45190b6cc3d7-X64","PackageRank":30002,"PlatformDependencies":[{"MaxTested":2814750970478592,"MinVersion":2814750438195200,"PlatformName":"Windows.Desktop"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.isMain\":false,\"content.packageId\":\"FACEBOOK.317180B0BB486_950.7.118.0_x64__8xx8rvfyw5nnt\",\"content.productId\":\"3219d30d-4a23-4f58-a91c-c44b04e6a0c7\",\"content.targetPlatforms\":[{\"platform.maxVersionTested\":2814750970478592,\"platform.minVersion\":2814750438195200,\"platform.target\":3}],\"content.type\":7,\"policy\":{\"category.first\":\"app\",\"category.second\":\"Social\",\"optOut.backu

Source: unknown

DNS traffic detected: queries for: telize.com

Source: svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497986587.0000000002923000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org
Source: svchost.exe	String found in binary or memory: http://api.ipify.org/
Source: svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org4Ok
Source: svchost.exe, 00000001.00000002.497702778.00000000028E0000.00000004.00000001.sdmp	String found in binary or memory: http://api.ipify.org4Okp%
Source: svchost.exe, 00000018.00000003.369642759.000001AB95127000.00000004.00000001.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: svchost.exe, 00000018.00000003.369642759.000001AB95127000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 00000007.00000002.500103793.0000017EF4211000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000018.00000003.369642759.000001AB95127000.00000004.00000001.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497986587.0000000002923000.00000004.00000001.sdmp	String found in binary or memory: http://elb097307-934924932.us-east-1.elb.amazonaws.com
Source: svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497986587.0000000002923000.00000004.00000001.sdmp	String found in binary or memory: http://freegeoip.net
Source: svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497986587.0000000002923000.00000004.00000001.sdmp	String found in binary or memory: http://freegeoip.net/shutdown
Source: svchost.exe	String found in binary or memory: http://freegeoip.net/xml/
Source: svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497667619.00000000028DC000.00000004.00000001.sdmp	String found in binary or memory: http://freegeoip.net4Ok
Source: svchost.exe, 00000018.00000003.369642759.000001AB95127000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 00000007.00000002.500103793.0000017EF4211000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000007.00000002.495237848.0000017EEEC29000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000007.00000002.501216432.0000017EF4570000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000000.00000002.235060012.000000000375A000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497462469.0000000002891000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000000.00000002.235080172.000000000376D000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497462469.0000000002891000.00000004.00000001.sdmp	String found in binary or memory: http://telize.com
Source: svchost.exe	String found in binary or memory: http://telize.com/geoip
Source: svchost.exe, 00000000.00000002.235060012.000000000375A000.00000004.00000001.sdmp	String found in binary or memory: http://telize.com4Okt
Source: svchost.exe, 0000000D.00000002.306870361.000001B499413000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000018.00000003.362894178.000001AB95602000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362877803.000001AB95145000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362803767.000001AB95166000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
Source: svchost.exe, 00000018.00000003.362894178.000001AB95602000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362877803.000001AB95145000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362803767.000001AB95166000.00000004.00000001.sdmp	String found in binary or memory: http://www.g5e.com/termsofservice
Source: svchost.exe, 00000000.00000002.235080172.000000000376D000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497631080.00000000028C9000.00000004.00000001.sdmp	String found in binary or memory: http://www.telize.com
Source: svchost.exe, 00000001.00000002.497631080.00000000028C9000.00000004.00000001.sdmp	String found in binary or memory: http://www.telize.com/geoip
Source: svchost.exe, 00000000.00000002.235080172.000000000376D000.00000004.00000001.sdmp	String found in binary or memory: http://www.telize.com4Ok
Source: svchost.exe, 00000001.00000002.497986587.0000000002923000.00000004.00000001.sdmp	String found in binary or memory: http://www.telize.comL
Source: svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.comr
Source: svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/contact/
Source: svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373496835.000001AB9515F000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373417252.000001AB9516F000.00000004.00000001.sdmp	String found in binary or memory: https://corp.roblox.com/parents/
Source: svchost.exe, 0000000D.00000003.306595113.000001B499449000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.306572922.000001B49944C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000D.00000002.306913950.000001B499442000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000D.00000002.306913950.000001B499442000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000D.00000003.306619889.000001B499440000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.306938432.000001B49945C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000D.00000003.306595113.000001B499449000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000002.306938432.000001B49945C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000002.306938432.000001B49945C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.306550429.000001B499463000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.306619889.000001B499440000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000D.00000003.284768033.000001B499431000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp	String found in binary or memory: https://en.help.roblox.com/hc/en-us
Source: svchost.exe, 00000007.00000002.500411007.0000017EF4261000.00000004.00000001.sdmp	String found in binary or memory: https://fs.micro
Source: svchost.exe, 00000018.00000003.362894178.000001AB95602000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362877803.000001AB95145000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362803767.000001AB95166000.00000004.00000001.sdmp	String found in binary or memory: https://instagram.com/hiddencity_
Source: svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000D.00000002.306870361.000001B499413000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000D.00000003.306619889.000001B499440000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000D.00000003.306619889.000001B499440000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000D.00000003.284768033.000001B499431000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000D.00000002.306898914.000001B49943A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp	String found in binary or memory: https://www.roblox.com/info/privacy

E-Banking Fraud:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: svchost.exe, type: SAMPLE
Source: Yara match	File source: 00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233358475.0000000007201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3008, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4884, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED
Source: Yara match	File source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: svchost.exe, type: SAMPLE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: svchost.exe, type: SAMPLE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: svchost.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: svchost.exe, type: SAMPLE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: svchost.exe, type: SAMPLE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Vermin Keylogger Author: Florian Roth
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Patchwork malware Author: Florian Roth
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Quasar RAT Author: Florian Roth
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_00F89322	0_2_00F89322
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_05C3EDD0	0_2_05C3EDD0
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_05C3F6A0	0_2_05C3F6A0
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_05C3A987	0_2_05C3A987
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_05C3A90A	0_2_05C3A90A
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_05C3EA88	0_2_05C3EA88
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_05DF0DB8	0_2_05DF0DB8
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_05DF7840	0_2_05DF7840
Source: C:\Users\user\Desktop\svchost.exe	Code function: 0_2_05DF7830	0_2_05DF7830
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 1_2_00129322	1_2_00129322
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 1_2_04DDEDD0	1_2_04DDEDD0
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 1_2_04DDF6A0	1_2_04DDF6A0
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 1_2_04DDEA88	1_2_04DDEA88
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 1_2_054F0DB8	1_2_054F0DB8
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 1_2_0626A610	1_2_0626A610
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 1_2_062645A8	1_2_062645A8
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 1_2_062612B4	1_2_062612B4
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 6_2_00B49322	6_2_00B49322
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 6_2_057FEDD0	6_2_057FEDD0
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 6_2_057FF6A0	6_2_057FF6A0
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 6_2_057FEA88	6_2_057FEA88
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 6_2_06610DB8	6_2_06610DB8
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 6_2_06614EC8	6_2_06614EC8
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Code function: 6_2_06614EB8	6_2_06614EB8

Source: svchost.exe	Binary or memory string: OriginalFilename vs svchost.exe
Source: svchost.exe, 00000000.00000002.236169049.0000000006D20000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs svchost.exe
Source: svchost.exe, 00000000.00000003.233358475.0000000007201000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename4 vs svchost.exe
Source: svchost.exe	Binary or memory string: OriginalFilename vs svchost.exe
Source: svchost.exe, 00000001.00000002.501634922.0000000005D80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs svchost.exe
Source: svchost.exe, 00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename4 vs svchost.exe
Source: svchost.exe, 00000001.00000002.494820962.00000000004F9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs svchost.exe
Source: svchost.exe	Binary or memory string: OriginalFilename vs svchost.exe
Source: svchost.exe, 00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename4 vs svchost.exe
Source: svchost.exe, 00000007.00000002.501586202.0000017EF4610000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamednsapij% vs svchost.exe
Source: svchost.exe, 00000007.00000002.499852524.0000017EF4060000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameesent.dll.muij% vs svchost.exe
Source: svchost.exe, 00000007.00000002.501559255.0000017EF45F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamevsstrace.dll.muij% vs svchost.exe
Source: svchost.exe, 00000007.00000002.501095972.0000017EF4510000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs svchost.exe
Source: svchost.exe, 00000007.00000002.501172748.0000017EF4560000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs svchost.exe
Source: svchost.exe, 00000007.00000002.501639517.0000017EF4630000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs svchost.exe
Source: svchost.exe, 00000007.00000002.501137915.0000017EF4550000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs svchost.exe
Source: svchost.exe, 00000007.00000002.501216432.0000017EF4570000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameWsmRes.dll.muij% vs svchost.exe
Source: svchost.exe, 00000008.00000002.286064497.000002CB53290000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs svchost.exe
Source: svchost.exe, 0000000A.00000002.496884193.0000023C50F80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs svchost.exe
Source: svchost.exe, 0000000A.00000002.500143932.0000023C51540000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs svchost.exe
Source: svchost.exe, 0000000B.00000002.496142124.000001DA09350000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamedosvc.dll.muij% vs svchost.exe
Source: svchost.exe, 0000000C.00000002.495154417.000002E2D9BF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamePhoneUtilRes.dllj% vs svchost.exe
Source: svchost.exe, 0000000C.00000002.495828403.000002E2DB5E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameSyncRes.dllj% vs svchost.exe
Source: svchost.exe, 00000012.00000002.322977881.0000020579460000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs svchost.exe
Source: svchost.exe, 00000016.00000002.346043547.00000285B7660000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs svchost.exe
Source: svchost.exe, 00000018.00000002.386543156.000001AB94F80000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs svchost.exe
Source: svchost.exe, 00000018.00000002.387110380.000001AB95800000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs svchost.exe
Source: svchost.exe, 00000018.00000002.386561121.000001AB94F90000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs svchost.exe
Source: svchost.exe, 00000018.00000002.385926382.000001AB947F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs svchost.exe
Source: svchost.exe, 00000018.00000002.386583100.000001AB94FB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs svchost.exe
Source: svchost.exe	Binary or memory string: OriginalFilename4 vs svchost.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll			Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll			Jump to behavior

Source: svchost.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: svchost.exe, type: SAMPLE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: svchost.exe, type: SAMPLE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: svchost.exe, type: SAMPLE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: svchost.exe, type: SAMPLE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: svchost.exe, type: SAMPLE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp, type: MEMORY	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Vermin_Keylogger_Jan18_1 date = 2018-01-29, hash5 = 24956d8edcf2a1fd26805ec58cfd1ee7498e1a59af8cc2f4b832a7ab34948c18, hash4 = 4c5e019e0e55a3fe378aa339d52c235c06ecc5053625a5d54d65c4ae38c6e3da, hash3 = 0157b43eb3c20928b77f8700ad8eb279a0aa348921df074cd22ebaff01edaae6, hash2 = e1d917769267302d58a2fd00bc49d4aee5a472227a75f9366b46ce243e9cbef7, hash1 = 74ba162eef84bf13d1d79cb26192a4692c09fed57f321230ddb7668a88e3935d, author = Florian Roth, description = Detects Vermin Keylogger, hash6 = 2963c5eacaad13ace807edd634a4a5896cb5536f961f43afcf8c1f25c08a5eef, reference = https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: xRAT_1 date = 2017-12-11, hash2 = f1a45adcf907e660ec848c6086e28c9863b7b70d0d38417dd05a4261973c955a, hash1 = 92be93ec4cbe76182404af0b180871fbbfa3c7b34e4df6745dbcde480b8b4b3b, author = Florian Roth, description = Detects Patchwork malware, reference = https://goo.gl/Pg3P4W, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_1 date = 2017-04-07, hash4 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash3 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, hash2 = 1ce40a89ef9d56fd32c00db729beecc17d54f4f7c27ff22f708a957cd3f9a4ec, hash1 = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: Quasar_RAT_2 date = 2017-04-07, hash3 = f08db220df716de3d4f63f3007a03f902601b9b32099d6a882da87312f263f34, hash2 = 515c1a68995557035af11d818192f7866ef6a2018aa13112fefbe08395732e89, author = Florian Roth, description = Detects Quasar RAT, reference = https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, license = https://creativecommons.org/licenses/by-nc/4.0/, super_rule = 0774d25e33ca2b1e2ee2fafe3fdbebecefbf1d4dd99e6460f0bc8713dd0fd740
Source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_KeyLogger_1 date = 2018-02-08, hash1 = c492889e1d271a98e15264acbb21bfca9795466882520d55dc714c4899ed2fcf, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://www.virustotal.com/graph/#/selected/n120z79z208z189/drawer/graph-details, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: svchost.exe, ??????u32ba????ufffdue434??ufb29????.cs	Base64 encoded string: 'sCHFCqYToLhDREH8ZMy1i4nvv5I/9VVL3pUGOMOJBiw0tbpRd4kJFnJSNQBzb287', 'GRI+aJ18Ym0HIkSxogTwBLjUpRdA/AQI9HtJ0cpxSgkSDipBSZjDsCx9kL2qo3rr'
Source: svchost.exe.0.dr, ??????u32ba????ufffdue434??ufb29????.cs	Base64 encoded string: 'sCHFCqYToLhDREH8ZMy1i4nvv5I/9VVL3pUGOMOJBiw0tbpRd4kJFnJSNQBzb287', 'GRI+aJ18Ym0HIkSxogTwBLjUpRdA/AQI9HtJ0cpxSgkSDipBSZjDsCx9kL2qo3rr'
Source: 0.0.svchost.exe.f80000.0.unpack, ??????u32ba????ufffdue434??ufb29????.cs	Base64 encoded string: 'sCHFCqYToLhDREH8ZMy1i4nvv5I/9VVL3pUGOMOJBiw0tbpRd4kJFnJSNQBzb287', 'GRI+aJ18Ym0HIkSxogTwBLjUpRdA/AQI9HtJ0cpxSgkSDipBSZjDsCx9kL2qo3rr'
Source: 0.2.svchost.exe.f80000.0.unpack, ??????u32ba????ufffdue434??ufb29????.cs	Base64 encoded string: 'sCHFCqYToLhDREH8ZMy1i4nvv5I/9VVL3pUGOMOJBiw0tbpRd4kJFnJSNQBzb287', 'GRI+aJ18Ym0HIkSxogTwBLjUpRdA/AQI9HtJ0cpxSgkSDipBSZjDsCx9kL2qo3rr'
Source: 1.2.svchost.exe.120000.0.unpack, ??????u32ba????ufffdue434??ufb29????.cs	Base64 encoded string: 'sCHFCqYToLhDREH8ZMy1i4nvv5I/9VVL3pUGOMOJBiw0tbpRd4kJFnJSNQBzb287', 'GRI+aJ18Ym0HIkSxogTwBLjUpRdA/AQI9HtJ0cpxSgkSDipBSZjDsCx9kL2qo3rr'
Source: 1.0.svchost.exe.120000.0.unpack, ??????u32ba????ufffdue434??ufb29????.cs	Base64 encoded string: 'sCHFCqYToLhDREH8ZMy1i4nvv5I/9VVL3pUGOMOJBiw0tbpRd4kJFnJSNQBzb287', 'GRI+aJ18Ym0HIkSxogTwBLjUpRdA/AQI9HtJ0cpxSgkSDipBSZjDsCx9kL2qo3rr'
Source: 6.0.svchost.exe.b40000.0.unpack, ??????u32ba????ufffdue434??ufb29????.cs	Base64 encoded string: 'sCHFCqYToLhDREH8ZMy1i4nvv5I/9VVL3pUGOMOJBiw0tbpRd4kJFnJSNQBzb287', 'GRI+aJ18Ym0HIkSxogTwBLjUpRdA/AQI9HtJ0cpxSgkSDipBSZjDsCx9kL2qo3rr'
Source: 6.2.svchost.exe.b40000.0.unpack, ??????u32ba????ufffdue434??ufb29????.cs	Base64 encoded string: 'sCHFCqYToLhDREH8ZMy1i4nvv5I/9VVL3pUGOMOJBiw0tbpRd4kJFnJSNQBzb287', 'GRI+aJ18Ym0HIkSxogTwBLjUpRdA/AQI9HtJ0cpxSgkSDipBSZjDsCx9kL2qo3rr'

Source: 1.2.svchost.exe.120000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.2.svchost.exe.120000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.svchost.exe.f80000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.svchost.exe.f80000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: svchost.exe, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.svchost.exe.f80000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.svchost.exe.f80000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.0.svchost.exe.120000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 1.0.svchost.exe.120000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.2.svchost.exe.b40000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.2.svchost.exe.b40000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 6.0.svchost.exe.b40000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 6.0.svchost.exe.b40000.0.unpack, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: svchost.exe.0.dr, ue85b?????u2150u2fcc??uf086?ueae8???u28fe?ufffdu0082.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@18/10@10/6

Source: C:\Users\user\Desktop\svchost.exe

File created: C:\Users\user\AppData\Roaming\SubDir

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6584:120:WilError_01
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\QSR_MUTEX_jIqYxwTlRgIWNgFg10

Source: svchost.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: svchost.exe	Virustotal: Detection: 58%
Source: svchost.exe	ReversingLabs: Detection: 79%

Source: C:\Users\user\Desktop\svchost.exe

File read: C:\Users\user\Desktop\svchost.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\svchost.exe 'C:\Users\user\Desktop\svchost.exe'
Source: C:\Users\user\Desktop\svchost.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\svchost.exe C:\Users\user\AppData\Roaming\SubDir\svchost.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\SubDir\svchost.exe 'C:\Users\user\AppData\Roaming\SubDir\svchost.exe'
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\svchost.exe	Process created: C:\Users\user\AppData\Roaming\SubDir\svchost.exe C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable	Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: svchost.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: svchost.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe

Code function: 1_2_04DD8DEF push E801035Eh; retf

1_2_04DD8E01

Persistence and Installation Behavior:

Drops PE files with benign system names

Show sources

Source: C:\Users\user\Desktop\svchost.exe

File created: C:\Users\user\AppData\Roaming\SubDir\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\svchost.exe

File created: C:\Users\user\AppData\Roaming\SubDir\svchost.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\svchost.exe	File opened: C:\Users\user\Desktop\svchost.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\svchost.exe:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	File opened: C:\Users\user\AppData\Roaming\SubDir\svchost.exe:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe TID: 5304	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe TID: 5956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe TID: 4636	Thread sleep time: -45000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe TID: 3820	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1892	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6212	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\svchost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: svchost.exe, 00000000.00000002.236169049.0000000006D20000.00000002.00000001.sdmp, svchost.exe, 00000001.00000002.501634922.0000000005D80000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.286064497.000002CB53290000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.500143932.0000023C51540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.322977881.0000020579460000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.346043547.00000285B7660000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.387110380.000001AB95800000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000007.00000002.495237848.0000017EEEC29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW@P&
Source: svchost.exe, 00000007.00000002.500411007.0000017EF4261000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.386274421.000001AB948D7000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000009.00000002.494537364.000002A989C02000.00000004.00000001.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000000.00000002.236169049.0000000006D20000.00000002.00000001.sdmp, svchost.exe, 00000001.00000002.501634922.0000000005D80000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.286064497.000002CB53290000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.500143932.0000023C51540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.322977881.0000020579460000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.346043547.00000285B7660000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.387110380.000001AB95800000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000000.00000002.236169049.0000000006D20000.00000002.00000001.sdmp, svchost.exe, 00000001.00000002.501634922.0000000005D80000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.286064497.000002CB53290000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.500143932.0000023C51540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.322977881.0000020579460000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.346043547.00000285B7660000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.387110380.000001AB95800000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000018.00000002.386127860.000001AB94883000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW"
Source: svchost.exe, 00000009.00000002.494830309.000002A989C3E000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.495170437.0000023C50867000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.494893672.000001DA08C29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000000.00000002.236169049.0000000006D20000.00000002.00000001.sdmp, svchost.exe, 00000001.00000002.501634922.0000000005D80000.00000002.00000001.sdmp, svchost.exe, 00000008.00000002.286064497.000002CB53290000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.500143932.0000023C51540000.00000002.00000001.sdmp, svchost.exe, 00000012.00000002.322977881.0000020579460000.00000002.00000001.sdmp, svchost.exe, 00000016.00000002.346043547.00000285B7660000.00000002.00000001.sdmp, svchost.exe, 00000018.00000002.387110380.000001AB95800000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\svchost.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Network Connect: 88.198.193.213 80	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Domain query: telize.com
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Network Connect: 139.196.56.98 47822	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Domain query: www.telize.com
Source: C:\Users\user\Desktop\svchost.exe	Network Connect: 104.26.14.73 80	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Domain query: api.ipify.org
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Network Connect: 54.225.144.221 80	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Network Connect: 104.26.15.73 80	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Domain query: freegeoip.net

.NET source code references suspicious native API functions

Show sources

Source: svchost.exe, uab4e??uf1c5????ufffd????????u25feue700?.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: svchost.exe, u2065u1c88??ua62e????ueea3????????u21ee?.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: svchost.exe.0.dr, u2065u1c88??ua62e????ueea3????????u21ee?.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: svchost.exe.0.dr, uab4e??uf1c5????ufffd????????u25feue700?.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.0.svchost.exe.f80000.0.unpack, uab4e??uf1c5????ufffd????????u25feue700?.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.0.svchost.exe.f80000.0.unpack, u2065u1c88??ua62e????ueea3????????u21ee?.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 0.2.svchost.exe.f80000.0.unpack, uab4e??uf1c5????ufffd????????u25feue700?.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.2.svchost.exe.f80000.0.unpack, u2065u1c88??ua62e????ueea3????????u21ee?.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 1.2.svchost.exe.120000.0.unpack, uab4e??uf1c5????ufffd????????u25feue700?.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.2.svchost.exe.120000.0.unpack, u2065u1c88??ua62e????ueea3????????u21ee?.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 1.0.svchost.exe.120000.0.unpack, uab4e??uf1c5????ufffd????????u25feue700?.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 1.0.svchost.exe.120000.0.unpack, u2065u1c88??ua62e????ueea3????????u21ee?.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.0.svchost.exe.b40000.0.unpack, uab4e??uf1c5????ufffd????????u25feue700?.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 6.0.svchost.exe.b40000.0.unpack, u2065u1c88??ua62e????ueea3????????u21ee?.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')
Source: 6.2.svchost.exe.b40000.0.unpack, uab4e??uf1c5????ufffd????????u25feue700?.cs	Reference to suspicious API methods: ('????????????????????', 'LoadLibrary@kernel32.dll'), ('????????????????????', 'GetProcAddress@kernel32.dll')
Source: 6.2.svchost.exe.b40000.0.unpack, u2065u1c88??ua62e????ueea3????????u21ee?.cs	Reference to suspicious API methods: ('????????????????????', 'MapVirtualKeyEx@user32.dll')

Source: C:\Users\user\Desktop\svchost.exe

Process created: C:\Users\user\AppData\Roaming\SubDir\svchost.exe C:\Users\user\AppData\Roaming\SubDir\svchost.exe

Jump to behavior

Source: svchost.exe, 00000001.00000002.496782098.00000000012D0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.495721679.000002E2DA190000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: svchost.exe, 00000001.00000002.496782098.00000000012D0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.495721679.000002E2DA190000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000001.00000002.496782098.00000000012D0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.495721679.000002E2DA190000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: svchost.exe, 00000001.00000002.496782098.00000000012D0000.00000002.00000001.sdmp, svchost.exe, 0000000C.00000002.495721679.000002E2DA190000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\svchost.exe	Queries volume information: C:\Users\user\Desktop\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\SubDir\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\svchost.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 0000000F.00000002.496011875.0000020A03C40000.00000004.00000001.sdmp	Binary or memory string: ,@V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 0000000F.00000002.495963187.0000020A03C29000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: svchost.exe, type: SAMPLE
Source: Yara match	File source: 00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233358475.0000000007201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3008, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4884, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED
Source: Yara match	File source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Quasar RAT

Show sources

Source: Yara match	File source: svchost.exe, type: SAMPLE
Source: Yara match	File source: 00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.233358475.0000000007201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3008, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 3260, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4884, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, type: DROPPED
Source: Yara match	File source: 0.0.svchost.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.0.svchost.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.svchost.exe.b40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.svchost.exe.120000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.svchost.exe.f80000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection112	Masquerading111	OS Credential Dumping	Security Software Discovery131	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools11	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Hidden Files and Directories1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol12	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information11	Cached Domain Credentials	System Information Discovery22	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
svchost.exe	59%	Virustotal		Browse
svchost.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.Quasar
svchost.exe	100%	Avira	HEUR/AGEN.1135947
svchost.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Roaming\SubDir\svchost.exe	100%	Avira	HEUR/AGEN.1135947
C:\Users\user\AppData\Roaming\SubDir\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\SubDir\svchost.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.Quasar

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.0.svchost.exe.b40000.0.unpack	100%	Avira	HEUR/AGEN.1135947	Download File
6.2.svchost.exe.b40000.0.unpack	100%	Avira	HEUR/AGEN.1135947	Download File
0.0.svchost.exe.f80000.0.unpack	100%	Avira	HEUR/AGEN.1135947	Download File
1.2.svchost.exe.120000.0.unpack	100%	Avira	HEUR/AGEN.1135947	Download File
1.0.svchost.exe.120000.0.unpack	100%	Avira	HEUR/AGEN.1135947	Download File
0.2.svchost.exe.f80000.0.unpack	100%	Avira	HEUR/AGEN.1135947	Download File

Domains

Source	Detection	Scanner	Label	Link
telize.com	0%	Virustotal		Browse
www.telize.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.telize.com/geoip	1%	Virustotal		Browse
http://www.telize.com/geoip	0%	Avira URL Cloud	safe
http://freegeoip.net4Ok	0%	Avira URL Cloud	safe
http://telize.com	0%	Virustotal		Browse
http://telize.com	0%	Avira URL Cloud	safe
http://www.telize.comL	0%	Avira URL Cloud	safe
http://telize.com4Okt	0%	Avira URL Cloud	safe
http://www.telize.com4Ok	0%	Avira URL Cloud	safe
http://api.ipify.org4Okp%	0%	Avira URL Cloud	safe
http://telize.com/geoip	0%	Avira URL Cloud	safe
https://fs.micro	0%	Avira URL Cloud	safe
https://activity.windows.comr	0%	URL Reputation	safe
https://activity.windows.comr	0%	URL Reputation	safe
https://activity.windows.comr	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
https://dynamic.t	0%	URL Reputation	safe
http://www.telize.com	0%	Avira URL Cloud	safe
http://api.ipify.org4Ok	0%	Avira URL Cloud	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe
https://%s.dnet.xboxlive.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com	54.225.144.221	true	false		high
telize.com	88.198.193.213	true	true	0%, Virustotal, Browse	unknown
www.telize.com	88.198.193.213	true	true	0%, Virustotal, Browse	unknown
freegeoip.net	104.26.14.73	true	false		high
api.ipify.org	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.telize.com/geoip	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://api.ipify.org/	false		high
http://freegeoip.net/xml/	false		high
http://telize.com/geoip	true	Avira URL Cloud: safe	unknown
http://freegeoip.net/shutdown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	false		high
http://freegeoip.net4Ok	svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497667619.00000000028DC000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://corp.roblox.com/contact/	svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	false		high
http://elb097307-934924932.us-east-1.elb.amazonaws.com	svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497986587.0000000002923000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000D.00000002.306913950.000001B499442000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	false		high
http://telize.com	svchost.exe, 00000000.00000002.235080172.000000000376D000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497462469.0000000002891000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000D.00000003.306595113.000001B499449000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 0000000D.00000003.284768033.000001B499431000.00000004.00000001.sdmp	false		high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms	svchost.exe, 00000018.00000003.362894178.000001AB95602000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362877803.000001AB95145000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362803767.000001AB95166000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000D.00000002.306913950.000001B499442000.00000004.00000001.sdmp	false		high
http://www.telize.comL	svchost.exe, 00000001.00000002.497986587.0000000002923000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://appexmapsappupdate.blob.core.windows.net	svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	false		high
https://en.help.roblox.com/hc/en-us	svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp	false		high
http://freegeoip.net	svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497986587.0000000002923000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	svchost.exe, 00000000.00000002.235060012.000000000375A000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497462469.0000000002891000.00000004.00000001.sdmp	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000D.00000002.306870361.000001B499413000.00000004.00000001.sdmp	false		high
http://telize.com4Okt	svchost.exe, 00000000.00000002.235060012.000000000375A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	false		high
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	false		high
http://www.telize.com4Ok	svchost.exe, 00000000.00000002.235080172.000000000376D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://api.ipify.org4Okp%	svchost.exe, 00000001.00000002.497702778.00000000028E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000D.00000003.306619889.000001B499440000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	false		high
https://www.roblox.com/develop	svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp	false		high
https://fs.micro	svchost.exe, 00000007.00000002.500411007.0000017EF4261000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://instagram.com/hiddencity_	svchost.exe, 00000018.00000003.362894178.000001AB95602000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362877803.000001AB95145000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362803767.000001AB95166000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 0000000D.00000003.306619889.000001B499440000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000D.00000003.306619889.000001B499440000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.306938432.000001B49945C000.00000004.00000001.sdmp	false		high
https://activity.windows.comr	svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://corp.roblox.com/parents/	svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373496835.000001AB9515F000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373417252.000001AB9516F000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000D.00000002.306870361.000001B499413000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000002.306906520.000001B49943D000.00000004.00000001.sdmp	false		high
https://%s.xboxlive.com	svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000D.00000003.306572922.000001B49944C000.00000004.00000001.sdmp	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000D.00000003.284768033.000001B499431000.00000004.00000001.sdmp	false		high
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	false		high
http://api.ipify.org	svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497986587.0000000002923000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 0000000D.00000002.306938432.000001B49945C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	svchost.exe, 00000007.00000002.501216432.0000017EF4570000.00000002.00000001.sdmp	false		high
https://dynamic.t	svchost.exe, 0000000D.00000003.306550429.000001B499463000.00000004.00000001.sdmp, svchost.exe, 0000000D.00000003.306619889.000001B499440000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 0000000D.00000002.306898914.000001B49943A000.00000004.00000001.sdmp	false		high
https://www.roblox.com/info/privacy	svchost.exe, 00000018.00000003.373074547.000001AB95181000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.373306355.000001AB951A2000.00000004.00000001.sdmp	false		high
http://www.g5e.com/termsofservice	svchost.exe, 00000018.00000003.362894178.000001AB95602000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362877803.000001AB95145000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.362803767.000001AB95166000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000D.00000002.306938432.000001B49945C000.00000004.00000001.sdmp	false		high
http://www.telize.com	svchost.exe, 00000000.00000002.235080172.000000000376D000.00000004.00000001.sdmp, svchost.exe, 00000001.00000002.497631080.00000000028C9000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com	svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 0000000D.00000003.306562616.000001B499460000.00000004.00000001.sdmp	false		high
http://api.ipify.org4Ok	svchost.exe, 00000000.00000002.235087909.0000000003783000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://%s.dnet.xboxlive.com	svchost.exe, 0000000A.00000002.494956224.0000023C5083E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000D.00000003.306595113.000001B499449000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
139.196.56.98	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
88.198.193.213	telize.com	Germany	24940	HETZNER-ASDE	true
104.26.14.73	freegeoip.net	United States	13335	CLOUDFLARENETUS	false
54.225.144.221	elb097307-934924932.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
104.26.15.73	unknown	United States	13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	391310
Start date:	18.04.2021
Start time:	11:05:28
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	svchost.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@18/10@10/6
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 6
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.88.21.125, 204.79.197.200, 13.107.21.200, 20.82.210.154, 92.122.145.220, 52.255.188.83, 52.147.198.201, 13.64.90.137, 184.30.20.56, 92.122.213.194, 92.122.213.247, 2.20.142.210, 2.20.142.209, 52.155.217.156, 20.54.26.129, 20.50.102.62 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:06:22	API Interceptor	13x Sleep call for process: svchost.exe modified
11:06:25	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run svchost.exe "C:\Users\user\AppData\Roaming\SubDir\svchost.exe"
11:07:49	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
139.196.56.98	conn.exe	Get hash	malicious	Browse
88.198.193.213	conn.exe	Get hash	malicious	Browse	www.telize.com/geoip
	JwzZ6mkzIG.exe	Get hash	malicious	Browse	www.telize.com/geoip
	DRAFT-COPY-0409484-BILLLADING.exe	Get hash	malicious	Browse	www.telize.com/geoip
	SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe	Get hash	malicious	Browse	www.telize.com/geoip
104.26.14.73	NOVEMBER 2020 SALES TARGET.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	http://orfanatorenascer.com.br/techs/no.php	Get hash	malicious	Browse	freegeoip.net/shutdown
	Pos withdrawal reduced to 0.5%.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	53Glo Special Incentive.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	1SIM Serial File Upload on TPP.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	1HIGLIGHTS OF THE PAWAKAD AGENT CONFERENCE.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	25INVITATION TO QUICKTELLER NATIONAL AGENT FORUM.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	53ORSC Payment Adjustment.pd.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	7MTN Cards.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	53Channel List - Update Dec 2018.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	33NEW PRICE LIST- QT Paypoint.xlsx.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	7Channel List - Update Dec 2018.pd.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	62Nov 2018 New Festive Season Promo.xlsx.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	25SALES_SIMREG_INCENTIVE_OCTOBER_2018.xlsx.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	3OCTOBER COMMISSION.PD.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	24BVN Commision split.xlsx.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	66November Target Communication.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	53New Doc 2018-10-25 09.58.23.xls.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	66Agent Reg Form - standard Agent.pdf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown
	9Incentives Business Rules as at September_2018.rtf.exe	Get hash	malicious	Browse	freegeoip.net/shutdown

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
freegeoip.net	conn.exe	Get hash	malicious	Browse	104.26.15.73
	FMAudit.Installer_2172_511315624.exe	Get hash	malicious	Browse	104.26.15.73
	NOVEMBER 2020 SALES TARGET.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	JwzZ6mkzIG.exe	Get hash	malicious	Browse	104.26.15.73
	Partner Letter- DStv and GOtv Price Adjustment October 2020.pdf.exe	Get hash	malicious	Browse	104.26.15.73
	DRAFT-COPY-0409484-BILLLADING.exe	Get hash	malicious	Browse	104.26.15.73
	SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe	Get hash	malicious	Browse	172.67.75.176
	http://orfanatorenascer.com.br/techs/no.php	Get hash	malicious	Browse	104.26.14.73
	Pos withdrawal reduced to 0.5%.exe	Get hash	malicious	Browse	104.26.14.73
	ppp.exe	Get hash	malicious	Browse	172.67.75.176
	Paga Overview (Training Slide).pdf.exe	Get hash	malicious	Browse	172.67.75.176
	82019- DSTV SUBSCRIPTION RENEWAL.xlsx.exe	Get hash	malicious	Browse	104.26.15.73
	53Glo Special Incentive.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	13PREPAID DEALER CREDIT NOTE.PDF.exe	Get hash	malicious	Browse	104.26.15.73
	1SIM Serial File Upload on TPP.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	1HIGLIGHTS OF THE PAWAKAD AGENT CONFERENCE.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	57NOVEMBER PAY OUT.pdf.exe	Get hash	malicious	Browse	104.26.15.73
	25INVITATION TO QUICKTELLER NATIONAL AGENT FORUM.pdf.exe	Get hash	malicious	Browse	104.26.14.73
	20New Price on Quickteller Paypoint.pdf.exe	Get hash	malicious	Browse	104.26.15.73
	53ORSC Payment Adjustment.pd.exe	Get hash	malicious	Browse	104.26.14.73
telize.com	conn.exe	Get hash	malicious	Browse	88.198.193.213
	JwzZ6mkzIG.exe	Get hash	malicious	Browse	88.198.193.213
	DRAFT-COPY-0409484-BILLLADING.exe	Get hash	malicious	Browse	88.198.193.213
	SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe	Get hash	malicious	Browse	88.198.193.213
	pKzpc3T89w.exe	Get hash	malicious	Browse	159.203.157.217
elb097307-934924932.us-east-1.elb.amazonaws.com	Ficker.exe	Get hash	malicious	Browse	54.225.222.160
	H7YgdxkWKW.exe	Get hash	malicious	Browse	107.22.233.72
	JSChk2v3o9.exe	Get hash	malicious	Browse	54.225.144.221
	K7is14GW1m.exe	Get hash	malicious	Browse	54.235.83.248
	EARTH SUMMT#U2013MAR21-V01VC.exe	Get hash	malicious	Browse	54.243.121.36
	EARTH SUMMTMAR21-V01VC.exe	Get hash	malicious	Browse	54.225.144.221
	wermgr.dll	Get hash	malicious	Browse	54.225.157.230
	0413_7089427210993.doc	Get hash	malicious	Browse	50.19.96.218
	plumbus.rik.dll	Get hash	malicious	Browse	54.225.157.230
	Quot_466378-09.exe	Get hash	malicious	Browse	54.225.165.85
	MTCC169.DLL	Get hash	malicious	Browse	54.225.222.160
	yHm3PFVYHK.exe	Get hash	malicious	Browse	54.221.253.252
	C++ Dropper.exe	Get hash	malicious	Browse	50.19.96.218
	IntegraL.exe	Get hash	malicious	Browse	23.21.252.4
	UbhjHs1ak0.exe	Get hash	malicious	Browse	50.19.252.36
	wininit.dll	Get hash	malicious	Browse	50.19.252.36
	0408_391585988029.doc	Get hash	malicious	Browse	54.221.253.252
	msals.pumpl.dll	Get hash	malicious	Browse	54.235.83.248
	frox0cheats.exe	Get hash	malicious	Browse	54.225.222.160
	Lucky_Execute.exe	Get hash	malicious	Browse	23.21.140.41
www.telize.com	conn.exe	Get hash	malicious	Browse	88.198.193.213
	JwzZ6mkzIG.exe	Get hash	malicious	Browse	88.198.193.213
	DRAFT-COPY-0409484-BILLLADING.exe	Get hash	malicious	Browse	88.198.193.213
	SecuriteInfo.com.BackDoor.QuasarNET.1.21320.exe	Get hash	malicious	Browse	88.198.193.213
	pKzpc3T89w.exe	Get hash	malicious	Browse	159.203.157.217

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	plugin.exe	Get hash	malicious	Browse	1.15.178.39
	plugin.exe	Get hash	malicious	Browse	1.15.178.39
	spjYwLgrAT.exe	Get hash	malicious	Browse	172.67.197.238
	g1pr13E0Pl.exe	Get hash	malicious	Browse	104.21.18.24
	spjYwLgrAT.exe	Get hash	malicious	Browse	104.21.21.100
	tOoumozZw6.exe	Get hash	malicious	Browse	104.22.19.188
	jugOYmJLWt.exe	Get hash	malicious	Browse	104.26.9.187
	JSChk2v3o9.exe	Get hash	malicious	Browse	162.159.137.232
	K7is14GW1m.exe	Get hash	malicious	Browse	162.159.128.233
	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	1.2.3.1
	02ca4397da55b3175aaa1ad2c99981e792f66151.exe	Get hash	malicious	Browse	1.2.3.1
	SecuriteInfo.com.Trojan.GenericKD.36723138.25861.exe	Get hash	malicious	Browse	172.67.188.154
	KdLJVb0Aoi.dll	Get hash	malicious	Browse	104.20.185.68
	Jpsq8xSzdT.dll	Get hash	malicious	Browse	104.20.184.68
	riqZtDR8j7.exe	Get hash	malicious	Browse	104.22.18.188
	iIEubyMSNa.exe	Get hash	malicious	Browse	104.22.19.188
	7yZsRpugG2.exe	Get hash	malicious	Browse	104.17.62.50
	R31iR6jQNF.exe	Get hash	malicious	Browse	104.21.9.70
	New Purchase Order - VINEY2104A.exe	Get hash	malicious	Browse	104.21.19.200
	36n6PEjkoB.dll	Get hash	malicious	Browse	104.20.185.68
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	Fax scanned 14-04-2021.exe	Get hash	malicious	Browse	106.14.204.254
	RFQ-14042021 Guangzhou Haotian Equipment Technology Co., Ltd,pdf.exe	Get hash	malicious	Browse	39.97.111.87
	Design Template.exe	Get hash	malicious	Browse	47.105.113.141
	#U5927#U5b66#U5b9e#U4e60#U8bc1#U660e#U6a21#U677f_25247474.exe	Get hash	malicious	Browse	60.205.177.239
	0BAdCQQVtP.exe	Get hash	malicious	Browse	101.200.46.73
	invoice.xlsx	Get hash	malicious	Browse	101.200.46.73
	RFQ # 1014397402856.pdf.exe	Get hash	malicious	Browse	47.108.93.46
	flashplayerpp_install_cn_fc.exe	Get hash	malicious	Browse	8.140.42.191
	flashplayerpp_install_cn_fc.exe	Get hash	malicious	Browse	8.140.42.191
	#U957f#U6c5f#U73af#U4fdd#U751f#U6001#U7cfb#U7edf-#U80e1#U7433#U7433-#U4e2a#U4eba#U7b80#U5386.exe	Get hash	malicious	Browse	8.140.42.191
	sminer-release.apk	Get hash	malicious	Browse	47.110.72.33
	sminer-release.apk	Get hash	malicious	Browse	115.29.224.218
	bcex.apk.1	Get hash	malicious	Browse	47.110.54.228
	SecuriteInfo.com.Trojan.DownLoader33.21549.24434.exe	Get hash	malicious	Browse	47.103.219.77
	1.sh	Get hash	malicious	Browse	182.94.163.240
	conn.exe	Get hash	malicious	Browse	139.196.56.98
	qzinl7qkwD.exe	Get hash	malicious	Browse	101.200.185.27
	z2xQEFs54b.exe	Get hash	malicious	Browse	101.200.0.178
	qzinl7qkwD.exe	Get hash	malicious	Browse	101.200.185.27
	xGUWss9eaF.exe	Get hash	malicious	Browse	203.107.32.162
HETZNER-ASDE	SecuriteInfo.com.Dropped.Trojan.GenericKD.46121735.25361.exe	Get hash	malicious	Browse	88.99.66.31
	filename.exe	Get hash	malicious	Browse	195.201.225.248
	2JyYZqEgJL.dll	Get hash	malicious	Browse	188.40.137.206
	TmoXDQEE5J.dll	Get hash	malicious	Browse	188.40.137.206
	Bmo71Io2bR.dll	Get hash	malicious	Browse	188.40.137.206
	zYylSBvwcZ.dll	Get hash	malicious	Browse	188.40.137.206
	xuXIetZvv6.exe	Get hash	malicious	Browse	144.76.38.100
	l5PW2UKLkw.dll	Get hash	malicious	Browse	188.40.137.206
	igMZrCyt4Q.dll	Get hash	malicious	Browse	188.40.137.206
	PU59F5roaG.dll	Get hash	malicious	Browse	188.40.137.206
	Q3KMmBoCpD.dll	Get hash	malicious	Browse	188.40.137.206
	exiMrBQk6v.dll	Get hash	malicious	Browse	188.40.137.206
	uS03ag763u.dll	Get hash	malicious	Browse	188.40.137.206
	TNA8CwIp4C.dll	Get hash	malicious	Browse	188.40.137.206
	8251Q778r4.dll	Get hash	malicious	Browse	188.40.137.206
	5NSbI8GXVU.dll	Get hash	malicious	Browse	188.40.137.206
	WI5pvc2Fqv.dll	Get hash	malicious	Browse	188.40.137.206
	kokvQi6t3N.exe	Get hash	malicious	Browse	195.201.225.248
	WjWbIV3832.dll	Get hash	malicious	Browse	188.40.137.206
	JKqDs8A3zR.dll	Get hash	malicious	Browse	188.40.137.206

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.5985616952512959
Encrypted:	false
SSDEEP:	6:bbq4/Mk1GaD0JOCEfMuaaD0JOCEfMKQmD24b+1Al/gz2cE0fMbhEZolrRSQ2hyYp:bb57GaD0JcaaD0JwQQdb+1Ag/0bjSQJ
MD5:	4429205BEBF71211FC8D6B75C2C44679
SHA1:	A639A62FA690457E850E86064FB46FD1062C7450
SHA-256:	9BF33E2B2E5A916CBC5489E7EEB37F88D93026119E043A9F69DC3BB81E65754D
SHA-512:	DB522F82F0539CCB690DC1A159252B7EB86472934FC206A3AD141373576E9571F6BB1EB452A1A6E63C2DA6AF693BE9EC68038C63436D1642E2BB12BB278566B8
Malicious:	false
Preview:	....E..h..(....."....y5.............. ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@..................."....y5...........&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xc7ca7639, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.09607086613855902
Encrypted:	false
SSDEEP:	6:XFGzwl/+q3KKn8RIE11Y8TRXVK3lkK5FGzwl/+q3KKn8RIE11Y8TRXVK3lkK:w0+0n8O4bloVkKS0+0n8O4bloVkK
MD5:	68873EFB457E2C02A980708662AEB0D1
SHA1:	3746A17F74A9A7EEB7DA41E592AC0CE702D7535B
SHA-256:	3F778185CFE0AF5C6693B88509EF1D8D936AAC6F0CB26D4A5202087F17D9BAD2
SHA-512:	A5E90602ECF4119F6BA7689BDA8FA12C1C46B191C2F179371060D8D2CB38B23C5E8C1B716B61E44917CA0A804D1C8043EC40C137F333AB3E76AB134C55776A4C
Malicious:	false
Preview:	..v9... ................e.f.3...w........................&..........w.."....y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w........................................................................................................................................................................................................................................."....y..................(..."....y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.11069716750089711
Encrypted:	false
SSDEEP:	3:Lk/TEvHLrjSXl/bJdAtiN9v4ll:o/aHj8t4r
MD5:	75AA7B3E3C74668583B462915CB785F6
SHA1:	A43A60E0DFFA7E8CA456118B82BCC9F29532842E
SHA-256:	D991B555EB94E78E23C4DE959676140B086C3FBE6809D55F4A5649E63AD9239B
SHA-512:	E2EA87A1E33D9CF1C29A1F9E21906637794283EB55AAC3A582CE187726C736D2802774D757685CA0C780F6BB47EF4A95DA3302602660CBB9D2EC1480451B34EE
Malicious:	false
Preview:	.........................................3...w.."....y.......w...............w.......w....:O.....w..................(..."....y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log Download File
Process:	C:\Users\user\Desktop\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1453
Entropy (8bit):	5.358969169113039
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhmsXE4qtE4KBLbE4KnKIE4oKFKHKoZAn:MIHK5HKXE1qHiYHKhQnoNHmHKBfHKntj
MD5:	FA0295B064840088BD670D47F29F47C7
SHA1:	284A654DD42003068680A8864ECCE202BBA81335
SHA-256:	541442AC84E58ABC2D2075BA43AA46F9223A21596D26E79257D6F70A97B0A235
SHA-512:	D517E3B3CDD3EB8CC36E3E4810B8AAF2E81082BB5505DC0C22D965A754ABD12A9F49FE427C948409162D52B84D698CF31559A57B105C42017D9144059B84392E
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\34957343ad5d84daee97a1affda91665\System.Runtime.Serialization.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, Publi

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\SyncVerbose.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11134717673944829
Encrypted:	false
SSDEEP:	12:ddXjXm/Ey6q9995g7hekXg1Q10nMCldimE8eawHjcV6XX:fKl68i7EcyMCldzE9BHjcV6H
MD5:	BD97AB73F32082DB49CC1DDB986F1269
SHA1:	C10B42C4D09BA460959C80425C592BC15102BABD
SHA-256:	C98B113E618E6887F2261353B660749EFED91936EDD6AFCBE73076F96AD8F754
SHA-512:	2A89F53F7FAEA66BFA6CC51AEF3E35925F0018BD4BC479D0F1AFA73F0069EE6985139863179D848FAFC66F782AFD55991036380C39343EB698FB9183789617CA
Malicious:	false
Preview:	................................................................................$.......F........................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..............................................................0..... .........}4..........S.y.n.c.V.e.r.b.o.s.e...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.S.y.n.c.V.e.r.b.o.s.e...e.t.l...........P.P.$.......................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCircular.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11390049877033066
Encrypted:	false
SSDEEP:	12:OCgXjXm/Ey6q9995g7O1miUkXg1Q10nMCldimE8eawHza1miIasXH:OCgKl68i7O1tUcyMCldzE9BHza1tI93
MD5:	EDDA2D58DDF3638637EBD43BA1FAC563
SHA1:	492466FC2EB2CEE2B4C3F0641ADF37B98280367A
SHA-256:	BEBECEC42B46EF8FA677BFA330D77363AD4D8773497E2DC08A2302188AAAB214
SHA-512:	E1ADD4AAF10F2850C4B6FE23B91D0330942B1C1B867F894F6BF786DC508A584FFBC3D5977B7E28EEAF6B848F1A0335AE71509143CB77A17688D2D93FDCDFE4F4
Malicious:	false
Preview:	............................................................................ ...$................................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..............................................................0..... .....~...}4..........U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.i.r.c.u.l.a.r...e.t.l.......P.P.$.......................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.11363151078101033
Encrypted:	false
SSDEEP:	24:OCnt+lKl68i7U1i1cyMCldzE9BHza180l3:Ht+eu7U1i1cyXETHza11F
MD5:	AAF14E8C7E5D2095FCF50DE8CF750647
SHA1:	FD2C1486908A83D5D09E59C0D9EB516DBA928BD6
SHA-256:	341B990B57B0431B1FD86D9591F6343AD370E3C800084FA3D8C3E5AA5EE20BC5
SHA-512:	6EBFABC104067647916E954ACA3C16CE16516B3839BE5010824CD039010798E202F103369BB6224E1F74F7390A3D37731173566AD8C27D18D25CF542F45748C8
Malicious:	false
Preview:	............................................................................ ...$.......x1.......................B..............Zb..................................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1..............................................................0..... .....p5..}4..........U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...C.:.\.U.s.e.r.s.\.f.r.o.n.t.d.e.s.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.p.a.c.k.a.g.e.s.\.A.c.t.i.v.e.S.y.n.c.\.L.o.c.a.l.S.t.a.t.e.\.D.i.a.g.O.u.t.p.u.t.D.i.r.\.U.n.i.s.t.a.c.k.C.r.i.t.i.c.a.l...e.t.l.......P.P.$........D..............................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\SubDir\svchost.exe Download File
Process:	C:\Users\user\Desktop\svchost.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	273920
Entropy (8bit):	6.412206183721352
Encrypted:	false
SSDEEP:	6144:aVMGrLEjbxEyMnQMvJ5BAMbj08IQGQefOX:fahJ/l0VVa
MD5:	275D9F11168D6B0A8369DC5A9FF0F7EA
SHA1:	AB18DF17E0E0B234730CF1C9119268F49923C8BB
SHA-256:	B3D9C42CE3ABED0EEA37473F512E3A573A2F7E29F3EAA203DCC1572D733FF898
SHA-512:	6FB49E6E56F5387CA510FD93FF7336A218452917129A8E1602975A08556980004B2B13A57EEE039EFF5F77103EE2350ADB366988ED414021E7BC3F9935C3A297
Malicious:	true
Yara Hits:	Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L[`................. ...........?... ........@.. ....................................@.................................L?..O....@.......................`....................................................... ............... ..H............text........ ... .................. ..`.rsrc........@......."..............@..@.reloc.......`.......,..............@..B.................?......H........Z..`.......K....U..H............................................0..................%.....(....}.....(.....(....9....... ...(.....(....i(.........j.(................(.....(.....o....}....(.....{.......o....r...po....,.r!..ps....z.{.....4.,.rg..ps....z.....(.....}.......8.(....}.....{....s.....s....(....-...j}......dj(.....0..3...............`,..j.j...Y...+...b.{......X.n`...X...1....0............X...........Y............`,..j..3....{........_...(....*...3........

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	data
Category:	modified
Size (bytes):	906
Entropy (8bit):	3.1516038956581127
Encrypted:	false
SSDEEP:	12:58KRBubdpkoF1AG3rZEugCDk9+MlWlLehB4yAq7ejC4EugCO:OaqdmuF3r4CY+kWReH4yJ7MgCO
MD5:	A9312B1A24D59BE6DAC4F9CFBC81B486
SHA1:	747B7B4DABD8325B31592BE9BE56718C64E314D4
SHA-256:	ADBB3AC8F9037EF8EA4B389B39BA488C17B32EB68B28029228294B95FF5B9432
SHA-512:	80A7EFEBEA9E8190AC5633B430EF14926ADA27FE3CEA7E824AE7472B333B6CE74316E8F4875ECDDD577F4D564A9CAC16D948F96F4E7F93A53C961EFF38ACB392
Malicious:	false
Preview:	........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. S.u.n. .. A.p.r. .. 1.8. .. 2.0.2.1. .1.1.:.0.7.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. S.u.n. .. A.p.r. .. 1.8. .. 2.0.2.1. .1.1.:.0.7.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.412206183721352
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	svchost.exe
File size:	273920
MD5:	275d9f11168d6b0a8369dc5a9ff0f7ea
SHA1:	ab18df17e0e0b234730cf1c9119268f49923c8bb
SHA256:	b3d9c42ce3abed0eea37473f512e3a573a2f7e29f3eaa203dcc1572d733ff898
SHA512:	6fb49e6e56f5387ca510fd93ff7336a218452917129a8e1602975a08556980004b2b13a57eee039eff5f77103ee2350adb366988ed414021e7bc3f9935c3a297
SSDEEP:	6144:aVMGrLEjbxEyMnQMvJ5BAMbj08IQGQefOX:fahJ/l0VVa
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L[`................. ...........?... ........@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x443f9e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x605B4CB7 [Wed Mar 24 14:29:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add al, byte ptr [eax]
adc byte ptr [eax], al
add byte ptr [eax], al
and byte ptr [eax], al
add byte ptr [eax+00000018h], al
cmp byte ptr [eax], al
add byte ptr [eax+00000000h], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
push eax
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add dword ptr [eax], eax
add byte ptr [eax], al
push 00800000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43f4c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x44000	0x8a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x46000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x41fa4	0x42000	False	0.522142814867	data	6.42081279008	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x44000	0x8a4	0xa00	False	0.385546875	data	5.23637925711	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x46000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x440a0	0x2bc	data
RT_MANIFEST	0x4435c	0x545	XML 1.0 document, UTF-8 Unicode (with BOM) text

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright
Assembly Version	1.2.2.2
InternalName
FileVersion	1.2.2.2
CompanyName
LegalTrademarks
ProductName	svchost.exe
ProductVersion	1.2.2.2
FileDescription	Windows
OriginalFilename

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2021 11:06:21.494362116 CEST	49702	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.562732935 CEST	80	49702	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.563342094 CEST	49702	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.563847065 CEST	49702	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.633807898 CEST	80	49702	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.633836031 CEST	80	49702	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.706736088 CEST	49703	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.753843069 CEST	49702	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.774101973 CEST	80	49703	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.774317026 CEST	49703	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.774736881 CEST	49703	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.843945980 CEST	80	49703	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.843978882 CEST	80	49703	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.844142914 CEST	49703	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.851537943 CEST	49703	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.852590084 CEST	49704	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.918982029 CEST	80	49703	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.919126034 CEST	80	49704	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.919190884 CEST	49704	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.919517994 CEST	49704	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.986080885 CEST	80	49704	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.986165047 CEST	80	49704	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:21.986295938 CEST	49704	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:21.986437082 CEST	49704	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:22.055157900 CEST	80	49704	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:22.074378014 CEST	49705	80	192.168.2.7	104.26.14.73
Apr 18, 2021 11:06:22.115134954 CEST	80	49705	104.26.14.73	192.168.2.7
Apr 18, 2021 11:06:22.115433931 CEST	49705	80	192.168.2.7	104.26.14.73
Apr 18, 2021 11:06:22.115767956 CEST	49705	80	192.168.2.7	104.26.14.73
Apr 18, 2021 11:06:22.156495094 CEST	80	49705	104.26.14.73	192.168.2.7
Apr 18, 2021 11:06:22.163099051 CEST	80	49705	104.26.14.73	192.168.2.7
Apr 18, 2021 11:06:22.169833899 CEST	49705	80	192.168.2.7	104.26.14.73
Apr 18, 2021 11:06:22.210572004 CEST	80	49705	104.26.14.73	192.168.2.7
Apr 18, 2021 11:06:22.215786934 CEST	80	49705	104.26.14.73	192.168.2.7
Apr 18, 2021 11:06:22.215821981 CEST	80	49705	104.26.14.73	192.168.2.7
Apr 18, 2021 11:06:22.215838909 CEST	80	49705	104.26.14.73	192.168.2.7
Apr 18, 2021 11:06:22.215900898 CEST	49705	80	192.168.2.7	104.26.14.73
Apr 18, 2021 11:06:22.384795904 CEST	49707	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:06:22.512598038 CEST	80	49707	54.225.144.221	192.168.2.7
Apr 18, 2021 11:06:22.512748957 CEST	49707	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:06:22.513216019 CEST	49707	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:06:22.640191078 CEST	80	49707	54.225.144.221	192.168.2.7
Apr 18, 2021 11:06:22.652966976 CEST	80	49707	54.225.144.221	192.168.2.7
Apr 18, 2021 11:06:22.753966093 CEST	49707	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:06:23.057065010 CEST	49702	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:23.057877064 CEST	49705	80	192.168.2.7	104.26.14.73
Apr 18, 2021 11:06:23.059627056 CEST	49707	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:06:24.326458931 CEST	49709	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.401720047 CEST	80	49709	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.401988029 CEST	49709	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.402847052 CEST	49709	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.471071959 CEST	80	49709	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.471179008 CEST	80	49709	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.528491974 CEST	49710	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.566617012 CEST	49709	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.596116066 CEST	80	49710	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.596602917 CEST	49710	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.596831083 CEST	49710	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.666589022 CEST	80	49710	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.666655064 CEST	80	49710	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.666919947 CEST	49710	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.667495012 CEST	49710	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.668540955 CEST	49711	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.735028028 CEST	80	49710	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.737020016 CEST	80	49711	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.737220049 CEST	49711	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.738730907 CEST	49711	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.807096004 CEST	80	49711	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.807137966 CEST	80	49711	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.807266951 CEST	49711	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.807527065 CEST	49711	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:06:24.875746012 CEST	80	49711	88.198.193.213	192.168.2.7
Apr 18, 2021 11:06:24.962908030 CEST	49712	80	192.168.2.7	104.26.15.73
Apr 18, 2021 11:06:25.003844976 CEST	80	49712	104.26.15.73	192.168.2.7
Apr 18, 2021 11:06:25.004276037 CEST	49712	80	192.168.2.7	104.26.15.73
Apr 18, 2021 11:06:25.004817009 CEST	49712	80	192.168.2.7	104.26.15.73
Apr 18, 2021 11:06:25.046899080 CEST	80	49712	104.26.15.73	192.168.2.7
Apr 18, 2021 11:06:25.051582098 CEST	80	49712	104.26.15.73	192.168.2.7
Apr 18, 2021 11:06:25.053112030 CEST	49712	80	192.168.2.7	104.26.15.73
Apr 18, 2021 11:06:25.096122980 CEST	80	49712	104.26.15.73	192.168.2.7
Apr 18, 2021 11:06:25.103585005 CEST	80	49712	104.26.15.73	192.168.2.7
Apr 18, 2021 11:06:25.103619099 CEST	80	49712	104.26.15.73	192.168.2.7
Apr 18, 2021 11:06:25.103635073 CEST	80	49712	104.26.15.73	192.168.2.7
Apr 18, 2021 11:06:25.103861094 CEST	49712	80	192.168.2.7	104.26.15.73
Apr 18, 2021 11:06:25.225686073 CEST	49714	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:06:25.353169918 CEST	80	49714	54.225.144.221	192.168.2.7
Apr 18, 2021 11:06:25.353331089 CEST	49714	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:06:25.354588985 CEST	49714	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:06:25.481961966 CEST	80	49714	54.225.144.221	192.168.2.7
Apr 18, 2021 11:06:25.484994888 CEST	80	49714	54.225.144.221	192.168.2.7
Apr 18, 2021 11:06:25.660418034 CEST	49714	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:06:25.782814980 CEST	49715	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:26.032743931 CEST	47822	49715	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:26.644915104 CEST	49715	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:26.894496918 CEST	47822	49715	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:27.457436085 CEST	49715	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:27.705235004 CEST	47822	49715	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:32.349697113 CEST	49722	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:32.602838993 CEST	47822	49722	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:33.161092043 CEST	49722	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:33.414061069 CEST	47822	49722	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:34.067401886 CEST	49722	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:34.320441008 CEST	47822	49722	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:38.539330959 CEST	49729	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:38.789248943 CEST	47822	49729	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:39.458509922 CEST	49729	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:39.705805063 CEST	47822	49729	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:40.255388975 CEST	49729	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:40.502846003 CEST	47822	49729	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:44.585345030 CEST	49733	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:44.850260019 CEST	47822	49733	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:45.365231037 CEST	49733	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:45.628422022 CEST	47822	49733	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:46.130948067 CEST	49733	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:46.395518064 CEST	47822	49733	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:50.269411087 CEST	49734	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:50.528352022 CEST	47822	49734	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:51.034316063 CEST	49734	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:51.293200016 CEST	47822	49734	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:51.800004005 CEST	49734	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:52.058810949 CEST	47822	49734	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:56.350718975 CEST	49737	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:56.603456974 CEST	47822	49737	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:57.191076994 CEST	49737	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:57.444276094 CEST	47822	49737	139.196.56.98	192.168.2.7
Apr 18, 2021 11:06:58.003623009 CEST	49737	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:06:58.256409883 CEST	47822	49737	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:02.411403894 CEST	49738	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:02.674776077 CEST	47822	49738	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:03.191546917 CEST	49738	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:03.455013037 CEST	47822	49738	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:04.004137039 CEST	49738	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:04.267760992 CEST	47822	49738	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:08.177468061 CEST	49741	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:08.424694061 CEST	47822	49741	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:08.926386118 CEST	49741	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:09.175192118 CEST	47822	49741	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:09.676479101 CEST	49741	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:09.924395084 CEST	47822	49741	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:14.037775993 CEST	49742	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:14.288084030 CEST	47822	49742	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:14.801980972 CEST	49742	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:15.053222895 CEST	47822	49742	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:15.567636013 CEST	49742	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:15.815392971 CEST	47822	49742	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:19.914993048 CEST	49743	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:20.163125038 CEST	47822	49743	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:20.668658972 CEST	49743	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:20.918535948 CEST	47822	49743	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:21.427484035 CEST	49743	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:21.676372051 CEST	47822	49743	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:24.541115999 CEST	80	49714	54.225.144.221	192.168.2.7
Apr 18, 2021 11:07:24.541707039 CEST	49714	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:07:25.709933043 CEST	49752	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:25.963542938 CEST	47822	49752	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:26.474791050 CEST	49752	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:26.728488922 CEST	47822	49752	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:27.240415096 CEST	49752	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:27.493999958 CEST	47822	49752	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:31.710537910 CEST	49756	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:31.957691908 CEST	47822	49756	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:32.459625959 CEST	49756	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:32.706891060 CEST	47822	49756	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:33.209676027 CEST	49756	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:33.456968069 CEST	47822	49756	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:37.539378881 CEST	49762	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:37.786066055 CEST	47822	49762	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:38.288212061 CEST	49762	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:38.534704924 CEST	47822	49762	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:39.038259983 CEST	49762	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:39.284953117 CEST	47822	49762	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:39.469115019 CEST	80	49709	88.198.193.213	192.168.2.7
Apr 18, 2021 11:07:39.469202042 CEST	49709	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:07:43.102751017 CEST	49763	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:43.351824999 CEST	47822	49763	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:43.866846085 CEST	49763	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:44.116519928 CEST	47822	49763	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:44.616899014 CEST	49763	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:44.868508101 CEST	47822	49763	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:49.399924040 CEST	49764	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:49.654978037 CEST	47822	49764	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:50.164195061 CEST	49764	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:50.420929909 CEST	47822	49764	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:50.930085897 CEST	49764	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:51.185475111 CEST	47822	49764	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:54.994868040 CEST	49765	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:55.244865894 CEST	47822	49765	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:55.758466005 CEST	49765	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:56.009545088 CEST	47822	49765	139.196.56.98	192.168.2.7
Apr 18, 2021 11:07:56.524174929 CEST	49765	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:07:56.773257971 CEST	47822	49765	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:00.932163954 CEST	49766	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:01.187998056 CEST	47822	49766	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:01.696456909 CEST	49766	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:01.950126886 CEST	47822	49766	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:02.462126017 CEST	49766	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:02.717281103 CEST	47822	49766	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:04.496778011 CEST	49709	80	192.168.2.7	88.198.193.213
Apr 18, 2021 11:08:04.564858913 CEST	80	49709	88.198.193.213	192.168.2.7
Apr 18, 2021 11:08:05.150374889 CEST	49712	80	192.168.2.7	104.26.15.73
Apr 18, 2021 11:08:05.191466093 CEST	80	49712	104.26.15.73	192.168.2.7
Apr 18, 2021 11:08:05.192910910 CEST	49712	80	192.168.2.7	104.26.15.73
Apr 18, 2021 11:08:05.462794065 CEST	49714	80	192.168.2.7	54.225.144.221
Apr 18, 2021 11:08:05.590483904 CEST	80	49714	54.225.144.221	192.168.2.7
Apr 18, 2021 11:08:06.768659115 CEST	49768	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:07.035305977 CEST	47822	49768	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:07.540676117 CEST	49768	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:07.805144072 CEST	47822	49768	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:08.306369066 CEST	49768	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:08.571161985 CEST	47822	49768	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:12.777981997 CEST	49770	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:13.028480053 CEST	47822	49770	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:13.541197062 CEST	49770	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:13.789690971 CEST	47822	49770	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:14.291248083 CEST	49770	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:14.540647030 CEST	47822	49770	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:18.638125896 CEST	49771	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:18.908061028 CEST	47822	49771	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:19.416651964 CEST	49771	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:19.686547041 CEST	47822	49771	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:20.198029041 CEST	49771	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:20.468029976 CEST	47822	49771	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:24.574124098 CEST	49772	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:24.827941895 CEST	47822	49772	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:25.339106083 CEST	49772	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:25.593023062 CEST	47822	49772	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:26.104902029 CEST	49772	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:26.358911037 CEST	47822	49772	139.196.56.98	192.168.2.7
Apr 18, 2021 11:08:30.284722090 CEST	49773	47822	192.168.2.7	139.196.56.98
Apr 18, 2021 11:08:30.533406973 CEST	47822	49773	139.196.56.98	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 18, 2021 11:06:11.814841032 CEST	62452	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:11.869658947 CEST	53	62452	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:12.713027954 CEST	57820	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:12.770174980 CEST	53	57820	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:12.824645996 CEST	50848	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:12.873300076 CEST	53	50848	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:13.115824938 CEST	61242	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:13.164463997 CEST	53	61242	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:14.213234901 CEST	58562	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:14.266730070 CEST	53	58562	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:15.562263012 CEST	56590	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:15.622020006 CEST	53	56590	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:16.998147011 CEST	60501	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:17.046978951 CEST	53	60501	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:18.696362972 CEST	53775	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:18.745126009 CEST	53	53775	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:19.533318996 CEST	51837	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:19.585906982 CEST	53	51837	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:20.889254093 CEST	55411	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:20.939359903 CEST	53	55411	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:21.287205935 CEST	63668	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:21.466551065 CEST	53	63668	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:21.656793118 CEST	54640	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:21.705435991 CEST	53	54640	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:22.010683060 CEST	58739	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:22.067981005 CEST	60338	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:22.072565079 CEST	53	58739	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:22.119529009 CEST	53	60338	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:22.271526098 CEST	58717	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:22.323796034 CEST	53	58717	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:22.334103107 CEST	59762	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:22.383488894 CEST	53	59762	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:24.180213928 CEST	54329	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:24.228873014 CEST	53	54329	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:24.242127895 CEST	58052	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:24.299067020 CEST	53	58052	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:24.478154898 CEST	54008	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:24.526839972 CEST	53	54008	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:24.899523973 CEST	59451	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:24.961105108 CEST	53	59451	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:25.051409006 CEST	52914	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:25.113876104 CEST	64569	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:25.114044905 CEST	53	52914	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:25.166945934 CEST	53	64569	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:25.174091101 CEST	52816	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:25.222827911 CEST	53	52816	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:26.788196087 CEST	50781	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:26.836918116 CEST	53	50781	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:27.701639891 CEST	54230	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:27.750289917 CEST	53	54230	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:28.822141886 CEST	54911	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:28.870763063 CEST	53	54911	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:29.654670000 CEST	49958	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:29.703332901 CEST	53	49958	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:30.863683939 CEST	50860	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:30.914313078 CEST	53	50860	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:31.965459108 CEST	50452	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:32.014213085 CEST	53	50452	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:33.143385887 CEST	59730	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:33.200344086 CEST	53	59730	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:35.730523109 CEST	59310	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:35.781279087 CEST	53	59310	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:37.469710112 CEST	51919	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:37.523643017 CEST	53	51919	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:38.204469919 CEST	64296	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:38.292412043 CEST	53	64296	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:38.765930891 CEST	56680	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:38.817363024 CEST	53	56680	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:39.930253029 CEST	58820	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:39.978981972 CEST	53	58820	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:40.965157032 CEST	60983	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:41.017698050 CEST	53	60983	8.8.8.8	192.168.2.7
Apr 18, 2021 11:06:51.994281054 CEST	49247	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:06:52.042989969 CEST	53	49247	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:04.931982040 CEST	52286	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:05.001601934 CEST	53	52286	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:07.927110910 CEST	56064	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:07.990833044 CEST	53	56064	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:20.765336037 CEST	63744	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:20.822886944 CEST	53	63744	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:21.408083916 CEST	61457	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:21.466909885 CEST	53	61457	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:21.902149916 CEST	58367	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:21.959013939 CEST	53	58367	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:22.059086084 CEST	60599	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:22.118999958 CEST	53	60599	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:22.594736099 CEST	59571	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:22.654048920 CEST	53	59571	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:23.222193003 CEST	52689	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:23.279529095 CEST	53	52689	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:23.877644062 CEST	50290	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:23.934741020 CEST	53	50290	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:24.877662897 CEST	60427	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:24.937658072 CEST	53	60427	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:26.545903921 CEST	56209	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:26.602670908 CEST	53	56209	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:27.471949100 CEST	59582	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:27.529036999 CEST	53	59582	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:28.180499077 CEST	60949	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:28.232075930 CEST	53	60949	8.8.8.8	192.168.2.7
Apr 18, 2021 11:07:33.616816998 CEST	58542	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:07:33.680224895 CEST	53	58542	8.8.8.8	192.168.2.7
Apr 18, 2021 11:08:06.565124035 CEST	59179	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:08:06.613732100 CEST	53	59179	8.8.8.8	192.168.2.7
Apr 18, 2021 11:08:08.937618971 CEST	60927	53	192.168.2.7	8.8.8.8
Apr 18, 2021 11:08:09.012366056 CEST	53	60927	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 18, 2021 11:06:21.287205935 CEST	192.168.2.7	8.8.8.8	0xf38c	Standard query (0)	telize.com	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:21.656793118 CEST	192.168.2.7	8.8.8.8	0x7937	Standard query (0)	www.telize.com	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.010683060 CEST	192.168.2.7	8.8.8.8	0x9a6d	Standard query (0)	freegeoip.net	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.271526098 CEST	192.168.2.7	8.8.8.8	0x2961	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.334103107 CEST	192.168.2.7	8.8.8.8	0xe8b1	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:24.242127895 CEST	192.168.2.7	8.8.8.8	0x6f75	Standard query (0)	telize.com	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:24.478154898 CEST	192.168.2.7	8.8.8.8	0x1d58	Standard query (0)	www.telize.com	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:24.899523973 CEST	192.168.2.7	8.8.8.8	0x6a99	Standard query (0)	freegeoip.net	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.113876104 CEST	192.168.2.7	8.8.8.8	0x27e9	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.174091101 CEST	192.168.2.7	8.8.8.8	0x272c	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 18, 2021 11:06:21.466551065 CEST	8.8.8.8	192.168.2.7	0xf38c	No error (0)	telize.com		88.198.193.213	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:21.705435991 CEST	8.8.8.8	192.168.2.7	0x7937	No error (0)	www.telize.com		88.198.193.213	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.072565079 CEST	8.8.8.8	192.168.2.7	0x9a6d	No error (0)	freegeoip.net		104.26.14.73	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.072565079 CEST	8.8.8.8	192.168.2.7	0x9a6d	No error (0)	freegeoip.net		172.67.75.176	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.072565079 CEST	8.8.8.8	192.168.2.7	0x9a6d	No error (0)	freegeoip.net		104.26.15.73	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.144.221	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.165.85	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.96.218	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.121.36	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.66.150	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		107.22.233.72	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.323796034 CEST	8.8.8.8	192.168.2.7	0x2961	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.175.90	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.48.44	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.144.221	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.222.160	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.216.111	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.76.253	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:22.383488894 CEST	8.8.8.8	192.168.2.7	0xe8b1	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.155.255	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:24.299067020 CEST	8.8.8.8	192.168.2.7	0x6f75	No error (0)	telize.com		88.198.193.213	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:24.526839972 CEST	8.8.8.8	192.168.2.7	0x1d58	No error (0)	www.telize.com		88.198.193.213	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:24.961105108 CEST	8.8.8.8	192.168.2.7	0x6a99	No error (0)	freegeoip.net		104.26.15.73	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:24.961105108 CEST	8.8.8.8	192.168.2.7	0x6a99	No error (0)	freegeoip.net		172.67.75.176	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:24.961105108 CEST	8.8.8.8	192.168.2.7	0x6a99	No error (0)	freegeoip.net		104.26.14.73	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.144.221	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.165.85	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.252.36	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.96.218	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.243.121.36	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.66.150	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		107.22.233.72	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.166945934 CEST	8.8.8.8	192.168.2.7	0x27e9	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	api.ipify.org	nagano-19599.herokussl.com		CNAME (Canonical name)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	nagano-19599.herokussl.com	elb097307-934924932.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.175.90	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.66.150	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		23.21.48.44	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		50.19.96.218	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		107.22.233.72	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.165.85	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.225.222.160	A (IP address)	IN (0x0001)
Apr 18, 2021 11:06:25.222827911 CEST	8.8.8.8	192.168.2.7	0x272c	No error (0)	elb097307-934924932.us-east-1.elb.amazonaws.com		54.235.83.248	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

telize.com

www.telize.com

freegeoip.net

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.7	49702	88.198.193.213	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:21.563847065 CEST	1033	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: telize.com Connection: Keep-Alive
Apr 18, 2021 11:06:21.633836031 CEST	1034	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 18 Apr 2021 09:06:21 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: http://www.telize.com/geoip Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.7	49703	88.198.193.213	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:21.774736881 CEST	1038	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: www.telize.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.7	49704	88.198.193.213	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:21.919517994 CEST	1040	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: www.telize.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.7	49705	104.26.14.73	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:22.115767956 CEST	1041	OUT	GET /xml/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: freegeoip.net Connection: Keep-Alive
Apr 18, 2021 11:06:22.163099051 CEST	1042	IN	HTTP/1.1 301 Moved Permanently Date: Sun, 18 Apr 2021 09:06:22 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Sun, 18 Apr 2021 10:06:22 GMT Location: http://freegeoip.net/shutdown cf-request-id: 0985d4334300000eb300348000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ah9aj0ZxS2M1mM9UwA452sWb1TJt9xCwn58p8aN2bmtzfD1%2Bff3qqB4FPBmzuCAChP%2F4xZZKJlZRhFiGMYuH2kdBU4s%2FZdnvSlRjh3Sj"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 641cbc986b850eb3-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 18, 2021 11:06:22.169833899 CEST	1043	OUT	GET /shutdown HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: freegeoip.net
Apr 18, 2021 11:06:22.215786934 CEST	1044	IN	HTTP/1.1 200 OK Date: Sun, 18 Apr 2021 09:06:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d2a9ec5a5d3ae55ad948113671243aa5a1618736782; expires=Tue, 18-May-21 09:06:22 GMT; path=/; domain=.freegeoip.net; HttpOnly; SameSite=Lax vary: Accept-Encoding expires: Sat, 26 Jul 1997 05:00:00 GMT cache-control: max-age=31536000, must-revalidate, post-check=0, pre-check=0 pragma: no-cache last-modified: Wed, 14 Apr 2021 00:09:21 GMT x-cache-miss-from: parking-6dfcfcdcd9-s8xzl CF-Cache-Status: HIT Age: 377821 cf-request-id: 0985d4337900000eb3cb0e5000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=S2Gqa3fiKN67011uGaowtQmcjlJkVU4VyEtntFVnAxK7ZEL4Smywe8lSd0anBIbTrBvctrtHjeDXmFKrLS4G9oyMas3tZgF8Mo1S9L7N"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 641cbc98cc160eb3-FRA Data Raw: 36 30 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 Data Ascii: 609<!DOCTYPE html><html><head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent;
Apr 18, 2021 11:06:22.215821981 CEST	1045	IN	Data Raw: 20 7d 0a 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 Data Ascii: } body { overflow: hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following M
Apr 18, 2021 11:06:22.215838909 CEST	1045	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.7	49707	54.225.144.221	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:22.513216019 CEST	1051	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: api.ipify.org Connection: Keep-Alive
Apr 18, 2021 11:06:22.652966976 CEST	1052	IN	HTTP/1.1 200 OK Server: Cowboy Connection: keep-alive Content-Type: text/plain Vary: Origin Date: Sun, 18 Apr 2021 09:06:22 GMT Content-Length: 10 Via: 1.1 vegur Data Raw: 38 34 2e 31 37 2e 35 32 2e 33 Data Ascii: 84.17.52.3

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.7	49709	88.198.193.213	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:24.402847052 CEST	1110	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: telize.com Connection: Keep-Alive
Apr 18, 2021 11:06:24.471179008 CEST	1111	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Sun, 18 Apr 2021 09:06:24 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Location: http://www.telize.com/geoip Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.7	49710	88.198.193.213	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:24.596831083 CEST	1207	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: www.telize.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.7	49711	88.198.193.213	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:24.738730907 CEST	1391	OUT	GET /geoip HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: www.telize.com Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.7	49712	104.26.15.73	80	C:\Users\user\AppData\Roaming\SubDir\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:25.004817009 CEST	1394	OUT	GET /xml/ HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: freegeoip.net Connection: Keep-Alive
Apr 18, 2021 11:06:25.051582098 CEST	1395	IN	HTTP/1.1 301 Moved Permanently Date: Sun, 18 Apr 2021 09:06:25 GMT Transfer-Encoding: chunked Connection: keep-alive Cache-Control: max-age=3600 Expires: Sun, 18 Apr 2021 10:06:25 GMT Location: http://freegeoip.net/shutdown cf-request-id: 0985d43e8d00002b22bfbbb000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=DeXk04E1XV0K7pqCMWMW7j0tXhifjkx%2FX0nCasBa4Gw%2Br5TSdrKQ6x8vigni2MZ0sut4R%2BydVvGeZfKNt2ByCw0qe3JFDQMcSr67zHxD"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 641cbcaa7e012b22-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 18, 2021 11:06:25.053112030 CEST	1395	OUT	GET /shutdown HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: freegeoip.net
Apr 18, 2021 11:06:25.103585005 CEST	1396	IN	HTTP/1.1 200 OK Date: Sun, 18 Apr 2021 09:06:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d4848ee9ab27e8bbe0477f048b200ec481618736785; expires=Tue, 18-May-21 09:06:25 GMT; path=/; domain=.freegeoip.net; HttpOnly; SameSite=Lax vary: Accept-Encoding expires: Sat, 26 Jul 1997 05:00:00 GMT cache-control: max-age=31536000, must-revalidate, post-check=0, pre-check=0 pragma: no-cache last-modified: Wed, 14 Apr 2021 00:09:21 GMT x-cache-miss-from: parking-6dfcfcdcd9-s8xzl CF-Cache-Status: HIT Age: 377824 cf-request-id: 0985d43ebe00002b2229009000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=W4jszXvUD4kMGXoco2tww5xnE0KOk31Wn3UrfqOQdAxHyV%2Fi1h9mNOp%2Bbt2haqBxTEl%2BYilKLu1rseeuKWfGLrLkXVSJ2SDfuFqzNdZM"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 641cbcaace8d2b22-FRA Data Raw: 36 30 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 20 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 Data Ascii: 609<!DOCTYPE html><html><head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height: 100%; width: 100%; margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent;
Apr 18, 2021 11:06:25.103619099 CEST	1397	IN	Data Raw: 20 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 20 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 Data Ascii: } body { overflow: hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Follo
Apr 18, 2021 11:06:25.103635073 CEST	1397	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.7	49714	54.225.144.221	80	C:\Users\user\Desktop\svchost.exe

Timestamp	kBytes transferred	Direction	Data
Apr 18, 2021 11:06:25.354588985 CEST	1399	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0 Host: api.ipify.org Connection: Keep-Alive
Apr 18, 2021 11:06:25.484994888 CEST	1404	IN	HTTP/1.1 200 OK Server: Cowboy Connection: keep-alive Content-Type: text/plain Vary: Origin Date: Sun, 18 Apr 2021 09:06:25 GMT Content-Length: 10 Via: 1.1 vegur Data Raw: 38 34 2e 31 37 2e 35 32 2e 33 Data Ascii: 84.17.52.3

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: svchost.exe PID: 3008 Parent PID: 5564

General

Start time:	11:06:19
Start date:	18/04/2021
Path:	C:\Users\user\Desktop\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\svchost.exe'
Imagebase:	0xf80000
File size:	273920 bytes
MD5 hash:	275D9F11168D6B0A8369DC5A9FF0F7EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000003.233358475.0000000007201000.00000004.00000001.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000000.227665901.0000000000F82000.00000002.00020000.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 4884 Parent PID: 3008

General

Start time:	11:06:21
Start date:	18/04/2021
Path:	C:\Users\user\AppData\Roaming\SubDir\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\SubDir\svchost.exe
Imagebase:	0x120000
File size:	273920 bytes
MD5 hash:	275D9F11168D6B0A8369DC5A9FF0F7EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000002.494084624.0000000000122000.00000002.00020000.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000001.00000000.234021337.0000000000122000.00000002.00020000.sdmp, Author: Joe Security Rule: Vermin_Keylogger_Jan18_1, Description: Detects Vermin Keylogger, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: xRAT_1, Description: Detects Patchwork malware, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: Quasar_RAT_2, Description: Detects Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: CN_disclosed_20180208_KeyLogger_1, Description: Detects malware from disclosed CN malware set, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: C:\Users\user\AppData\Roaming\SubDir\svchost.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 79%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 3260 Parent PID: 3292

General

Start time:	11:06:33
Start date:	18/04/2021
Path:	C:\Users\user\AppData\Roaming\SubDir\svchost.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\SubDir\svchost.exe'
Imagebase:	0x7ff6ec5b0000
File size:	273920 bytes
MD5 hash:	275D9F11168D6B0A8369DC5A9FF0F7EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000002.263919430.0000000000B42000.00000002.00020000.sdmp, Author: Joe Security Rule: Quasar_RAT_1, Description: Detects Quasar RAT, Source: 00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp, Author: Florian Roth Rule: JoeSecurity_Quasar, Description: Yara detected Quasar RAT, Source: 00000006.00000000.259204194.0000000000B42000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: svchost.exe PID: 3440 Parent PID: 560

General

Start time:	11:06:33
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5344 Parent PID: 560

General

Start time:	11:06:40
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff6e70f0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 672 Parent PID: 560

General

Start time:	11:06:43
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1656 Parent PID: 560

General

Start time:	11:06:44
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5304 Parent PID: 560

General

Start time:	11:06:44
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 3808 Parent PID: 560

General

Start time:	11:06:45
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k unistacksvcgroup
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5380 Parent PID: 560

General

Start time:	11:06:45
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 1348 Parent PID: 560

General

Start time:	11:06:46
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6540 Parent PID: 560

General

Start time:	11:06:54
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6944 Parent PID: 560

General

Start time:	11:07:08
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 5064 Parent PID: 560

General

Start time:	11:07:18
Start date:	18/04/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff641cd0000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 6596 Parent PID: 1348

General

Start time:	11:07:48
Start date:	18/04/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase:	0x7ff678d20000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6584 Parent PID: 6596

General

Start time:	11:07:48
Start date:	18/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: svchost.exe PID: 3008 Parent PID: 5564 svchost.exeCOMMON

Executed Functions

Function 05DF0DB8, Relevance: 1.6, Strings: 1, Instructions: 337COMMON

Download Yara Rule

Strings

<"l, xrefs: 05DF1005

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID:
String ID: <"l
API String ID: 0-1337001861
Opcode ID: 6152b7dc7fe74248345705d069939d08c4ff6569b40df3a858bbc5fadfe8cb7b
Instruction ID: b68e101d66fdc2843cba93f2e54eb3014e94ee23a0d4ffc7f2f081af4e026223
Opcode Fuzzy Hash: 6152b7dc7fe74248345705d069939d08c4ff6569b40df3a858bbc5fadfe8cb7b
Instruction Fuzzy Hash: 20D16D70E04209DFCB14DFA8C484AAEFBF2FF88314F15855AE915AB351DB74A946CB90

Uniqueness

Uniqueness Score: -1.00%

Function 05C3A90A, Relevance: 1.3, Instructions: 1308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.235646050.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7b7391c576a3b7d9544802c95c41fbee03643ab294dfbc4b47baa2c38f3d479
Instruction ID: 20523ba39815aefb81300199c7d38f01f31eb8a6e001d0026e37d8d9e299e8f3
Opcode Fuzzy Hash: b7b7391c576a3b7d9544802c95c41fbee03643ab294dfbc4b47baa2c38f3d479
Instruction Fuzzy Hash: 64D20570E0421CCFCB54DF64C891AEDB7B2EF89304F1189A9C64AAB254EB355E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05C3A987, Relevance: 1.3, Instructions: 1282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.235646050.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3adac4aa76152c7e0b3244afacacc0fc10a43bc9fbd2d94fddc025bc5b4fa118
Instruction ID: 1dbf21dc646ff54bc2aaa86f6ae53027e2c6663bbf60b3abe1375bad81fc1cbf
Opcode Fuzzy Hash: 3adac4aa76152c7e0b3244afacacc0fc10a43bc9fbd2d94fddc025bc5b4fa118
Instruction Fuzzy Hash: 41D2F470E0421CCFCB54DF64C891AEDB7B2EF89304F1189A9C64AAB254EB355E85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05C3EDD0, Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.235646050.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba962bd9d26b33d03ff23d5705861c322d7c26aa78da3302b9a3a8dd978fe89a
Instruction ID: fa27d51d6c89a7766e030631e20d291eba0f0f16fdf429200a5744461ab756be
Opcode Fuzzy Hash: ba962bd9d26b33d03ff23d5705861c322d7c26aa78da3302b9a3a8dd978fe89a
Instruction Fuzzy Hash: CAB14A70E0420D8FDB10CFA9D8867EEBBF2BF88704F148929E415A7294EB749945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 05C3F6A0, Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.235646050.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8942e5ee95c955b36f583c91aeb1b4786d88a469534846630d4b4e2f8f15b05
Instruction ID: 6bcc0d7a0c92e5bec02e013d67710c42ae4ed3313e47ae7e166ca8bd18fcc1f0
Opcode Fuzzy Hash: d8942e5ee95c955b36f583c91aeb1b4786d88a469534846630d4b4e2f8f15b05
Instruction Fuzzy Hash: AFB18D70E0420D9FDB14CFA9C8867EEBBF2BF88314F14892DD415A7254EB789985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6434, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 05DF67A0
GetCurrentThread.KERNEL32 ref: 05DF67DD
GetCurrentProcess.KERNEL32 ref: 05DF681A
GetCurrentThreadId.KERNEL32 ref: 05DF6873

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 107da5f1f5a592489f618b9249b03730910d3b6b47a5726f1deb93d4956f66e1
Instruction ID: 5e0ecc390301b1ec6e2d72b2fb2810f28f2f29286a4da5c4ca94f6a14160ebfe
Opcode Fuzzy Hash: 107da5f1f5a592489f618b9249b03730910d3b6b47a5726f1deb93d4956f66e1
Instruction Fuzzy Hash: C45167B09002498FDB14CFA9E589BDEBBF1FF88314F14845AE41AB7750C774A944CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6730, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 05DF67A0
GetCurrentThread.KERNEL32 ref: 05DF67DD
GetCurrentProcess.KERNEL32 ref: 05DF681A
GetCurrentThreadId.KERNEL32 ref: 05DF6873

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 069ccdc2a02c929c17dd86a36fd7f61a87a8e1f321ee5a2c03fa41548f1c62f6
Instruction ID: 6ee159b4b191c66875b8448486bfdcf511965fcb1aec581675449336a6835e76
Opcode Fuzzy Hash: 069ccdc2a02c929c17dd86a36fd7f61a87a8e1f321ee5a2c03fa41548f1c62f6
Instruction Fuzzy Hash: 885177B09042458FDB14CFA9E589B9EBFF1FF48304F14845AE01AB7790C7749845CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 05C32F24, Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 05C32FE1

Memory Dump Source

Source File: 00000000.00000002.235646050.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e6cdeecb52b9352082252dc4b2d49a64bcca64ae62467ca081dbbe620a1fd03c
Instruction ID: 6755e393aea2a3c5084c7a66fd39eb566af1b9a521770422c0f0eebbab4332ea
Opcode Fuzzy Hash: e6cdeecb52b9352082252dc4b2d49a64bcca64ae62467ca081dbbe620a1fd03c
Instruction Fuzzy Hash: 714101B1C0461DCEDF24CFA5C8857DDBBB1BF48304F24886AD409AB251D7756A49CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05C3A79C, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 05C3C7C7

Memory Dump Source

Source File: 00000000.00000002.235646050.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 87e165b3a80c59de4f079a846ea04d7f8108c0ed159e40c3e06e8a906159c4b9
Instruction ID: 8887dc0dc0b6a9ee5c481bb3bbbb3742c39ec33b2729364a29e8c4c61050c34d
Opcode Fuzzy Hash: 87e165b3a80c59de4f079a846ea04d7f8108c0ed159e40c3e06e8a906159c4b9
Instruction Fuzzy Hash: C14144B0D00618DFDB10CFA9C88679EBBF1BF49304F108529D815AB344D774A946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 05C3158C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 05C32FE1

Memory Dump Source

Source File: 00000000.00000002.235646050.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 87194010ea49953fb263562a5e8ed9b367e0357624419a4917f7cc8d9e1b7b9d
Instruction ID: 41adb86e9eba5cde67599113af9340129e17dd60711301cd6c3668497bd44efd
Opcode Fuzzy Hash: 87194010ea49953fb263562a5e8ed9b367e0357624419a4917f7cc8d9e1b7b9d
Instruction Fuzzy Hash: EC41F1B0C0461CCBDF24DFA9C888B9DBBB1FF49704F10886AE409AB251DBB56945CF91

Uniqueness

Uniqueness Score: -1.00%

Function 05C3C6D7, Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 05C3C7C7

Memory Dump Source

Source File: 00000000.00000002.235646050.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ee8a3a24ffebb598e10f56566f8c200421ed76c5f313b4dfea65f8f37ca7c9ee
Instruction ID: 377fcc171eebeb700caaacc1b6679ceeac9452015d8c4761a0ff0296e9e01f49
Opcode Fuzzy Hash: ee8a3a24ffebb598e10f56566f8c200421ed76c5f313b4dfea65f8f37ca7c9ee
Instruction Fuzzy Hash: 7C4156B1D00618CFDB10CFA8C88679DBBF1BF48314F14852AD825A7384D774A986CF81

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6D68, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05DF6DF7

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 46ef5a2644bf1d1b1c5089ce2dca862cefc190c26879e048b4830ec22f748185
Instruction ID: beca24f56055bd4a5ceedb492a20cc55ce7b83b8d017fd63fd4b2a3b474ddf27
Opcode Fuzzy Hash: 46ef5a2644bf1d1b1c5089ce2dca862cefc190c26879e048b4830ec22f748185
Instruction Fuzzy Hash: 322114B5900248AFDB10CFAAE884ADEBFF4FB48320F14841AE914A7310C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6D70, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05DF6DF7

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0d501d9fb73bb6a5ac5038c97ae1d8bfe4d7e8f6c7f45392eeb4bdd684118f35
Instruction ID: 25a399e0e7426382f8f471c068cfba13bd360f5986ce7f8ec2ff0fb23460951b
Opcode Fuzzy Hash: 0d501d9fb73bb6a5ac5038c97ae1d8bfe4d7e8f6c7f45392eeb4bdd684118f35
Instruction Fuzzy Hash: 8121F5B5D002499FDB10CFAAD884ADEFBF4FB48324F14841AE914A7310D374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF5A88, Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05DF5B00

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 6d5a6f656a07c384e5bb6f13b45169e61917a76124334a172fa46b3924a27a63
Instruction ID: c804461b2753d0c89c27fe4b782be9e6b5c41a97bf15dd93c1dc510b0905fed3
Opcode Fuzzy Hash: 6d5a6f656a07c384e5bb6f13b45169e61917a76124334a172fa46b3924a27a63
Instruction Fuzzy Hash: 772124B1C0461A9BCB10CF9AD444BDEFBB4BB48324F05812AD919A7640D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF5A90, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(00000000), ref: 05DF5B00

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: e0cbe982b79cf150ffaf44f635c86dcd44fab8635dcb2716a2d7d115b3e9d369
Instruction ID: ee76244f3fbd948c71069ff21e2600b19307625f651277a7bf11f87a7128ca27
Opcode Fuzzy Hash: e0cbe982b79cf150ffaf44f635c86dcd44fab8635dcb2716a2d7d115b3e9d369
Instruction Fuzzy Hash: 4B1133B1C0461A9BCB10CF9AD484B9EFBF4FF48320F05822AD919B7640D778A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7798, Relevance: 1.6, APIs: 1, Instructions: 52comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05DF77F5

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a334ed1079803ef97dee387b6eb27a9f7a2c07a87cbac39b1e1c6f6026f09684
Instruction ID: 5229bca8e3185654ce424818d19f6f885e6ff6cd95befb169a508c3fcbae8af4
Opcode Fuzzy Hash: a334ed1079803ef97dee387b6eb27a9f7a2c07a87cbac39b1e1c6f6026f09684
Instruction Fuzzy Hash: BB1155B59042498FCB20CF99D588BDEBFF4EF48324F15845AD159B7210C378A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05DF6BF8, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 05DF77F5

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: d4b62843c3579364319d4309e94e7f43ec9d94f473274fc51c0031607d41ad34
Instruction ID: 2c81b2b3a4aa9c0b1eabd765a9342dc29b8f75a8122ea5367c13000d074293f4
Opcode Fuzzy Hash: d4b62843c3579364319d4309e94e7f43ec9d94f473274fc51c0031607d41ad34
Instruction Fuzzy Hash: 341112B59046498FCB20DF9AD888BDEBBF4EB48324F15845AD519B7300D3B8A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 01B9D428, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234867450.0000000001B9D000.00000040.00000001.sdmp, Offset: 01B9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35ea8ee8dfb59acf76817de2257237c0e9b432d1299ec822897f4d03a409ff6
Instruction ID: 84375650225f799308a439a82e251bc05c70e8ca32b0be48ab9d891b91858f09
Opcode Fuzzy Hash: d35ea8ee8dfb59acf76817de2257237c0e9b432d1299ec822897f4d03a409ff6
Instruction Fuzzy Hash: 752106B1504240DFDF19CF54D9C0B66BB65FB94324F24C6B9E9094B306C33AE856C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 01B9D514, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234867450.0000000001B9D000.00000040.00000001.sdmp, Offset: 01B9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4f8e25f3f885784d970f5750269faea6d7e96788c7386776e0a8bcefeaacdf
Instruction ID: c3e6a7bb9658b1a472022aba02be88a01abe291f22886fabd64f30b4e66705e1
Opcode Fuzzy Hash: bc4f8e25f3f885784d970f5750269faea6d7e96788c7386776e0a8bcefeaacdf
Instruction Fuzzy Hash: 2A2103B1504240DFDF19DF54D9C0B26BB65FB88328F2486B9E9054B206C33AD856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01B9D423, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234867450.0000000001B9D000.00000040.00000001.sdmp, Offset: 01B9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4186e4ea15213e6bdc2dae606fe6de48a4bfb9a3d0da06027442d22881957d
Instruction ID: 6eadb8b0115863a293490d4cd2731072802db697bc074bc431d0acf3b04a781f
Opcode Fuzzy Hash: 5e4186e4ea15213e6bdc2dae606fe6de48a4bfb9a3d0da06027442d22881957d
Instruction Fuzzy Hash: 9C11AC76404280DFDF16CF54D9C4B56BF71FB88324F2886A9D8090B617C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 01B9D50F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234867450.0000000001B9D000.00000040.00000001.sdmp, Offset: 01B9D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4186e4ea15213e6bdc2dae606fe6de48a4bfb9a3d0da06027442d22881957d
Instruction ID: 09fb5a203bcb839cc2c21314a6630aeaa1bab493c2d9bf23c95dc80acfd8ea63
Opcode Fuzzy Hash: 5e4186e4ea15213e6bdc2dae606fe6de48a4bfb9a3d0da06027442d22881957d
Instruction Fuzzy Hash: 5211B176404280DFCF16CF54D5C4B16BF71FB84324F2486A9D8054B617C33AD456CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F89322, Relevance: 1.3, Instructions: 1309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.234340681.0000000000F82000.00000002.00020000.sdmp, Offset: 00F80000, based on PE: true

Associated: 00000000.00000002.234332446.0000000000F80000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84662bdfff181c308b5d9142eb6a0cdfa2b820514601306fb401038d163e0ff2
Instruction ID: cbbba2da2b5254e2ab2cdf9902284af045c7c009e5ae7a010558a881eefa8a5c
Opcode Fuzzy Hash: 84662bdfff181c308b5d9142eb6a0cdfa2b820514601306fb401038d163e0ff2
Instruction Fuzzy Hash: 08B2392144E3C29FC7135F7488B51E1BFB0EE5722471E49DBD4C08F463E26869AADB62

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7840, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17f4b8fa6f4ba6572d001df8125a12e1463ac0b0967d72ae5c940f6421b8385
Instruction ID: 0743714eb430ac99c6048722417e67c48ebdadebbdb9d25994ddefb4998137df
Opcode Fuzzy Hash: e17f4b8fa6f4ba6572d001df8125a12e1463ac0b0967d72ae5c940f6421b8385
Instruction Fuzzy Hash: 4E12BAF14217468BE312CFA5E49E3A93FA1BF45328B514208E2611BAD5DFB8114ACFC9

Uniqueness

Uniqueness Score: -1.00%

Function 05C3EA88, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.235646050.0000000005C30000.00000040.00000001.sdmp, Offset: 05C30000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85bd250d912ed6658531c67a23a2ea945102391c8b20f19b3a340e518384e77e
Instruction ID: 3aaa93faf9636734a7100fddbc299b41ce5947413a6a8032621504444b6705d0
Opcode Fuzzy Hash: 85bd250d912ed6658531c67a23a2ea945102391c8b20f19b3a340e518384e77e
Instruction Fuzzy Hash: 60916A70E0420D8FDB14CFA9D8867EEBBF6BF88318F148529E406A7394DB749945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 05DF7830, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.235983683.0000000005DF0000.00000040.00000001.sdmp, Offset: 05DF0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4981c1af4b103eae281075d35514bcbe0137c1d5cae7089ff3d11272a8f84e59
Instruction ID: bc1b651022dc173414bc68eb8bb16b60a87e41311491d24ff88cacf0e3e2842a
Opcode Fuzzy Hash: 4981c1af4b103eae281075d35514bcbe0137c1d5cae7089ff3d11272a8f84e59
Instruction Fuzzy Hash: 52C10CB14217468BD712CFA4E89E3997FA1BF45328F514309E1612B6D0DFB8154ACFC9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 4884 Parent PID: 3008 svchost.exeCOMMON

Executed Functions

Function 06263C88, Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 02b509885c25c3416d7aa1e7fb7e9e046f0c3d40e592f7a4ccdb0c1d262488c5
Instruction ID: 19562bb3384af47f70ffe977b4d8eeaff681f01074b2aa24a66656d8160b31d5
Opcode Fuzzy Hash: 02b509885c25c3416d7aa1e7fb7e9e046f0c3d40e592f7a4ccdb0c1d262488c5
Instruction Fuzzy Hash: 69814770A10B058FDB64DF6AC44179ABBF1FF48204F00892EE496D7A50DB75E849CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06265D12, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06265E2A

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 937540eca082afb380c8bf69236628b8e0b7973c25d027315f805075911f9085
Instruction ID: fe8447ad8606f1d2d7ce2364e8a654e94ed20e389590e82567408b51802040a1
Opcode Fuzzy Hash: 937540eca082afb380c8bf69236628b8e0b7973c25d027315f805075911f9085
Instruction Fuzzy Hash: 6A51B0B1D103099FDB14CFAAC884ADEBBB5BF48314F24852AE819AB254D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06265D18, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06265E2A

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 63aa9c56adec1af06f0d67e6e6c8db2fa605f076e02ac2d1c6b813837ac769ed
Instruction ID: c85f46220fc2d0cdfe7a1bd6f1d12fddb1ce5bb017d36359376b3bd74f6e578d
Opcode Fuzzy Hash: 63aa9c56adec1af06f0d67e6e6c8db2fa605f076e02ac2d1c6b813837ac769ed
Instruction Fuzzy Hash: 3641BEB1D10309DFDF14CF9AC884ADEBBB5BF48314F24852AE819AB254D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 04DD2F24, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04DD2FE1

Memory Dump Source

Source File: 00000001.00000002.500397410.0000000004DD0000.00000040.00000001.sdmp, Offset: 04DD0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d2d5ff83e2ab936d41664644b45ed9918c3c5e2dc25b0ca098d86b665cb1a71c
Instruction ID: b20be890ea9d79cc3513987d7edf22043dd39bf2a58a69a2e56efafb896dd2ae
Opcode Fuzzy Hash: d2d5ff83e2ab936d41664644b45ed9918c3c5e2dc25b0ca098d86b665cb1a71c
Instruction Fuzzy Hash: 5C4114B1D04218CFDB24CFA9C8847DDBBB1FF49308F10846AD509AB251DBB5694ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 06263474, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 06268511

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 72ba181ea9f3d83efbce41d46cb089315e9f9ea7aec32ee6ea7f3427152c3d3d
Instruction ID: ac932c429704f83dd46cc045663bfebe35d573ce09595a0e445dc334a98e9dd6
Opcode Fuzzy Hash: 72ba181ea9f3d83efbce41d46cb089315e9f9ea7aec32ee6ea7f3427152c3d3d
Instruction Fuzzy Hash: 75415BB4910205CFDB54CF59C888BAABBF5FF88314F158849E919A7321D7B4E881CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 04DDA79C, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 04DDC7C7

Memory Dump Source

Source File: 00000001.00000002.500397410.0000000004DD0000.00000040.00000001.sdmp, Offset: 04DD0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 364396f9bef2eccaa0852ac430ad6dc62822b79e7dc026336e4375145ed014da
Instruction ID: 00d133eab62d33c8792de7052cab63b1e99b2e52cf16ff6a8c53fa93ed382fe8
Opcode Fuzzy Hash: 364396f9bef2eccaa0852ac430ad6dc62822b79e7dc026336e4375145ed014da
Instruction Fuzzy Hash: 454125B0E102089FDB10CFA9C885B9EBBF1BB49704F148529E815E7384D7B4A845CF81

Uniqueness

Uniqueness Score: -1.00%

Function 04DD158C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 04DD2FE1

Memory Dump Source

Source File: 00000001.00000002.500397410.0000000004DD0000.00000040.00000001.sdmp, Offset: 04DD0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fcd43a763bc08d8da0ee2e79ae24c63f0cb572a9b6158a9101dcbb904a3aabf7
Instruction ID: 5872849899542b4b71af9c551d110cf9ebdf372633495dbcef9219e72b70afb6
Opcode Fuzzy Hash: fcd43a763bc08d8da0ee2e79ae24c63f0cb572a9b6158a9101dcbb904a3aabf7
Instruction Fuzzy Hash: 00410270D0421CCBDB24DFA9C884BDEBBB5BF48308F11846AD508AB255DBB5A949CF91

Uniqueness

Uniqueness Score: -1.00%

Function 04DDC6D6, Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 04DDC7C7

Memory Dump Source

Source File: 00000001.00000002.500397410.0000000004DD0000.00000040.00000001.sdmp, Offset: 04DD0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dc93e63a051b2dce2752916909b2363162bc7ee90651bd6b91421976380ffef9
Instruction ID: c02e52f4fb627f6f2106523bd84a8462df962905b313540f5ea1b3f428f5b228
Opcode Fuzzy Hash: dc93e63a051b2dce2752916909b2363162bc7ee90651bd6b91421976380ffef9
Instruction Fuzzy Hash: 794124B1D10208DFDB10CFA9C985B9EBBF1BF49714F148529E815A7384D7B8A886CF81

Uniqueness

Uniqueness Score: -1.00%

Function 062640C8, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0626413A

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f94d4de1cf4b32aa710792d0782cda3ae6d7e3ca02cf768d38c1e0328d62a082
Instruction ID: 6871601d5ec3b3c06413a07cac45c15557293ef2b4e26e0ebc8ba1c1e54a0352
Opcode Fuzzy Hash: f94d4de1cf4b32aa710792d0782cda3ae6d7e3ca02cf768d38c1e0328d62a082
Instruction Fuzzy Hash: 812136B6C002099FCB10CF9AD884BDEFBF4AB48314F00845AE815B7200C3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 062640D0, Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,?,?), ref: 0626413A

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 93136271b68e262d6ffe4ca43f99968865dded3e01cdcf66369c612608bec501
Instruction ID: 667a6b0cd315a67b47e8fc2d1c7f106c1c660ce9b20912fe9d45693588041f8b
Opcode Fuzzy Hash: 93136271b68e262d6ffe4ca43f99968865dded3e01cdcf66369c612608bec501
Instruction Fuzzy Hash: 0611F6B6D002098FCB10DF9AD844BDEFBF4EB58314F15841AE955B7200C3B5A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 062631A4, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,06263C9B), ref: 06263ECE

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aa94e3acc7fde99084280595574526ef438e94974cc97ab7868fa8d7280cbb0d
Instruction ID: e5eb17260d184ff217aecd95af3c12d7e011eb5f92f1cc9768eaa53ac649f73e
Opcode Fuzzy Hash: aa94e3acc7fde99084280595574526ef438e94974cc97ab7868fa8d7280cbb0d
Instruction Fuzzy Hash: 551104B1D006498FDB10CF9AC444BDEFBF5EF88214F15841AD919B7200C3B5A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06269478, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0626A44D

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 13b4afb6bae57818c036b710a1c2bcc65a8d85e1233faa628d477e243a305bb9
Instruction ID: 878ebfd32f063a4f6960c742aa2d29ac79a99fb8caeb4cf7104f54ed6ed27c98
Opcode Fuzzy Hash: 13b4afb6bae57818c036b710a1c2bcc65a8d85e1233faa628d477e243a305bb9
Instruction Fuzzy Hash: 111103B19047498FDB50DF9AD8887DEBBF4EB48324F10841AE919B7200D7B4A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06269524, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0626A937), ref: 0626BCD5

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: ad58705cb65746d8a01a95d2899ff0b28401aa1b097d8c8b2f317b1d3fd29571
Instruction ID: 09acb5f54784833139b7b236227dec2cf99442fd9fd596eeec950d5763e6d285
Opcode Fuzzy Hash: ad58705cb65746d8a01a95d2899ff0b28401aa1b097d8c8b2f317b1d3fd29571
Instruction Fuzzy Hash: EC1110B0C04648CFCB10CF9AD848B9EBBF4EB48224F00852AE919B3240C3B8A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0626A3F1, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 0626A44D

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f6e62437b6e97307fdb31dfa1b27b029efa1c07bff80beb9867702f65757103d
Instruction ID: b879bdf37e10f8fb07c8c67e303cf686b48955661b4fa5ed20e610a5bbbccf6a
Opcode Fuzzy Hash: f6e62437b6e97307fdb31dfa1b27b029efa1c07bff80beb9867702f65757103d
Instruction Fuzzy Hash: AE1115B19006488FCB10DF9AD989BDEFBF4EB48324F148419E519B3200C7B8A584CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0626BC71, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

DispatchMessageW.USER32(?,?,?,?,?,?,00000000,-00000018,?,0626A937), ref: 0626BCD5

Memory Dump Source

Source File: 00000001.00000002.502345506.0000000006260000.00000040.00000001.sdmp, Offset: 06260000, based on PE: false

Similarity

API ID: DispatchMessage
String ID:
API String ID: 2061451462-0
Opcode ID: 1f3942f09bb8fb9030acc938ebb2d89471bbf590d84440b4e3a8d58bc2534496
Instruction ID: e0b25869b50ec1acfab15d14bb11b40d39a9b18f40d44ed7005299475b7dfa21
Opcode Fuzzy Hash: 1f3942f09bb8fb9030acc938ebb2d89471bbf590d84440b4e3a8d58bc2534496
Instruction Fuzzy Hash: 9B11F2B5C046498FCB10CF9AD448BDEFBF4EB48324F10841AE919A3240C778A545CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD428, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.496611882.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1af6c4e59204e18e37421a3bb162c9052b17693d3f326216ed8d06b9c875806
Instruction ID: 53e9cb95c94a195b08056221485070cc338f533cb20cd62d311fd2a9012786c5
Opcode Fuzzy Hash: d1af6c4e59204e18e37421a3bb162c9052b17693d3f326216ed8d06b9c875806
Instruction Fuzzy Hash: 43213D71504244DFDB14CF10D9C0F36BBA6FB94314F24C5A9EA054B306C33AE859D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD514, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.496611882.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495fe627bafc264ce4143ca46675efcdb314e42acce82fab07baae5779d31fd1
Instruction ID: 310d437f5005231345b612f655e3c449ed50b4379217a071d7d14c058f457099
Opcode Fuzzy Hash: 495fe627bafc264ce4143ca46675efcdb314e42acce82fab07baae5779d31fd1
Instruction Fuzzy Hash: 33213DB1504244DFCB15DF14D8C0F36BBA6FBA4318F2485A9EA054B206C336D859D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 026ED04C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.497021189.00000000026ED000.00000040.00000001.sdmp, Offset: 026ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed55d33b14e8a5a4bec0cd3af4546de07cce706065e68eb300e6e322a75e569
Instruction ID: 61789101baad9415e963232dda70061ca3d75eaa06994e56db241a19bc023fa0
Opcode Fuzzy Hash: 3ed55d33b14e8a5a4bec0cd3af4546de07cce706065e68eb300e6e322a75e569
Instruction Fuzzy Hash: 4E21D7B5505244DFDF14DF10D9C0B26BBA9FB88314F24C569D90A4B346C77AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD423, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.496611882.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4186e4ea15213e6bdc2dae606fe6de48a4bfb9a3d0da06027442d22881957d
Instruction ID: 41fa4134a101e9044f51fae0ff18300f0615f33ce75ed547d2f7883609d06313
Opcode Fuzzy Hash: 5e4186e4ea15213e6bdc2dae606fe6de48a4bfb9a3d0da06027442d22881957d
Instruction Fuzzy Hash: 9211D376404284DFDB11CF14D5C4B26BFB2FB94324F24C6A9D9090B616C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00BFD50F, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.496611882.0000000000BFD000.00000040.00000001.sdmp, Offset: 00BFD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e4186e4ea15213e6bdc2dae606fe6de48a4bfb9a3d0da06027442d22881957d
Instruction ID: f6935589d8cffae84d04a111e2073272ebcaa9eb014120ea998a641ea74bc4dd
Opcode Fuzzy Hash: 5e4186e4ea15213e6bdc2dae606fe6de48a4bfb9a3d0da06027442d22881957d
Instruction Fuzzy Hash: 9111D376404284CFCB12CF14D5C4B26BFB2FB94324F24C6A9D9054B616C33AD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 026ED047, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.497021189.00000000026ED000.00000040.00000001.sdmp, Offset: 026ED000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9e5a6db499c0d458f35ccbadbd52f740084883ffb5dfa4356901dfeda36fd5
Instruction ID: d686348ca5da554c840eb8c431c00828f643b3d62a424fab93ca5a9a716fdd68
Opcode Fuzzy Hash: 6b9e5a6db499c0d458f35ccbadbd52f740084883ffb5dfa4356901dfeda36fd5
Instruction Fuzzy Hash: 6C118B75504280DFDF11CF10D9C4B15BBB1FB88224F28C6A9D84A4B756C33AD45ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 054FD800, Relevance: 6.1, APIs: 4, Instructions: 126threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 054FD870
GetCurrentThread.KERNEL32 ref: 054FD8AD
GetCurrentProcess.KERNEL32 ref: 054FD8EA
GetCurrentThreadId.KERNEL32 ref: 054FD943

Memory Dump Source

Source File: 00000001.00000002.501551883.00000000054F0000.00000040.00000001.sdmp, Offset: 054F0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6f47366feeeb909cdd505962ea99d330f0d8f01408bc451fbe494dd36984e2a9
Instruction ID: e5004399b117865e230702b3229c618ae3209195ab9385eda5a8a4ab13deefaf
Opcode Fuzzy Hash: 6f47366feeeb909cdd505962ea99d330f0d8f01408bc451fbe494dd36984e2a9
Instruction Fuzzy Hash: 535177B0D002498FDB10CFA9E988BDEBBF1BF49304F14845AD11AA3351D778A944CB61

Uniqueness

Uniqueness Score: -1.00%

Function 054FD810, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 054FD870
GetCurrentThread.KERNEL32 ref: 054FD8AD
GetCurrentProcess.KERNEL32 ref: 054FD8EA
GetCurrentThreadId.KERNEL32 ref: 054FD943

Memory Dump Source

Source File: 00000001.00000002.501551883.00000000054F0000.00000040.00000001.sdmp, Offset: 054F0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 74ecaf3a07150bc15eaff535826ed3a9fcd64fcdc775b572768278b8c60e007e
Instruction ID: 51be3304eab3fb1be7703013710f6cabe945102fc518c5f796dd9a87798c1197
Opcode Fuzzy Hash: 74ecaf3a07150bc15eaff535826ed3a9fcd64fcdc775b572768278b8c60e007e
Instruction Fuzzy Hash: 8D5155B0D002498FDB14CFA9E948BDEBBF1FB49314F24845AE51AA3350C778A944CB66

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: svchost.exe PID: 3260 Parent PID: 3292 svchost.exeCOMMON

Executed Functions

Function 057F2F24, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 057F2FE1

Memory Dump Source

Source File: 00000006.00000002.265091735.00000000057F0000.00000040.00000001.sdmp, Offset: 057F0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0d272787c001b550e82cdd76d1ebdee35b313740b1d4c4f4ed418a8e0573bbef
Instruction ID: 90d5ffdcf7633ab3ad24fb0cd98c09786978fb4b5143e8a6f49a316e084072b6
Opcode Fuzzy Hash: 0d272787c001b550e82cdd76d1ebdee35b313740b1d4c4f4ed418a8e0573bbef
Instruction Fuzzy Hash: 934135B1C04218CFDB20CFA9C888BDDBBF1BF58304F24846AD509AB251DB746989DF91

Uniqueness

Uniqueness Score: -1.00%

Function 057FA79C, Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 057FC7C7

Memory Dump Source

Source File: 00000006.00000002.265091735.00000000057F0000.00000040.00000001.sdmp, Offset: 057F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 70b3f24543f332314b4d893cb50f26d0cb6de18c04b248192c223c2baaa0984e
Instruction ID: 6ba4441a37e584d10240a97b821d2199b29cefc2a2495f0bb0e102dd9e12619f
Opcode Fuzzy Hash: 70b3f24543f332314b4d893cb50f26d0cb6de18c04b248192c223c2baaa0984e
Instruction Fuzzy Hash: 0B4144B0D04218CFDB11CFA9D885B9EBBF5BB48314F10802AD915EB380D7B4A845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 057F158C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 057F2FE1

Memory Dump Source

Source File: 00000006.00000002.265091735.00000000057F0000.00000040.00000001.sdmp, Offset: 057F0000, based on PE: false

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 94603c3f14f261e745fa6c7d352c8de89a18ec263e8f0f9f79fe3f893deca3fa
Instruction ID: e3e0ecfc9f6d3671207209e9b0637aaee38e18552d5048438f06d68092865cae
Opcode Fuzzy Hash: 94603c3f14f261e745fa6c7d352c8de89a18ec263e8f0f9f79fe3f893deca3fa
Instruction Fuzzy Hash: A9410FB0C04218CBDB24DFA9C884B9EBBB2BF59304F50806AE509AB251DBB56945DF91

Uniqueness

Uniqueness Score: -1.00%

Function 057FC6D6, Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 057FC7C7

Memory Dump Source

Source File: 00000006.00000002.265091735.00000000057F0000.00000040.00000001.sdmp, Offset: 057F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a1c1ff58a0962ce133a573860c72e944daf1a6466a36d5b4d3e4dc09ec2796cd
Instruction ID: 54f13ffb65424d32fae94a5ee53def9b8dbe94ab14d47d6e3f5a20eeb59ead71
Opcode Fuzzy Hash: a1c1ff58a0962ce133a573860c72e944daf1a6466a36d5b4d3e4dc09ec2796cd
Instruction Fuzzy Hash: 3D4156B5D04208CFDB11CFA9D88579DBBF5BB48314F148129D925E7384D7B8A846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 06614400, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0661448F

Memory Dump Source

Source File: 00000006.00000002.265371365.0000000006610000.00000040.00000001.sdmp, Offset: 06610000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ac45beb08f4f6b4ac15e982d50d708c65bf25f083a6adcf7e3e26ceffba7c8c4
Instruction ID: 7f9171c83072e866faece840ccf4492087b66e601a7176a6c7f2c50aee3bacc2
Opcode Fuzzy Hash: ac45beb08f4f6b4ac15e982d50d708c65bf25f083a6adcf7e3e26ceffba7c8c4
Instruction Fuzzy Hash: 4221E3B59002489FDF10CFAAD984ADEBFF4EB48320F14841AE954A7310D778A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06614408, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0661448F

Memory Dump Source

Source File: 00000006.00000002.265371365.0000000006610000.00000040.00000001.sdmp, Offset: 06610000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: fa327485a2b0c571b0208c59e7b5d7259c38cbb53652165d568a6ccecbf72ed6
Instruction ID: 7f73144afd1e174f7487e45d77433f9ebaeee52f4769169a81abb2a1141bae31
Opcode Fuzzy Hash: fa327485a2b0c571b0208c59e7b5d7259c38cbb53652165d568a6ccecbf72ed6
Instruction Fuzzy Hash: C621C2B59002489FDB10CFAAD984ADEBBF8EB48324F14841AE914A7310D378A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 066159C0, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06616141,?,?), ref: 066162E8

Memory Dump Source

Source File: 00000006.00000002.265371365.0000000006610000.00000040.00000001.sdmp, Offset: 06610000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 27e4ba16da7f70fe2e5976b416504b17ac381d4b0b991cb9cb4f59ba4aab2472
Instruction ID: b1086a328302aca7bdb8fe8e25234c54800e88099594e84858e0a5937850f8c5
Opcode Fuzzy Hash: 27e4ba16da7f70fe2e5976b416504b17ac381d4b0b991cb9cb4f59ba4aab2472
Instruction Fuzzy Hash: A01188B58003098FCB50CF9AD488BDEBBF4EB48324F14842AD918B7300C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0661628A, Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,06616141,?,?), ref: 066162E8

Memory Dump Source

Source File: 00000006.00000002.265371365.0000000006610000.00000040.00000001.sdmp, Offset: 06610000, based on PE: false

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: af38c7a81a7adf51bfaf5798a8d7d1590e7bd938716a9b29c4ea914f82e9b78d
Instruction ID: 48e7b0a77a5b7929db1dcd2df29c56c9e33cb66af558a8f4fa1fef580a7683ac
Opcode Fuzzy Hash: af38c7a81a7adf51bfaf5798a8d7d1590e7bd938716a9b29c4ea914f82e9b78d
Instruction Fuzzy Hash: 1D1136B68002098FCB10CF9AD485BDEBBF4EB48324F14842AD954B7340D778A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06614148, Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06614E7D

Memory Dump Source

Source File: 00000006.00000002.265371365.0000000006610000.00000040.00000001.sdmp, Offset: 06610000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ab7d78f507d48005724a87cc3d1ca100c3053d2bdb63abb849bf0e86b3faeb27
Instruction ID: 12b88d8133541d7d386d0778c0e9ee821e95a16795984fe8fb2d2f587ff52d44
Opcode Fuzzy Hash: ab7d78f507d48005724a87cc3d1ca100c3053d2bdb63abb849bf0e86b3faeb27
Instruction Fuzzy Hash: F11115B19047498FDB50DF9AD488BDEBBF4EB48324F14845AD519B7300C778AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06614E22, Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06614E7D

Memory Dump Source

Source File: 00000006.00000002.265371365.0000000006610000.00000040.00000001.sdmp, Offset: 06610000, based on PE: false

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: f767afc769cd7e76709f969805fd38f16917510cc7ef4a6216e5900ea76d9c6c
Instruction ID: c7e782362a5af83a9c5500b9a6ce649a3f1958861fa9977550f3f4c87acaaf70
Opcode Fuzzy Hash: f767afc769cd7e76709f969805fd38f16917510cc7ef4a6216e5900ea76d9c6c
Instruction Fuzzy Hash: A71115B58003488FCB10DF9AD489BCEBBF4EB48324F148459D519B7340C378A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report svchost.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries